Just my notes on attacking Oracle applications that were scrounged together from various talks and documents. I’ve tried to clean them up a bit so they’re somewhat usable.

360 Mobile Vision - 360mobilevision.com North & South Carolina Security products and Systems Installations for Commercial and Residential - $55 Hourly Rate. ACCESS CONTROL, INTRUSION ALARM, ACCESS CONTROLLED GATES, INTERCOMS AND CCTV INSTALL OR REPAIR 360 Mobile Vision - 360mobilevision.com is committed to excellence in every aspect of our business. We uphold a standard of integrity bound by fairness, honesty and personal responsibility. Our distinction is the quality of service we bring to our customers. Accurate knowledge of our trade combined with ability is what makes us true professionals. Above all, we are watchful of our customers interests, and make their concerns the basis of our business.

Attacking Oracle Applications
REFERENCES: 
http://vimeo.com/26231845 (Metasploit/wXf @ Source Boston 2011)
http://vimeo.com/19569973 (Metasploit @ BlackHat DC 2011)
https://media.blackhat.com/bh-dc-11/Gates/BlackHat_DC_2011_Gates_Attacking_Oracle_Web-wp.pdf (Slides)
**Check WXF for the scripts in this document rather than metasploit, might be newer/more options
OWASP – http://www.owasp.org/index.php/Testing_for_Oracle
Chris Gates Article – http://www.ethicalhacker.net/content/view/363/24/

Scan for default, exploitable/interesting content:

-oracle_version_scanner.rb


-oas_cgi_scan.rb (combines nikto and some other stuff with good explanations)

Use the above to scan the site for default content, there is a ton of it by default on Oracle, some of it is vulnerable and must be MANUALLY removed. Some examples of things it may find (there are TONS) -UDDI Endpoints -> can test default unames and passwords to admin things
-Oracle isqlplus -> SQL execution (installed by default)
Attack the isqlplus login:
-oracle_isqlplus_sidbrute – metasploit module
-oracle_isqlplug_login – metasploit module
-printenv, javart.jsp… lots of info disclosure and other default content


-oracle_dav_bypass.rb – an exploit to bypass basic auth on oracle webdav if it is found by the above scripts

Attacking PL/SQL Gateways:

(1) Identify PL/SQL Gateway and DAD


PL/SQL Gateway
-Gateway takes client requests and then proxies them to the backend database.
-To identify PL/SQL Gateways look for pls in the URL (can be different, usually 3 letters) followed by DAD name

eg: /pls/xyz
   /pls/owa
   /pls/portal
   /xyz/owa
   /xyz/portal

Common DAD names:
SIMPLEDAD, ORASSO, HTMLDB, SSODAD, PORTAL, PORTAL2, PORTAL30, PORTA30_SSO, DAD, OWA, PROD, APP

-CGI scanner should pick up common DAD and PLS names
-look at oracle_dad_scanner.rb look for 302’s and 200’s for valid DAD’s

(2) Ensure PL/SQL gateway is up and running, use oracle_plsql_enabled.rb

   It makes a request to /pls/dad/null – should return 200
    /pls/dad/nofunction – should return 404

(3) From here you may exploit SQL injection in PL/SQL packages installed by default 

use oracle_modplsql_pwncheck.rb to check for common vulns

(4) Escalate to DBA – get code execution! 


Some functions run as DBA and you can promote your unpriv user to DBA
Check oracle_modplsql_escalate.rb for other privilege escalation exploits

(5) Now you can run commands! 

oracle_portal_runcmd.rb Also look into “Oracle Portal Hacker” from Syd

(7) Privilege Escalation and running other commands 


eg:(UPDATE, INSERT, DELETE) from a SELECT based SQL Injection in Oracle: http://www.youtube.com/watch?v=J9PxYSvb8DI&feature=player_embedded

ORACLE NINJAS/RESOURCES:

OWASP – http://www.owasp.org/index.php/Testing_for_Oracle
Alexander Kornbrust – http://www.red-database-security.com
Sumit Siddharth – http://www.notsosecure.com
David Litchfield – http://www.davidlitchfield.com/blog/
Joxean Koret – http://joxeankoret.com
http://www.argeniss.com/index.html
http://0xdeadbeef.info
http://databasesecurity.com/oracle/hpoas.pdf

By admin