Showing posts with label oracle. Show all posts

Sunday, July 29, 2007

Oracle 9i/10g Views exploit

A quick one for the weekend: Rawlab has released a small SQL exploit for a recently patched Oracle 9i/10g vulnerability involving specially crafted views. The flaw lets an ordinary database user insert, update and delete records with SYSTEM privileges. The exploit updates a specified user account in SYS.USER$ with a new password; the code is straightforward enough to adapt if you want to tamper with other records in system tables. Since the bug is already patched, it is only useful against instances that have not taken the fix, so check the patch level before relying on it. I've hit a streak of insecure Oracle databases over the last few pen-tests, so this might be a useful tool to add to my collection.

Friday, July 6, 2007

Hacking Oracle Application Servers

A recent post on Darknet turned me on to a new tool for testing Oracle Application Servers called OAPScan. This neat little Perl script is similar to Nikto: it does a "dumb" crawl of web servers driven by a scan database and uses pattern matching on server responses to decide whether particular files, paths and vulnerabilities are present. Unlike Nikto, though, OAPScan's database carries a large number of checks specific to Oracle Application Servers, which I encounter frequently on both external and internal pen-tests.

Oracle AS ships with all sorts of default files, sample scripts, Data Access Descriptors (DADs) and other features that people forget to disable when deploying these servers. In some cases they reveal useful information about the server, and in others they are the entry point for more serious vulnerabilities such as SQL injection and file disclosure.
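To make the Nikto-style approach concrete, here is an added Python example (not OAPScan's code, and not from the original post) of a check-database scanner plus a DAD enumerator for the PL/SQL gateway. The check paths, patterns and the sample responses are constructed for illustration: the paths are ones I would expect on a 9i/10g Oracle AS install, but they are assumptions, and OAPScan's own database should be used for real testing.

```python
"""Nikto/OAPScan-style check scanner with an injectable fetcher.

Added example; not OAPScan's code. Paths, patterns and sample responses
below are assumptions for illustration, not a verified scan database.
"""
import hashlib
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

Fetcher = Callable[[str], Tuple[int, str]]  # path -> (status, body)


@dataclass(frozen=True)
class Check:
    name: str
    path: str
    pattern: str                  # regex searched in the body, case-insensitive
    status: Optional[int] = None  # when set, the response status must match


# Illustrative check database (assumed Oracle AS components, see lead-in).
CHECKS = (
    Check("plsql-gateway", "/pls/", r"DAD|mod_plsql|PL/SQL"),
    Check("dms-monitor", "/dms0", r"Dynamic Monitoring|DMS"),
    Check("soap-router", "/soap/servlet/soaprouter", r"SOAP"),
    Check("xsql-servlet", "/xsql/", r"XSQL"),
)


def http_fetcher(base_url: str, timeout: float = 5.0) -> Fetcher:
    """Fetcher over urllib for a real host; HTTP errors still yield a body."""
    def fetch(path: str) -> Tuple[int, str]:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "check-scan/0.1"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read(65536).decode("latin-1")
        except urllib.error.HTTPError as err:
            return err.code, err.read(65536).decode("latin-1")
        except (urllib.error.URLError, OSError):
            return 0, ""
    return fetch


def run_checks(fetch: Fetcher, checks: Iterable[Check] = CHECKS) -> List[str]:
    """Names of checks whose response matched status (if given) and pattern."""
    hits = []
    for check in checks:
        status, body = fetch(check.path)
        if check.status is not None and status != check.status:
            continue
        if re.search(check.pattern, body, re.IGNORECASE):
            hits.append(check.name)
    return hits


def _fingerprint(name: str, status: int, body: str) -> Tuple[int, str]:
    # Strip the echoed DAD name, digits and whitespace so two "unknown DAD"
    # pages that differ only in the name or a timestamp fingerprint the same.
    body = re.sub(re.escape(name), "", body, flags=re.IGNORECASE)
    body = re.sub(r"\d+|\s+", "", body)
    return status, hashlib.sha256(body.encode("utf-8")).hexdigest()


def enumerate_dads(fetch: Fetcher, candidates: Iterable[str],
                   baseline: str = "zz_no_such_dad_zz") -> List[str]:
    """DAD names under /pls/ whose response differs from a nonexistent DAD."""
    base = _fingerprint(baseline, *fetch(f"/pls/{baseline}/"))
    return [name for name in candidates
            if _fingerprint(name, *fetch(f"/pls/{name}/")) != base]


# Constructed stand-in for an Oracle AS host so the example runs offline.
SAMPLE_RESPONSES = {
    "/pls/": (404, "<html>No DAD configuration found for /pls/</html>"),
    "/dms0": (200, "<html><title>Oracle Dynamic Monitoring Service</title></html>"),
    "/pls/portal/": (200, "<html><title>Oracle Portal</title></html>"),
    "/pls/orasso/": (302, "<html>Moved to /pls/orasso/orasso.home</html>"),
}


def sample_fetch(path: str) -> Tuple[int, str]:
    if path in SAMPLE_RESPONSES:
        return SAMPLE_RESPONSES[path]
    if path.startswith("/pls/"):
        dad = path.split("/")[2]
        return 404, f"<html>No DAD configuration found for {dad}</html>"
    return 404, "<html>Not Found</html>"


if __name__ == "__main__":
    print("hits:", run_checks(sample_fetch))
    print("DADs:", enumerate_dads(sample_fetch, ["portal", "orasso", "nothing"]))
```

Against a live target, replace `sample_fetch` with `http_fetcher("http://host:7777")`. The DAD enumerator deliberately compares each candidate against a baseline request for a name that cannot exist, rather than trusting status codes, because gateway error pages are often served as 200; the fingerprint strips the echoed name, digits and whitespace so only genuinely different pages are reported. Like any crawler-style tool this is noisy, so expect it to light up server logs.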

In the past I've always had to crawl through these servers by hand, and would perform manual tests based on guidance from two excellent whitepapers:
(Method #6 in the OWASP guide for bypassing the PL/SQL exclusion list to perform SQL injection almost always works for me; I don't think it was patched until late last year.)

OAPScan will automate a lot of those testing steps for me, albeit as noisily as any other tool that crawls or scans web servers. If nothing else, its scan database is a good reference for what to check manually, in concert with the whitepapers I mentioned above.