SlideShare uma empresa Scribd logo

Hacking oracle using metasploit

Alberto García Illera
Alberto García Illera
Tecnologia
1 de 64
Baixar para ler offline
Attacking Oracle Web Applications with Metasploit Chris Gates (carnal0wnage)
Whoami • Chris Gates (CG) – Twitter carnal0wnage – Blog carnal0wnage.attackresearch.com – Job Sr. Security Consultant for Rapid7 – Affiliations  Attack Research, Metasploit Project • Work • Previous Talks – wXf Web eXploitation Framework – Open Source Information Gathering – Attacking Oracle (via TNS) – Client-Side Attacks 3
Why Are We Here? • Here to talk about attacking oracle web applications (middleware) • What’s out there and how prevalent it is • Why so much of it is unpatched • Demo Metasploit auxiliary modules to find and attack it 4
What Is Oracle Middleware? 5
What is Oracle Middleware?  Enterprise Resource Planning (ERP)  Oracle E-Business Suite*  Oracle Application Server 9i/10g/11i**  Oracle Reports/Forms  Oracle Portal  Oracle Financials/Supplier/Recruitment  For Oracle lots of different products…  For this talk I’m going to lump them all together as “web applications”  *Technically Oracle considers E-Business Suite an “application” as it rides on top of OAS  **weblogic 6
Market Share  Big list of customers  http://www.oracle.com/customers/cust _list_atoz.html 8
Reach  By now we should agree there's a lot of Oracle out there...  That's good right?  Except a lot of it is un-patched and vulnerable :-(  Why? 9
How Did We Get Here?  Pay for patches  Most products are free downloads but you pay for support and patches 10
How Did We Get Here?  Extremely vague advisories  Must pay for extended advisory info (metalink)  Oracle does not release POC code 11
How Did We Get Here?  Extremely vague advisories 12
How Did We Get Here?  Difficult patch / upgrade processes  Complex applications / If it works don't touch it mentality 13
Locating Oracle Servers  Numerous server header strings:  www.owasp.org/index.php/Testing_for_Oracle  Solution:  oracle_version_scanner.rb 14
Locating Oracle Servers • oracle_version_scanner.rb 15
Finding Default Content  First step is to find useful “stuff”  Google/Bing useful (Google Dorks)  Issue is how to find content internal or when its not indexed  Solution:  oas_cgi_scan.rb 16
Abusing Default Content  Most Oracle Middleware applications come with lots of default content  Must be manually removed (no patch to remove content)  Must know exactly where and what files to delete  Tons of information disclosure  Sometimes exploitation potential or credential leakage 18
Abusing Default Content Examples (DB) • /demo/sql/jdbc/JDBCQuery.jsp • Ships with Oracle 9.2 Database and installed by default 19
Abusing Default Content Examples (DB) • /demo/sql/jdbc/JDBCQuery.jsp • Select sys.database_name • '1'='2' UNION SELECT sys.database_name, -500 FROM Dual 20
Abusing Default Content Examples (OAS) • Oracle Application Server 10g DAV Authentication Bypass CVE-2008-2138 • /dav_portal/portal/ directory is protected using basic authentication. It is possible to bypass and access content of dav_portal by adding a specially crafted cookie value in the http request header. 22
Abusing Default Content Examples (OAS) • Oracle Application Server 10g DAV Authentication Bypass CVE-2008-2138 • Finding vulnerable hosts: 23
Abusing Default Content Examples (OAS) • oracle_dav_bypass.rb 24
Abusing Default Content Examples (OAS) • Oracle Application Server 10g DAV Authentication Bypass CVE-2008-2138 • How many targets? • And…unpatched 25
Abusing Default Content Examples (OAS) • /xsql/adhocsql/sqltoxml.html • Now in all fairness, this one usually doesn't work...db usually isn't set up. But sometimes it is :-) 26
Abusing Default Content Examples (OAS) • Ability to run SQL Commands (database version) 27
Abusing Default Content Examples (OAS) • UDDI Endpoints 33
Abusing Default Content Examples (OAS) • UDDI Endpoints 34
Abusing Default Content Examples (OAS) • UDDI Endpoints – Check Default Passwords 35
Abusing Default Content Examples (OAS) • UDDI Endpoints – Check Default Passwords (Success) 36
Abusing Default Content Examples (OAS) • Info Disclosure -- /webapp/wm/javart.jsp 37
Abusing Default Content Examples (OAS) • Info Disclosure 38
Abusing Default Content Examples (OAS) • Info Disclosure -- /cgi-bin/printenv 39
Oracle iSQLPlus • Web-based interface to the TNS Listener – Available on Oracle Database 9 & 10  oracle_isqlplus_sidbrute  oracle_isqlplus_login 41
Oracle iSQLPlus  oracle_isqlplus_sidbrute.rb  Different POST requests for 9 vs 10  Module fingerprints version and chooses correct POST  Uses SID list already in Metasploit  Using error message returned by Oracle determines valid SID  Wrong SID:  ORA-12154: TNS: could not resolve service name  Right SID (wrong password):  ORA-01017: invalid username/password; logon denied 42
Oracle iSQLPlus  oracle_isqlplus_sidbrute.rb 43
Oracle iSQLPlus  oracle_isqlplus_sidbrute.rb 44
Oracle iSQLPlus  oracle_isqlplus_login.rb  Once we have a valid SID start checking for default user/pass accounts 47
Oracle iSQLPlus  oracle_isqlplus_login.rb  Works on Oracle DB 10 as well 49
Oracle Portal  Web based PL/SQL applications are enabled by the PL/SQL Gateway, which is is the component that translates web requests into database queries.  Products that use the PL/SQL Gateway include, but are not limited to, the Oracle HTTP Server, eBusiness Suite, Portal, HTMLDB, WebDB and Oracle Application Server  Several software implementations, ranging from the early web listener product to the Apache mod_plsql module to the XML Database (XDB) web server. 50
Oracle Portal http://download.oracle.com/docs/cd/B10467_16/tour/portal_intro.htm 51
