Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_XML
This module will escalate a Oracle DB user to DBA by exploiting an sql injection bug in the SYS.DBMS_METADATA.GET_XML package/function.
Rank
- Normal
Authors
- MC < mc [at] metasploit.com >
Vulnerability References
Development
Similar Modules
- auxiliary/sqli/oracle/dbms_cdc_ipublish
- auxiliary/sqli/oracle/dbms_cdc_publish
- auxiliary/sqli/oracle/dbms_cdc_publish2
- auxiliary/sqli/oracle/dbms_cdc_publish3
- auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription
- auxiliary/sqli/oracle/dbms_export_extension
- auxiliary/sqli/oracle/dbms_metadata_get_granted_xml
- auxiliary/sqli/oracle/dbms_metadata_open
- auxiliary/sqli/oracle/droptable_trigger
- auxiliary/sqli/oracle/jvm_os_code_10g
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/sqli/oracle/dbms_metadata_get_xml
msf auxiliary(dbms_metadata_get_xml) > set RHOST [TARGET IP]
msf auxiliary(dbms_metadata_get_xml) > run
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/sqli/oracle/dbms_metadata_get_xml
msf auxiliary(dbms_metadata_get_xml) > set RHOST [TARGET IP]
msf auxiliary(dbms_metadata_get_xml) > run
Module Options
| DBPASS | The password to authenticate with. (default: TIGER) |
| DBUSER | The username to authenticate with. (default: SCOTT) |
| RHOST | The Oracle host. (default: ) |
| RPORT | The TNS port. (default: 1521) |
| SID | The sid to authenticate with. (default: ORCL) |
| SQL | SQL to execute. (default: GRANT DBA to SCOTT) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |