Attacking Oracle Web Applicationswith Metasploit (and wXf)Chris Gatescarnal0wnage
Whoami    • Chris Gates (CG)       –   Twitter carnal0wnage       –   Blog carnal0wnage.attackresearch.com       –   Job...
Why Are We Here?    • Here to talk about attacking oracle web      applications (middleware)    • What’s out there and how...
Oracle is a Mythical Creature5
Oracle Is Complicated6
Oracle Is Complicated7
You Pay For Patches & Updates      Most products are free downloads but you       pay for support and patches    • Back t...
Extremely Vague Advisories       Must pay for extended advisory info        (metalink)9
Extremely Vague Advisories10
Extremely Vague Advisories11
Is This Helpful??!!     • http://www.example.com/pls/foo/wwv_render_report.show?P_QUE       RY=1&P_ROW_FUNCTION=[SQL_INJEC...
Extremely Vague Advisories13
Oracle does not release POC code        Oracle does not release POC code        Oracle does not support researchers rele...
Difficult patch / upgrade processes        Complex applications breeds a “If it works dont         touch it” mentality15
Database Security Companies Don’t Share Info        Sorry, I have no *proof* of this, but go look at         their latest...
Mythical Creature?  Marketing17
Mythical Creature?  Reality?18
Defenses     • I’m totally open to suggestions on       these 19
Testing For Oracle     • Ever run into this?20
Testing For Oracle     • Or this?21
Testing For Oracle     • Or this?22
There’s a lot of Oracle out there http://www.red-database-security.com/wp/google_oracle_hacking_us.pdf23
What Is Oracle Middleware?24
What is Oracle Middleware?        Enterprise Resource Planning (ERP)           Oracle E-Business Suite*           Oracl...
Market Share        Big list of customers        http://www.oracle.com/customers/cust_list_atoz.html28
Reach        By now we should agree theres a lot of Oracle         out there...        Thats good right?        Except ...
Or is all of this just FUD?30
Locating Oracle Servers        Numerous server header strings:          www.owasp.org/index.php/Testing_for_            ...
Locating Oracle Servers     •   oracle_version_scanner.rb32
Finding Default Content        First step is to find useful “stuff”        Google/Bing useful (Google Dorks)        Iss...
Finding Default Content     • oracle_oas_scan looks for interesting pages related to       oracle application servers & tr...
Did You Know?        Most Oracle Middleware applications         come with lots of default content          Must be manu...
Abusing Default Content Examples (DB)     • /demo/sql/jdbc/JDBCQuery.jsp     • Ships with Oracle 9.2 Database and installe...
Abusing Default Content Examples (DB)     • /demo/sql/jdbc/JDBCQuery.jsp     • Select sys.database_name     • 1=2 UNION SE...
Abusing Default Content Examples (DB)     • /demo/sql/jdbc/JDBCQuery.jsp     • Select sys.database_name     • 1=2 UNION SE...
Abusing Default Content Examples (OAS)     • Oracle Application Server 10g DAV Authentication Bypass       CVE-2008-2138  ...
Abusing Default Content Examples (OAS)     • Oracle Application Server 10g DAV       Authentication Bypass CVE-2008-2138  ...
Abusing Default Content Examples (OAS)     • oracle_dav_bypass.rb41
Abusing Default Content Examples (OAS)     • Oracle Application Server 10g DAV       Authentication Bypass CVE-2008-2138  ...
OOPS!43
Abusing Default Content Examples (OAS)     • /xsql/adhocsql/sqltoxml.html     • Now in all fairness, this one usually does...
Abusing Default Content Examples (OAS)     • Ability to run SQL Commands (database version)45
Abusing Default Content Examples (OAS)     • Ability to run SQL Commands (database SID)46
Abusing Default Content Examples (OAS)     • Ability to run SQL Commands (database user & privs)47
Abusing Default Content Examples (OAS)     • Use that information with other default content48
Abusing Default Content Examples (OAS)     • Use that information with other default content49
Abusing Default Content Examples (OAS)     • Use that information with other default content50
Abusing Default Content Examples (OAS)     • UDDI Endpoints51
Abusing Default Content Examples (OAS)     • UDDI Endpoints52
Abusing Default Content Examples (OAS)     • UDDI Endpoints – Check Default Passwords53
Abusing Default Content Examples (OAS)     • UDDI Endpoints – Check Default Passwords (Success)54
Abusing Default Content Examples (OAS)     • Info Disclosure -- /webapp/wm/javart.jsp55
Abusing Default Content Examples (OAS)     • Info Disclosure56
Abusing Default Content Examples (OAS)     • Info Disclosure -- /cgi-bin/printenv57
Abusing Default Content Examples (Ebiz)     • Oracle E-Business Content Scanner58
Abusing Default Content Examples (Ebiz)     • Oracle E-Business Content Scanner59
Abusing Default Content Examples (Ebiz)60
Abusing Default Content Examples (Ebiz)     • WEB PING     R11 http://site.com/pls/DAD/fnd_web.ping     R12 http://site.co...
