quentinhardy / odat

ODAT: Oracle Database Attacking Tool
Feature Request - Oracle PL/SQL Client #44

Open mgeeky opened 4 years ago

mgeeky commented 4 years ago

Hi,

Can we have a separate module being a simple REPL interactive shell (with the possibility of providing SQL statements from a batch file - *.sql) offering nothing more than a pseudo-SQL shell? Similar thing to what Impacket offers through their mssqlclient.py.

Features they got there:

     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd
     download {remote} {local}  - download a remote file to a local path
     upload {local} {remote}    - upload a local file to a remote path (OLE required)
     enable_ole                 - you know what it means
     disable_ole                - you know what it means

If we could have something similar - that would be awesome. I was just on an engagement where my SQL*Plus couldn't connect and ODAT easily did. However, since all I had was this standalone version of ODAT, I couldn't write my own module quickly and thus wasn't really able to issue arbitrary SQL queries.

Can we have something like that?

Best regards, Mariusz.

quentinhardy commented 4 years ago

It seems all these features (enable_xp_cmdshell, disable_xp_cmdshell, xp_cmdshell, sp_start_job, minimal sql shell, upload, etc.) are already implemented in odat.

There is already a minimal sql shell in odat. It will take a lot of time to develop a full interactive SQL shell (e.g. create stored procedures) with cx_Oracle. It's better to use sqlplus for executing any requests you want.

What is your case where you can't connect with sqlplus but with odat you can?

mgeeky commented 4 years ago

I don't have access to that deployment anymore, but that was related to a different protocol version supported by sqlplus, where odat supported that protocol. For various reasons I couldn't upload other sqlplus executables.

Maybe that minimal sql shell could be a bit better exposed and referenced? I never knew there was something like that in odat before.

quentinhardy commented 4 years ago

I understand the problem with sqlplus, related to different versions.

About the minimal sql shell, it was a new feature in version 4.2 (04/02/2020). But you can execute 'select' requests only for the moment.