Skip to content

Commit 52c7424

Browse files
committed
Adding support for Oracle 12C password hashes
1 parent 827ec0a commit 52c7424

4 files changed

Lines changed: 24 additions & 4 deletions

File tree

data/xml/queries.xml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -280,8 +280,8 @@
280280
<blind query="SELECT USERNAME FROM (SELECT USERNAME,ROWNUM AS CAP FROM SYS.ALL_USERS) WHERE CAP=%d" count="SELECT COUNT(USERNAME) FROM SYS.ALL_USERS"/>
281281
</users>
282282
<passwords>
283-
<inband query="SELECT NAME,PASSWORD FROM SYS.USER$" condition="NAME"/>
284-
<blind query="SELECT PASSWORD FROM (SELECT PASSWORD,ROWNUM AS CAP FROM SYS.USER$ WHERE NAME='%s') WHERE CAP=%d" count="SELECT COUNT(PASSWORD) FROM SYS.USER$ WHERE NAME='%s'"/>
283+
<inband query="SELECT NAME,COALESCE(REGEXP_SUBSTR(SPARE4,'S:[0-9A-F]{60}'),REGEXP_SUBSTR(SPARE4,'T:[0-9A-F]{160}'),PASSWORD) FROM SYS.USER$" condition="NAME"/>
284+
<blind query="SELECT COALESCE(REGEXP_SUBSTR(SPARE4,'S:[0-9A-F]{60}'),REGEXP_SUBSTR(SPARE4,'T:[0-9A-F]{160}'),PASSWORD) FROM (SELECT SPARE4,PASSWORD,ROWNUM AS CAP FROM SYS.USER$ WHERE NAME='%s') WHERE CAP=%d" count="SELECT COUNT(*) FROM SYS.USER$ WHERE NAME='%s'"/>
285285
</passwords>
286286
<!--
287287
NOTE: in Oracle to enumerate the privileges for the session user you can use:

lib/core/enums.py

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -188,6 +188,7 @@ class HASH(object):
188188
MSSQL_OLD = r'(?i)\A0x0100[0-9a-f]{8}[0-9a-f]{80}\Z'
189189
MSSQL_NEW = r'(?i)\A0x0200[0-9a-f]{8}[0-9a-f]{128}\Z'
190190
ORACLE = r'(?i)\As:[0-9a-f]{60}\Z'
191+
ORACLE_12C = r'(?i)\At:[0-9a-f]{160}\Z'
191192
ORACLE_OLD = r'(?i)\A[0-9a-f]{16}\Z'
192193
MD5_GENERIC = r'(?i)\A(0x)?[0-9a-f]{32}\Z'
193194
SHA1_GENERIC = r'(?i)\A(0x)?[0-9a-f]{40}\Z'

lib/core/settings.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@
2020
from thirdparty import six
2121

2222
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
23-
VERSION = "1.10.7.71"
23+
VERSION = "1.10.7.72"
2424
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
2525
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
2626
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

lib/utils/hash.py

Lines changed: 20 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -240,6 +240,22 @@ def oracle_passwd(password, salt, uppercase=True):
240240

241241
return retVal.upper() if uppercase else retVal.lower()
242242

243+
def oracle_12c_passwd(password, salt, uppercase=False, **kwargs): # 'T:' verifier since version '12c' (PBKDF2-HMAC-SHA512 then SHA-512)
244+
"""
245+
Reference(s):
246+
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/
247+
https://hashcat.net/wiki/doku.php?id=example_hashes (mode 12300)
248+
249+
>>> oracle_12c_passwd(password='hashcat', salt='34141655046766111066420254008225', uppercase=True)
250+
'T:78281A9C0CF626BD05EFC4F41B515B61D6C4D95A250CD4A605CA0EF97168D670EBCB5673B6F5A2FB9CC4E0C0101E659C0C4E3B9B3BEDA846CD15508E88685A2334141655046766111066420254008225'
251+
"""
252+
253+
binsalt = decodeHex(salt)
254+
key = pbkdf2_hmac("sha512", getBytes(password), binsalt + b"AUTH_PBKDF2_SPEEDY_KEY", 4096, 64)
255+
retVal = "t:%s%s" % (sha512(key + binsalt).hexdigest(), salt)
256+
257+
return retVal.upper() if uppercase else retVal.lower()
258+
243259
def oracle_old_passwd(password, username, uppercase=True): # prior to version '11g'
244260
"""
245261
Reference(s):
@@ -753,6 +769,7 @@ def _encode64(input_, count):
753769
HASH.MSSQL_OLD: mssql_old_passwd,
754770
HASH.MSSQL_NEW: mssql_new_passwd,
755771
HASH.ORACLE: oracle_passwd,
772+
HASH.ORACLE_12C: oracle_12c_passwd,
756773
HASH.ORACLE_OLD: oracle_old_passwd,
757774
HASH.MD5_GENERIC: md5_generic_passwd,
758775
HASH.SHA1_GENERIC: sha1_generic_passwd,
@@ -1273,6 +1290,8 @@ def dictionaryAttack(attack_dict):
12731290
item = [(user, hash_), {'username': user}]
12741291
elif hash_regex in (HASH.ORACLE,):
12751292
item = [(user, hash_), {"salt": hash_[-20:]}]
1293+
elif hash_regex in (HASH.ORACLE_12C,):
1294+
item = [(user, hash_), {"salt": hash_[-32:]}]
12761295
elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD, HASH.MSSQL_NEW):
12771296
item = [(user, hash_), {"salt": hash_[6:14]}]
12781297
elif hash_regex in (HASH.CRYPT_GENERIC,):
@@ -1335,7 +1354,7 @@ def dictionaryAttack(attack_dict):
13351354
while not kb.wordlists:
13361355

13371356
# the slowest of all methods hence smaller default dict
1338-
if hash_regex in (HASH.ORACLE_OLD, HASH.PHPASS, HASH.SHA256_UNIX_CRYPT, HASH.SHA512_UNIX_CRYPT, HASH.WERKZEUG_SCRYPT, HASH.BCRYPT, HASH.WORDPRESS_BCRYPT, HASH.MYSQL_SHA2):
1357+
if hash_regex in (HASH.ORACLE_OLD, HASH.ORACLE_12C, HASH.PHPASS, HASH.SHA256_UNIX_CRYPT, HASH.SHA512_UNIX_CRYPT, HASH.WERKZEUG_SCRYPT, HASH.BCRYPT, HASH.WORDPRESS_BCRYPT, HASH.MYSQL_SHA2):
13391358
dictPaths = [paths.SMALL_DICT]
13401359
else:
13411360
dictPaths = [paths.WORDLIST]

0 commit comments

Comments
 (0)