Oracle-Pentesting-Reference

Oracle Database Penetration Testing Reference (10g/11g)

Kali Linux Environment Set-up / Add-ons:

1. Gaining Kali Linux Oracle Support
https://leonjza.github.io/blog/2014/08/17/kali-linux-oracle-support/
https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux

2. Install SQL Developer
https://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/index.html

3. Install Oracle DB XE 11G Client on Kali Linux.
https://community.oracle.com/people/Yves+Moriceau-Oracle/blog/2017/02/24/installation-of-oracle-db-xe-11g-on-kali-linux-x64?customTheme=mosc
http://www.oracle.com/technetwork/testcontent/dbinst-101789.html#i

4. Set Environment Variables in /etc/profile

export PATH=$PATH:/usr/lib/oracle/12.2/client64/bin
export SQLPATH=/usr/lib/oracle/12.2/client64/bin
export TNS_ADMIN=/usr/lib/oracle/12.2/client64/lib
export LD_LIBRARY_PATH=/usr/lib/oracle/12.2/client64/lib
export ORACLE_HOME=/usr/lib/oracle/12.2/client64

export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
export PATH=$JAVA_HOME/bin:$PATH

5. EZConnect string to connect to remote Oracle Database using SQLPlus

<username>/<password>@<hostname>:<port>/SID

Example: scott/tiger@<IP Address>:1521/XE

Tools, Exploits and Modules

Tools

ODAT - Oracle Database Audit Tool
https://github.com/quentinhardy/odat
Oracle Audit Tool (Included in ODAT)
http://www.vulnerabilityassessment.co.uk/oat.htm

Exploits

Oracle 9i/10g - 'utl_file' FileSystem Access
https://www.exploit-db.com/exploits/2959/
Oracle 10/11g - 'exp.exe?file' Local Buffer Overflow
https://www.exploit-db.com/exploits/16169/

Metasploit Modules

auxilary/admin/oracle/oracle_login
auxiliary/admin/oracle/oracle_sql
Oracle DB SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE
auxiliary/sqli/oracle/dbms_cdc_ipublish
Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE
auxiliary/sqli/oracle/dbms_cdc_publish
Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE
auxiliary/sqli/oracle/dbms_cdc_publish2
Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET
auxiliary/sqli/oracle/dbms_cdc_publish3
Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION
auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription
Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION
auxiliary/sqli/oracle/dbms_export_extension
Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML
auxiliary/sqli/oracle/dbms_metadata_get_granted_xml
Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_XML
auxiliary/sqli/oracle/dbms_metadata_get_xml
Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN
auxiliary/sqli/oracle/dbms_metadata_open
Oracle DB SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger
auxiliary/sqli/oracle/droptable_trigger
Oracle DB 10gR2, 11gR1/R2 DBMS_JVM_EXP_PERMS OS Command Execution
auxiliary/sqli/oracle/jvm_os_code_10g
Oracle DB 11g R1/R2 DBMS_JVM_EXP_PERMS OS Code Execution
auxiliary/sqli/oracle/jvm_os_code_11g
Oracle DB SQL Injection via SYS.LT.COMPRESSWORKSPACE
auxiliary/sqli/oracle/lt_compressworkspace
Oracle DB SQL Injection via SYS.LT.FINDRICSET
auxiliary/sqli/oracle/lt_findricset_cursor
iSQL*Plus Login Utility
auxiliary/scanner/oracle/isqlplus_login
Oracle iSQLPlus SID Check
auxiliary/scanner/oracle/isqlplus_sidbrute
Oracle Password Hashdump
auxiliary/scanner/oracle/oracle_hashdump
Oracle RDBMS Login Utility
auxiliary/scanner/oracle/oracle_login
Oracle TNS Listener SID Bruteforce
auxiliary/scanner/oracle/sid_brute
Oracle TNS Listener SID Enumeration
auxiliary/scanner/oracle/sid_enum
Oracle Application Server Spy Servlet SID Enumeration
auxiliary/scanner/oracle/spy_sid
Oracle TNS Listener Service Version Query
auxiliary/scanner/oracle/tnslsnr_version
Oracle TNS Listener Checker
auxiliary/scanner/oracle/tnspoison_checker

Useful Links

First Steps in Oracle Penetration Testing:
https://www.adampalmer.me/iodigitalsec/2013/08/12/first-steps-in-oracle-penetration-testing/

Hacking Oracle Cheat Sheet/Queries:
http://www.red-database-security.com/wp/oracle_cheat.pdf

Attacking Oracle with the Metasploit Framework:
https://www.slideshare.net/chrisgates/attacking-oracle-with-the-metasploit-framework http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf

Oracle Database TNS Listener Poison Attack:
http://www.joxeankoret.com/download/tnspoison.pdf