Alexander Kornbrust Oracle Security Blog » Print » Exploits for October 2008 CPU + whitepaper “Different ways to guess SIDs” published

Exploits for October 2008 CPU + whitepaper “Different ways to guess SIDs” published

Dieser Eintrag stammt von Alexander Kornbrust Am 15 Jan 2009 @ 20:31 In Exploit | Keine Kommentare

In the first week of January Alexandr Polyakov from [1] dsec.ru has published 3 exploits on the website of dsec.ru.

Alexandr has published also a really good [5] whitepaper how to guess the SID of Oracle databases. Some of the bugs (database control/database vault control) and techniques (like the concept sidguessing) were found / developed first by Red-Database-Security.

The whitepaper describes

Getting the SID and Servicename
Guessing the SID (default SID, typical SID, dictionary, Bruteforce)
Searching the SID (Database Control, XDB,…)
Getting the SAP SID
Getting the SID via SQL Injection
Getting the SID via the target system (Registry, FTP, MSSQL, OS account)
Getting the SID from the company network (Sniffing, another DB, …)

Dieser Artikel wurde ausgedruckt ab Alexander Kornbrust Oracle Security Blog: http://blog.red-database-security.com

URL zum Artikel: http://blog.red-database-security.com/2009/01/15/exploits-for-october-2008-cpu-whitepaper-different-ways-to-guess-sids-published/

URLs in this post:
[1] dsec.ru: http://www.dsecrg.com/pages/expl/
[2] SYS.LT.COMPRESSWORKSPACE: http://www.dsecrg.com/pages/expl/show.php?id=24
[3] SYS.LT.MERGEWORKSPACE: http://www.dsecrg.com/pages/expl/show.php?id=23
[4] SYS.LT.REMOVEWORKSPACE : http://www.dsecrg.com/pages/expl/show.php?id=22
[5] whitepaper: http://www.dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_
(eng).pdf

Klicken hier zum Drucken.