4 years ago · 7a176dd384
--- a/Readme.md
+++ b/Readme.md
@@ -0,0 +1,159 @@
 
				+# Oracle Cheatsheet for penetration testers
			
 
				+## Index
			
 
				+
			
 
				+## Why
			
 
				+There are plenty of cheatsheets and documentation for oracle SQL Injections. There have also been countless presentations and research on the subject, however the material is very sparse, mostly out of date and totally non exhaustive.
			
 
				+As a penetration tester I have to deal daily with Oracle DBMS, both via SQL Injections, direct connecctions or access to the hosting machine.
			
 
				+
			
 
				+## Basic Information
			
 
				+Most of the times Oracle RDMS run on linux, specifically RedHat or Oracle Linux. The most version I found in the wild were 9 which is extremely old, 10, 11 as most common and 12 in the best cases.
			
 
				+Oracle has an official client called `sqlplus`. Sometimes it is extremely useful to have `sqlplus` and the import and export utilities ready in standalone packages. Please see the #Downloads sections for that.
			
 
				+Oracle instances are defined in a file called `tnsmaes.ora` where an instance name is associated to a connection string.
			
 
				+
			
 
				+Example tnsnames.ora:
			
 
				+
			
 
				+```
			
 
				+PROD_DB = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP) (HOST = 10.50.50.10) (PORT = 1521)) (CONNECT_DATA = (SID = PROD)))
			
 
				+PREPROD_DB = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP) (HOST = 10.50.50.10) (PORT = 1522)) (CONNECT_DATA = (SID = PREPROD)))
			
 
				+DEV_DB = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP) (HOST = 10.20.20.10) (PORT = 1521)) (CONNECT_DATA = (SID = DEVEL)))
			
 
				+
			
 
				+```
			
 
				+This file support failover, load balancing and many more options, for further information refer to https://docs.oracle.com/cd/B28359_01/network.111/b28317/tnsnames.htm#NETRF007
			
 
				+Information specified in this file are extremely useful in order to know the database in use and their specifics. All information in the connect string is required to connect to an Oracle instance.
			
 
				+
			
 
				+## Sqlplus
			
 
				+Sqlplus examples:
			
 
				+
			
 
				+```
			
 
				+# Automatic login
			
 
				+sqlplus my_user/my_password@PROD_DB
			
 
				+
			
 
				+# Prompt for password
			
 
				+sqlplus myuser@PROD_DB
			
 
				+
			
 
				+# Connect to instance not present in tnsnames.ora
			
 
				+sqlplus my_user@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=192.168.1.10)(Port=1521))(CONNECT_DATA=(SID=REMOTE_SID)))
			
 
				+
			
 
				+# In case there are problems with the shell double quotes can be used
			
 
				+sqlplus my_user@"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=192.168.1.10)(Port=1521))(CONNECT_DATA=(SID=REMOTE_SID)))"
			
 
				+
			
 
				+# For a local instance if logged in with the oracle user
			
 
				+sqlplus "/ as sysdba"
			
 
				+sqlplus "sys as sysdba"
			
 
				+```
			
 
				+
			
 
				+## Import/Export
			
 
				+Oracle uses a proprietary format both for storing the actual data on the disk and for export/import process. While it is technically possible to dump a table trough sqlplus it is often very CPU consuming and not very efficient for large tables. In this case Oracle provides two different set of utilities:
			
 
				+ * imp/exp
			
 
				+ * impdp/expdp
			
 
				+
			
 
				+Both require special privileges: this means that even if you have select privileges on a table that doesn't mean you have the privilege to bulk export it. Please refer to https://docs.oracle.com/database/121/SUTIL/GUID-8B6975D3-3BEC-4584-B416-280125EEC57E.htm
			
 
				+
			
 
				+Now the old import export format has been reverse engineered and a python script for decosing the data is provided in the downloads section. You can also find the stabdalone utilities with the required dependencies packed.
			
 
				+
			
 
				+## Password hashes
			
 
				+Oracle password hashes are both stored inside the database and selectable from a privileged users and stored on disk.
			
 
				+```
			
 
				+$ORACLE_HOME/dbs/orapw<sid> # Unix,
			
 
				+%ORACLE_HOME%\database\PWD<sid>.ora # Windows
			
 
				+```
			
 
				+```
			
 
				+> SELECT * FROM SYS.USER
			
 
				+```
			
 
				+
			
 
				+Fopr more info http://marcel.vandewaters.nl/oracle/security/password-hashes
			
 
				+
			
 
				+## Recon
			
 
				+To begin with Oracle has plenty of system tables and views to keep track of its properties. Some of them have either `all`, `dba` or `user` prefix. What does it mean?
			