Fun E-Business Vulns     • http://www.hacktics.com/content/advisories/AdvORA200       91214.html62
Fun E-Business Vulns     • http://www.slideshare.net/rootedcon/joxean-koret-       hackproofing-oracle-financials-11i-r12-...
Defenses     • Use my scanners (or for-pay oracle       scanners) and remove default content     • Mod_rewrite rules may h...
Oracle iSQLPlus     • Web-based interface to the TNS Listener         – Available on Oracle Database 9 & 10        isqlpl...
Oracle iSQLPlus        isqlplus_sidbrute.rb        Different POST requests for 9 vs 10        Module fingerprints versi...
Oracle iSQLPlus        isqlplus_sidbrute.rb67
Oracle iSQLPlus        Isqlplus_sidbrute.rb68
Oracle iSQLPlus        isqlplus_sidbrute.rb        Added bonus, by default iSQLPlus authenticates to the first SID in   ...
Oracle iSQLPlus        isqlplus_sidbrute.rb        Added bonus, by default isqlplus (9 & 10) authenticates to the       ...
Oracle iSQLPlus        isqlplus_login.rb        Once we have a valid SID start checking for default user/pass         ac...
Oracle iSQLPlus        isqlplus_login.rb        Look ma no SID!72
Oracle iSQLPlus        isqlplus_login.rb        Works on Oracle DB 10 as well73
Defenses     • If you aren’t using...Remove it     • Why someone put full database access inside a web app       with just...
Oracle Portal        Web based PL/SQL applications are enabled by the PL/SQL         Gateway, which is the component that...
Oracle Portal     http://download.oracle.com/docs/cd/B10467_16/tour/portal_intro.htm76
Oracle Portal     •   Essentially the PL/SQL Gateway simply acts as a proxy         server taking the users web request an...
Oracle Portal        URLs for PL/SQL web applications are normally easily         recognizable and generally start with t...
Oracle Portal     http://download.oracle.com/docs/cd/B10467_16/tour/portal_how.htm79
Oracle Portal     •   Database Access Descriptors          Similar to SIDs, required to interact with the           porta...
Oracle Portal     • oas_cgi_scan will find common Portal instances81
Oracle Portal     • oas_cgi_scan will find common Portal instances82
Oracle Portal     • oas_cgi_scan will find common Portal instances83
Oracle DAD Scanner     • oracle_dad_scanner.rb        – Scans for common Oracle DADs84
Oracle DAD Scanner     • oracle_dad_scanner.rb        – Scans for common Oracle DADs85
Oracle DAD Scanner     • oracle_dad_scanner.rb        – Scans for common Oracle DADs        – Set VERBOSE to false to just...
Oracle DAD Scanner     • [DAD]/admin_/dadentries.htm87
Oracle Portal     • Verify mod_plsql gateway is running            • Null is valid function and should return a 200       ...
Oracle Portal Testing PLSQL Gateway     • oracle_plsql_enabled.rb89
Oracle Portal     • It is possible to exploit vulnerabilities in the PL/SQL       packages that are installed by default i...
Oracle Portal Exploitation     • oracle_modplsql_pwncheck.rb     • Test the various PL/SQL gateway exploit methods     • B...
Oracle Portal Exploitation     • oracle_modplsql_pwncheck.rb     • Test the various PL/SQL gateway exploit methods93
Oracle Portal Exploitation     • Also in wXf!94
Oracle Portal Exploitation     • oracle_modplsql_pwncheck.rb     • Attack Surface?95
Oracle Portal Exploitation     • Run SQL Queries – Database Version97
Oracle Portal Exploitation     • Run SQL Queries – Database SID98
Oracle Portal Exploitation     • Run SQL Queries – Database Users99
Oracle Portal Exploitation      • Run SQL Queries – Check my privileges100
Defenses      • Stop here…      • The rest is just for fun.101
Oracle Portal Exploitation      • But I want shell! Or at least access to tasty data      • Next step is to escalate to DB...
