# Oracle-Pentesting-Reference
Oracle Database Penetration Testing Reference (10g/11g)

### Kali Linux Environment Set-up / Add-ons:
_1. Gaining Kali Linux Oracle Support_
https://leonjza.github.io/blog/2014/08/17/kali-linux-oracle-support/
https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux

_2. Install SQL Developer_
https://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/index.html

_3. Install Oracle DB XE 11g Client on Kali Linux_
https://community.oracle.com/people/Yves+Moriceau-Oracle/blog/2017/02/24/installation-of-oracle-db-xe-11g-on-kali-linux-x64?customTheme=mosc
http://www.oracle.com/technetwork/testcontent/dbinst-101789.html#i

_4. Set Environment Variables in /etc/profile_
```
export PATH=$PATH:/usr/lib/oracle/12.2/client64/bin
export SQLPATH=/usr/lib/oracle/12.2/client64/bin
export TNS_ADMIN=/usr/lib/oracle/12.2/client64/lib
export LD_LIBRARY_PATH=/usr/lib/oracle/12.2/client64/lib
export ORACLE_HOME=/usr/lib/oracle/12.2/client64

export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
export PATH=$JAVA_HOME/bin:$PATH
```
_5. EZConnect string to connect to a remote Oracle Database using SQL*Plus_
```
<username>/<password>@<host>:<port>/<SID>

Example: scott/tiger@<host>:1521/XE
```

### Tools, Exploits and Modules

#### Tools
ODAT - Oracle Database Audit Tool
https://github.com/quentinhardy/odat
Oracle Audit Tool (Included in ODAT)
http://www.vulnerabilityassessment.co.uk/oat.htm

#### Exploits
Oracle 9i/10g - 'utl_file' FileSystem Access
https://www.exploit-db.com/exploits/2959/
Oracle 10/11g - 'exp.exe?file' Local Buffer Overflow
https://www.exploit-db.com/exploits/16169/

#### Metasploit Modules

auxiliary/admin/oracle/oracle_login
auxiliary/admin/oracle/oracle_sql
Oracle DB SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE
auxiliary/sqli/oracle/dbms_cdc_ipublish
Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE
auxiliary/sqli/oracle/dbms_cdc_publish
Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE
auxiliary/sqli/oracle/dbms_cdc_publish2
Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET
auxiliary/sqli/oracle/dbms_cdc_publish3
Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION
auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription
Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION
auxiliary/sqli/oracle/dbms_export_extension
Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML
auxiliary/sqli/oracle/dbms_metadata_get_granted_xml
Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_XML
auxiliary/sqli/oracle/dbms_metadata_get_xml
Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN
auxiliary/sqli/oracle/dbms_metadata_open
Oracle DB SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger
auxiliary/sqli/oracle/droptable_trigger
Oracle DB 10gR2, 11gR1/R2 DBMS_JVM_EXP_PERMS OS Command Execution
auxiliary/sqli/oracle/jvm_os_code_10g
Oracle DB 11g R1/R2 DBMS_JVM_EXP_PERMS OS Code Execution
auxiliary/sqli/oracle/jvm_os_code_11g
Oracle DB SQL Injection via SYS.LT.COMPRESSWORKSPACE
auxiliary/sqli/oracle/lt_compressworkspace
Oracle DB SQL Injection via SYS.LT.FINDRICSET
auxiliary/sqli/oracle/lt_findricset_cursor
iSQL*Plus Login Utility
auxiliary/scanner/oracle/isqlplus_login
Oracle iSQL*Plus SID Check
auxiliary/scanner/oracle/isqlplus_sidbrute
Oracle Password Hashdump
auxiliary/scanner/oracle/oracle_hashdump
Oracle RDBMS Login Utility
auxiliary/scanner/oracle/oracle_login
Oracle TNS Listener SID Bruteforce
auxiliary/scanner/oracle/sid_brute
Oracle TNS Listener SID Enumeration
auxiliary/scanner/oracle/sid_enum
Oracle Application Server Spy Servlet SID Enumeration
auxiliary/scanner/oracle/spy_sid
Oracle TNS Listener Service Version Query
auxiliary/scanner/oracle/tnslsnr_version
Oracle TNS Listener Checker
auxiliary/scanner/oracle/tnspoison_checker

### Useful Links

First Steps in Oracle Penetration Testing:
https://www.adampalmer.me/iodigitalsec/2013/08/12/first-steps-in-oracle-penetration-testing/

Hacking Oracle Cheat Sheet/Queries:
http://www.red-database-security.com/wp/oracle_cheat.pdf

Attacking Oracle with the Metasploit Framework:
https://www.slideshare.net/chrisgates/attacking-oracle-with-the-metasploit-framework
http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf

Oracle Database TNS Listener Poison Attack:
http://www.joxeankoret.com/download/tnspoison.pdf