forked from quentinhardy/odat
TODO.txt
###############################################################################################################################
ODAT
###############################################################################################################################
-----------
HIGH
-----------
1- Windows reverse shell in the JAVA and DBMSSCHEDULER modules with PowerShell?
2- Execute SQL requests as a user other than APEX_040200 (e.g. ORDSYS) when the user has the CREATE ANY PROCEDURE privilege
3- Executing code as SYSDBA: "oradebug setmypid", then oradebug call system "/bin/touch -f /home/oracle/rds.txt" (returns "Function returned 0")
http://blog.red-database-security.com/2011/09/17/disable-auditing-and-running-os-commands-using-oradebug/
http://www.petefinnigan.com/weblog/archives/00001353.htm
4- Retrieve the SID "BLABLA" when the alias is in the form '.H......"..<(DESCRIPTION=(TMP=)(VSNNUM=0)(ERR=0)(ALIAS=listener_BLABLA))'
-----------
MEDIUM
-----------
1- Transfer files via DBMS_SCHEDULER.get_file (http://docs.oracle.com/cd/B28359_01/appdev.111/b28419/d_sched.htm#BABDDBFH)
2- Implement SQL injection via Oracle DBMS_EXPORT_EXTENSION in Oracle 9i / 10g to grant the DBA role (http://www.red-database-security.com/exploits/oracle-sql-injection-oracle-dbms_export_extension.html)
3- Is it possible to capture HTTP NTLM authentication with an HTTP GET request via utl_http or HTTPUriType?
4- Read files with XMLType
5- Create files with DBMS_XMLDOM
6- Execute system commands with native PL/SQL (undocumented)
7- Add an option to each module that shows the SQL commands it uses. The aim: when the tool itself can't be used, the SQL commands it generates can still be run by hand.
8- Catch errors when the credential file given by the user is invalid
9- Feature for dumping tables or databases
-----------
LOW
-----------
1- Transfer files via DBMS_FILE_TRANSFER (http://psoug.org/reference/dbms_file_trans.html). Needs an Oracle database installed locally because a database link is required.
2- Check whether encryption is in use? What to do about it?
3- Check how passwords are stored in the application
5- Execute system commands with "alter system set "_oradbg_pathname"='/tmp/debug.sh';"
_oradbg_pathname is an undocumented parameter (since Oracle 10g) that allows you to specify the name of
6- Additional SMB Auth method with set_log, compatible with 8-9 only : https://erpscan.com/press-center/blog/smbrelay-bible-3-smbrelay-by-oracle/ (thanks to Lexus89)