Oracle TNS Listener Remote Poisoning 測試

1. 遠程數據投毒漏洞（CVE-2012-1675）
   允許***者在不提供用戶名/密碼的情況下，向遠程“TNS Listener”組件處理的數據投毒的漏洞。
   COST 是class of secure transports 的縮寫。是為了控制實例注冊提供的一種安全控制機制。其作用是對于一個確定的listener，限制哪些實例通過哪些協議可以進行注冊。這將避免有其他遠程實例進行惡意注冊，并由此產生信息泄露等風險。
   它通過在 listner.ora中設置參數SECURE_REGISTER_listener_name的值，指定為一個transport list（限定的注冊協議列表，如IPC、TCP、TCPS）來實現這一功能。 該功能從 10.2.0.3 版本開始支持（雖然10g R2的在線文檔中并未明確說明），一直到11.2.0.4版本及之后依然可用。但是，在11.2.0.4后，oracle建議使用默認的VNCR配置。

2. 危害
   最主要的危害為，***者可以自行創建一個和當前生產數據庫同名的數據庫，將其向生產數據庫的監聽注冊。
   這樣將導致用戶連接被路由指向***者創建的實例，造成業務響應中斷
   應用程序報告 ORA-12545: Connect failed because target host or object does not exist
3. 受到影響的版本
   雖然安全警告描述的是10203開始，但是實際是從8i開始的任何版本
   4.我的驗證

[root@204_maridb ~]# curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \

chmod 755 msfinstall && \
./msfinstall
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5532 100 5532 0 0 6758 0 --:--:-- --:--:-- --:--:-- 6754
Checking for and installing update..
Adding metasploit-framework to your repository list..已加載插件：fastestmirror
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
metasploit | 2.9 kB 00:00:00
metasploit/primary_db | 9.8 kB 00:00:00
Loading mirror speeds from cached hostfile

• epel: mirrors.tuna.tsinghua.edu.cn
  正在解決依賴關系
  --> 正在檢查事務
  ---> 軟件包 metasploit-framework.x86_64.0.5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6 將被 安裝
  --> 解決依賴關系完成

依賴關系解決

========================================================================================================================================================================================================
Package 架構 版本 源 大小

正在安裝:
metasploit-framework x86_64 5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6 metasploit 195 M

事務概要

安裝 1 軟件包

總下載量：195 M
安裝大小：433 M
Downloading packages:
警告：/var/cache/yum/x86_64/7/metasploit/packages/metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64.rpm: 頭V4 RSA/SHA256 Signature, 密鑰 ID 2007b954: NOKEYMB 00:00:00 ETA
metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64.rpm 的公鑰尚未安裝
metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64.rpm | 195 MB 00:05:07
從 file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit 檢索密鑰
導入 GPG key 0x2007B954:
用戶ID : "Metasploit <metasploit@rapid7.com>"
指紋 : 09e5 5faf 4f78 62cd 6d55 8997 cdfb 5fa5 2007 b954
來自 : /etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在安裝 : metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64 1/1
Run msfconsole to get started
驗證中 : metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64 1/1

已安裝:
metasploit-framework.x86_64 0:5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6

完畢！
[root@204_maridb ~]# ms
msfbinscan msfd msfelfscan msfpescan msfrpc msfupdate msgattrib msgcmp msgconv msgexec msgfmt msghack msgmerge msguniq
msfconsole msfdb msfmachscan msfrop msfrpcd msfvenom msgcat msgcomm msgen msgfilter msggrep msginit msgunfmt msql2mysql
[root@204_maridb ~]# msfconsole
-bash: /usr/local/bin/msfconsole: 沒有那個文件或目錄
[root@204_maridb ~]# which msfconsole
/usr/bin/msfconsole
[root@204_maridb ~]# /usr/bin/msfconsole
[-] *rting the Metasploit Framework console...|
[-] WARNING: No database support: No database YAML file
[-]

+-------------------------------------------------------+
| METASPLOIT by Rapid7 |
+---------------------------+---------------------------+
| __ | |
| ==c(__(o(__(() | |""""""""""""|======[*** |
| )=\ | | EXPLOIT \ |
| // \ | |_______ |
| // \ | |==[msf >]============\ |
| // \ | |__\ |
| // RECON \ | (@)(@)(@)(@)(@)(@)(@)/ |
| // \ | ***** |
+---------------------------+---------------------------+
| o O o | \'\/\/\/'/ |
| o O | )======( |
| o | .' LOOT '. |
| |^^^^^^^^^^^^^^|l | / || \ |
| | PAYLOAD |""_, | / (|| \ |
| |__||)| | | _||) | |
| |(@)(@)"""|(@)(@)|(@) | " || " |
| = = = = = = = = = = = = | '--------------' |
+---------------------------+---------------------------+

   =[ metasploit v5.0.19-dev-                         ]

• -- --=[ 1880 exploits - 1062 auxiliary - 328 post ]
• -- --=[ 546 payloads - 44 encoders - 10 nops ]
• -- --=[ 2 evasion ]

msf5 > use auxiliary/admin/oracle/tnscmd
msf5 auxiliary(admin/oracle/tnscmd) > info

   Name: Oracle TNS Listener Command Issuer
 Module: auxiliary/admin/oracle/tnscmd
License: Metasploit Framework License (BSD)
   Rank: Normal

Disclosed: 2009-02-01

Provided by:
MC <mc@metasploit.com>

Check supported:
No

Basic options:
Name Current Setting Required Description

CMD (CONNECT_DATA=(COMMAND=VERSION)) no Something like ping, version, status, etc..
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port (TCP)

