Sumit Siddarth (Sid) has just published a really good whitepaper about „Hacking Oracle from the Web„.This is the most comprehensive published collection of different techniques for attacking Oracle from the web. Sid spent a lot of time composing the different techniques mentioned in various presentations and whitepapers.
Sid describes various techniques like data extraction (inband techniques like union or error messages, out-of-band techniques like heavy queries, blind, …), privilege escalation (sys.kupp$proc, dbms_repcat_rpc and dbms_export_extension) and OS code execution.
Well done Sid.