Oracle Portal Exploitation      • SQL Injection in function owned by PORTAL      • http://server/portal/pls/portal/PORTAL....
Oracle Portal Exploitation      • PORTAL.wwexp_api_engine.action Exploit      • Before      • After104
Oracle Portal Exploitation      • oracle_modplsql_escalate.rb      • Attempts various privilege escalation exploits105
Oracle Portal Exploitation      • oracle_modplsql_escalate.rb      • Attempts various privilege escalation exploits106
Oracle Portal Exploitation      • oracle_portal_runcmd.rb      • Verify URL and DBA status107
Oracle Portal Exploitation      • oracle_portal_runcmd.rb      • Set up java libraries and runcmd function108
Oracle Portal Exploitation      • oracle_portal_runcmd.rb109
Oracle Portal Exploitation      • oracle_portal_runcmd.rb110
Exploitation of Various Web Apps      • Oracle Secure Backup      • Oracle Times 10      • Oracle 9.2 Enterprise Manager R...
Exploitation of Various Web Apps      • Oracle Secure Backup112
Enterprise Manager SQL Injection      • Oracle Enterprise Manager Reporting SQL Injection CVE-        2006-1885 -- Oracle ...
Enterprise Manager SQL Injection      • Oracle Enterprise Manager Reporting SQL Injection CVE-        2006-1885 -- Oracle ...
Exploithub Exploits Demo115
Where To Get The Code      • iSQL*Plus modules are in the trunk now      • MSF Modules         – https://github.com/carnal...
Oracle Ninjas / Resources      •   Alexander Kornbrust http://www.red-database-security.com/      •   Sumit Siddharth http...
Questions?             Chris Gates             @carnal0wnage             cg [] metasploit [] com118
Special Thanks To      •   Alexander Kornbrust      •   MC      •   Sid      •   cktricky      •   Mubix      •   todb119
Upcoming SlideShare
Loading in...5
×

SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf

4,261
-1

Published on

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
4,261
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
0
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf

  1. 1. Attacking Oracle Web Applicationswith Metasploit (and wXf)Chris Gatescarnal0wnage
  2. 2. Whoami • Chris Gates (CG) – Twitter carnal0wnage – Blog carnal0wnage.attackresearch.com – Job Sr. Security Consultant for Rapid7 – Affiliations  Attack Research, Metasploit Project • Work • Previous Talks – wXf Web eXploitation Framework – Open Source Information Gathering – Attacking Oracle (via TNS) – Client-Side Attacks3
  3. 3. Why Are We Here? • Here to talk about attacking oracle web applications (middleware) • What’s out there and how prevalent it is • Why so much of it is unpatched • Demo Metasploit (and wXf) auxiliary modules to find and attack it • Not talking about XSS – but there’s plenty!4
  4. 4. Oracle is a Mythical Creature5
  5. 5. Oracle Is Complicated6
  6. 6. Oracle Is Complicated7
  7. 7. You Pay For Patches & Updates  Most products are free downloads but you pay for support and patches • Back to complicated. Have you ever tried to find anything on the Metalink site?8
  8. 8. Extremely Vague Advisories  Must pay for extended advisory info (metalink)9
  9. 9. Extremely Vague Advisories10
  10. 10. Extremely Vague Advisories11
  11. 11. Is This Helpful??!! • http://www.example.com/pls/foo/wwv_render_report.show?P_QUE RY=1&P_ROW_FUNCTION=[SQL_INJECTION_HERE]12
  12. 12. Extremely Vague Advisories13
  13. 13. Oracle does not release POC code  Oracle does not release POC code  Oracle does not support researchers releasing code “As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the pre- installation notes, the readme files, and FAQs. Oracle provides all customers with the same information in order to protect all customers equally. Oracle will not provide advance notification or "insider information" on CPU or Security Alerts to individual customers. Finally, Oracle does not develop or distribute active exploit code (or "proof of concept code") for vulnerabilities in our products.”  http://www.oracle.com/technetwork/topics/security/alerts-086861.html14
