Tuesday, December 4, 2012

Attacking Oracle Applications

Just my notes on attacking Oracle applications that were scrounged together from various talks and documents. I've tried to clean them up a bit so they're somewhat usable.

Attacking Oracle Applications
http://vimeo.com/26231845 (Metasploit/wXf @ Source Boston 2011)
http://vimeo.com/19569973 (Metasploit @ BlackHat DC 2011)
https://media.blackhat.com/bh-dc-11/Gates/BlackHat_DC_2011_Gates_Attacking_Oracle_Web-wp.pdf (Slides)
**Check WXF for the scripts in this document rather than metasploit, might be newer/more options
OWASP - http://www.owasp.org/index.php/Testing_for_Oracle
Chris Gates Article - http://www.ethicalhacker.net/content/view/363/24/

Scan for default, exploitable/interesting content:


-oas_cgi_scan.rb (combines nikto and some other stuff with good explanations)

Use the above to scan the site for default content, there is a ton of it by default on Oracle, some of it is vulnerable and must be MANUALLY removed. Some examples of things it may find (there are TONS) -UDDI Endpoints -> can test default unames and passwords to admin things
-Oracle isqlplus -> SQL execution (installed by default)
Attack the isqlplus login:
-oracle_isqlplus_sidbrute - metasploit module
-oracle_isqlplug_login - metasploit module
-printenv, javart.jsp... lots of info disclosure and other default content

-oracle_dav_bypass.rb - an exploit to bypass basic auth on oracle webdav if it is found by the above scripts

Attacking PL/SQL Gateways:

(1) Identify PL/SQL Gateway and DAD

PL/SQL Gateway
-Gateway takes client requests and then proxies them to the backend database.
-To identify PL/SQL Gateways look for pls in the URL (can be different, usually 3 letters) followed by DAD name

eg: /pls/xyz

Common DAD names:

-CGI scanner should pick up common DAD and PLS names
-look at oracle_dad_scanner.rb look for 302's and 200's for valid DAD's

(2) Ensure PL/SQL gateway is up and running, use oracle_plsql_enabled.rb

   It makes a request to /pls/dad/null - should return 200
    /pls/dad/nofunction - should return 404

(3) From here you may exploit SQL injection in PL/SQL packages installed by default 

use oracle_modplsql_pwncheck.rb to check for common vulns

(4) Escalate to DBA - get code execution! 

Some functions run as DBA and you can promote your unpriv user to DBA
Check oracle_modplsql_escalate.rb for other privilege escalation exploits

(5) Now you can run commands! 

oracle_portal_runcmd.rb Also look into "Oracle Portal Hacker" from Syd

(7) Privilege Escalation and running other commands 

eg:(UPDATE, INSERT, DELETE) from a SELECT based SQL Injection in Oracle: http://www.youtube.com/watch?v=J9PxYSvb8DI&feature=player_embedded


OWASP - http://www.owasp.org/index.php/Testing_for_Oracle
Alexander Kornbrust - http://www.red-database-security.com
Sumit Siddharth - http://www.notsosecure.com
David Litchfield - http://www.davidlitchfield.com/blog/
Joxean Koret - http://joxeankoret.com

No comments:

Post a Comment