Oracle Portal • Essentially the PL/SQL Gateway simply acts as a proxy server taking the user's web request and passes it on to the database server where it is executed. 1. The web server accepts a request from a web client and determines if it should be processed by the PL/SQL Gateway. 2. The PL/SQL Gateway processes the request by extracting the requested package name, procedure, and variables. 3. The requested package and procedure are wrapped in a block of anonymous PL/SQL, and sent to the database server. 4. The database server executes the procedure and sends the results back to the Gateway as HTML. 5. The gateway sends the response, via the web server, back to the client. 52
Oracle Portal  URLs for PL/SQL web applications are normally easily recognizable and generally start with the following  http://www.example.com/pls/xyz  http://www.example.com/xyz/owa  http://www.example.com/xyz/portal  In this URL, xyz is the Database Access Descriptor, or DAD. A DAD specifies information about the database server so that the PL/SQL Gateway can connect. It contains information such as the TNS connect string, the user ID and password, authentication methods, etc 53
Oracle Portal http://download.oracle.com/docs/cd/B10467_16/tour/portal_how.htm 54
Oracle Portal • Database Access Descriptors  Similar to SIDs, required to interact with the portal.  Lots of defaults but can be anything alphanumeric  Common Defaults: SIMPLEDAD ORASSO HTMLDB SSODAD PORTAL PORTAL2 PORTAL30 PORTAL30_SSO DAD OWA PROD APP 55
Oracle DAD Scanner • oracle_dad_scanner.rb – Scans for common Oracle DADs 56
Oracle DAD Scanner • oracle_dad_scanner.rb – Scans for common Oracle DADs 57
Oracle DAD Scanner • oracle_dad_scanner.rb – Scans for common Oracle DADs – Set VERBOSE to false to just see found DADs 58
Oracle Portal • Verify mod_plsql gateway is running • Null is valid function and should return a 200 • Something random is not, and should return a 404 – http://www.example.com/pls/dad/null – http://www.example.com/pls/dad/nosuchfunction • If the server responds with a 200 OK response for the first and a 404 Not Found for the second then it indicates that the server is running the PL/SQL Gateway. • http://www.owasp.org/index.php/Testing_for_Oracle 59
Oracle Portal Testing PLSQL Gateway • oracle_plsql_enabled.rb 60
Oracle Portal • It is possible to exploit vulnerabilities in the PL/SQL packages that are installed by default in the database server. How you do this depends on the version of the PL/SQL Gateway. • Examples: – http://www.example.com/pls/dad/OWA_UTIL.CELLSPRINT? P_THEQUERY=SELECT+USERNAME+FROM+ALL_USERS – http://www.example.com/pls/dad/CXTSYS.DRILOAD.VALIDATE_ST MT?SQLSTMT=SELECT+1+FROM+DUAL – http://server.example.com/pls/dad/orasso.home?);execute+imm ediate+:1;--=select+1+from+dual 61
Oracle Portal Exploitation • oracle_modplsql_pwncheck.rb • Test the various PL/SQL gateway exploit methods • Based on notsosecure.com’s oap.pl http://code.google.com/p/oaphacker/ 62
Oracle Portal Exploitation • oracle_modplsql_pwncheck.rb • Test the various PL/SQL gateway exploit methods 63
Oracle Portal Exploitation • oracle_modplsql_pwncheck.rb • Attack Surface? 64
Oracle Portal Exploitation • Run SQL Queries – Database Version 66
Oracle Portal Exploitation • Run SQL Queries – Database SID 67
Oracle Portal Exploitation • Run SQL Queries – Database Users 68
Oracle Portal Exploitation • Run SQL Queries – Check my privileges 69
Oracle Portal Exploitation • But I want shell! Or at least access to tasty data • Next step is to escalate to DBA via privilege escalation, see oracle Defcon 17 talk... • Dependent on backend database version....if its patched, you're out of luck • Most functions run as PORTAL_PUBLIC user who is a limited account • However, some functions run as PORTAL user who is DBA  70
Oracle Portal Exploitation • However, some functions run as PORTAL user who is DBA  • http://server/portal/pls/portal/PORTAL.wwexp_api_engine.action?p_otype=FO LDER&p_octx=FOLDERMAP.1_6&p_datasource_data=document.SEARCH23915_ PAGESEARCH_146202305.ft&p_datasource_data=document.SEARCH23915_PAG ESEARCH_146202305.fi&p_datasource_data=document.SEARCH23915_PAGESE ARCH_146202305.fs&p_datasource_data=nls_sub_domain%3Dtext%2Cnls_nam e%3Dfolderplpopup&p_domain=wwc&p_sub_domain=FOLDERMAP&p_back_ur l=PORTAL.wwexp_render.show_tree%3Fp_otype%3DSITEMAP%26p_domain%3 Dwwc%26p_sub_domain%3DFOLDERMAP%26p_headerimage%3D%2Fimages% 2Fbhfind2.gif%26p_show_banner%3DNO%26p_show_cancel%3DNO%26p_title %3DBrowse%2520Pages%26p_open_item%3D%26p_open_items%3D0.SITEMAP .FOLDERMAP.0_- 1&p_action=show(wwexp_datatype.g_exp_param);execute%20immediate%20' grant dba to public';end;-- 71
Oracle Portal Exploitation • PORTAL.wwexp_api_engine.action Exploit • Before • After 72
Exploitation of Various Web Apps • Oracle secure backup • Oracle times 10? • Oracle 9.2 Enterprise Manager Reporting Sql Injection 75
Enterprise Manager SQL Injection • Oracle Enterprise Manager Reporting SQL Injection CVE- 2006-1885 -- Oracle 9iR2 76
Enterprise Manager SQL Injection • Oracle Enterprise Manager Reporting SQL Injection CVE- 2006-1885 -- Oracle 9iR2 77
Exploithub Exploits Demo 78
Oracle Ninjas / Resources • Alexander Kornbrust http://www.red-database-security.com/ • Sumit Siddharth http://www.notsosecure.com • David Litchfield http://www.davidlitchfield.com/blog/ • Joxean Koret http://joxeankoret.com/ • http://www.argeniss.com/index.html • http://www.0xdeadbeef.info/ • http://www.databasesecurity.com/oracle/hpoas.pdf • http://www.owasp.org/index.php/Testing_for_Oracle 80
Special Thanks To • Alexander Kornbrust • MC • Sid • cktricky • mubix 81

