2009-05-01 22:01:21 +00:00
|
|
|
##
|
2010-04-30 08:40:19 +00:00
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
2009-05-01 22:01:21 +00:00
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
2010-11-11 22:43:22 +00:00
|
|
|
# http://metasploit.com/framework/
|
2009-05-01 22:01:21 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
2010-04-30 08:40:19 +00:00
|
|
|
include Msf::Auxiliary::Report
|
2009-05-01 22:01:21 +00:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'Oracle XML DB SID Discovery',
|
|
|
|
'Description' => %q{
|
|
|
|
This module simply makes a authenticated request to retrieve
|
|
|
|
the sid from the Oracle XML DB httpd server.
|
|
|
|
},
|
2009-07-23 02:55:51 +00:00
|
|
|
'Version' => '$Revision$',
|
2009-05-01 22:01:21 +00:00
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'URL', 'http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf' ],
|
|
|
|
],
|
|
|
|
'Author' => [ 'MC' ],
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(8080),
|
|
|
|
OptString.new('DBUSER', [ false, 'The db user to authenticate with.', 'scott']),
|
|
|
|
OptString.new('DBPASS', [ false, 'The db pass to authenticate with.', 'tiger']),
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
|
|
|
begin
|
|
|
|
|
|
|
|
user_pass = "#{datastore['DBUSER']}:#{datastore['DBPASS']}"
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-05-01 22:01:21 +00:00
|
|
|
res = send_request_raw({
|
|
|
|
'uri' => '/oradb/PUBLIC/GLOBAL_NAME',
|
|
|
|
'version' => '1.0',
|
|
|
|
'method' => 'GET',
|
|
|
|
'headers' =>
|
|
|
|
{
|
|
|
|
'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"
|
|
|
|
}
|
|
|
|
}, 5)
|
|
|
|
|
2010-03-11 22:55:37 +00:00
|
|
|
if( not res )
|
|
|
|
print_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}...") if datastore['VERBOSE']
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2009-05-01 22:01:21 +00:00
|
|
|
if (res.code == 200)
|
2010-04-30 08:40:19 +00:00
|
|
|
if (not res.body.length > 0)
|
2010-03-11 22:55:37 +00:00
|
|
|
# sometimes weird bug where body doesn't have value yet
|
|
|
|
res.body = res.bufq
|
|
|
|
end
|
|
|
|
sid = res.body.scan(/<GLOBAL_NAME>(\S+)<\/GLOBAL_NAME>/)
|
2009-05-01 22:01:21 +00:00
|
|
|
report_note(
|
|
|
|
:host => ip,
|
|
|
|
:proto => 'tcp',
|
|
|
|
:type => 'SERVICE_NAME',
|
|
|
|
:data => "#{sid}"
|
2010-04-30 08:40:19 +00:00
|
|
|
)
|
2010-03-11 22:55:37 +00:00
|
|
|
print_status("Discovered SID: '#{sid}' for host #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}")
|
2009-05-01 22:01:21 +00:00
|
|
|
else
|
2010-03-11 22:55:37 +00:00
|
|
|
print_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}...")
|
2009-05-01 22:01:21 +00:00
|
|
|
end
|
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|