  14. 14. Difficult patch / upgrade processes  Complex applications breeds a “If it works dont touch it” mentality15
  15. 15. Database Security Companies Don’t Share Info  Sorry, I have no *proof* of this, but go look at their latest advisories and CPU analysis • http://www.cvedetails.com/vendor/93/Oracle.html To see what the rest of us get left to work with16
  16. 16. Mythical Creature?  Marketing17
  17. 17. Mythical Creature?  Reality?18
  18. 18. Defenses • I’m totally open to suggestions on these 19
  19. 19. Testing For Oracle • Ever run into this?20
  20. 20. Testing For Oracle • Or this?21
  21. 21. Testing For Oracle • Or this?22
  22. 22. There’s a lot of Oracle out there http://www.red-database-security.com/wp/google_oracle_hacking_us.pdf23
  23. 23. What Is Oracle Middleware?24
  24. 24. What is Oracle Middleware?  Enterprise Resource Planning (ERP)  Oracle E-Business Suite*  Oracle Application Server 9i/10g/11i**  Oracle Reports/Forms  Oracle Portal  Oracle Financials/Supplier/Recruitment  For Oracle lots of different products…  For this talk I’m going to lump them all together as “web applications”  *Technically Oracle considers E-Business Suite an “application” as it rides on top of OAS  **weblogic25
  25. 25. Market Share  Big list of customers  http://www.oracle.com/customers/cust_list_atoz.html28
  26. 26. Reach  By now we should agree theres a lot of Oracle out there...  Thats good right?  Except a lot of it is un-patched and vulnerable   And all ERP and sensitive sites are internal right?  Should we be worried about all the exposed Oracle?29
  27. 27. Or is all of this just FUD?30
  28. 28. Locating Oracle Servers  Numerous server header strings:  www.owasp.org/index.php/Testing_for_ Oracle  Solution:  oracle_version_scanner.rb  http_version does this too (just tells you all headers, not just Oracle)31
  29. 29. Locating Oracle Servers • oracle_version_scanner.rb32
  30. 30. Finding Default Content  First step is to find useful “stuff”  Google/Bing useful (Google Dorks)  Issue is how to find content internal or when its not indexed  Solution:  oracle_oas_scan.rb33
  31. 31. Finding Default Content • oracle_oas_scan looks for interesting pages related to oracle application servers & tries to tell you why its important.34
  32. 32. Did You Know?  Most Oracle Middleware applications come with lots of default content  Must be manually removed (no patch to remove content)  Must know exactly where and what files to delete  Tons of information disclosure  Sometimes exploitation potential or credential leakage35
  33. 33. Abusing Default Content Examples (DB) • /demo/sql/jdbc/JDBCQuery.jsp • Ships with Oracle 9.2 Database and installed by default36
  34. 34. Abusing Default Content Examples (DB) • /demo/sql/jdbc/JDBCQuery.jsp • Select sys.database_name • 1=2 UNION SELECT sys.database_name, -500 FROM Dual37
  35. 35. Abusing Default Content Examples (DB) • /demo/sql/jdbc/JDBCQuery.jsp • Select sys.database_name • 1=2 UNION SELECT sys.login_user, -500 FROM Dual38
  36. 36. Abusing Default Content Examples (OAS) • Oracle Application Server 10g DAV Authentication Bypass CVE-2008-2138 • /dav_portal/portal/ directory is protected using basic authentication. It is possible to bypass and access content of dav_portal by adding a specially crafted cookie value in the http request header.39
  37. 37. Abusing Default Content Examples (OAS) • Oracle Application Server 10g DAV Authentication Bypass CVE-2008-2138 • Finding vulnerable hosts:40
  38. 38. Abusing Default Content Examples (OAS) • oracle_dav_bypass.rb41
  39. 39. Abusing Default Content Examples (OAS) • Oracle Application Server 10g DAV Authentication Bypass CVE-2008-2138 • How many targets? • And…unpatched42