Recomendados

PHP and Mysql
PHP and MysqlPHP and Mysql
PHP and MysqlSankhadeep Roy
 
SQLAlchemy Primer
SQLAlchemy PrimerSQLAlchemy Primer
SQLAlchemy Primer泰 増田
 
Loops in java script
Loops in java scriptLoops in java script
Loops in java scriptRavi Bhadauria
 
Class 3 - PHP Functions
Class 3 - PHP FunctionsClass 3 - PHP Functions
Class 3 - PHP FunctionsAhmed Swilam
 
Printing with APEX: PL/PDF
Printing with APEX: PL/PDFPrinting with APEX: PL/PDF
Printing with APEX: PL/PDFEnkitec
 
An introduction to SQLAlchemy
An introduction to SQLAlchemyAn introduction to SQLAlchemy
An introduction to SQLAlchemymengukagan
 
Installation of java and program execution
Installation of java and program executionInstallation of java and program execution
Installation of java and program executionRakhee Chhibber
 
Sql
SqlSql
SqlPriyank Tewari
 

Recomendados

PHP and Mysql
PHP and MysqlPHP and Mysql
PHP and MysqlSankhadeep Roy
 
SQLAlchemy Primer
SQLAlchemy PrimerSQLAlchemy Primer
SQLAlchemy Primer泰 増田
 
Loops in java script
Loops in java scriptLoops in java script
Loops in java scriptRavi Bhadauria
 
Class 3 - PHP Functions
Class 3 - PHP FunctionsClass 3 - PHP Functions
Class 3 - PHP FunctionsAhmed Swilam
 
Printing with APEX: PL/PDF
Printing with APEX: PL/PDFPrinting with APEX: PL/PDF
Printing with APEX: PL/PDFEnkitec
 
An introduction to SQLAlchemy
An introduction to SQLAlchemyAn introduction to SQLAlchemy
An introduction to SQLAlchemymengukagan
 
Installation of java and program execution
Installation of java and program executionInstallation of java and program execution
Installation of java and program executionRakhee Chhibber
 
Sql
SqlSql
SqlPriyank Tewari
 
Spring Boot
Spring BootSpring Boot
Spring BootJiayun Zhou
 
Osgi
OsgiOsgi
OsgiHeena Madan
 
Asp.Net Core MVC , Razor page , Entity Framework Core
Asp.Net Core MVC , Razor page , Entity Framework CoreAsp.Net Core MVC , Razor page , Entity Framework Core
Asp.Net Core MVC , Razor page , Entity Framework Coremohamed elshafey
 
Php.ppt
Php.pptPhp.ppt
Php.pptNidhi mishra
 
Document Object Model
Document Object ModelDocument Object Model
Document Object ModelMayur Mudgal
 
