[Oracle] Oracle remote poisoning vulnerability scanning tool



1. Install the scanning tool


curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall

2. Scan the target database

[root@node3 soft]# msfconsole
[-] ***rting the Metasploit Framework console...|
[-] * WARNING: No database support: No database YAML file
[-] ***
.:okOOOkdc' 'cdkOOOko:.
.xOOOOOOOOOOOOc cOOOOOOOOOOOOx.
:OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO:
'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
oOOOOOOOO. .oOOOOoOOOOl. ,OOOOOOOOo
dOOOOOOOO. .cOOOOOc. ,OOOOOOOOx
lOOOOOOOO. ;d; ,OOOOOOOOl
.OOOOOOOO. .; ; ,OOOOOOOO.
cOOOOOOO. .OOc. 'oOO. ,OOOOOOOc
oOOOOOO. .OOOO. :OOOO. ,OOOOOOo
lOOOOO. .OOOO. :OOOO. ,OOOOOl
;OOOO' .OOOO. :OOOO. ;OOOO;
.dOOo .OOOOocccxOOOO. xOOd.
,kOl .OOOOOOOOOOOOO. .dOk,
:kk;.OOOOOOOOOOOOO.cOk:
;kOOOOOOOOOOOOOOOk:
,xOOOOOOOOOOOx,
.lOOOOOOOl.
,dOd,
.

=[ metasploit v5.0.27-dev- ]
+ -- --=[ 1895 exploits - 1067 auxiliary - 329 post ]
+ -- --=[ 547 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]

Specify the IP address of the database to scan

msf5 >  use auxiliary/scanner/oracle/tnspoison_checker
msf5 auxiliary(scanner/oracle/tnspoison_checker) > set rhosts 192.168.168.177
rhosts => 192.168.168.177

View the configuration options

msf5 auxiliary(scanner/oracle/tnspoison_checker) > show options
Module options (auxiliary/scanner/oracle/tnspoison_checker):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.168.177 yes The target address range or CIDR identifier
RPORT 1521 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads

Run the vulnerability scan

msf5 auxiliary(scanner/oracle/tnspoison_checker) > run
[+] 192.168.168.177:1521 - 192.168.168.177:1521 is vulnerable
[*] 192.168.168.177:1521 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

According to the output, server 177 is vulnerable, which means the vulnerability exists.
The actual penetration test follows:

msf5 auxiliary(scanner/oracle/tnspoison_checker) > use auxiliary/admin/oracle/tnscmd
msf5 auxiliary(admin/oracle/tnscmd) > set rhosts 192.168.168.177
rhosts => 192.168.168.177
msf5 auxiliary(admin/oracle/tnscmd) > show options
Module options (auxiliary/admin/oracle/tnscmd):

Name Current Setting Required Description
---- --------------- -------- -----------
CMD (CONNECT_DATA=(COMMAND=VERSION)) no Something like ping, version, status, etc..
RHOSTS 192.168.168.177 yes The target address range or CIDR identifier
RPORT 1521 yes The target port (TCP)

msf5 auxiliary(admin/oracle/tnscmd) > run
[*] Running module against 192.168.168.177

[*] 192.168.168.177:1521 - Sending '(CONNECT_DATA=(COMMAND=VERSION))' to 192.168.168.177:1521
[*] 192.168.168.177:1521 - writing 90 bytes.
[*] 192.168.168.177:1521 - reading
[*] 192.168.168.177:1521 - .e......"..Y(DESCRIPTION=(TMP=)(VSNNUM=186647552)(ERR=1189)(ERROR_STACK=(ERROR=(CODE=1189)(EMFI=4))))
[*] Auxiliary module execution completed

Edit the Oracle server's listener configuration file, listener.ora, and add the following.
Single instance

VALID_NODE_CHECKING_REGISTRATION_LISTENER =ON
REGISTRATION_INVITED_NODES_LISTENER=(192.168.168.177)

Multiple instances
Add the following to listener.ora (RAC)

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN*=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER =ON
REGISTRATION_INVITED_NODES_LISTENER=(list the IP addresses of both hosts here)

Reload the listener

lsnrctl reload

Run the check again

msf5 auxiliary(admin/oracle/tnscmd) > use auxiliary/scanner/oracle/tnspoison_checker
msf5 auxiliary(scanner/oracle/tnspoison_checker) > set rhosts 192.168.168.177
rhosts => 192.168.168.177
msf5 auxiliary(scanner/oracle/tnspoison_checker) > show options

Module options (auxiliary/scanner/oracle/tnspoison_checker):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.168.177 yes The target address range or CIDR identifier
RPORT 1521 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads

msf5 auxiliary(scanner/oracle/tnspoison_checker) > run

[-] 192.168.168.177:1521 - 192.168.168.177:1521 is not vulnerable
[*] 192.168.168.177:1521 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
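
A configuration-side check to go with the listener.ora change and rescan above, as an added example that is not part of the original post: it parses a listener.ora and reports, for each listener, whether VALID_NODE_CHECKING_REGISTRATION is on and which nodes are invited. The sample file, its host name and SID are constructed, and the accepted values other than ON are an assumption.

```python
import re

# Values treated as "registration restricted". The page uses ON; the other
# spellings are an assumption based on Oracle's Net Services reference.
ENABLED = {"ON", "1", "LOCAL", "SUBNET", "2"}

# Constructed sample listener.ora: LISTENER carries the page's two settings,
# LISTENER_SCAN1 is left without them. Host name and SID are made up.
SAMPLE = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = node3)(PORT = 1521))))
LISTENER_SCAN1 = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = LISTENER_SCAN1)))
SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = orcl)))
# added for the TNS poisoning fix
VALID_NODE_CHECKING_REGISTRATION_LISTENER =ON
REGISTRATION_INVITED_NODES_LISTENER=(192.168.168.177)
"""

def parse_listener_ora(text):
    """Return {NAME: value}; a value may continue on indented lines."""
    params, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        m = re.match(r"([A-Za-z_][\w.]*)\s*=\s*(.*)$", line)
        if m:                      # NAME = ... in column 0 starts a parameter
            name = m.group(1).upper()
            params[name] = m.group(2)
        elif name and line.strip():
            params[name] += line.strip()
    return params

def audit(text):
    """Map each listener to ('restricted' | 'open', invited_nodes)."""
    params = parse_listener_ora(text)
    report = {}
    for name, value in params.items():
        if not value.replace(" ", "").upper().startswith(("(DESCRIPTION", "(ADDRESS")):
            continue               # not a listener definition (e.g. SID_LIST_*)
        vncr = params.get("VALID_NODE_CHECKING_REGISTRATION_" + name, "").upper()
        nodes = re.findall(r"[^\s(),]+", params.get("REGISTRATION_INVITED_NODES_" + name, ""))
        # An unset parameter is reported as open; release defaults are ignored.
        report[name] = ("restricted" if vncr in ENABLED else "open", nodes)
    return report

if __name__ == "__main__":
    for listener, (state, nodes) in audit(SAMPLE).items():
        print(f"{listener}: {state}, invited nodes: {nodes or 'none'}")
```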
© 2020 zeven0707's blog