This Metasploit module will escalate an Oracle DB user to MDSYS by exploiting a SQL injection bug in the MDSYS.SDO_TOPO_DROP_FTBL trigger. The exploit then escalates the user to DBA by using the "CREATE ANY TRIGGER" privilege granted to the MDSYS user to create an evil trigger in the system schema (2-stage attack).
91a0457e6fc1353dda1d938850804c7fbf4f3873992700b019c47715d498af97
The module exploits an SQL injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with October 2008 CPU.
531bca332b7b8919c806ed365e8ad1c5e5000249344fccaf602038718feac7e5
This Metasploit module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function.
47ba8aeb06908edd303259a2080cba7efcaa98f8f66c52b0fa64a15448287fe5
This Metasploit module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.DBMS_METADATA.OPEN package/function.
f6664ac501c9f358d8d4a9410aab3c277a77640982c29a4ac936ead1bc75e8b3
The module exploits an SQL injection flaw in the DROP_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege.
7e5369ebdc4bfc61aa262475859d683b00bf47b5e34f9da7b3872e8242c9834c
This Metasploit module exploits a SQL injection flaw in the REMOVEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
27f5ae57e22ed3cfd2e38c06ca48a65e3dfb8c76f9cc56d51d4721d34c60da9c
This Metasploit module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package. Note: This Metasploit module has been tested against 9i, 10gR1 and 10gR2.
45e22b08a22f5b9b513570650ac77c9b7cf896df1dddb9d97cc0659722506344
This Metasploit module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.DBMS_METADATA.GET_XML package/function.
345c6446dfe846a011460df72073d8ff0549b8076c977837fb20c1f2ddb07dd3
This Metasploit module exploits an SQL injection flaw in the COMPRESSWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
8d3bbc62256bcef0370fd324d79badfe6dada95158c7b728fcf20137808677d2
This Metasploit module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.LT.FINDRICSET package via the Evil Cursor technique. Tested on Oracle 10.1.0.3.0; should work through 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical Patch Update October 2007.
c969f6f19cf659e35b78bffa83fbc8e8694a50647075c02b8636a5ef97eb6c17
This Metasploit module exploits a SQL injection flaw in the ROLLBACKWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
ccfe06863fa08c66b4bb04f888a3c40c6a7660aa2a9948479455b087d102bc4d
This Metasploit module exploits a SQL injection flaw in the MERGEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
25265a201b6de9b641b309ca9d9e2f86d75f62ec4113d2e80983a1052506dbe8
This Metasploit module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package/function. This vulnerability affects Oracle Database Server 9i up to 9.2.0.5 and 10g up to 10.1.0.4.
dc9b1de7a0efe0b6df96fb180a6432e4861fefcaaceb66899e1acdd5821ec707
The module exploits an SQL injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with October 2008 CPU.
14b30e15660808395b533ff80a789b56b79cedf1bffaa219897f461a53b655dc
The module exploits an SQL injection flaw in the CREATE_CHANGE_SET procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege.
26ed86f78f01db48be7f14a8b9f1b9fec76717709540eee30aa0dfa68088569f
The Jasmin Ransomware web server contains an unauthenticated SQL injection vulnerability within the login functionality. As of April 15, 2024 this was still unpatched, so all versions are vulnerable. The last patch was in 2021, so it will likely never be patched. Retrieving the victim's data may take a long time. It is much quicker to get the logins, then just log in to the site.
f7e0d4c8db68c72a070412c58aed2d661337854ce5aff7fbe8948bd051ac28cb
This Metasploit module exploits a SQL injection vulnerability in Joomla versions 3.2 through 3.4.4 in order to enumerate usernames and password hashes.
eaae704ef831c9b61c537f52feac70b43d16b0f1530f7da0d1cbc1ab16b2435b
This Metasploit module exploits a SQL injection vulnerability found in vBulletin 5.x.x to dump the user table information or to dump all of the vBulletin tables (based on the selected options). This Metasploit module has been tested successfully on vBulletin version 5.6.1 on Ubuntu Linux.
ff56a843c97fa72711235034adea7c67c06a8967f8acf46b212656cf728ac905
This Metasploit module exploits a SQL injection vulnerability in BillQuick Web Suite prior to version 22.0.9.1. The application is .NET based, and the database is required to be MSSQL. Luckily, the website returns error-based SQLi messages, so it is trivial to pull data from the database. However, the web app uses an unknown password security algorithm. This vulnerability does not seem to support stacked queries. This Metasploit module pulls the database name, banner, user, hostname, and the SecurityTable (user table).
d8cefad10acdca162e64259d0c38c3ba88805f7a520f39ce7f23d5c73f4b4074
The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user-supplied data in the total_service parameter of the bookingpress_front_get_category_services AJAX action (available to unauthenticated users) before using it in a dynamically constructed SQL query. As a result, unauthenticated attackers can conduct an SQL injection attack to dump sensitive data from the backend database, such as usernames and password hashes. This Metasploit module uses this vulnerability to dump the list of WordPress users and their associated email addresses and password hashes for cracking offline.
29ecfa5e38864b30d4aa9450311eb83d8df5628e2fbd5acbfcbc4a942cf3b816
This Metasploit module enables an authenticated user to collect the usernames and encrypted passwords of other users in the Dolibarr ERP/CRM via SQL injection.
bf3ca1e9d4350740c01f5818654eeda12704172d96dbfb16f499f0d5e56d58aa
This Metasploit module uses a blind SQL injection (CVE-2020-5724) affecting the Grandstream UCM62xx IP PBX to dump the users table. The injection occurs over a websocket at the websockify endpoint, and specifically occurs when the user requests the challenge (as part of a challenge and response authentication scheme). The injection is blind, but the server response contains a different status code if the query was successful. As such, the attacker can guess the contents of the user database. Most helpfully, the passwords are stored in cleartext within the user table (CVE-2020-5723). This issue was patched in Grandstream UCM62xx IP PBX firmware version 1.20.22.
204edd5f46dc100421611af4e2893d13a1a61846015d99b935feb39ee0afa10a
Versions 1.2.13 through 1.2.16 are vulnerable to a SQL injection attack if an attacker can gain access to administrative credentials. This vuln was fixed in 1.2.17.
320419705ca13a1bfcafc3cda1ab534c90225edc3090390aa620b065772e9291
AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG generation PHP file. This Metasploit module exploits this to read an arbitrary file from the file system. Any authenticated user is able to exploit it, as administrator privileges aren't required.
8ebaffc716eedd5e4b8b8c7e5043252a757d480ee4bddd7781480547382b3917
Firmware versions up to 7.0.0-build1904 of Peplink Balance routers are affected by an unauthenticated SQL injection vulnerability in the bauth cookie. Successful exploitation of the vulnerability allows an attacker to retrieve the cookies of authenticated users, bypassing the web portal authentication. By default, a session expires 4 hours after login (the setting can be changed by the admin). For this reason, the module attempts to retrieve the most recently created sessions.
b41d992081cc2b6eb2a8f48d7b8d7bae6acdc73882499f0a6250e5da83246835