La sécurité avec SQL Server 2012
La sécurité avec SQL Server 2012La sécurité avec SQL Server 2012
La sécurité avec SQL Server 2012Microsoft Technet France
 
Spring Boot
Spring BootSpring Boot
Spring Bootkoppenolski
 
Spring Boot
Spring BootSpring Boot
Spring BootJaran Flaath
 
Spring boot
Spring bootSpring boot
Spring bootBhagwat Kumar
 
Grails GORM - You Know SQL. You Know Queries. Here's GORM.
Grails GORM - You Know SQL. You Know Queries. Here's GORM.Grails GORM - You Know SQL. You Know Queries. Here's GORM.
Grails GORM - You Know SQL. You Know Queries. Here's GORM.Ted Vinke
 
Javascript
JavascriptJavascript
Javascriptmussawir20
 
Html5 semantics
Html5 semanticsHtml5 semantics
Html5 semanticsWebtech Learning
 
Introduction To Single Page Application
Introduction To Single Page ApplicationIntroduction To Single Page Application
Introduction To Single Page ApplicationKMS Technology
 
JavaScript - Chapter 10 - Strings and Arrays
JavaScript - Chapter 10 - Strings and Arrays JavaScript - Chapter 10 - Strings and Arrays
JavaScript - Chapter 10 - Strings and ArraysWebStackAcademy
 
JAVA SCRIPT
JAVA SCRIPTJAVA SCRIPT
JAVA SCRIPTGo4Guru
 
Spring AOP
Spring AOPSpring AOP
Spring AOPAnushaNaidu
 
Java OCA teoria 5
Java OCA teoria 5Java OCA teoria 5
Java OCA teoria 5Valerio Radice
 
Introduction to Spring Boot!
Introduction to Spring Boot!Introduction to Spring Boot!
Introduction to Spring Boot!Jakub Kubrynski
 
Javascript ES6 generators
Javascript ES6 generatorsJavascript ES6 generators
Javascript ES6 generatorsRamesh Nair
 
Introduction To PHP
Introduction To PHPIntroduction To PHP
Introduction To PHPShweta A
 
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)Source Conference
 
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfSOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfChris Gates
 

Mais conteúdo relacionado

Mais procurados

Asp.Net Core MVC , Razor page , Entity Framework Core
Asp.Net Core MVC , Razor page , Entity Framework CoreAsp.Net Core MVC , Razor page , Entity Framework Core
Asp.Net Core MVC , Razor page , Entity Framework Coremohamed elshafey
 
Document Object Model
Document Object ModelDocument Object Model
Document Object ModelMayur Mudgal
 
Grails GORM - You Know SQL. You Know Queries. Here's GORM.
Grails GORM - You Know SQL. You Know Queries. Here's GORM.Grails GORM - You Know SQL. You Know Queries. Here's GORM.
Grails GORM - You Know SQL. You Know Queries. Here's GORM.Ted Vinke
 
Introduction To Single Page Application
Introduction To Single Page ApplicationIntroduction To Single Page Application
Introduction To Single Page ApplicationKMS Technology
 
JavaScript - Chapter 10 - Strings and Arrays
JavaScript - Chapter 10 - Strings and Arrays JavaScript - Chapter 10 - Strings and Arrays
JavaScript - Chapter 10 - Strings and ArraysWebStackAcademy
 
JAVA SCRIPT
JAVA SCRIPTJAVA SCRIPT
JAVA SCRIPTGo4Guru
 
Introduction to Spring Boot!
Introduction to Spring Boot!Introduction to Spring Boot!
Introduction to Spring Boot!Jakub Kubrynski
 
Javascript ES6 generators
Javascript ES6 generatorsJavascript ES6 generators
Javascript ES6 generatorsRamesh Nair
 
Introduction To PHP
Introduction To PHPIntroduction To PHP
Introduction To PHPShweta A
 

Mais procurados (20)

Spring Boot
Spring BootSpring Boot
Spring Boot
 
Osgi
OsgiOsgi
Osgi
 
Asp.Net Core MVC , Razor page , Entity Framework Core
Asp.Net Core MVC , Razor page , Entity Framework CoreAsp.Net Core MVC , Razor page , Entity Framework Core
Asp.Net Core MVC , Razor page , Entity Framework Core
 
Php.ppt
Php.pptPhp.ppt
Php.ppt
 
Document Object Model
Document Object ModelDocument Object Model
Document Object Model
 
La sécurité avec SQL Server 2012
La sécurité avec SQL Server 2012La sécurité avec SQL Server 2012
La sécurité avec SQL Server 2012
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
Spring boot
Spring bootSpring boot
Spring boot
 
Grails GORM - You Know SQL. You Know Queries. Here's GORM.
Grails GORM - You Know SQL. You Know Queries. Here's GORM.Grails GORM - You Know SQL. You Know Queries. Here's GORM.
Grails GORM - You Know SQL. You Know Queries. Here's GORM.
 