  40. 40. OOPS!43
  41. 41. Abusing Default Content Examples (OAS) • /xsql/adhocsql/sqltoxml.html • Now in all fairness, this one usually doesnt work...db usually isnt set up. But sometimes it is :-)44
  42. 42. Abusing Default Content Examples (OAS) • Ability to run SQL Commands (database version)45
  43. 43. Abusing Default Content Examples (OAS) • Ability to run SQL Commands (database SID)46
  44. 44. Abusing Default Content Examples (OAS) • Ability to run SQL Commands (database user & privs)47
  45. 45. Abusing Default Content Examples (OAS) • Use that information with other default content48
  46. 46. Abusing Default Content Examples (OAS) • Use that information with other default content49
  47. 47. Abusing Default Content Examples (OAS) • Use that information with other default content50
  48. 48. Abusing Default Content Examples (OAS) • UDDI Endpoints51
  49. 49. Abusing Default Content Examples (OAS) • UDDI Endpoints52
  50. 50. Abusing Default Content Examples (OAS) • UDDI Endpoints – Check Default Passwords53
  51. 51. Abusing Default Content Examples (OAS) • UDDI Endpoints – Check Default Passwords (Success)54
  52. 52. Abusing Default Content Examples (OAS) • Info Disclosure -- /webapp/wm/javart.jsp55
  53. 53. Abusing Default Content Examples (OAS) • Info Disclosure56
  54. 54. Abusing Default Content Examples (OAS) • Info Disclosure -- /cgi-bin/printenv57
  55. 55. Abusing Default Content Examples (Ebiz) • Oracle E-Business Content Scanner58
  56. 56. Abusing Default Content Examples (Ebiz) • Oracle E-Business Content Scanner59
  57. 57. Abusing Default Content Examples (Ebiz)60
  58. 58. Abusing Default Content Examples (Ebiz) • WEB PING R11 http://site.com/pls/DAD/fnd_web.ping R12 http://site.com/OA_HTML/jsp/fnd/fndping.jsp61
  59. 59. Fun E-Business Vulns • http://www.hacktics.com/content/advisories/AdvORA200 91214.html62
  60. 60. Fun E-Business Vulns • http://www.slideshare.net/rootedcon/joxean-koret- hackproofing-oracle-financials-11i-r12-rootedcon-201063
  61. 61. Defenses • Use my scanners (or for-pay oracle scanners) and remove default content • Mod_rewrite rules may help redirect malicious requests for E-Business. • Patch • Am I big weenie if I recommend a WAF? – Caveat, I have NO idea if WAFs check for any of this stuff (but I hope they do)64
  62. 62. Oracle iSQLPlus • Web-based interface to the TNS Listener – Available on Oracle Database 9 & 10  isqlplus_sidbrute  isqlplus_login65
  63. 63. Oracle iSQLPlus  isqlplus_sidbrute.rb  Different POST requests for 9 vs 10  Module fingerprints version and chooses correct POST  Uses SID list already in Metasploit  Using error message returned by Oracle determines valid SID  Wrong SID:  ORA-12154: TNS: could not resolve service name  Right SID (wrong password):  ORA-01017: invalid username/password; logon denied66
  64. 64. Oracle iSQLPlus  isqlplus_sidbrute.rb67
  65. 65. Oracle iSQLPlus  Isqlplus_sidbrute.rb68
  66. 66. Oracle iSQLPlus  isqlplus_sidbrute.rb  Added bonus, by default iSQLPlus authenticates to the first SID in the tnsnames.ora file. This means we can pass no SID and it will try to auth to the top SID in the tnsnames.ora file 69
  67. 67. Oracle iSQLPlus  isqlplus_sidbrute.rb  Added bonus, by default isqlplus (9 & 10) authenticates to the first SID in the tnsnames.ora file. This means we can pass no SID and it will try to auth to the top SID in the tnsnames.ora file 70
  68. 68. Oracle iSQLPlus  isqlplus_login.rb  Once we have a valid SID start checking for default user/pass accounts71
  69. 69. Oracle iSQLPlus  isqlplus_login.rb  Look ma no SID!72
  70. 70. Oracle iSQLPlus  isqlplus_login.rb  Works on Oracle DB 10 as well73
  71. 71. Defenses • If you aren’t using...Remove it • Why someone put full database access inside a web app with just a user/pass is beyond me. • Removed in 11g74
