
Monday, April 12, 2021

Oracle Database sqlcl basics

Need to connect to an Oracle database?


Download Oracle SQLcl


https://www.oracle.com/tools/downloads/sqlcl-downloads.html


Extract the zip


Login using this command


> sql username@//server:1521/databasename


Show what user you are

SQL> show user


Now check what version of Oracle you're on

SQL> select BANNER from v$version;


Display the instance you're on

SQL> select INSTANCE_NAME, HOST_NAME, VERSION from v$instance;


Check what database you're connected to

SQL> select name from V$database;


List all user accounts

SQL> select * from all_users;



Wednesday, December 14, 2016

1:40905 SERVER-WEBAPP Oracle Weblogic default credentials login attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this default credential alert didn't include documentation.

1 40905 SERVER-WEBAPP Oracle Weblogic default credentials login attempt
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle Weblogic default credentials login attempt"; flow:to_server,established; content:"/j_security_check"; fast_pattern:only; http_uri; content:"j_username="; http_client_body; content:"j_password=weblogic"; http_client_body; pcre:"/j_username=(root|system)/P"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:40905; rev:1; )

1 40904 SERVER-WEBAPP Oracle Weblogic default credentials login attempt
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle Weblogic default credentials login attempt"; flow:to_server,established; content:"/j_security_check"; fast_pattern:only; http_uri; content:"j_username=weblogic"; http_client_body; content:"j_password"; http_client_body; pcre:"/j_password=(welcome1|weblogic|admin)/P"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:40904; rev:1; )


If I had to guess, I think it's related to Oracle's documentation on default credentials for WebLogic, or something similar, which stated:

In the tutorial the username is weblogic and the password is Welcome1.
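As an added example (not the rule author's or Snort's code), the matching logic of both rules is re-expressed in Python and run over constructed request samples; the samples, port, URI and body layout are assumptions. Snort content and pcre matches are case-sensitive without nocase or /i, so the checks below are too, which is why the tutorial's capitalized Welcome1 does not fire sid 40904.

```python
import re

# Constructed samples (not real traffic): (destination port, request URI, POST body).
SAMPLES = {
    "weblogic_admin":   (7001, "/console/j_security_check", "j_username=weblogic&j_password=admin"),
    "system_weblogic":  (7001, "/console/j_security_check", "j_username=system&j_password=weblogic"),
    "tutorial_default": (7001, "/console/j_security_check", "j_username=weblogic&j_password=Welcome1"),
    "other_port":       (8443, "/console/j_security_check", "j_username=weblogic&j_password=admin"),
    "normal_login":     (7001, "/console/j_security_check", "j_username=alice&j_password=n0t-a-default"),
}
WEBLOGIC_PORT = 7001  # both rules only inspect traffic to $HOME_NET 7001


def sid_40905(port, uri, body):
    """Mirror of sid 40905: user root or system with the password 'weblogic'."""
    return (port == WEBLOGIC_PORT
            and "/j_security_check" in uri             # content ...; http_uri
            and "j_username=" in body                  # content ...; http_client_body
            and "j_password=weblogic" in body          # content ...; http_client_body
            and re.search(r"j_username=(root|system)", body) is not None)  # pcre .../P


def sid_40904(port, uri, body):
    """Mirror of sid 40904: user 'weblogic' with one of the three listed passwords."""
    return (port == WEBLOGIC_PORT
            and "/j_security_check" in uri
            and "j_username=weblogic" in body
            and "j_password" in body
            and re.search(r"j_password=(welcome1|weblogic|admin)", body) is not None)


def evaluate(samples):
    """Return {sample name: [sids that would fire]}.  Matching is case-sensitive,
    like the rules, so 'Welcome1' from the tutorial fires nothing."""
    hits = {}
    for name, (port, uri, body) in samples.items():
        hits[name] = [sid for sid, rule in ((40905, sid_40905), (40904, sid_40904))
                      if rule(port, uri, body)]
    return hits


if __name__ == "__main__":
    for name, fired in evaluate(SAMPLES).items():
        print(f"{name:17} -> {fired or 'no alert'}")
```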

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Monday, June 6, 2016

Java Deserialize Request Headers

I saw an interesting HTTP request in some web traffic. Normally when you see a web request you see the method as GET or POST, for example. In this case it said t3, which doesn't seem normal?

t3 12.2.1
AS: 255
HL: 19
MS: 10000000
PU: t3://us-l-breens:7001


After some quick Google searching I found a link to an exploit written in Python that appears to be this exact HTTP request. So what is it? Well, t3 appears to be a protocol used by Oracle for Java remote method invocation. Oh boy, that doesn't sound good. In general it's used to transport data between WebLogic Server and other Java programs. I believe that 12.2.1 is the WebLogic version number. I believe AS: 255 is the abbreviation size (although not sure what that means) and HL: 19 is the header length. I'm wondering if MS: 10000000 might stand for message size, although I couldn't confirm that. And PU: t3://us-l-breens:7001 I believe might be the proxy URL. The us-l-breens is the name of the server (in this case it's the security researcher's [Stephen Breen] local server name), but from what I read it appears the exploit works no matter what you pass in.

It appears to be related to the Java deserialization ("unserialize") vulnerabilities in Oracle WebLogic. At a high level, that means that Oracle WebLogic is written in Java, and somewhere in Oracle WebLogic it is listening for serialized user input. When it receives that serialized input as a flat string of bytes it tries to deserialize it back into a nicer, cleaner Java object. The problem is that the deserialization of some untrusted inputs isn't handled safely, and a crafted input can be used for remote code execution.

The Python script linked above appears to connect to a particular vulnerable server and port, and pass the headers shown above to establish a connection (sock.sendall). Once the connection is established (sock.recv), the script concatenates the exploit payload (to trigger the deserialize issue) with the desired payload to be executed on the server (your evil code) and sends that to the open connection (sock.send). See this blog for more details on the vulnerability.

Although this vulnerability is getting old now and you should've already patched it, it's again interesting to see that there are still plenty of scanners out there looking for unpatched victims they can exploit.
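As an added example (not the post's code, nor the exploit's), a small Python classifier for traffic captured on a WebLogic port: it tells a t3 handshake apart from an ordinary HTTP request line and parses the handshake's header fields. The field meanings in the comments are the post's own guesses, and the HTTP sample is constructed.

```python
# The handshake quoted in the post; the field labels are the post author's guesses.
T3_SAMPLE = (b"t3 12.2.1\n"                        # protocol and (believed) WebLogic version
             b"AS: 255\n"                          # believed: abbreviation size
             b"HL: 19\n"                           # believed: header length
             b"MS: 10000000\n"                     # believed: message size
             b"PU: t3://us-l-breens:7001\n\n")     # believed: proxy URL
# Constructed ordinary HTTP request to the same port, for contrast (not real traffic).
HTTP_SAMPLE = b"POST /console/j_security_check HTTP/1.1\r\nHost: weblogic.example:7001\r\n\r\n"


def parse_t3_handshake(data):
    """Parse 't3 <version>' followed by 'KEY: value' lines; a blank line ends the header."""
    text = data.decode("ascii", errors="replace")
    first, _, rest = text.partition("\n")
    proto, _, version = first.strip().partition(" ")
    fields = {}
    for line in rest.splitlines():
        if not line.strip():
            break
        key, sep, value = line.partition(":")   # first colon only: PU holds a URL with ':'
        if sep:
            fields[key.strip()] = value.strip()
    return {"protocol": proto, "version": version, "fields": fields}


def classify_request(data):
    """('http', METHOD) for an HTTP request line, ('t3', parsed) for a t3 handshake,
    ('unknown', None) otherwise.  Useful for hunting t3 probes where HTTP is expected."""
    tokens = data.split(b"\n", 1)[0].strip().split()
    if len(tokens) == 2 and tokens[0] == b"t3":
        return "t3", parse_t3_handshake(data)
    if len(tokens) == 3 and tokens[2].startswith(b"HTTP/"):
        return "http", tokens[0].decode("ascii", errors="replace")
    return "unknown", None


if __name__ == "__main__":
    for sample in (T3_SAMPLE, HTTP_SAMPLE):
        kind, detail = classify_request(sample)
        print(kind, detail)
```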


Scans for Risky Web Folders

If you review your website, firewall, or IDS logs you may see scanners out on the Internet looking for these various folders, likely because if they are publicly exposed they contain juicy information that could help an attacker take over your website.

http://www.mysite.com/_vti_cnf
http://www.mysite.com/_passwords/
http://www.mysite.com/passwords/
http://www.mysite.com/iisadmin/
http://www.mysite.com/~root
http://www.mysite.com/dmsdump/
http://www.mysite.com/oprocmgr-status/


I thought I'd take a second and explain a few of them.

For the _vti_cnf, if you go to a site that has FrontPage extensions enabled, then this folder will give you a complete listing of all the files in the real directory, and with this information you could snatch useful files that were not meant to be exposed publicly.

I'm going to guess the next 2 folder names give you access somehow to a passwords file or something that again isn't supposed to be exposed publicly.

The iisadmin folder is for older versions of IIS that used to allow remote administration, which can be a very bad thing on a public-facing site.

The ~root folder likely refers to a case where you've somehow improperly configured your Linux web server (like Apache) to map that path to your root account's home folder.

The dmsdump folder refers to Oracle's Dynamic Monitoring Services. Many of Oracle's services in older versions were accessible remotely by anonymous users by default, which is bad as this can lead to attackers having remote access to administer your server. This is also the case with the Oracle Java Process Manager (oprocmgr-status).

If you have any of these folders exposed on your site publicly you've possibly already been compromised, but if not go take those folders down (or restrict them in httpd.conf or .htaccess or similar) so they're no longer accessible to the bad guys. In many cases, you'll find that if these folders exist, you may also be using a super duper old unpatched version of software and thus you're going to need to do some major upgrades as well to fix all your issues.
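As an added example (not the post's code), a Python log check that walks Apache combined-format access log lines for probes of the folders listed above and separates the ones the server actually answered 200, which are the folders to take down or restrict first. The log lines, client addresses and regex are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Folder names from the post, as path prefixes to watch for.
RISKY_PREFIXES = ("/_vti_cnf", "/_passwords", "/passwords", "/iisadmin",
                  "/~root", "/dmsdump", "/oprocmgr-status")

# Constructed Apache combined-format access log lines (not real data).
SAMPLE_LOG = """\
198.51.100.7 - - [06/Jun/2016:10:01:02 +0000] "GET /_vti_cnf/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jun/2016:10:01:03 +0000] "GET /%7Eroot HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jun/2016:10:01:04 +0000] "GET /passwords-policy.html HTTP/1.1" 200 700 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Jun/2016:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Jun/2016:10:02:01 +0000] "GET /dmsdump/?format=xml HTTP/1.1" 200 9921 "-" "curl/7.47.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def risky_prefix(target):
    """Return the risky folder a request target falls under, or None.
    Percent-encoding is decoded (/%7Eroot is /~root) and only whole path
    components match, so /passwords-policy.html is not a hit."""
    path = unquote(urlsplit(target).path)
    for prefix in RISKY_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return prefix
    return None


def scan_log(text):
    """List (client ip, risky folder, status) for every probe of a risky folder."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        prefix = risky_prefix(m["target"])
        if prefix:
            hits.append((m["ip"], prefix, int(m["status"])))
    return hits


def served_folders(hits):
    """Folders answered 200: really being served, so remove or restrict them first."""
    return sorted({prefix for _, prefix, status in hits if status == 200})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    print(hits)
    print("exposed:", served_folders(hits))
```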
