ODAT : Oracle Database Attacking Tool

ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely.

Usage examples of ODAT:

• You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database
• You have a valid Oracle account on a database and want to escalate your privileges to become DBA or SYSDBA
• You have a Oracle account and you want to execute system commands (e.g. reverse shell) in order to move forward on the operating system hosting the database

Tested on Oracle Database 10g, 11g, 12c, 18c and 19c.

Features

Thanks to ODAT, you can:

• search valid SID on a remote Oracle Database listener via:
  • a dictionary attack
  • a brute force attack
  • ALIAS of the listener
• search Oracle accounts using:
  • a dictionary attack
  • each Oracle user like the password (need an account before to use this attack)
• execute system commands on the database server using:
  • DBMS_SCHEDULER
  • JAVA
  • external tables
  • oradbg
• download files stored on the database server using:
  • UTL_FILE
  • DBMS_XSLPROCESSOR
  • external tables
  • CTXSYS
  • DBMS_LOB
• upload files on the database server using:
  • UTL_FILE
  • DBMS_XSLPROCESSOR
  • DBMS_ADVISOR
• delete files using:
  • UTL_FILE
• gain privileged access using these following system privileges combinations (see help for privesc module commands):
  • CREATE ANY PROCEDURE
  • CREATE PROCEDURE and EXECUTE ANY PROCEDURE
  • CREATE ANY TRIGER (and CREATE PROCEDURE)
  • ANALYZE ANY (and CREATE PROCEDURE)
  • CREATE ANY INDEX (and CREATE PROCEDURE)
• send/reveive HTTP requests from the database server using:
  • UTL_HTTP
  • HttpUriType
• scan ports of the local server or a remote server using:
  • UTL_HTTP
  • HttpUriType
  • UTL_TCP
• capture a SMB authentication through:
  • an index in order trigger a SMB connection
• exploit some CVE:
  • the CVE-2012-3137
    • pickup the session key and salt for arbitrary users
    • attack by dictionary on sessions
  • the CVE-2012-????: A user authenticated can modify all tables who can select even if he can’t modify them normally (no ALTER privilege).
  • the CVE-2012-1675 (aka TNS poisoning attack)
• search in column names thanks to the search module:
  • search a pattern (ex: password) in column names
• unwrap PL/SQL source code (10g/11g and 12c)
• get system privileges and roles granted. It is possible to get privileges and roles of roles granted also
• execute arbitrary SELECT requests (aka minimal sql shell)

This list is not exhaustive.

Supported Platforms and dependencies

ODAT is compatible with Linux only.

Standalone version exists in order to don’t have need to install dependencies (see https://github.com/quentinhardy/odat/releases/). The ODAT standalone has been generated thanks to pyinstaller.

If you want to have the development version installed on your computer, these following tools and dependencies are needed:

• Langage: Python 3
• Oracle dependancies:
  • Instant Oracle basic
  • Instant Oracle sdk
• Python libraries:
  • cx_Oracle
  • passlib
  • pycrypto
  • python-scapy
  • python-libnmap (new from python 5.1)
  • colorlog (recommended)
  • termcolor (recommended)
  • argcomplete (recommended)
  • pyinstaller (recommended)

Installation (optional, for development version)

This part describes how to install instantclient, CX_Oracle and some others python libraries on Ubuntu in order to have the ODAT development version. Don’t forget that an ODAT standalone version exists at https://github.com/quentinhardy/odat/releases/: It is not required to install something for use the standalone version

• Clone the repository to get the ODAT source code:

git clone https://github.com/quentinhardy/odat.git

• Update wiki pages in this repository for getting the ODAT documentation locally:

cd odat/
git submodule init
git submodule update

• Get instant client basic, sdk (devel) and sqlplus from the Oracle web site:
  • X64: http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html
  • X86: http://www.oracle.com/technetwork/topics/linuxsoft-082809.html
• For the moment (03/2021), Oracle Database instant client version 11.2 is the best version if you want to generate the ODAT standalone with pyinstaller. For using the ODAT development version, the last version of the Oracle client can be used (e.g. version 19).
• Install python3-dev, alien and libaio1 package (for sqlplus):

sudo apt-get install libaio1 python3-dev alien python3-pip

• Generate DEB files from RPM files with :

sudo alien --to-deb oracle-instantclient19.3-basic-???.x???.rpm
sudo alien --to-deb oracle-instantclient19.3-devel-???.x???.rpm

• Install instant client basic, sdk and sqlplus:

sudo dpkg -i oracle-instantclient19.3-basic-???.x???.deb
sudo dpkg -i oracle-instantclient19.3-devel_???_???.deb

• Put these lines in your /etc/profile file in order to define Oracle env variables:

export ORACLE_HOME=/usr/lib/oracle/19.3/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=${ORACLE_HOME}bin:$PATH

• Restart your session (to apply env variables)
• Create the /etc/ld.so.conf.d/oracle.conf file and add the path to Oracle home:

/usr/lib/oracle/19.3/client64/lib/

• Update the ldpath using:

sudo ldconfig

• Install CX_Oracle

sudo -s
source /etc/profile
pip3 install cx_Oracle

• Test if all is good:

python3 -c 'import cx_Oracle' 

This command should just return without errors.

• Install some python libraries:

sudo apt-get install python3-scapy
sudo pip3 install colorlog termcolor pycrypto passlib python-libnmap
sudo pip3 install argcomplete && sudo activate-global-python-argcomplete

• Download and install the development version of pyinstaller (http://www.pyinstaller.org/) for python 3.

python setup.py install

• or install through pip:

pip3 install pyinstaller

• Run ODAT:

./odat.py -h