  72. 72. Oracle Portal  Web based PL/SQL applications are enabled by the PL/SQL Gateway, which is the component that translates web requests into database queries.  Products that use the PL/SQL Gateway include, but are not limited to, the Oracle HTTP Server, eBusiness Suite, Portal, HTMLDB, WebDB and Oracle Application Server  Several software implementations, ranging from the early web listener product to the Apache mod_plsql module to the XML Database (XDB) web server.75
  73. 73. Oracle Portal http://download.oracle.com/docs/cd/B10467_16/tour/portal_intro.htm76
  74. 74. Oracle Portal • Essentially the PL/SQL Gateway simply acts as a proxy server taking the users web request and passes it on to the database server where it is executed. 1. The web server accepts a request from a web client and determines if it should be processed by the PL/SQL Gateway. 2. The PL/SQL Gateway processes the request by extracting the requested package name, procedure, and variables. 3. The requested package and procedure are wrapped in a block of anonymous PL/SQL, and sent to the database server. 4. The database server executes the procedure and sends the results back to the Gateway as HTML. 5. The gateway sends the response, via the web server, back to the client.77
  75. 75. Oracle Portal  URLs for PL/SQL web applications are normally easily recognizable and generally start with the following  http://www.example.com/pls/xyz  http://www.example.com/xyz/owa  http://www.example.com/xyz/portal  In this URL, xyz is the Database Access Descriptor, or DAD. A DAD specifies information about the database server so that the PL/SQL Gateway can connect. It contains information such as the TNS connect string, the user ID and password, authentication methods, etc78
  76. 76. Oracle Portal http://download.oracle.com/docs/cd/B10467_16/tour/portal_how.htm79
  77. 77. Oracle Portal • Database Access Descriptors  Similar to SIDs, required to interact with the portal.  Lots of defaults but can be anything alphanumeric  Common Defaults: SIMPLEDAD ORASSO HTMLDB SSODAD PORTAL PORTAL2 PORTAL30 PORTAL30_SSO DAD OWA PROD APP80
  78. 78. Oracle Portal • oas_cgi_scan will find common Portal instances81
  79. 79. Oracle Portal • oas_cgi_scan will find common Portal instances82
  80. 80. Oracle Portal • oas_cgi_scan will find common Portal instances83
  81. 81. Oracle DAD Scanner • oracle_dad_scanner.rb – Scans for common Oracle DADs84
  82. 82. Oracle DAD Scanner • oracle_dad_scanner.rb – Scans for common Oracle DADs85
  83. 83. Oracle DAD Scanner • oracle_dad_scanner.rb – Scans for common Oracle DADs – Set VERBOSE to false to just see found DADs86
  84. 84. Oracle DAD Scanner • [DAD]/admin_/dadentries.htm87
  85. 85. Oracle Portal • Verify mod_plsql gateway is running • Null is valid function and should return a 200 • Something random is not, and should return a 404 – http://www.example.com/pls/dad/null – http://www.example.com/pls/dad/nosuchfunction • If the server responds with a 200 OK response for the first and a 404 Not Found for the second then it indicates that the server is running the PL/SQL Gateway. • http://www.owasp.org/index.php/Testing_for_Oracle88
  86. 86. Oracle Portal Testing PLSQL Gateway • oracle_plsql_enabled.rb89
  87. 87. Oracle Portal • It is possible to exploit vulnerabilities in the PL/SQL packages that are installed by default in the database server. How you do this depends on the version of the PL/SQL Gateway. • Examples: – http://www.example.com/pls/dad/OWA_UTIL.CELLSPRINT? P_THEQUERY=SELECT+USERNAME+FROM+ALL_USERS – http://www.example.com/pls/dad/CXTSYS.DRILOAD.VALIDATE_ST MT?SQLSTMT=SELECT+1+FROM+DUAL – http://server.example.com/pls/dad/orasso.home?);execute+imm ediate+:1;--=select+1+from+dual91
  88. 88. Oracle Portal Exploitation • oracle_modplsql_pwncheck.rb • Test the various PL/SQL gateway exploit methods • Based on notsosecure.com’s oap.pl http://code.google.com/p/oaphacker/92
