Re: [sqlmap-users] Oracle Results
From: Chris O. <chr...@gm...> - 2011-05-25 11:13:48
Thanks James, I'll take a look and also pass this on to the rest of the team.

Cheers

Chris

On 25 May 2011 12:10, <ja...@ev...> wrote:

> Chris,
>
> If you'd like to learn about severely owning Oracle a nice place to start
> might be my blog =). http://security.is.doomed.org/wordpress/
>
> Also you can head over to a friend of mine's site,
> http://pentestmonkey.net/cheat-sheets/ for all types of good SQL injection
> cheat info. =)
>
> There is a nice article on exploiting a few methods of Oracle. One is
> implanting an SSH key in a log file you control (you can change it to
> authorized_keys). The other method walks you through actually brute-forcing
> the database SID, cracking a login, then elevating to DB and running some
> Java programs to spawn a reverse connecting shell back to you.
>
> Honestly, if you ever respected Oracle .. you won't after learning how to
> own the product.
>
> There's also some stuff on there about owning NFS, JBoss/Tomcat and a
> buncha other junk. Also some code I wrote.
>
> James
>
> On Wed, 25 May 2011 11:39:22 +0100, Chris Oakley wrote:
>
>> Thanks for the assistance guys. I'll inspect the contents of that
>> schema specifically in that case. I should have mentioned that I
>> used --exclude-sysdbs with the --dbs flag, I think I just had doubts
>> about the results even so! Unfortunately there are no ports other
>> than 80 and 443 open so access to this is strictly through the web
>> application we're testing. I definitely need to learn more about
>> Oracle.
>>
>> Chris
>>
>> On 25 May 2011 11:29, wrote:
>>
>>> Chris,
>>>
>>> Before bothering with sqlmap for the injection it might be worth it to
>>> check if you can actually access the Oracle instance remotely. You can
>>> do this by connecting to the database on port 1521, this is
>>> 'tnslistener'.
>>>
>>> If you can connect to 1521/tcp there are a lot of easier ways to
>>> manipulate/own the database without sqlmap. Probably quite a bit faster.
>>> Also, having access to TNS increases your chances by 50% of owning the
>>> underlying OS.
>>>
>>> James
>>>
>>> On Wed, 25 May 2011 11:16:29 +0100, Chris Oakley wrote:
>>> > Hi All
>>> >
>>> > Not a sqlmap question as such, but maybe someone can help. I've
>>> > found an sqli flaw in a test that has resulted in the following:
>>> >
>>> > ---
>>> > banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi'
>>> > current user is DBA: 'False'
>>> > current user: 'IFSSYS'
>>> >
>>> > available databases [4]:
>>> > [*] CTXSYS
>>> > [*] IFSSYS
>>> > [*] SYS
>>> > [*] SYSTEM
>>> > ---
>>> >
>>> > These all seem to be system databases. I don't know enough about
>>> > Oracle to know if 1) they are all sys dbs 2) if there's anywhere I can
>>> > go from here. The content of these databases seems to be all related
>>> > to privs and such within Oracle. What I'm looking for is the web app
>>> > data. Does anyone more familiar with Oracle know why it would only
>>> > be systems databases accessible through the sqli flaw?
>>> >
>>> > We can try other tactics later but I was just wondering if this is
>>> > normal from a data extraction point of view with Oracle. I've dumped
>>> > a fair amount of the data and there's none systems related so far...
>>> >
>>> > Cheers
>>> >
>>> > Chris