 
				+
			
 
				+From https://sqljana.wordpress.com/2016/12/21/oracle-data-dictionary-views-user-vs-all-vs-dba-views-100-level-basics/
			
 
				+
			
 
				+> USER* Views
			
 
				+> USER_*: Views that start with USER_ list only the objects owned by the currently logged in user
			
 
				+
			
 
				+> ALL* Views
			
 
				+> ALL_*: Views that start with ALL_ list only the objects the currently logged in user has permissions to access
			
 
				+
			
 
				+> DBA* Views
			
 
				+> DBA_*: Views that start with DBA_ list all objects unless restricted by the WHERE clause
			
 
				+
			
 
				+Most of the time the most useful will be the ones with the `all_` prefix, exceot if we already are dba.
			
 
				+
			
 
				+
			
 
				+Oracle default databases to exclude to get cleaner results for custom tables/columns/procedures (from https://github.com/sqlmapproject/sqlmap/blob/master/lib/core/settings.py):
			
 
				+```
			
 
				+('ANONYMOUS', 'APEX_030200', 'APEX_PUBLIC_USER', 'APPQOSSYS', 'BI', 'CTXSYS', 'DBSNMP', 'DIP', 'EXFSYS', 'FLOWS_%', 'FLOWS_FILES', 'HR', 'IX', 'LBACSYS', 'MDDATA', 'MDSYS', 'MGMT_VIEW', 'OC', 'OE', 'OLAPSYS', 'ORACLE_OCM', 'ORDDATA', 'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'OWBSYS', 'PM', 'SCOTT', 'SH', 'SI_INFORMTN_SCHEMA', 'SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR', 'SYS', 'SYSMAN', 'SYSTEM', 'WKPROXY', 'WKSYS', 'WK_TEST', 'WMSYS', 'XDB', 'XS$NULL')
			
 
				+```
			
 
				+
			
 
				+Check Oracle version:
			
 
				+```
			
 
				+SELECT * FROM V$VERSION;
			
 
				+SELECT * FROM V$INSTANCE;
			
 
				+SELECT * FROM PRODUCT_COMPONENT_VERSION;
			
 
				+```
			
 
				+Get the current user:
			
 
				+```
			
 
				+SELECT USER FROM DUAL;
			
 
				+```
			
 
				+Get the instance name:
			
 
				+```
			
 
				+SELECT SYS_CONTEXT('USERENV','INSTANCE_NAME') FROM DUAL;
			
 
				+SELECT SYS_CONTEXT('USERENV', 'SID') FROM DUAL;
			
 
				+```
			
 
				+Check if user is DBA:
			
 
				+```
			
 
				+
			
 
				+```
			
 
				+Check if Java is available:
			
 
				+```
			
 
				+SELECT dbms_java.get_ojvm_property(PROPSTRING=>'java.version') FROM DUAL;
			
 
				+```
			
 
				+
			
 
				+List all users
			
 
				+```
			
 
				+SELECT USER FROM SYS.USER$
			
 
				+SELECT USER, PASSWORD FROM SYS.USER$;
			
 
				+SELECT USERNAME from DBA_USERS;
			
 
				+```
			
 
				+
			
 
				+List all databases
			
 
				+```
			
 
				+SELECT TABLESPACE_NAME FROM USER_TABLESPACES;
			
 
				+SELECT USERNAME, DEFAULT_TABLESPACE from DBA_USERS;
			
 
				+```
			
 
				+
			
 
				+List all tables
			
 
				+```
			
 
				+SELECT OWNER, TABLE_NAME FROM ALL_TABLES;
			
 
				+```
			
 
				+
			
 
				+List all columns
			
 
				+```
			
 
				+SELECT OWNER, TABLE_NAME, COLUMNS NAME FROM ALL_TAB_COLUMNS;
			
 
				+```
			
 
				+
			
 
				+Linked instances
			
 
				+```
			
 
				+SELECT * FROM SYS.LINK$;
			
 
				+```
			
 
				+
			
 
				+Past queries:
			
 
				+```
			
 
				+SELECT SQL_TEXT FROM V$SQL;
			
 
				+SELECT * FROM WRH$_SQLTEXT;
			
 
				+```
			
 
				+
			
 
				+## Common error based vectors
			
 
				+
			
 
				+## Common out of bound channels
			
 
				+
			
 
				+## Linked instances
			
 
				+
			
 
				+## Procedures, packages and functions
			
 
				+
			
 
				+## Stacked queries e privilege escalation
			
 
				+
			
 
				+## Command execution from sqlplus
			
 
				+
			
 
				+## Command execution from SQL Injection
			
 
				+
			
--- a/stuff/sqlplus-11.2.0-2-x64.tgz
+++ b/stuff/sqlplus-11.2.0-2-x64.tgz