---
layout: post
title: Some Metasploit and Oracle Notes - Part 2
date: 2009-05-12 20:41:55.000000000 +01:00
categories:
- Metasploit
- Penetration Testing
tags: []
status: publish
type: post
published: true
---<br />
SCOTT                          CONNECT                     NO  YES NO<br />
<b>SCOTT                          DBA                               NO  YES NO</b><br />
SCOTT                          RESOURCE                   NO  YES NO<br />
</i><br />
It's worth noting that some of these Oracle modules (there's 9 in the current Metasploit svn versions) have required privilege levels (dbms_cdc_publish for example in a vanilla 10GR2 setup needs EXECUTE_CATALOG_ROLE to run which only SYS and users with the DBA role have...), so it's worth trying out several to fit different scenarios...<br />
So here we are with DBA, which to be honest for a lot attackers is all that's needed.  The data in the database is likely to be the "crown jewels" which the attackers looking for, but hey we can go further with the wonders of Metasploit and execute code on the underlying operating system...</p>
<p><b>5. Leverage Oracles functionality to get access to the underlying operating system</b><br />
So at the moment I don't see a metasploit option for doing this in *nix (there's a win32 command execution module on <a href="http://www.metasploit.com/users/mc/oracle/win32exec.rb">mc's </a>page), however that's not a serious problem as it turns out the nice guys at Oracle provide ways to do this easily.</p>
<p>A quick google around revealed <a href="http://www.oracle.com/technology/tech/java/jsp/pdf/calling_shell_commands_from_plsql_1.1.pdf">this paper</a> from Oracle on command execution from a database user and from my running of it, it works fine (although requires creation of new database objects so best suited to an environment that can be rolled back easily...).<br />
So there you go, from nothing to OS access in 5 easy steps, courtesy of Metasploit...</p>