diff --git a/lib/msf/core/exploit/oracle.rb b/lib/msf/core/exploit/oracle.rb
index ae5d8f888f..3175becfc2 100644
--- a/lib/msf/core/exploit/oracle.rb
+++ b/lib/msf/core/exploit/oracle.rb
@@ -2,103 +2,147 @@ # # This module provides methods for communicating with a host running oracle. # Dependencies: -# - Oracle Instant Client -# - ruby-dbi -# - ruby-oci8 +# - Oracle Instant Client +# - ruby-oci8 +# +# Rory McCune +# MC # ### +require 'msf/core' + module Msf module Exploit::ORACLE - + + def initialize(info = {}) super register_options( [ - OptString.new('RHOST', [ true, 'The Oracle host.', '']), - OptString.new('RPORT', [ true, 'The TNS port.', '1521']), - OptString.new('SID', [ true, 'The sid to authenticate with.', 'ORCL']), - OptString.new('DBUSER', [ true, 'The username to authenticate with.', 'SCOTT']), - OptString.new('DBPASS', [ true, 'The password to authenticate with.', 'TIGER']), + OptString.new('RHOST', [ true, 'The Oracle host.', '']), + OptString.new('RPORT', [ true, 'The TNS port.', '1521']), + OptString.new('SID', [ true, 'The sid to authenticate with.', 'ORCL']), + OptString.new('DBUSER', [ true, 'The username to authenticate with.', 'SCOTT']), + OptString.new('DBPASS', [ true, 'The password to authenticate with.', 'TIGER']), ], Msf::Exploit::ORACLE ) begin - require 'rubygems' - gem 'dbi' - require 'dbi' - @havedbi = true + require 'oci8' rescue ::LoadError - @havedbi = false - end - - if(not @havedbi) - begin - require 'dbi' - @havedbi = true - rescue ::LoadError - @havedbi = false - end + print_error("oci8 module not loaded, is installed ok?") + raise RuntimeError, "The oci8 module is not available!" end end - + def connect - print_status("Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}...") - - if ( not @havedbi ) - print_error("The dbi module is not available!") - raise RuntimeError, "The dbi module is not available!" 
+ # Create a Connection to the Database + if datastore['DBUSER'] == 'SYS' || datastore['DBUSER'] == 'SYSTEM' + handle = OCI8.new(datastore['DBUSER'], + datastore['DBPASS'], + "//#{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}", + :SYSDBA) + else + handle = OCI8.new(datastore['DBUSER'], + datastore['DBPASS'], + "//#{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}") end - - - begin - handle = DBI.connect( - "DBI:OCI8://#{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}", - "#{datastore['DBUSER']}", - "#{datastore['DBPASS']}" - ) - rescue ::DBI::DatabaseError => e - print_error("Oracle DB connection failed: #{e.class} #{e.to_s}") - handle.disconnect_all if handle - return - rescue ::Interrupt - raise $! - rescue DBI::InterfaceError - print_error("The Oracle Database Instant Client has not been installed") - raise RuntimeError, "Missing OCI8 DBI driver" - end - + # 23.11 passing a raise call after the print_error, so we get the error message and the error is passed on in case the module needs it (eg, login_brute) + rescue ::OCIError => e + # print_error("#{e.class} #{e.to_s}") + raise end def disconnect - disconnect_all + connect.logoff end - def prepare_exec(exec) + def prepare_exec(sql) begin - sploit = connect.prepare(exec) - sploit.execute - rescue DBI::DatabaseError => e - print_status("#{e.to_s}") + sploit = connect.parse(sql) + rescue ::OCIError => e + print_error("#{e.to_s}") return end - + # DEBUG + # print_status("did the parse sploit type is " + sploit.type.to_s) begin - sploit.each do | data | - print_status("#{data.join(",").to_s}") - end - print_status("Done...") - sploit.finish - rescue DBI::DatabaseError => e - #print_error("#{e.to_s}") - if ( e.to_s =~ /ORA-24374: define not done before fetch or execute and fetch/ ) - print_status("Done...") - else - return + sploit.exec + rescue ::OCIError => e + if ( e.to_s =~ /ORA-00942: table or view does not exist/ ) + print_status("ORA-00942: table or view does not 
exist") + raise RuntimeError, "ORA-00942: table or view does not exist" end + print_status e.to_s + end + + # The Handling is a little different for certain types of query + # Mainly Select needs a fetch statement to get the data + # Also return types are a little different (some return rows changed so we can used that) + # The case statement could probaby be collapsed a bit but leaving it as is for the moment + # in case it's useful later... + + # Select Queries + case sploit.type + when 1, :select_stmt + # Create an array to return to the calling function + results = Array.new + while r = sploit.fetch() + str = r.join(',') + # Removed this as it should really be down to the exploit to decide what to print + # eg leaving this in messes up oraenum. + # print_status(str) + results << str + end + + return results + + # Update Queries + when 2, :update_stmt + connect.commit + + # If we were successful our return should be a Fixnum with the number of rows updated + result = ['UPDATE Successful ' + sploit.row_count.to_s + ' Rows Updated'] + return result + # Delete Queries + when 3, :delete_stmt + connect.commit + # If we were successful our return should be a Fixnum with the number of rows updated + result = ['DELETE Successful ' + sploit.row_count.to_s + ' Rows Deleted'] + return result + # Insert Queries + when 4, :insert_stmt + connect.commit + # If we were successful our return should be a Fixnum with the number of rows updated + result = ['INSERT Successful ' + sploit.row_count.to_s + ' Rows Inserted'] + return result + # Create Queries + when 5, :create_stmt + connect.commit + if sploit + print_status('CREATE successful') + end + when 6, :drop_stmt + connect.commit + if sploit + print_status('DROP successful') + end + when 7, :alter_stmt + connect.commit + if sploit + print_status('Alter successful') + end + when 8, :begin_stmt + connect.commit + when 9, :declare_stmt + connect.commit + else + print_status("Didn't match Query Type!") + print_status("Query type 
passed was " + sploit.type.to_s) end end - + end end diff --git a/modules/auxiliary/admin/oracle/login_brute.rb b/modules/auxiliary/admin/oracle/login_brute.rb index f392b2a7b1..f4a66ac0c8 100644 --- a/modules/auxiliary/admin/oracle/login_brute.rb +++ b/modules/auxiliary/admin/oracle/login_brute.rb @@ -48,14 +48,14 @@ class Metasploit3 < Msf::Auxiliary fd = CSV.foreach(list) do |brute| - datastore['DBUSER'] = brute[2] - datastore['DBPASS'] = brute[3] + datastore['DBUSER'] = brute[2].downcase + datastore['DBPASS'] = brute[3].downcase begin - c = connect - c.disconnect - rescue ::Exception => e - + connect + disconnect + rescue ::OCIError => e + print_error("#{e.class} #{e.to_s}") else if (not e) report_note( diff --git a/modules/auxiliary/admin/oracle/oraenum.rb b/modules/auxiliary/admin/oracle/oraenum.rb index ed261a56d4..01e423383a 100644 --- a/modules/auxiliary/admin/oracle/oraenum.rb +++ b/modules/auxiliary/admin/oracle/oraenum.rb @@ -27,37 +27,14 @@ class Metasploit3 < Msf::Auxiliary end - def plsql_query(exec) - @dbh ||= connect - - querydata = "" - - sploit = @dbh.prepare(exec) - sploit.execute - - begin - sploit.each do | data | - querydata << ("#{data.join(",").to_s} \n") - end - sploit.finish - rescue DBI::DatabaseError => e - #print_error("#{e.to_s}") - if ( e.to_s =~ /ORA-24374: define not done before fetch or execute and fetch/ ) - print_status("Done...") - else - return - end - end - return querydata - end def run begin #Get all values from v$parameter query = 'select name,value from v$parameter' vparm = {} - params = plsql_query(query) - params.each_line do |l| + params = prepare_exec(query) + params.each do |l| name,value = l.split(",") vparm["#{name}"] = value end 
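Review bot: `connect` opens a new `OCI8` session on every call, yet `disconnect` and `prepare_exec` call it repeatedly, so `connect.logoff` logs off a session it has just opened and `connect.commit` commits on a different session from the one that ran `sploit.exec`; none of the working sessions is ever closed. Memoising the handle fixes all three, e.g. `@handle ||= OCI8.new(...)` in `connect` and `@handle.logoff if @handle; @handle = nil` in `disconnect`. Each extra session is also an extra authentication against the server, which matters for account-lockout policy when login_brute.rb calls `connect` and then `disconnect` for every row. Separately, raising from `initialize` when `oci8` is missing fails at construction time for every module that mixes this in, where the old code deferred the failure to `connect`.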
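Review bot: `brute[2].downcase` and `brute[3].downcase` sit outside the `begin` block and raise NoMethodError on a CSV row with fewer than four fields. Because the rescue was narrowed from `::Exception` to `::OCIError`, nothing visible in the hunk catches that, so one short row ends the whole `CSV.foreach`. A guard such as `next if brute[2].nil? || brute[3].nil?` before the assignments keeps the loop going. In the `else` branch `e` is always nil, so `if (not e)` is redundant; the block continues past the end of the hunk.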
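Review bot: `prepare_exec` returns nil when the parse fails (the bare `return` after `print_error` in lib/msf/core/exploit/oracle.rb), so `params.each` raises NoMethodError in that case; whether the `begin` in `run` rescues it is outside the hunk. The rows also arrive already joined with `,`, so `name,value = l.split(",")` truncates any parameter value that itself contains a comma, and `name, value = l.split(",", 2)` keeps the whole value. A nil guard such as `(prepare_exec(query) || []).each` covers the first case. The same applies to the other `prepare_exec(...)` results that this file now iterates with `.each`.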
@@ -68,14 +45,15 @@ class Metasploit3 < Msf::Auxiliary #Version Check query = 'select * from v$version' - ver = plsql_query(query) + ver = prepare_exec(query) print_status("The versions of the Components are:") - ver.each_line do |v| + ver.each do |v| print_status("\t#{v.chomp}") report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Component Version: #{v.chomp}") end + #Saving Major Release Number for other checks - majorrel = ver.scan(/Edition Release (\d*)./) + majorrel = ver[0].scan(/Edition Release (\d*)./) #------------------------------------------------------- #Audit Check @@ -125,11 +103,11 @@ class Metasploit3 < Msf::Auxiliary end end - print_status("\tUTL Directory Access is set to #{vparm["utl_file_dir"].strip}") if vparm["utl_file_dir"] != " " - report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "UTL_DIR: #{ vparm["utl_file_dir"]}") if not vparm["utl_file_dir"].empty? + print_status("\tUTL Directory Access is set to #{vparm["utl_file_dir"]}") if vparm["utl_file_dir"] != " " + report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "UTL_DIR: #{ vparm["utl_file_dir"]}") if not vparm["utl_file_dir"]#.empty? - print_status("\tAudit log is saved at #{vparm["audit_file_dest"].strip}") - report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Audit Log Location: #{ vparm["audit_file_dest"]}") if not vparm["audit_file_dest"].empty? + print_status("\tAudit log is saved at #{vparm["audit_file_dest"]}") + report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Audit Log Location: #{ vparm["audit_file_dest"]}") if not vparm["audit_file_dest"]#.empty? end #------------------------------------------------------- 
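Review bot: `ver[0].scan(/Edition Release (\d*)./)` searches only the first returned row, where the old code scanned the whole result, so `majorrel` is empty whenever the edition banner is not row 0 (and `ver[0]` is nil if no rows came back). The later `majorrel.join.to_i < 11` test then evaluates to `0 < 11` and takes the `< 11` branch regardless of the real release. `majorrel = ver.join("\n").scan(/Edition Release (\d*)./)` keeps the previous behaviour with the new array return type.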
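Review bot: Commenting out `.empty?` inverts both guards: `if not vparm["utl_file_dir"]#.empty?` is now true only when the value is nil, so `report_note` is skipped for every real setting and fires only for a missing one, and the same holds for `audit_file_dest`. `unless vparm["utl_file_dir"].to_s.empty?` gives the intended check and also tolerates nil. The enclosing block starts outside the hunk.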
@@ -142,9 +120,9 @@ class Metasploit3 < Msf::Auxiliary WHERE resource_name = 'PASSWORD_LOCK_TIME' AND profile = 'DEFAULT' | - lockout = plsql_query(query) - print_status("\tCurrent Account Lockout Time is set to #{lockout.chomp}") - report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Lockout Time: #{lockout.chomp}") + lockout = prepare_exec(query) + print_status("\tCurrent Account Lockout Time is set to #{lockout[0].chomp}") + report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Lockout Time: #{lockout[0].chomp}") rescue => e if e.to_s =~ /ORA-00942: table or view does not exist/ @@ -160,9 +138,9 @@ class Metasploit3 < Msf::Auxiliary WHERE resource_name = 'FAILED_LOGIN_ATTEMPTS' AND profile = 'DEFAULT' | - failed_logins = plsql_query(query) - print_status("\tThe Number of Failed Logins before an account is locked is set to #{failed_logins.chomp}") - report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Fail Logins Permitted: #{failed_logins.chomp}") + failed_logins = prepare_exec(query) + print_status("\tThe Number of Failed Logins before an account is locked is set to #{failed_logins[0].chomp}") + report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Fail Logins Permitted: #{failed_logins[0].chomp}") rescue => e if e.to_s =~ /ORA-00942: table or view does not exist/ 
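Review bot: `lockout[0].chomp` raises NoMethodError when `prepare_exec` returns nil (parse failure) or an empty array (no matching profile row), and the only rescue branch visible here tests for ORA-00942; the rest of that rescue is outside the hunk. Reading the value once with `lockout = Array(prepare_exec(query)).first.to_s` and interpolating `lockout` avoids both cases. The same `[0].chomp` / `[0] =~` pattern is added for `failed_logins`, `grace_time`, `passlife_time`, `passreuse`, `passreusemax` and `passrand` in the following hunks.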
@@ -178,9 +156,9 @@ class Metasploit3 < Msf::Auxiliary WHERE resource_name = 'FAILED_LOGIN_ATTEMPTS' AND profile = 'DEFAULT' | - grace_time = plsql_query(query) - print_status("\tThe Password Grace Time is set to #{grace_time.chomp}") - report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Password Grace Time: #{grace_time.chomp}") + grace_time = prepare_exec(query) + print_status("\tThe Password Grace Time is set to #{grace_time[0].chomp}") + report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Password Grace Time: #{grace_time[0].chomp}") rescue => e if e.to_s =~ /ORA-00942: table or view does not exist/ @@ -196,9 +174,9 @@ class Metasploit3 < Msf::Auxiliary WHERE resource_name = 'PASSWORD_LIFE_TIME' AND profile = 'DEFAULT' | - passlife_time = plsql_query(query) - print_status("\tThe Lifetime of Passwords is set to #{passlife_time.chomp}") - report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Life Time: #{passlife_time.chomp}") + passlife_time = prepare_exec(query) + print_status("\tThe Lifetime of Passwords is set to #{passlife_time[0].chomp}") + report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Life Time: #{passlife_time[0].chomp}") rescue => e if e.to_s =~ /ORA-00942: table or view does not exist/ 
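Review bot: The query feeding `grace_time` filters on `resource_name = 'FAILED_LOGIN_ATTEMPTS'`, the same resource as the previous check, so the value printed and stored as "Account Password Grace Time" is the failed-login limit. The line is unchanged context, but this commit rewrites the consumer directly below it; the filter presumably should read `WHERE resource_name = 'PASSWORD_GRACE_TIME'`. The query text starts above the hunk.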
@@ -213,9 +191,9 @@ class Metasploit3 < Msf::Auxiliary WHERE resource_name = 'PASSWORD_REUSE_TIME' AND profile = 'DEFAULT' | - passreuse = plsql_query(query) - print_status("\tThe Number of Times a Password can be reused is set to #{passreuse.chomp}") - report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Reuse Time: #{passreuse.chomp}") + passreuse = prepare_exec(query) + print_status("\tThe Number of Times a Password can be reused is set to #{passreuse[0].chomp}") + report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Reuse Time: #{passreuse[0].chomp}") rescue => e if e.to_s =~ /ORA-00942: table or view does not exist/ @@ -230,10 +208,10 @@ class Metasploit3 < Msf::Auxiliary WHERE resource_name = 'PASSWORD_REUSE_MAX' AND profile = 'DEFAULT' | - passreusemax = plsql_query(query) - print_status("\tThe Maximun Number of Times a Password needs to be changed before it can be reused is set to #{passreusemax.chomp}") - report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Maximun Reuse Time: #{passreusemax.chomp}") - print_status("\tThe Number of Times a Password can be reused is set to #{passreuse.chomp}") + passreusemax = prepare_exec(query) + print_status("\tThe Maximun Number of Times a Password needs to be changed before it can be reused is set to #{passreusemax[0].chomp}") + report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Maximun Reuse Time: #{passreusemax[0].chomp}") + print_status("\tThe Number of Times a Password can be reused is set to #{passreuse[0].chomp}") rescue => e if e.to_s =~ /ORA-00942: table or view does not exist/ 
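Review bot: The last added line in the PASSWORD_REUSE_MAX block prints the PASSWORD_REUSE_TIME message again using `passreuse[0]`, a variable assigned in the previous `begin` block. If that earlier query failed, `passreuse` is nil here and the line raises after the REUSE_MAX note has already been recorded; otherwise it only duplicates output. Dropping `print_status("\tThe Number of Times a Password can be reused is set to #{passreuse[0].chomp}")` from this block looks like the intended behaviour.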
@@ -248,8 +226,8 @@ class Metasploit3 < Msf::Auxiliary WHERE resource_name = 'PASSWORD_VERIFY_FUNCTION' AND profile = 'DEFAULT' | - passrand = plsql_query(query) - if passrand =~ /NULL/ + passrand = prepare_exec(query) + if passrand[0] =~ /NULL/ print_status("\tPassword Complexity is not checked") report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Complexity is not being checked for new passwords") else @@ -265,6 +243,7 @@ class Metasploit3 < Msf::Auxiliary end #------------------------------------------------------- + begin if majorrel.join.to_i < 11 @@ -274,9 +253,9 @@ class Metasploit3 < Msf::Auxiliary FROM sys.user$ where password != 'null' and type# = 1 and astatus = 0 | - activeacc = plsql_query(query) + activeacc = prepare_exec(query) print_status("Active Accounts on the System in format Username,Hash are:") - activeacc.each_line do |aa| + activeacc.each do |aa| print_status("\t#{aa.chomp}") report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Active Account #{aa.chomp}") end @@ -286,9 +265,9 @@ class Metasploit3 < Msf::Auxiliary FROM sys.user$ where password != 'null' and type# = 1 and astatus = 0 | - activeacc = plsql_query(query) + activeacc = prepare_exec(query) print_status("Active Accounts on the System in format Username,Password,Spare4 are:") - activeacc.each_line do |aa| + activeacc.each do |aa| print_status("\t#{aa.chomp}") report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Active Account #{aa.chomp}") end 
@@ -307,9 +286,9 @@ class Metasploit3 < Msf::Auxiliary FROM dba_users WHERE account_status = 'EXPIRED & LOCKED' | - disabledacc = plsql_query(query) + disabledacc = prepare_exec(query) print_status("Expired or Locked Accounts on the System in format Username,Hash are:") - disabledacc.each_line do |da| + disabledacc.each do |da| print_status("\t#{da.chomp}") report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Disabled Account #{da.chomp}") end @@ -319,9 +298,9 @@ class Metasploit3 < Msf::Auxiliary FROM sys.user$ where password != 'null' and type# = 1 and astatus = 8 or astatus = 9 | - disabledacc = plsql_query(query) + disabledacc = prepare_exec(query) print_status("Expired or Locked Accounts on the System in format Username,Password,Spare4 are:") - disabledacc.each_line do |da| + disabledacc.each do |da| print_status("\t#{da.chomp}") report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Disabled Account #{da.chomp}") end @@ -339,9 +318,9 @@ class Metasploit3 < Msf::Auxiliary FROM dba_role_privs WHERE granted_role = 'DBA' | - dbaacc = plsql_query(query) + dbaacc = prepare_exec(query) print_status("Accounts with DBA Privilege in format Username,Hash on the System are:") - dbaacc.each_line do |dba| + dbaacc.each do |dba| print_status("\t#{dba.chomp}") report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with DBA Priv #{dba.chomp}") end 
@@ -358,9 +337,9 @@ class Metasploit3 < Msf::Auxiliary FROM dba_sys_privs WHERE privilege = 'ALTER SYSTEM' | - altersys = plsql_query(query) + altersys = prepare_exec(query) print_status("Accounts with Alter System Privilege on the System are:") - altersys.each_line do |as| + altersys.each do |as| print_status("\t#{as.chomp}") report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with ALTER SYSTEM Priv #{as.chomp}") end @@ -377,9 +356,9 @@ class Metasploit3 < Msf::Auxiliary FROM dba_sys_privs WHERE privilege = 'JAVA ADMIN' | - javaacc = plsql_query(query) + javaacc = prepare_exec(query) print_status("Accounts with JAVA ADMIN Privilege on the System are:") - javaacc.each_line do |j| + javaacc.each do |j| print_status("\t#{j.chomp}") report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with JAVA ADMIN Priv #{j.chomp}") end @@ -397,9 +376,9 @@ class Metasploit3 < Msf::Auxiliary where privilege = 'CREATE LIBRARY' or privilege = 'CREATE ANY' | - libpriv = plsql_query(query) + libpriv = prepare_exec(query) print_status("Accounts that have CREATE LIBRARY Privilege on the System are:") - libpriv.each_line do |lp| + libpriv.each do |lp| print_status("\t#{lp.chomp}") report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with CREATE LIBRARY Priv #{lp.chomp}") end @@ -417,7 +396,7 @@ class Metasploit3 < Msf::Auxiliary query = %Q| SELECT * FROM dba_users_with_defpwd | - defpwd = plsql_query(query) + defpwd = prepare_exec(query) defpwd.each do |dp| print_status("\tThe account #{dp.chomp} has a default password.") report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with Default Password #{dp.chomp}") 
@@ -430,9 +409,9 @@ class Metasploit3 < Msf::Auxiliary where password != 'null' and type# = 1 | ordfltpss = "#{File.join(Msf::Config.install_root, "data", "wordlists", "oracle_default_hashes.txt")}" - returnedstring = plsql_query(query) + returnedstring = prepare_exec(query) accts = {} - returnedstring.each_line do |record| + returnedstring.each do |record| user,pass = record.split(",") accts["#{pass.chomp}"] = "#{user}" end diff --git a/modules/auxiliary/admin/oracle/sql.rb b/modules/auxiliary/admin/oracle/sql.rb index d29f6d2fa7..ab0f9491a5 100644 --- a/modules/auxiliary/admin/oracle/sql.rb +++ b/modules/auxiliary/admin/oracle/sql.rb @@ -37,8 +37,14 @@ class Metasploit3 < Msf::Auxiliary query = datastore['SQL'] begin - print_status("Sending statement: '#{query}'...") - prepare_exec(query) + print_status("Sending statement: '#{query}'...") + result = prepare_exec(query) + #Need this if 'cause some statements won't return anything + if result + result.each do |line| + print_status(line) + end + end rescue => e return end diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb index dafa28b861..2fb6d65c12 100644 --- a/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb +++ b/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb @@ -49,19 +49,15 @@ class Metasploit3 < Msf::Auxiliary clean = "drop function #{name}" + print_status("Sending function...") + prepare_exec(function) + begin - print_status("Sending function...") - prepare_exec(function) - rescue => e - return + print_status("Attempting sql injection on SYS.DBMS_METADATA.GET_GRANTED_XML...") + prepare_exec(package) + rescue ::OCIError => e + print_status("Removing function '#{name}'...") + prepare_exec(clean) end - - print_status("Attempting sql injection on SYS.DBMS_METADATA.GET_GRANTED_XML...") - prepare_exec(package) - - print_status("Removing function '#{name}'...") - prepare_exec(clean) - end - end 
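Review bot: `rescue => e` followed by a bare `return` hides every failure, and after this commit `connect` in lib/msf/core/exploit/oracle.rb re-raises `OCIError` with its `print_error` commented out, so a failed connection here appears to produce no output at all. Reporting before returning, `print_error("#{e.class}: #{e}")`, keeps the failure diagnosable. The `if result` guard is needed as written, since the CREATE/DROP/ALTER branches of `prepare_exec` do not return a result array.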
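Review bot: The `drop function` cleanup now runs only inside `rescue ::OCIError`, so on the path where `prepare_exec(package)` returns normally the function created by `prepare_exec(function)` is left behind in the database under test. `prepare_exec` also rescues `OCIError` itself around its parse and exec calls, which makes this branch rarer still. Moving the two cleanup lines into an `ensure` clause of the same `begin` block removes the object on every path. The same structure is added in dbms_metadata_get_xml.rb, dbms_metadata_open.rb (cleanup only on an ORA-24374 match) and lt_compressworkspace.rb (cleanup only on a /No Data/ match), and lt_rollbackworkspace.rb skips its cleanup if `prepare_exec(sql)` raises.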
diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb index 093f956f0a..bc1009bb4e 100644 --- a/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb +++ b/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb @@ -49,19 +49,15 @@ class Metasploit3 < Msf::Auxiliary clean = "drop function #{name}" - begin - print_status("Sending function...") - prepare_exec(function) - rescue => e - return + print_status("Sending function...") + prepare_exec(function) + + begin + print_status("Attempting sql injection on SYS.DBMS_METADATA.GET_XML...") + prepare_exec(package) + rescue ::OCIError => e + print_status("Removing function '#{name}'...") + prepare_exec(clean) end - - print_status("Attempting sql injection on SYS.DBMS_METADATA.GET_XML...") - prepare_exec(package) - - print_status("Removing function '#{name}'...") - prepare_exec(clean) - - end - + end end diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb index 8ed0ef7a64..d594e4ccb3 100644 --- a/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb +++ b/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb @@ -49,19 +49,20 @@ class Metasploit3 < Msf::Auxiliary clean = "drop function #{name}" + + print_status("Sending function...") + prepare_exec(function) + begin - print_status("Sending function...") - prepare_exec(function) - rescue => e - return + print_status("Attempting sql injection on SYS.DBMS_METADATA.OPEN...") + prepare_exec(package) + rescue ::OCIError => e + if ( e.to_s =~ /ORA-24374: define not done before fetch or execute and fetch/ ) + print_status("Removing function '#{name}'...") + prepare_exec(clean) + else + end end - - print_status("Attempting sql injection on SYS.DBMS_METADATA.OPEN...") - prepare_exec(package) - - print_status("Removing function '#{name}'...") - prepare_exec(clean) - end end 
diff --git a/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb b/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb index 2ac9e42697..8d15396354 100644 --- a/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb +++ b/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb @@ -57,16 +57,21 @@ class Metasploit3 < Msf::Auxiliary clean = "DROP FUNCTION #{cruft}" print_status("Attempting sql injection on SYS.LT.COMPRESSWORKSPACE...") + + print_status("Sending function...") + prepare_exec(function) + begin - print_status("Sending function...") - prepare_exec(function) - rescue => e - return + prepare_exec(package1) + prepare_exec(package2) + rescue => e + if ( e.to_s =~ /No Data/ ) + print_status("Removing function '#{cruft}'...") + prepare_exec(clean) + else + return + end end - prepare_exec(package1) - prepare_exec(package2) - print_status("Removing function '#{cruft}'...") - prepare_exec(clean) end diff --git a/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb b/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb index e0864bb1ad..4472c7aaf4 100644 --- a/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb +++ b/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb @@ -87,14 +87,8 @@ class Metasploit3 < Msf::Auxiliary clean = "DROP FUNCTION #{cruft}" print_status("Attempting sql injection on SYS.LT.ROLLBACKWORKSPACE...") - begin - prepare_exec(sql) - rescue => e - return - end - + prepare_exec(sql) print_status("Removing function '#{cruft}'...") prepare_exec(clean) end - end