Attacking Oracle Applications
REFERENCES:
http://vimeo.com/26231845 (Metasploit/wXf @ Source Boston 2011)
http://vimeo.com/19569973 (Metasploit @ BlackHat DC 2011)
https://media.blackhat.com/bh-dc-11/Gates/BlackHat_DC_2011_Gates_Attacking_Oracle_Web-wp.pdf (Slides)
**Check wXf for the scripts in this document rather than Metasploit; the wXf versions may be newer and have more options
OWASP - http://www.owasp.org/index.php/Testing_for_Oracle
Chris Gates Article - http://www.ethicalhacker.net/content/view/363/24/
Scan for default, exploitable/interesting content:
-oracle_version_scanner.rb
-oas_cgi_scan.rb (combines nikto and some other stuff, with good explanations)
Use the above to scan the site for default content. There is a ton of it on Oracle by default, some of it is vulnerable, and it must be MANUALLY removed. Some examples of things it may find (there are TONS):
-UDDI Endpoints -> can test default usernames and passwords to admin things
-Oracle isqlplus -> SQL execution (installed by default)
Attack the isqlplus login:
-oracle_isqlplus_sidbrute - Metasploit module (brute-forces the SID)
-oracle_isqlplus_login - Metasploit module (brute-forces the login)
-printenv, javart.jsp... lots of info disclosure and other default content
-oracle_dav_bypass.rb - an exploit to bypass basic auth on Oracle WebDAV, if WebDAV is found by the above scripts
Attacking PL/SQL Gateways:
(1) Identify PL/SQL Gateway and DAD
PL/SQL Gateway
-The gateway takes client requests and proxies them to PL/SQL procedures in the backend database.
-To identify PL/SQL Gateways look for pls in the URL (the name can be different, usually 3 letters) followed by the DAD name
eg: /pls/xyz
/pls/owa
/pls/portal
/xyz/owa
/xyz/portal
Common DAD names:
SIMPLEDAD, ORASSO, HTMLDB, SSODAD, PORTAL, PORTAL2, PORTAL30, PORTAL30_SSO, DAD, OWA, PROD, APP
-The CGI scanner should pick up common DAD and PLS names
-Look at oracle_dad_scanner.rb; a 302 or 200 on the DAD path indicates a valid DAD
(2) Ensure the PL/SQL gateway is up and running, use oracle_plsql_enabled.rb
It makes two requests:
/pls/dad/null - should return 200
/pls/dad/nofunction - should return 404
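The following is an added example, not wXf or Metasploit code, that puts the default-content probe, the DAD enumeration of step (1) and the null/nofunction check of step (2) into one script. It assumes the prefix list (pls plus owa and portal as extra candidates) and the three default-content paths as illustrative choices, and the HTTP responses in STUB_RESPONSES are constructed so it runs offline; pass a base URL as the first argument to probe a real host.

```ruby
#!/usr/bin/env ruby
# Added example (not wXf/Metasploit code): enumerate PL/SQL Gateway DADs, run
# the null/nofunction "gateway enabled" check and a short default-content
# probe. Path lists are the common names from the notes above; the fetcher is
# a constructed stub unless a base URL is passed on the command line.
require 'net/http'
require 'uri'

# Gateway prefixes: "pls" is the usual one; owa/portal are assumed extra
# candidates (the notes show /xyz/owa and /xyz/portal style URLs).
PLS_PREFIXES = %w[pls owa portal].freeze
# Common DAD names from the notes.
DAD_NAMES = %w[SIMPLEDAD ORASSO HTMLDB SSODAD PORTAL PORTAL2 PORTAL30
               PORTAL30_SSO DAD OWA PROD APP].freeze
# A few default-content paths mentioned in the notes (illustrative; a real
# scan uses the CGI scanner's full list).
DEFAULT_CONTENT = %w[/isqlplus /printenv /javart.jsp].freeze

# Constructed responses so the example runs offline: one DAD (/pls/portal)
# behind a working gateway, one (/pls/orasso) that answers but fails the
# gateway check, and iSQL*Plus left installed. Everything else is a 404.
STUB_RESPONSES = {
  '/pls/portal'            => 302,
  '/pls/portal/null'       => 200,
  '/pls/portal/nofunction' => 404,
  '/pls/orasso'            => 200,
  '/pls/orasso/null'       => 404,
  '/isqlplus'              => 200
}.freeze
STUB_FETCH = ->(path) { STUB_RESPONSES.fetch(path, 404) }

# /<prefix>/<dad> for every prefix/DAD pair.
def candidate_dads(prefixes = PLS_PREFIXES, dads = DAD_NAMES)
  prefixes.product(dads).map { |pre, dad| "/#{pre}/#{dad.downcase}" }.uniq
end

# The notes treat 200 and 302 on the bare DAD path as "valid DAD".
def dad_valid?(status)
  [200, 302].include?(status)
end

# oracle_plsql_enabled.rb logic: a gateway answers 200 for <dad>/null and
# 404 for <dad>/nofunction. Both must hold; a host that answers 200 for
# everything is a catch-all page, not a gateway.
def plsql_gateway_enabled?(fetch, dad_path)
  fetch.call("#{dad_path}/null") == 200 &&
    fetch.call("#{dad_path}/nofunction") == 404
end

# Run all three checks with a fetcher (path -> HTTP status, or nil on error).
def scan(fetch)
  dads = candidate_dads.select { |p| dad_valid?(fetch.call(p)) }
  {
    dads:            dads,
    gateways:        dads.select { |p| plsql_gateway_enabled?(fetch, p) },
    default_content: DEFAULT_CONTENT.select { |p| fetch.call(p) == 200 }
  }
end

# Live fetcher for a base URL such as https://host:4443. Plain GET with no
# redirect following, so a 302 is reported as a 302. Network errors -> nil.
def http_fetcher(base_url)
  base = URI(base_url)
  lambda do |path|
    begin
      Net::HTTP.start(base.host, base.port, use_ssl: base.scheme == 'https',
                      open_timeout: 5, read_timeout: 10) do |http|
        http.get(path).code.to_i
      end
    rescue StandardError
      nil
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  fetch = ARGV[0] ? http_fetcher(ARGV[0]) : STUB_FETCH
  result = scan(fetch)
  puts "Valid DADs:           #{result[:dads].join(' ')}"
  puts "PL/SQL gateway up at: #{result[:gateways].join(' ')}"
  puts "Default content:      #{result[:default_content].join(' ')}"
end
```

Against the stub, /pls/orasso is reported as a valid DAD but not as a working gateway, which is the distinction steps (1) and (2) make: a DAD path that answers is only worth the injection checks in step (3) once the null/nofunction pair behaves as expected.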
(3) From here you may exploit SQL injection in PL/SQL packages installed by default
use oracle_modplsql_pwncheck.rb to check for common vulns
(4) Escalate to DBA - get code execution!
Some packages run with DBA privileges, so an injection into them can promote your unprivileged user to DBA
Check oracle_modplsql_escalate.rb for other privilege escalation exploits
(5) Now you can run commands!
oracle_portal_runcmd.rb Also look into "Oracle Portal Hacker" from Syd
(6) Privilege Escalation and running other commands
eg: running UPDATE, INSERT or DELETE from a SELECT-based SQL Injection in Oracle: http://www.youtube.com/watch?v=J9PxYSvb8DI&feature=player_embedded
ORACLE NINJAS/RESOURCES:
OWASP - http://www.owasp.org/index.php/Testing_for_Oracle
Alexander Kornbrust - http://www.red-database-security.com
Sumit Siddharth - http://www.notsosecure.com
David Litchfield - http://www.davidlitchfield.com/blog/
Joxean Koret - http://joxeankoret.com
http://www.argeniss.com/index.html
http://0xdeadbeef.info
http://databasesecurity.com/oracle/hpoas.pdf