<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Database Exploit on rchitect</title><link>https://www.rchitect.in/categories/database-exploit/</link><description>Recent content in Database Exploit on rchitect</description><generator>Hugo</generator><language>en</language><lastBuildDate>Sun, 27 Feb 2022 00:00:00 +0000</lastBuildDate><atom:link href="https://www.rchitect.in/categories/database-exploit/index.xml" rel="self" type="application/rss+xml"/><item><title>Oracle DB exploit using ODAT</title><link>https://www.rchitect.in/posts/odat/</link><pubDate>Sun, 27 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/odat/</guid><description>&lt;h1 id="oracle-db-exploit-using-odat"&gt;
 Oracle DB exploit using ODAT
 &lt;a class="heading-link" href="#oracle-db-exploit-using-odat"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;Here are some of the nmap scan results from the pentest:&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;sudo nmap -sS -T4 -sV -sC 10.10.10.82
[sudo] password for rocky: 
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-24 06:14 EST
Nmap scan report for 10.10.10.82
Host is up (0.089s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
8080/tcp open http Oracle XML DB Enterprise Edition httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=XDB
|_http-server-header: Oracle XML DB/Oracle Database
|_http-title: 401 Unauthorized
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 15s, deviation: 0s, median: 14s
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2022-02-24T11:16:31
|_ start_date: 2022-02-24T00:28:20

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.34 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;h4 id="sometheory-on-oracle-dbfrom-pentest-point-of-view"&gt;
 Some Theory on Oracle DB (from a pentest point of view)
 &lt;a class="heading-link" href="#sometheory-on-oracle-dbfrom-pentest-point-of-view"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h4&gt;
&lt;p&gt;The above Nmap results show that port 1521 is open, and there are several other references to Oracle DB as well. 1521 is the port that Oracle DB uses to communicate with external servers and applications. The key point, once we know 1521 is open, is to identify the SID, which can be thought of as the unique database identifier. One method is brute-forcing; I could see some modules for this in Metasploit as well.&lt;/p&gt;</description></item></channel></rss>