Javascript
JavascriptJavascript
Javascript
 
Html5 semantics
Html5 semanticsHtml5 semantics
Html5 semantics
 
Introduction To Single Page Application
Introduction To Single Page ApplicationIntroduction To Single Page Application
Introduction To Single Page Application
 
JavaScript - Chapter 10 - Strings and Arrays
JavaScript - Chapter 10 - Strings and Arrays JavaScript - Chapter 10 - Strings and Arrays
JavaScript - Chapter 10 - Strings and Arrays
 
JAVA SCRIPT
JAVA SCRIPTJAVA SCRIPT
JAVA SCRIPT
 
Spring AOP
Spring AOPSpring AOP
Spring AOP
 
Java OCA teoria 5
Java OCA teoria 5Java OCA teoria 5
Java OCA teoria 5
 
Introduction to Spring Boot!
Introduction to Spring Boot!Introduction to Spring Boot!
Introduction to Spring Boot!
 
Javascript ES6 generators
Javascript ES6 generatorsJavascript ES6 generators
Javascript ES6 generators
 
Introduction To PHP
Introduction To PHPIntroduction To PHP
Introduction To PHP
 

Semelhante a Hacking oracle using metasploit

Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)Source Conference
 
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfSOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfChris Gates
 
Oracle database 12c_and_DevOps
Oracle database 12c_and_DevOpsOracle database 12c_and_DevOps
Oracle database 12c_and_DevOpsMaria Colgan
 
Rajnish singh(presentation on oracle )
Rajnish singh(presentation on oracle )Rajnish singh(presentation on oracle )
Rajnish singh(presentation on oracle )Rajput Rajnish
 
Whats new in Oracle Database 12c release 12.1.0.2
Whats new in Oracle Database 12c release 12.1.0.2Whats new in Oracle Database 12c release 12.1.0.2
Whats new in Oracle Database 12c release 12.1.0.2Connor McDonald
 
[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...
[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...
[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...Insight Technology, Inc.
 
REST Enabling Your Oracle Database
REST Enabling Your Oracle DatabaseREST Enabling Your Oracle Database
REST Enabling Your Oracle DatabaseJeff Smith
 
Database As A Service: OEM + ODA (OOW 15 Presentation)
Database As A Service: OEM + ODA (OOW 15 Presentation)Database As A Service: OEM + ODA (OOW 15 Presentation)
Database As A Service: OEM + ODA (OOW 15 Presentation)Bobby Curtis
 
OUGLS 2016: Guided Tour On The MySQL Source Code
OUGLS 2016: Guided Tour On The MySQL Source CodeOUGLS 2016: Guided Tour On The MySQL Source Code
OUGLS 2016: Guided Tour On The MySQL Source CodeGeorgi Kodinov
 
MV2ADB - Move to Oracle Autonomous Database in One-click
MV2ADB - Move to Oracle Autonomous Database in One-clickMV2ADB - Move to Oracle Autonomous Database in One-click
MV2ADB - Move to Oracle Autonomous Database in One-clickRuggero Citton
 
Oracle Cloud DBaaS
Oracle Cloud DBaaSOracle Cloud DBaaS
Oracle Cloud DBaaSArush Jain
 
WebLogic authentication debugging
WebLogic authentication debuggingWebLogic authentication debugging
WebLogic authentication debuggingMaarten Smeets
 
Turning Relational Database Tables into Hadoop Datasources by Kuassi Mensah
Turning Relational Database Tables into Hadoop Datasources by Kuassi MensahTurning Relational Database Tables into Hadoop Datasources by Kuassi Mensah
Turning Relational Database Tables into Hadoop Datasources by Kuassi MensahData Con LA
 
MySQL Document Store - A Document Store with all the benefts of a Transactona...
MySQL Document Store - A Document Store with all the benefts of a Transactona...MySQL Document Store - A Document Store with all the benefts of a Transactona...
MySQL Document Store - A Document Store with all the benefts of a Transactona...Olivier DASINI
 

Semelhante a Hacking oracle using metasploit (20)

Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
 
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfSOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
 
Oracle database 12c_and_DevOps
Oracle database 12c_and_DevOpsOracle database 12c_and_DevOps
Oracle database 12c_and_DevOps
 
Rajnish singh(presentation on oracle )
Rajnish singh(presentation on oracle )Rajnish singh(presentation on oracle )
Rajnish singh(presentation on oracle )
 
Whats new in Oracle Database 12c release 12.1.0.2
Whats new in Oracle Database 12c release 12.1.0.2Whats new in Oracle Database 12c release 12.1.0.2
Whats new in Oracle Database 12c release 12.1.0.2
 
Oracle OpenWo2014 review part 03 three_paa_s_database
Oracle OpenWo2014 review part 03 three_paa_s_databaseOracle OpenWo2014 review part 03 three_paa_s_database
Oracle OpenWo2014 review part 03 three_paa_s_database
 
[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...
[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...
[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...
 
