
ODAT v2.1 released – Oracle Database Attacking Tool.

Changelog Version 2.1 (2016/03/04):
+ A new module (cve) for exploiting some CVEs (Common Vulnerabilities and Exposures). CVE-2012-3137 (perhaps this number, I’m not sure…) is implemented at the moment: an authenticated user can modify all tables it can select from, even if it normally cannot modify them (no ALTER privilege).
+ A new option (--accounts-files) for the remote authentication attack, which uses two distinct files: a login list and a password list.
+ Print 10g passwords in a format compatible with oclHashcat.
+ Bug fixes (listening with nc).

ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely.
Usage examples of ODAT:
+ You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database
+ You have a valid Oracle account on a database and want to escalate your privileges to become DBA or SYSDBA
+ You have an Oracle account and want to execute system commands (e.g. a reverse shell) in order to move forward on the operating system hosting the database
Tested on Oracle Database 10g, 11g and 12c (12.1.0.2.0).

Features:
+ search valid SIDs on a remote Oracle Database listener via:
— a dictionary attack
— a brute force attack
— the ALIAS of the listener
+ search Oracle accounts using:
— a dictionary attack
— each Oracle username as its own password (a valid account is needed before using this attack)
+ execute system commands on the database server using:
— DBMS_SCHEDULER
— JAVA
— external tables
— oradbg
+ download files stored on the database server using:
— UTL_FILE
— external tables
— CTXSYS
— DBMS_LOB
+ upload files on the database server using:
— UTL_FILE
— DBMS_XSLPROCESSOR
— DBMS_ADVISOR
+ delete files using:
— UTL_FILE
+ gain privileged access using the following system privilege combinations (see help for the privesc module commands): (NEW : 2016/02/21)
— CREATE ANY PROCEDURE
— CREATE PROCEDURE and EXECUTE ANY PROCEDURE
— CREATE ANY TRIGGER (and CREATE PROCEDURE)
— ANALYZE ANY (and CREATE PROCEDURE)
— CREATE ANY INDEX (and CREATE PROCEDURE)
+ send/receive HTTP requests from the database server using:
— UTL_HTTP
— HttpUriType
+ scan ports of the local server or a remote server using:
— UTL_HTTP
— HttpUriType
— UTL_TCP
+ capture an SMB authentication through:
— an index that triggers an SMB connection
+ exploit some CVEs:
— CVE-2012-3137 (http://cvedetails.com/cve/2012-3137):
–+ pick up the session key and salt for arbitrary users
–+ dictionary attack on the captured sessions
— CVE-2012-3137? (https://twitter.com/gokhanatil/status/595853921479991297): an authenticated user can modify all tables it can select from, even if it normally cannot modify them (no ALTER privilege).
+ check CVE-2012-1675 (http://seclists.org/fulldisclosure/2012/Apr/204)
+ search in column names thanks to the search module:
— search a pattern (ex: password) in column names
+ unwrap PL/SQL source code (10g/11g and 12c)
+ get the system privileges and roles granted to an account; the privileges and roles held through granted roles can be retrieved as well (NEW : 2016/02/21)
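The privilege combinations listed under "gain privileged access" and the role-chasing described in the last item are what a DBA should audit for on their own instance. The following is an added example, not ODAT's code: it takes rows shaped like DBA_SYS_PRIVS (grantee, privilege) and DBA_ROLE_PRIVS (grantee, granted_role), expands role grants transitively, and reports which accounts hold one of those combinations. The sample rows are constructed; on a real instance they would be fetched with cx_Oracle.

```python
# Added example (not ODAT's code): audit which Oracle accounts hold one of the
# system-privilege combinations listed above, expanding role grants
# transitively. The rows are constructed to mirror DBA_SYS_PRIVS (grantee,
# privilege) and DBA_ROLE_PRIVS (grantee, granted_role).
from collections import defaultdict

# Each tuple must be held in full to count as a hit.
RISKY_COMBOS = [
    ("CREATE ANY PROCEDURE",),
    ("CREATE PROCEDURE", "EXECUTE ANY PROCEDURE"),
    ("CREATE ANY TRIGGER", "CREATE PROCEDURE"),
    ("ANALYZE ANY", "CREATE PROCEDURE"),
    ("CREATE ANY INDEX", "CREATE PROCEDURE"),
]

# Constructed sample rows (not taken from a real instance).
SYS_PRIVS = [("APP_DEV", "CREATE PROCEDURE"), ("APP_DEV", "CREATE SESSION"),
             ("REPORTING", "CREATE SESSION"), ("DEV_ROLE", "CREATE ANY INDEX"),
             ("AUDIT_ROLE", "SELECT ANY TABLE"), ("BATCH", "CREATE ANY PROCEDURE")]
ROLE_PRIVS = [("APP_DEV", "DEV_ROLE"), ("REPORTING", "AUDIT_ROLE"),
              ("DEV_ROLE", "AUDIT_ROLE")]  # a role granted to another role

def effective_privs(grantee, sys_privs, role_privs):
    """System privileges held directly or through (nested) roles."""
    direct, roles = defaultdict(set), defaultdict(set)
    for g, p in sys_privs:
        direct[g].add(p)
    for g, r in role_privs:
        roles[g].add(r)
    seen, stack, privs = set(), [grantee], set()
    while stack:
        g = stack.pop()
        if g in seen:          # circular role grants end here
            continue
        seen.add(g)
        privs |= direct[g]
        stack.extend(roles[g])
    return privs

def risky_grantees(sys_privs, role_privs, users):
    """Map each user to the risky combinations it satisfies (absent if none)."""
    findings = {}
    for u in users:
        held = effective_privs(u, sys_privs, role_privs)
        hits = [c for c in RISKY_COMBOS if set(c) <= held]
        if hits:
            findings[u] = hits
    return findings
```

With the sample rows, APP_DEV is flagged only because CREATE ANY INDEX arrives through DEV_ROLE, which a direct-grants-only review would miss.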

Installation:

Get instant client basic, sdk (devel) and sqlplus from the Oracle web site:
X64: http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html
X86: http://www.oracle.com/technetwork/topics/linuxsoft-082809.html

sudo apt-get install libaio1 python-dev alien python-pip
# run the three alien commands as the root user on Debian, Ubuntu and Kali 2.0
alien -i oracle-instantclient11.2-basic-???.x???.rpm
alien -i oracle-instantclient11.2-sqlplus-???.x???.rpm
alien -i oracle-instantclient11.2-devel_???_???.rpm

pip install cx_Oracle
sudo apt-get install python-scapy
sudo pip install colorlog termcolor pycrypto
sudo pip install argcomplete && sudo activate-global-python-argcomplete

git clone https://github.com/quentinhardy/odat && cd odat
./odat.py -h

Update:
./odat.py -update

Source: https://github.com/quentinhardy