  89. 89. Oracle Portal Exploitation • oracle_modplsql_pwncheck.rb • Test the various PL/SQL gateway exploit methods93
  90. 90. Oracle Portal Exploitation • Also in wXf!94
  91. 91. Oracle Portal Exploitation • oracle_modplsql_pwncheck.rb • Attack Surface?95
  92. 92. Oracle Portal Exploitation • Run SQL Queries – Database Version97
  93. 93. Oracle Portal Exploitation • Run SQL Queries – Database SID98
  94. 94. Oracle Portal Exploitation • Run SQL Queries – Database Users99
  95. 95. Oracle Portal Exploitation • Run SQL Queries – Check my privileges100
  96. 96. Defenses • Stop here… • The rest is just for fun.101
  97. 97. Oracle Portal Exploitation • But I want shell! Or at least access to tasty data • Next step is to escalate to DBA via privilege escalation, see oracle Defcon 17 talk... • Dependent on backend database version....if its patched, youre out of luck • Most functions run as PORTAL_PUBLIC user who is a limited account • However, some functions run as PORTAL user who is DBA 102
  98. 98. Oracle Portal Exploitation • SQL Injection in function owned by PORTAL • http://server/portal/pls/portal/PORTAL.wwexp_api_engine.action?p_otype=FO LDER&p_octx=FOLDERMAP.1_6&p_datasource_data=document.SEARCH23915_ PAGESEARCH_146202305.ft&p_datasource_data=document.SEARCH23915_PAG ESEARCH_146202305.fi&p_datasource_data=document.SEARCH23915_PAGESE ARCH_146202305.fs&p_datasource_data=nls_sub_domain%3Dtext%2Cnls_nam e%3Dfolderplpopup&p_domain=wwc&p_sub_domain=FOLDERMAP&p_back_ur l=PORTAL.wwexp_render.show_tree%3Fp_otype%3DSITEMAP%26p_domain%3 Dwwc%26p_sub_domain%3DFOLDERMAP%26p_headerimage%3D%2Fimages% 2Fbhfind2.gif%26p_show_banner%3DNO%26p_show_cancel%3DNO%26p_title %3DBrowse%2520Pages%26p_open_item%3D%26p_open_items%3D0.SITEMAP .FOLDERMAP.0_- 1&p_action=show(wwexp_datatype.g_exp_param);execute%20immediate%20 grant dba to public;end;--103
  99. 99. Oracle Portal Exploitation • PORTAL.wwexp_api_engine.action Exploit • Before • After104
  100. 100. Oracle Portal Exploitation • oracle_modplsql_escalate.rb • Attempts various privilege escalation exploits105
  101. 101. Oracle Portal Exploitation • oracle_modplsql_escalate.rb • Attempts various privilege escalation exploits106
  102. 102. Oracle Portal Exploitation • oracle_portal_runcmd.rb • Verify URL and DBA status107
  103. 103. Oracle Portal Exploitation • oracle_portal_runcmd.rb • Set up java libraries and runcmd function108
  104. 104. Oracle Portal Exploitation • oracle_portal_runcmd.rb109
  105. 105. Oracle Portal Exploitation • oracle_portal_runcmd.rb110
  106. 106. Exploitation of Various Web Apps • Oracle Secure Backup • Oracle Times 10 • Oracle 9.2 Enterprise Manager Reporting SQL Injection111
  107. 107. Exploitation of Various Web Apps • Oracle Secure Backup112
  108. 108. Enterprise Manager SQL Injection • Oracle Enterprise Manager Reporting SQL Injection CVE- 2006-1885 -- Oracle 9iR2113
  109. 109. Enterprise Manager SQL Injection • Oracle Enterprise Manager Reporting SQL Injection CVE- 2006-1885 -- Oracle 9iR2114
  110. 110. Exploithub Exploits Demo115
  111. 111. Where To Get The Code • iSQL*Plus modules are in the trunk now • MSF Modules – https://github.com/carnal0wnage/carnal0wnage-code • Also in wXf (Web eXploitation Framework) – https://github.com/WebExploitationFramework/wXf116
  112. 112. Oracle Ninjas / Resources • Alexander Kornbrust http://www.red-database-security.com/ • Sumit Siddharth http://www.notsosecure.com • David Litchfield http://www.davidlitchfield.com/blog/ • Joxean Koret http://joxeankoret.com/ • http://www.argeniss.com/index.html • http://www.0xdeadbeef.info/ • http://www.databasesecurity.com/oracle/hpoas.pdf • http://www.owasp.org/index.php/Testing_for_Oracle117
  113. 113. Questions? Chris Gates @carnal0wnage cg [] metasploit [] com118
  114. 114. Special Thanks To • Alexander Kornbrust • MC • Sid • cktricky • Mubix • todb119

×