REST Enabling Your Oracle Database
REST Enabling Your Oracle DatabaseREST Enabling Your Oracle Database
REST Enabling Your Oracle Database
 
Database As A Service: OEM + ODA (OOW 15 Presentation)
Database As A Service: OEM + ODA (OOW 15 Presentation)Database As A Service: OEM + ODA (OOW 15 Presentation)
Database As A Service: OEM + ODA (OOW 15 Presentation)
 
ow.ppt
ow.pptow.ppt
ow.ppt
 
ow.ppt
ow.pptow.ppt
ow.ppt
 
Ow
OwOw
Ow
 
OUGLS 2016: Guided Tour On The MySQL Source Code
OUGLS 2016: Guided Tour On The MySQL Source CodeOUGLS 2016: Guided Tour On The MySQL Source Code
OUGLS 2016: Guided Tour On The MySQL Source Code
 
PHP Oracle
PHP OraclePHP Oracle
PHP Oracle
 
Plantilla oracle
Plantilla oraclePlantilla oracle
Plantilla oracle
 
MV2ADB - Move to Oracle Autonomous Database in One-click
MV2ADB - Move to Oracle Autonomous Database in One-clickMV2ADB - Move to Oracle Autonomous Database in One-click
MV2ADB - Move to Oracle Autonomous Database in One-click
 
Oracle Cloud DBaaS
Oracle Cloud DBaaSOracle Cloud DBaaS
Oracle Cloud DBaaS
 
WebLogic authentication debugging
WebLogic authentication debuggingWebLogic authentication debugging
WebLogic authentication debugging
 
Turning Relational Database Tables into Hadoop Datasources by Kuassi Mensah
Turning Relational Database Tables into Hadoop Datasources by Kuassi MensahTurning Relational Database Tables into Hadoop Datasources by Kuassi Mensah
Turning Relational Database Tables into Hadoop Datasources by Kuassi Mensah
 
MySQL Document Store - A Document Store with all the benefts of a Transactona...
MySQL Document Store - A Document Store with all the benefts of a Transactona...MySQL Document Store - A Document Store with all the benefts of a Transactona...
MySQL Document Store - A Document Store with all the benefts of a Transactona...
 

Último

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 

Último (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Hacking oracle using metasploit

