- Alexander Kornbrust Oracle Security Blog - http://blog.red-database-security.com -

Perl - Script to run OS commands via Oracle based Web Apps released

Posted by Alexander Kornbrust on 1 May 2009 @ 15:55 in Tools, Exploit, SQL Injection | No comments

Sumit Siddharth from [1] www.notsosecure.com has released a small Perl script to [2] run OS commands via Oracle based Web Apps. Sumit is using the bug in dbms_export_extension. This problem was fixed with CPU July 2006, but all databases without this CPU (or a higher CPU or patchset) are affected (Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1 - 10.2.0.2, XE). More details are available in my [3] updated tutorial.

I tested the script together with him against several of my test databases.

Run OS Commands via webapps via perl script

The script is easy to use. Under MacOS I had to install p5-libwww-perl to run it.

At the moment the script does not work against Oracle databases without Java, but I am sure sooner or later this will be changed. In my opinion the most generic way to run OS commands (as user Oracle) is PL/SQL native ([4] Oracle 9i, [5] Oracle 10g/11g).
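For defenders, a log check for the traffic described above, added here as an example that is not part of the original post or of Sumit's script: it flags access-log requests whose decoded URI names dbms_export_extension and, as a weaker signal, the default libwww-perl user agent. The Apache combined log format, the sample lines and the assumption that the client keeps LWP's default agent string are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache combined log format: request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<uri>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
PACKAGE = "dbms_export_extension"  # package named in the post

def normalise(uri, rounds=3):
    """URL-decode up to `rounds` times (catches double encoding), then lowercase."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()

def classify(line):
    """Return (severity, reason) for one log line, or None if nothing matched."""
    m = LOG_RE.search(line)
    if not m:
        return None
    if PACKAGE in normalise(m.group("uri")):
        return ("high", "package name in request URI")
    # Assumption: the client keeps LWP's default agent string "libwww-perl/<ver>".
    if m.group("ua").lower().startswith("libwww-perl/"):
        return ("low", "default libwww-perl user agent")
    return None

def scan(lines):
    """Return [(line_number, severity, reason)] for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((number, *result))
    return hits

# Constructed sample lines (documentation addresses, payload redacted).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2009:15:40:01 +0200] "GET /shop/item?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [01/May/2009:15:41:12 +0200] "GET /shop/item?id=42%27%7C%7CDBMS_EXPORT_EXTENSION.%5Bredacted%5D HTTP/1.1" 500 312 "-" "libwww-perl/5.805"',
    '192.0.2.78 - - [01/May/2009:15:42:30 +0200] "GET /shop/item?id=42%2527%257C%257Cdbms%255Fexport%255Fextension%252E%255Bredacted%255D HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '192.0.2.79 - - [01/May/2009:15:43:05 +0200] "GET /robots.txt HTTP/1.1" 200 64 "-" "libwww-perl/5.805"',
]

if __name__ == "__main__":
    for number, severity, reason in scan(SAMPLE_LOG):
        print(f"line {number}: {severity}: {reason}")
```

Access logs do not record POST bodies, so parameters injected that way have to be caught at a WAF or in database auditing instead.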


URL to article: http://blog.red-database-security.com/2009/05/01/perl-script-to-run-os-commands-via-oracle-based-web-apps-released/

URLs in this post:
[1] www.notsosecure.com: http://www.notsosecure.com
[2] run OS commands: http://www.notsosecure.com/folder2/ora_cmd_exec.pl
[3] updated tutorial: http://www.red-database-security.com/tutorial/run_os_commands_via_webapp.html
[4] Oracle 9i: http://www.red-database-security.com/tutorial/run_os_commands_via_plsql_native_9i.html
[5] Oracle 10g/11g: http://www.red-database-security.com/tutorial/run_os_commands_via_plsql_native_10g11g.html