Description:
This module allows for the sending of arbitrary TNS commands in
order to gather information. Inspired from tnscmd.pl from
www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd

msf5 auxiliary(admin/oracle/tnscmd) > set RHOST www.xxxx.cc
RHOST => www.xxxx.cc
msf5 auxiliary(admin/oracle/tnscmd) > show options

Module options (auxiliary/admin/oracle/tnscmd):

Name Current Setting Required Description

CMD (CONNECT_DATA=(COMMAND=VERSION)) no Something like ping, version, status, etc..
RHOSTS www.xxxx.cc yes The target address range or CIDR identifier
RPORT 1521 yes The target port (TCP)

msf5 auxiliary(admin/oracle/tnscmd) > run
[-] Auxiliary failed: option RHOSTS failed to validate.
msf5 auxiliary(admin/oracle/tnscmd) > set RHOST www.baidu.com
RHOST => www.baidu.com
msf5 auxiliary(admin/oracle/tnscmd) > show options

Module options (auxiliary/admin/oracle/tnscmd):

Name Current Setting Required Description

CMD (CONNECT_DATA=(COMMAND=VERSION)) no Something like ping, version, status, etc..
RHOSTS www.baidu.com yes The target address range or CIDR identifier
RPORT 1521 yes The target port (TCP)

msf5 auxiliary(admin/oracle/tnscmd) > run
[*] Running module against 61.135.169.125

[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).
[] Running module against 61.135.169.121
[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).
[] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/tnscmd) > use auxiliary/admin/oracle/sid_brute
msf5 auxiliary(admin/oracle/sid_brute) > show options

Module options (auxiliary/admin/oracle/sid_brute):

Name Current Setting Required Description

RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port (TCP)
SIDFILE /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt no The file that contains a list of sids.
SLEEP 1 no Sleep() amount between each request.

msf5 auxiliary(admin/oracle/sid_brute) > set RHOST www.baidu.com
RHOST => www.baidu.com
msf5 auxiliary(admin/oracle/sid_brute) > show options

Module options (auxiliary/admin/oracle/sid_brute):

Name Current Setting Required Description

RHOSTS www.baidu.com yes The target address range or CIDR identifier
RPORT 1521 yes The target port (TCP)
SIDFILE /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt no The file that contains a list of sids.
SLEEP 1 no Sleep() amount between each request.

msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 61.135.169.121

[] www.baidu.com:1521 - Starting brute force on www.baidu.com, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).
[] Running module against 61.135.169.125
[] www.baidu.com:1521 - Starting brute force on www.baidu.com, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).
[] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1

[] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'PLSExtProc'
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[] 127.0.0.1:1521 - Done with brute force...
[] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > run
[] Running module against 127.0.0.1

[] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'PLSExtProc'
[-] 127.0.0.1:1521 - The connection was refused by the remote host (127.0.0.1:1521).
[] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1

[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'PLSExtProc'

[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[] 127.0.0.1:1521 - Done with brute force...
[] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) >
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1

[] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[] 127.0.0.1:1521 - Done with brute force...
[] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > run
[] Running module against 127.0.0.1

[] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[] 127.0.0.1:1521 - Done with brute force...
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > exit
[root@204_maridb ~]# /usr/bin/msfconsole
[-] *rting the Metasploit Framework console...|
[-] WARNING: No database support: No database YAML file
[-]

           .;lxO0KXXXK0Oxl:.
       ,o0WMMMMMMMMMMMMMMMMMMKd,
    'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
  :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
.KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,

lWMMMMMMMMMMMXd:.. ..;dKMMMMMMMMMMMMo
xMMMMMMMMMMWd. .oNMMMMMMMMMMk
oMMMMMMMMMMx. dMMMMMMMMMMx
.WMMMMMMMMM: :MMMMMMMMMM,
xMMMMMMMMMo lMMMMMMMMMO
NMMMMMMMMW ,cccccoMMMMMMMMMWlccccc;
MMMMMMMMMX ;KMMMMMMMMMMMMMMMMMMX:
NMMMMMMMMW. ;KMMMMMMMMMMMMMMX:
xMMMMMMMMMd ,0MMMMMMMMMMK;
.WMMMMMMMMMc 'OMMMMMM0,
lMMMMMMMMMMk. .kMMO'
dMMMMMMMMMMWd' ..
cWMMMMMMMMMMMNxc'. ##########
.0MMMMMMMMMMMMMMMMWc #+# #+#
;0MMMMMMMMMMMMMMMo. +:+
.dNMMMMMMMMMMMMo +#++:++#+
'oOWMMMMMMMMo +:+
.,cdkO0K; :+: :+:
:::::::+:
Metasploit

   =[ metasploit v5.0.19-dev-                         ]

• -- --=[ 1880 exploits - 1062 auxiliary - 328 post ]
• -- --=[ 546 payloads - 44 encoders - 10 nops ]
• -- --=[ 2 evasion ]

msf5 > use auxiliary/admin/oracle/tnscmd
msf5 auxiliary(admin/oracle/tnscmd) > show options

Module options (auxiliary/admin/oracle/tnscmd):

Name Current Setting Required Description

CMD (CONNECT_DATA=(COMMAND=VERSION)) no Something like ping, version, status, etc..
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port (TCP)

msf5 auxiliary(admin/oracle/tnscmd) > use auxiliary/admin/oracle/sid_brute
msf5 auxiliary(admin/oracle/sid_brute) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1

[] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[] 127.0.0.1:1521 - Done with brute force...
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) >