  • 1. Attacking Oracle Web Applications with Metasploit Chris Gates (carnal0wnage)
  • 2. Whoami • Chris Gates (CG) – Twitter carnal0wnage – Blog carnal0wnage.attackresearch.com – Job Sr. Security Consultant for Rapid7 – Affiliations  Attack Research, Metasploit Project • Work • Previous Talks – wXf Web eXploitation Framework – Open Source Information Gathering – Attacking Oracle (via TNS) – Client-Side Attacks 3
  • 3. Why Are We Here? • Here to talk about attacking oracle web applications (middleware) • What’s out there and how prevalent it is • Why so much of it is unpatched • Demo Metasploit auxiliary modules to find and attack it 4
  • 4. What Is Oracle Middleware? 5
  • 5. What is Oracle Middleware?  Enterprise Resource Planning (ERP)  Oracle E-Business Suite*  Oracle Application Server 9i/10g/11i**  Oracle Reports/Forms  Oracle Portal  Oracle Financials/Supplier/Recruitment  For Oracle lots of different products…  For this talk I’m going to lump them all together as “web applications”  *Technically Oracle considers E-Business Suite an “application” as it rides on top of OAS  **weblogic 6
  • 6. Market Share  Big list of customers  http://www.oracle.com/customers/cust _list_atoz.html 8
  • 7. Reach  By now we should agree there's a lot of Oracle out there...  That's good right?  Except a lot of it is un-patched and vulnerable :-(  Why? 9
  • 8. How Did We Get Here?  Pay for patches  Most products are free downloads but you pay for support and patches 10
  • 9. How Did We Get Here?  Extremely vague advisories  Must pay for extended advisory info (metalink)  Oracle does not release POC code 11
  • 10. How Did We Get Here?  Extremely vague advisories 12
  • 11. How Did We Get Here?  Difficult patch / upgrade processes  Complex applications / If it works don't touch it mentality 13
  • 12. Locating Oracle Servers  Numerous server header strings:  www.owasp.org/index.php/Testing_for_Oracle  Solution:  oracle_version_scanner.rb 14
  • 13. Locating Oracle Servers • oracle_version_scanner.rb 15
  • 14. Finding Default Content  First step is to find useful “stuff”  Google/Bing useful (Google Dorks)  Issue is how to find content internal or when its not indexed  Solution:  oas_cgi_scan.rb 16
  • 15. Abusing Default Content  Most Oracle Middleware applications come with lots of default content  Must be manually removed (no patch to remove content)  Must know exactly where and what files to delete  Tons of information disclosure  Sometimes exploitation potential or credential leakage 18
  • 16. Abusing Default Content Examples (DB) • /demo/sql/jdbc/JDBCQuery.jsp • Ships with Oracle 9.2 Database and installed by default 19
  • 17. Abusing Default Content Examples (DB) • /demo/sql/jdbc/JDBCQuery.jsp • Select sys.database_name • '1'='2' UNION SELECT sys.database_name, -500 FROM Dual 20
  • 18. Abusing Default Content Examples (OAS) • Oracle Application Server 10g DAV Authentication Bypass CVE-2008-2138 • /dav_portal/portal/ directory is protected using basic authentication. It is possible to bypass and access content of dav_portal by adding a specially crafted cookie value in the http request header. 22
  • 19. Abusing Default Content Examples (OAS) • Oracle Application Server 10g DAV Authentication Bypass CVE-2008-2138 • Finding vulnerable hosts: 23
  • 20. Abusing Default Content Examples (OAS) • oracle_dav_bypass.rb 24
  • 21. Abusing Default Content Examples (OAS) • Oracle Application Server 10g DAV Authentication Bypass CVE-2008-2138 • How many targets? • And…unpatched 25
  • 22. Abusing Default Content Examples (OAS) • /xsql/adhocsql/sqltoxml.html • Now in all fairness, this one usually doesn't work...db usually isn't set up. But sometimes it is :-) 26
  • 23. Abusing Default Content Examples (OAS) • Ability to run SQL Commands (database version) 27
  • 24. Abusing Default Content Examples (OAS) • UDDI Endpoints 33
  • 25. Abusing Default Content Examples (OAS) • UDDI Endpoints 34
  • 26. Abusing Default Content Examples (OAS) • UDDI Endpoints – Check Default Passwords 35
  • 27. Abusing Default Content Examples (OAS) • UDDI Endpoints – Check Default Passwords (Success) 36
  • 28. Abusing Default Content Examples (OAS) • Info Disclosure -- /webapp/wm/javart.jsp 37
  • 29. Abusing Default Content Examples (OAS) • Info Disclosure 38
  • 30. Abusing Default Content Examples (OAS) • Info Disclosure -- /cgi-bin/printenv 39
  • 31. Oracle iSQLPlus • Web-based interface to the TNS Listener – Available on Oracle Database 9 & 10  oracle_isqlplus_sidbrute  oracle_isqlplus_login 41
  • 32. Oracle iSQLPlus  oracle_isqlplus_sidbrute.rb  Different POST requests for 9 vs 10  Module fingerprints version and chooses correct POST  Uses SID list already in Metasploit  Using error message returned by Oracle determines valid SID  Wrong SID:  ORA-12154: TNS: could not resolve service name  Right SID (wrong password):  ORA-01017: invalid username/password; logon denied 42
  • 33. Oracle iSQLPlus  oracle_isqlplus_sidbrute.rb 43
  • 34. Oracle iSQLPlus  oracle_isqlplus_sidbrute.rb 44
  • 35. Oracle iSQLPlus  oracle_isqlplus_login.rb  Once we have a valid SID start checking for default user/pass accounts 47
  • 36. Oracle iSQLPlus  oracle_isqlplus_login.rb  Works on Oracle DB 10 as well 49
  • 37. Oracle Portal  Web based PL/SQL applications are enabled by the PL/SQL Gateway, which is is the component that translates web requests into database queries.  Products that use the PL/SQL Gateway include, but are not limited to, the Oracle HTTP Server, eBusiness Suite, Portal, HTMLDB, WebDB and Oracle Application Server  Several software implementations, ranging from the early web listener product to the Apache mod_plsql module to the XML Database (XDB) web server. 50
  • 38. Oracle Portal http://download.oracle.com/docs/cd/B10467_16/tour/portal_intro.htm 51
