Just my notes on attacking Oracle applications that were scrounged together from various talks and documents. I’ve tried to clean them up a bit so they’re somewhat usable.

Attacking Oracle Applications
REFERENCES: 
http://vimeo.com/26231845 (Metasploit/wXf @ Source Boston 2011)
http://vimeo.com/19569973 (Metasploit @ BlackHat DC 2011)
https://media.blackhat.com/bh-dc-11/Gates/BlackHat_DC_2011_Gates_Attacking_Oracle_Web-wp.pdf (Slides)
**Check WXF for the scripts in this document rather than metasploit, might be newer/more options
OWASP – http://www.owasp.org/index.php/Testing_for_Oracle
Chris Gates Article – http://www.ethicalhacker.net/content/view/363/24/

Scan for default, exploitable/interesting content:

-oracle_version_scanner.rb


-oas_cgi_scan.rb (combines nikto and some other stuff with good explanations)

Use the above to scan the site for default content, there is a ton of it by default on Oracle, some of it is vulnerable and must be MANUALLY removed. Some examples of things it may find (there are TONS) -UDDI Endpoints -> can test default unames and passwords to admin things
-Oracle isqlplus -> SQL execution (installed by default)
Attack the isqlplus login:
-oracle_isqlplus_sidbrute – metasploit module
-oracle_isqlplug_login – metasploit module
-printenv, javart.jsp… lots of info disclosure and other default content


-oracle_dav_bypass.rb – an exploit to bypass basic auth on oracle webdav if it is found by the above scripts

Attacking PL/SQL Gateways:

(1) Identify PL/SQL Gateway and DAD


PL/SQL Gateway
-Gateway takes client requests and then proxies them to the backend database.
-To identify PL/SQL Gateways look for pls in the URL (can be different, usually 3 letters) followed by DAD name

eg: /pls/xyz
   /pls/owa
   /pls/portal
   /xyz/owa
   /xyz/portal

Common DAD names:
SIMPLEDAD, ORASSO, HTMLDB, SSODAD, PORTAL, PORTAL2, PORTAL30, PORTA30_SSO, DAD, OWA, PROD, APP

-CGI scanner should pick up common DAD and PLS names
-look at oracle_dad_scanner.rb look for 302’s and 200’s for valid DAD’s

(2) Ensure PL/SQL gateway is up and running, use oracle_plsql_enabled.rb

   It makes a request to /pls/dad/null – should return 200
    /pls/dad/nofunction – should return 404

(3) From here you may exploit SQL injection in PL/SQL packages installed by default 

use oracle_modplsql_pwncheck.rb to check for common vulns

(4) Escalate to DBA – get code execution! 


Some functions run as DBA and you can promote your unpriv user to DBA
Check oracle_modplsql_escalate.rb for other privilege escalation exploits

(5) Now you can run commands! 

oracle_portal_runcmd.rb Also look into “Oracle Portal Hacker” from Syd

(7) Privilege Escalation and running other commands 


eg:(UPDATE, INSERT, DELETE) from a SELECT based SQL Injection in Oracle: http://www.youtube.com/watch?v=J9PxYSvb8DI&feature=player_embedded

ORACLE NINJAS/RESOURCES:

OWASP – http://www.owasp.org/index.php/Testing_for_Oracle
Alexander Kornbrust – http://www.red-database-security.com
Sumit Siddharth – http://www.notsosecure.com
David Litchfield – http://www.davidlitchfield.com/blog/
Joxean Koret – http://joxeankoret.com
http://www.argeniss.com/index.html
http://0xdeadbeef.info
http://databasesecurity.com/oracle/hpoas.pdf

By admin