Thread: [sqlmap-users] Oracle Results
From: Chris O. <chr...@gm...> - 2011-05-25 10:16:36

Hi All

Not a sqlmap question as such, but maybe someone can help. I've found an sqli flaw in a test that has resulted in the following:

---
banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi'
current user is DBA:    'False'
current user:    'IFSSYS'

available databases [4]:
[*] CTXSYS
[*] IFSSYS
[*] SYS
[*] SYSTEM
---

These all seem to be system databases. I don't know enough about Oracle to know if 1) they are all sys dbs 2) if there's anywhere I can go from here. The content of these databases seems to be all related to privs and such within Oracle. What I'm looking for is the web app data. Does anyone more familiar with Oracle know why it would only be systems databases accessible through the sqli flaw?

We can try other tactics later but I was just wondering if this is normal from a data extraction point of view with Oracle. I've dumped a fair amount of the data and there's none systems related so far...

Cheers

Chris

From: Miroslav S. <mir...@gm...> - 2011-05-25 10:23:22

hi Chris.

Oracle has a rather different "concept" for databases (from dumping point of view).

data is stored into "schemas" which are the same thing as "users", and each user has its tables under the same named schema.

that means that your best bet would be to use the:

--tables -D IFSSYS    <--- current user name

and then dump tables from there on

also, be sure that you are using the latest revision from our repository

kr

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B

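Added example (not part of the original thread and not sqlmap's own code): the schema-equals-user model described in the message above, written as Oracle data dictionary queries that a DBA can run while logged in as the application account (IFSSYS in this thread) to see which schemas and tables a SQL injection in that application could read. It uses only standard dictionary views; the column aliases are illustrative, and the output depends on the grants in the database being audited.

```sql
-- Run as the account the web application connects with (IFSSYS in the thread).
-- Whatever these queries return is readable through a SQL injection in that
-- application, so this is the exposure to reduce with least-privilege grants.

-- 1. Session identity. In Oracle the "database" a dump tool lists is a
--    schema, and a schema is the set of objects owned by one user.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS sess_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS cur_schema
FROM   dual;

-- 2. Schemas (owners) with at least one table visible to this account.
--    ALL_TABLES lists only tables the session may access, so the owner list
--    reflects the account's privileges, not every schema in the instance.
SELECT owner, COUNT(*) AS visible_tables
FROM   all_tables
GROUP  BY owner
ORDER  BY owner;

-- 3. Tables owned by the account itself.
SELECT table_name, num_rows, last_analyzed
FROM   user_tables
ORDER  BY table_name;

-- 4. Object grants that let this account reach into other schemas, whether
--    granted directly, through an enabled role, or to PUBLIC.
SELECT table_schema, table_name, privilege, grantee
FROM   all_tab_privs
WHERE  (grantee IN (USER, 'PUBLIC')
        OR grantee IN (SELECT role FROM session_roles))
AND    table_schema <> USER
ORDER  BY table_schema, table_name, privilege;

-- 5. System privileges and roles active in the session. Entries such as
--    SELECT ANY TABLE or the DBA role widen the result of query 2 to
--    schemas the account does not own.
SELECT privilege FROM session_privs ORDER BY privilege;
SELECT role      FROM session_roles ORDER BY role;
```
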
From: Miroslav S. <mir...@gm...> - 2011-05-25 10:25:59

p.s. in future for questions like this "if 1) they are all sys dbs" there is a switch called:

--exclude-sysdbs

which will filter out all system database names from --dbs output

kr

From: <ja...@ev...> - 2011-05-25 10:29:28

Chris,

Before bothering with Sqlmap for the injection it might be worth it to check if you can actually access the Oracle instance remotely. You can do this by connecting to the database on port 1521, this is 'tnslistener'.

If you can connect to 1521/tcp there are a lot easier ways to manipulate/own the database without sqlmap. Probably quite faster. Also, having access to TNS increases your chances by 50% of owning the underlying OS.

James

From: Chris O. <chr...@gm...> - 2011-05-25 10:39:30

Thanks for the assistance guys. I'll inspect the contents of that schema specifically in that case. I should have mentioned that I used --exclude-sysdbs with the --dbs flag, I think I just had doubts about the results even so! Unfortunately there are no ports other than 80 and 443 open so access to this is strictly through the web application we're testing. I definitely need to learn more about Oracle.

Chris

From: <ja...@ev...> - 2011-05-25 11:10:57

Chris,

If you like to learn about severely owning Oracle a nice place to start might be my blog =). http://security.is.doomed.org/wordpress/

Also you can head over to a friend of mine's site, http://pentestmonkey.net/cheat-sheets/ for all types of good SQL injection cheat info. =)

There is a nice article on exploiting a few methods of oracle. One is implanting a ssh key in a log file you control (you can change it to authorized_keys). The other method walks you through actually bruteforcing the database SID, cracking a login, then elevating to DB and running some Java programs to spawn a reverse connecting shell back to you.

Honestly, if you ever respected Oracle .. you won't after learning how to own the product.

There's also some stuff on there about owning NFS, JBoss/Tomcat and a buncha other junk. Also some codes I wrote

James

From: Chris O. <chr...@gm...> - 2011-05-25 11:13:48

Thanks James

I'll take a look and also pass this on to the rest of the team.

Cheers

Chris