  • 39. Oracle Portal • Essentially the PL/SQL Gateway simply acts as a proxy server taking the user's web request and passes it on to the database server where it is executed. 1. The web server accepts a request from a web client and determines if it should be processed by the PL/SQL Gateway. 2. The PL/SQL Gateway processes the request by extracting the requested package name, procedure, and variables. 3. The requested package and procedure are wrapped in a block of anonymous PL/SQL, and sent to the database server. 4. The database server executes the procedure and sends the results back to the Gateway as HTML. 5. The gateway sends the response, via the web server, back to the client. 52
  • 40. Oracle Portal  URLs for PL/SQL web applications are normally easily recognizable and generally start with the following  http://www.example.com/pls/xyz  http://www.example.com/xyz/owa  http://www.example.com/xyz/portal  In this URL, xyz is the Database Access Descriptor, or DAD. A DAD specifies information about the database server so that the PL/SQL Gateway can connect. It contains information such as the TNS connect string, the user ID and password, authentication methods, etc 53
  • 41. Oracle Portal http://download.oracle.com/docs/cd/B10467_16/tour/portal_how.htm 54
  • 42. Oracle Portal • Database Access Descriptors  Similar to SIDs, required to interact with the portal.  Lots of defaults but can be anything alphanumeric  Common Defaults: SIMPLEDAD ORASSO HTMLDB SSODAD PORTAL PORTAL2 PORTAL30 PORTAL30_SSO DAD OWA PROD APP 55
  • 43. Oracle DAD Scanner • oracle_dad_scanner.rb – Scans for common Oracle DADs 56
  • 44. Oracle DAD Scanner • oracle_dad_scanner.rb – Scans for common Oracle DADs 57
  • 45. Oracle DAD Scanner • oracle_dad_scanner.rb – Scans for common Oracle DADs – Set VERBOSE to false to just see found DADs 58
  • 46. Oracle Portal • Verify mod_plsql gateway is running • Null is valid function and should return a 200 • Something random is not, and should return a 404 – http://www.example.com/pls/dad/null – http://www.example.com/pls/dad/nosuchfunction • If the server responds with a 200 OK response for the first and a 404 Not Found for the second then it indicates that the server is running the PL/SQL Gateway. • http://www.owasp.org/index.php/Testing_for_Oracle 59
  • 47. Oracle Portal Testing PLSQL Gateway • oracle_plsql_enabled.rb 60
  • 48. Oracle Portal • It is possible to exploit vulnerabilities in the PL/SQL packages that are installed by default in the database server. How you do this depends on the version of the PL/SQL Gateway. • Examples: – http://www.example.com/pls/dad/OWA_UTIL.CELLSPRINT? P_THEQUERY=SELECT+USERNAME+FROM+ALL_USERS – http://www.example.com/pls/dad/CXTSYS.DRILOAD.VALIDATE_ST MT?SQLSTMT=SELECT+1+FROM+DUAL – http://server.example.com/pls/dad/orasso.home?);execute+imm ediate+:1;--=select+1+from+dual 61
  • 49. Oracle Portal Exploitation • oracle_modplsql_pwncheck.rb • Test the various PL/SQL gateway exploit methods • Based on notsosecure.com’s oap.pl http://code.google.com/p/oaphacker/ 62
  • 50. Oracle Portal Exploitation • oracle_modplsql_pwncheck.rb • Test the various PL/SQL gateway exploit methods 63
  • 51. Oracle Portal Exploitation • oracle_modplsql_pwncheck.rb • Attack Surface? 64
  • 52. Oracle Portal Exploitation • Run SQL Queries – Database Version 66
  • 53. Oracle Portal Exploitation • Run SQL Queries – Database SID 67
  • 54. Oracle Portal Exploitation • Run SQL Queries – Database Users 68
  • 55. Oracle Portal Exploitation • Run SQL Queries – Check my privileges 69
  • 56. Oracle Portal Exploitation • But I want shell! Or at least access to tasty data • Next step is to escalate to DBA via privilege escalation, see oracle Defcon 17 talk... • Dependent on backend database version....if its patched, you're out of luck • Most functions run as PORTAL_PUBLIC user who is a limited account • However, some functions run as PORTAL user who is DBA  70
  • 57. Oracle Portal Exploitation • However, some functions run as PORTAL user who is DBA  • http://server/portal/pls/portal/PORTAL.wwexp_api_engine.action?p_otype=FO LDER&p_octx=FOLDERMAP.1_6&p_datasource_data=document.SEARCH23915_ PAGESEARCH_146202305.ft&p_datasource_data=document.SEARCH23915_PAG ESEARCH_146202305.fi&p_datasource_data=document.SEARCH23915_PAGESE ARCH_146202305.fs&p_datasource_data=nls_sub_domain%3Dtext%2Cnls_nam e%3Dfolderplpopup&p_domain=wwc&p_sub_domain=FOLDERMAP&p_back_ur l=PORTAL.wwexp_render.show_tree%3Fp_otype%3DSITEMAP%26p_domain%3 Dwwc%26p_sub_domain%3DFOLDERMAP%26p_headerimage%3D%2Fimages% 2Fbhfind2.gif%26p_show_banner%3DNO%26p_show_cancel%3DNO%26p_title %3DBrowse%2520Pages%26p_open_item%3D%26p_open_items%3D0.SITEMAP .FOLDERMAP.0_- 1&p_action=show(wwexp_datatype.g_exp_param);execute%20immediate%20' grant dba to public';end;-- 71
  • 58. Oracle Portal Exploitation • PORTAL.wwexp_api_engine.action Exploit • Before • After 72
  • 59. Exploitation of Various Web Apps • Oracle secure backup • Oracle times 10? • Oracle 9.2 Enterprise Manager Reporting Sql Injection 75
  • 60. Enterprise Manager SQL Injection • Oracle Enterprise Manager Reporting SQL Injection CVE- 2006-1885 -- Oracle 9iR2 76
  • 61. Enterprise Manager SQL Injection • Oracle Enterprise Manager Reporting SQL Injection CVE- 2006-1885 -- Oracle 9iR2 77
  • 63. Oracle Ninjas / Resources • Alexander Kornbrust http://www.red-database-security.com/ • Sumit Siddharth http://www.notsosecure.com • David Litchfield http://www.davidlitchfield.com/blog/ • Joxean Koret http://joxeankoret.com/ • http://www.argeniss.com/index.html • http://www.0xdeadbeef.info/ • http://www.databasesecurity.com/oracle/hpoas.pdf • http://www.owasp.org/index.php/Testing_for_Oracle 80
  • 64. Special Thanks To • Alexander Kornbrust • MC • Sid • cktricky • mubix 81