Cannot Connect to Oracle Database Directly

[capnspacehook]

I am trying to connect to the 'silo' box on the hackthebox network. I have correctly configured and setup all the necessary Oracle tools and packages, I know this because I can connect to the database fine with sqlplus. When I try to connect with sqlmap however, it errors out.

root@kali:/sqlmap# ./sqlmap.py -d oracle://scott:tiger@10.10.10.82:1521/XE
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.2.4.21#dev}
|_ -| . [']     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 18:45:33

[18:45:34] [ERROR] please update the 'sqlalchemy' package (Reference: https://github.com/apache/incubator-superset/issues/3447)

[*] shutting down at 18:45:34

I've even tried with sqlalchemy at version 1.1.9 and cx_Oracle at version 5.1.3 as said to be working in the github link sqlmap returned, but only got the same result.

• Installed via git clone
• Client OS: Kali Linux
• version 1.2.4.21#dev
• Target DBMS is Oracle 11g
• sqlalchemy version: 1.2.7
• cx_Oracle version: 6.2.1

[stamparm]

https://github.com/apache/incubator-superset/issues/3447

Temporary Work around

I was able to install cx_Oracle version 5.1.3 and these errors were resolved. I believe you are refactoring for cx_Oracle 6+, so reverting to the older version of cx_Oracle is a temporary measure.

It seems that (as you have newer sqlalchemy version) that downgrading of cx_Oracle is the solution for this whole sqlalchemy+cx_Oracle mess. Please try to downgrade and report back (I could then change the message accordingly)

[capnspacehook]

Sorry for the late reply. End of semester work has me super busy.

So I tried running the same command as above with cx_Oracle at version 5.1.3, and sqlmap told me sqlalchemy requires version 5.2 or greater of cx_Oracle. I tried running with cx_Oracle at version 5.3, and sqlmap printed the same error message as above: update sqlalchemy.

I'm thinking this is a problem with sqlalchemy, not sqlmap...? Or am I wrong?

[stamparm]

This is an issue of sqlalchemy+cx_Oracle in general. Though, I would not have anything against to know the workaround in your case. If you have time you could try to create a direct Oracle connection from python and reply whether you had the problems:

import cx_Oracle

user = "username"
password = "password"
hostname = "hostname"
port = 1234
db = "db"

dsn = cx_Oracle.makedsn(hostname, port, db)
connector = cx_Oracle.connect(dsn=dsn, user=user, password=password)

[stamparm]

Before doing the above thing I just stumbled upon this: https://qiita.com/tkprof/items/7d7b2d00df9c5f16fffe

sqlalchemy should be >= 1.1.11

[Art21XX]

So i came across the same issue as op, i was able to successfully make a manual connection as you stated, Python 2.7.15rc1 (default, Apr 15 2018, 21:51:34) [GCC 7.3.0] on linux2 Type "help", "copyright", "credits" or "license" for more information.

import cx_Oracle user = "scott" password = "tiger" hostname = "10.10.10.82" port = 1521 db = "XE" dsn = cx_Oracle.makedsn(hostname, port, db) connector = cx_Oracle.connect(dsn=dsn, user=user, password=password) db.version connector.version '11.2.0.2.0'

I looked into that link you mentioned but not understanding what needs to be changed. It seems like its just asking for the latest version of sqlalchemy which i've installed, or is it referencing something else?

Thanks again.

[capnspacehook]

@Art21XX what version is cx_Oracle and sqlalchemy on your box?

I tried the same thing as you did but couldn't make a successful connection. Don't know what is wrong

[Art21XX]

import sqlalchemy sqlalchemy.version '1.2.7' import cx_Oracle cx_Oracle.version '6.2.1'

[stamparm]

Leaving this here for my future self (sudo pip install sqlalchemy cx_Oracle):

import cx_Oracle
import sqlalchemy

conn_string = 'oracle://{username}:{password}@{hostname}:{port}/{database}?mode={mode}'
engine = sqlalchemy.create_engine(
    conn_string.format(
        username='SYS',
        password='testpass',
        hostname='debiandev',
        port='1521',
        database='testdb',
    mode='SYSDBA'
    )
)
conn = engine.connect()

print "sqlalchemy:", sqlalchemy.__version__
print "cx_Oracle:", cx_Oracle.version
print "---"

query = "SELECT 1 FROM DUAL"
result = conn.execute(query)
print "%s:" % query, result.next()[0]
conn.close()

[stamparm]

Please update to the latest revision and retry. I was able to reproduce the problem in my setup (sqlalchemy: 1.2.7; cx_Oracle: 6.1). Latest commit/revision solves it.

[Art21XX]

Hey sorry for the delayed response. Yup that did the job thank you very much.