ODAT

REQUIRED PACKAGES

These packages are required prior to enumerating and interacting with the TNS listener.

root@oco:~$ cd ~
root@oco:~$ git clone https://github.com/quentinhardy/odat.git
root@oco:~$ cd odat/
root@oco:~$ pip install python-libnmap
root@oco:~$ git submodule init
root@oco:~$ git submodule update
root@oco:~$ pip3 install cx_Oracle
root@oco:~$ sudo apt-get install python3-scapy -y
root@oco:~$ sudo pip3 install colorlog termcolor passlib python-libnmap
root@oco:~$ sudo apt-get install build-essential libgmp-dev -y
root@oco:~$ pip3 install pycryptodome
 --2025-06-24 00:24:53--  https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-basic-linux.x64-21.4.0.0.0dbru.zip
 Resolving download.oracle.com (download.oracle.com)... 23.58.104.121
 Connecting to download.oracle.com (download.oracle.com)|23.58.104.121|:443... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 79386308 (76M) [application/zip]
 Saving to: ‘instantclient-basic-linux.x64-21.4.0.0.0dbru.zip’

 <SNIP>

ORACLE DATABASE ATTACKING TOOL (ODAT)

This is an open-source penetration testing tool written in Python and designed to enumerate and exploit vulnerabilities in Oracle databases. It can be used to identify and exploit various security flaws in Oracle databases, including SQL injection, remote code execution, and privilege escalation.

RETRIEVING USER ACCOUNTS, SID, ETC

The odat.py tool can perform a variety of scans to enumerate and gather information about the Oracle database services and their components. Those scans can retrieve database names, versions, running processes, user accounts, vulnerabilities, misconfigurations, etc.

UPLOADING MALICIOUS SHELL

This requires the server to run a web server, and the exact location of the web server's root directory must be known for this to work.
