

ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that allows you to test the security of Oracle Databases remotely.

Features:

- Search valid SID on a remote Oracle Database listener via:
  - a dictionary attack
  - a brute force attack
  - ALIAS of the listener
- Search Oracle accounts using:
  - a dictionary attack
  - each Oracle username as the password (an account is needed before using this attack)
- Execute system commands on the database server using:
  - DBMS_SCHEDULER
  - JAVA
  - external tables
  - oradbg
- Download files stored on the database server using:
  - UTL_FILE
  - external tables
  - CTXSYS
  - DBMS_LOB
- Upload files on the database server using:
  - UTL_FILE
  - DBMS_XSLPROCESSOR
  - DBMS_ADVISOR
- Delete files using:
  - UTL_FILE
- Gain privileged access using the following combinations of system privileges:
  - CREATE ANY PROCEDURE
  - CREATE PROCEDURE and EXECUTE ANY PROCEDURE
  - CREATE ANY TRIGGER (and CREATE PROCEDURE)
  - ANALYZE ANY (and CREATE PROCEDURE)
  - CREATE ANY INDEX (and CREATE PROCEDURE)
- Send/receive HTTP requests from the database server using:
  - UTL_HTTP
  - HttpUriType
- Scan ports of the local server or a remote server using:
  - UTL_HTTP
  - HttpUriType
  - UTL_TCP
- Capture an SMB authentication through:
  - an index, in order to trigger an SMB connection
- Exploit some CVEs
- Search in column names thanks to the search module:
  - search a pattern (ex: password) in column names
- Unwrap PL/SQL source code (10g/11g and 12c)
- Get system privileges and roles granted.
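
The system-privilege combinations in the feature list can also be checked from the defender's side. The following is an added example, not part of ODAT: it takes rows exported from the DBA_SYS_PRIVS and DBA_ROLE_PRIVS views and reports which accounts effectively hold one of those combinations, including through nested roles. The account names, role names, grants and the SYS/SYSTEM allowlist are assumptions made for the example.

```python
# Added example (not ODAT code): flag accounts that effectively hold one of the
# system-privilege combinations listed above, from DBA_SYS_PRIVS/DBA_ROLE_PRIVS rows.
RISKY_COMBOS = [
    {"CREATE ANY PROCEDURE"},
    {"CREATE PROCEDURE", "EXECUTE ANY PROCEDURE"},
    {"CREATE ANY TRIGGER", "CREATE PROCEDURE"},
    {"ANALYZE ANY", "CREATE PROCEDURE"},
    {"CREATE ANY INDEX", "CREATE PROCEDURE"},
]

def effective_privs(grantee, sys_privs, role_privs, _seen=None):
    """Direct system privileges plus those inherited through granted roles."""
    seen = set() if _seen is None else _seen
    if grantee in seen:  # role already expanded (also guards cyclic input)
        return set()
    seen.add(grantee)
    privs = {p for g, p in sys_privs if g == grantee}
    for g, role in role_privs:
        if g == grantee:
            privs |= effective_privs(role, sys_privs, role_privs, seen)
    return privs

def audit(sys_privs, role_privs, accounts, allowlist=("SYS", "SYSTEM")):
    """Return {account: [matched combinations]}, skipping allowlisted accounts."""
    findings = {}
    for account in accounts:
        if account in allowlist:
            continue
        privs = effective_privs(account, sys_privs, role_privs)
        hits = [sorted(c) for c in RISKY_COMBOS if c <= privs]
        if hits:
            findings[account] = hits
    return findings

# Constructed sample rows: (GRANTEE, PRIVILEGE) and (GRANTEE, GRANTED_ROLE).
SYS_PRIVS = [
    ("APP_OWNER", "CREATE PROCEDURE"), ("APP_OWNER", "CREATE TABLE"),
    ("REPORTING", "CREATE SESSION"), ("STATS_ROLE", "ANALYZE ANY"),
    ("BATCH_ROLE", "CREATE ANY PROCEDURE"), ("SYSTEM", "CREATE ANY PROCEDURE"),
]
ROLE_PRIVS = [
    ("APP_OWNER", "STATS_ROLE"), ("OPS_ROLE", "BATCH_ROLE"), ("JOBS", "OPS_ROLE"),
]
ACCOUNTS = ["APP_OWNER", "REPORTING", "JOBS", "SYSTEM"]

if __name__ == "__main__":
    for account, combos in audit(SYS_PRIVS, ROLE_PRIVS, ACCOUNTS).items():
        print(account, "->", combos)
```

In the sample data APP_OWNER only reaches a listed combination through a role, and JOBS only through two levels of roles, which a check of direct grants alone would miss.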





If you want to have the development version installed on your computer, the following tools and dependencies are needed:

- Python 2.7
- Instant Oracle basic
- Instant Oracle sdk
- cx_Oracle
- passlib
- pycrypto
- python-scapy
- colorlog (recommended)
- termcolor (recommended)
- argcomplete (recommended)
- pyinstaller (recommended)



How To Use ODAT

The -h option can be used to get the ODAT help menu: ./odat.py -h

The all module is the first module that should be used when you encounter an Oracle Database. For example, you can start with this command:

./odat.py all -s 192.168.1.254 -p 1521

You can give the SID if you know it:

./odat.py all -s 192.168.1.254 -p 1521 -d ORCL

If you know a valid account, you can give it to this module:

./odat.py all -s 192.168.1.254 -p 1521 -d ORCL -U SYS -P password

For each module (e.g. sidguesser), you can use -v, -vv or -vvv to enable verbosity and see what the module is doing and how. For example:

./odat.py all -s 192.168.1.254 -vvv

Before using a specific command of a module, the --test-module option should be used first to find out whether you can use it (the target is vulnerable, the Oracle account has enough privileges, etc.). For example: