Chris,

If you'd like to learn about severely owning Oracle, a nice place to start might be my blog =). http://security.is.doomed.org/wordpress/
Also you can head over to a friend of mine's site, http://pentestmonkey.net/cheat-sheets/ for all types of good SQL injection cheat info. =)

There is a nice article on exploiting a few methods of Oracle. One is implanting an SSH key in a log file you control (you can change it to authorized_keys). The other method walks you through actually bruteforcing the database SID, cracking a login, then elevating to DB and running some Java programs to spawn a reverse connecting shell back to you.

Honestly, if you ever respected Oracle... you won't after learning how to own the product.

There's also some stuff on there about owning NFS, JBoss/Tomcat and a buncha other junk. Also some code I wrote.

James

On Wed, 25 May 2011 11:39:22 +0100, Chris Oakley wrote:
> Thanks for the assistance guys. I'll inspect the contents of that
> schema specifically in that case. I should have mentioned that I
> used --exclude-sysdbs with the --dbs flag, I think I just had doubts
> about the results even so! Unfortunately there are no ports other
> than 80 and 443 open so access to this is strictly through the web
> application we're testing. I definitely need to learn more about
> Oracle.
>
> Chris
>
> On 25 May 2011 11:29, wrote:
>
>> Chris,
>>
>> Before bothering with Sqlmap for the injection it might be worth it to
>> check if you can actually access the Oracle instance remotely. You can
>> do this by connecting to the database on port 1521, this is
>> 'tnslistener'.
>>
>> If you can connect to 1521/tcp there's a lot easier ways to
>> manipulate/own the database without sqlmap. Probably quite faster. Also,
>> having access to TNS increases your chances by 50% of owning the
>> underlying OS.
>>
>> James
>>
>> On Wed, 25 May 2011 11:16:29 +0100, Chris Oakley wrote:
>> > Hi All
>> >
>> > Not a sqlmap question as such, but maybe someone can help. I've
>> > found an sqli flaw in a test that has resulted in the following:
>> >
>> > ---
>> > banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi'
>> > current user is DBA: 'False'
>> > current user: 'IFSSYS'
>> >
>> > available databases [4]:
>> > [*] CTXSYS
>> > [*] IFSSYS
>> > [*] SYS
>> > [*] SYSTEM
>> > ---
>> >
>> > These all seem to be system databases. I don't know enough about
>> > Oracle to know if 1) they are all sys dbs 2) if there's anywhere I can
>> > go from here. The content of these databases seems to be all related
>> > to privs and such within Oracle. What I'm looking for is the web app
>> > data. Does anyone more familiar with Oracle know why it would only
>> > be systems databases accessible through the sqli flaw?
>> >
>> > We can try other tactics later but I was just wondering if this is
>> > normal from a data extraction point of view with Oracle. I've dumped
>> > a fair amount of the data and there's none systems related so far...
>> >
>> > Cheers
>> >
>> > Chris