Thanks James

I'll take a look and also pass this on to the rest of the team.

Cheers

Chris

On 25 May 2011 12:10, <ja...@ev6.net> wrote:

> Chris,
>
>  If you'd like to learn about severely owning Oracle a nice place to start
> might be my blog =). http://security.is.doomed.org/wordpress/
>
>  Also you can head over to a friend of mine's site,
> http://pentestmonkey.net/cheat-sheets/ for all types of good SQL injection
> cheat info. =)
>
>  There is a nice article on exploiting a few methods of Oracle. One is
> implanting an SSH key in a log file you control (you can change it to
> authorized_keys). The other method walks you through actually brute-forcing
> the database SID, cracking a login, then elevating to DB and running some
> Java programs to spawn a reverse connecting shell back to you.
>
>  Honestly, if you ever respected Oracle... you won't after learning how to
> own the product.
>
>  There's also some stuff on there about owning NFS, JBoss/Tomcat and a
> buncha other junk. Also some codes I wrote
>
> James
>
>
>
> On Wed, 25 May 2011 11:39:22 +0100, Chris Oakley wrote:
>
>> Thanks for the assistance guys.  I'll inspect the contents of that
>> schema specifically in that case.  I should have mentioned that I
>> used --exclude-sysdbs with the --dbs flag, I think I just had doubts
>> about the results even so!  Unfortunately there are no ports other
>> than 80 and 443 open so access to this is strictly through the web
>> application we're testing.  I definitely need to learn more about
>> Oracle.
>>
>> Chris
>>
>> On 25 May 2011 11:29,  wrote:
>>
>>
>>> Chris,
>>>
>>>  Before bothering with Sqlmap for the injection it might be worth it to
>>> check if you can actually access the Oracle instance remotely. You can
>>> do this by connecting to the database on port 1521, this is
>>> 'tnslistener'.
>>>
>>>  If you can connect to 1521/tcp there's a lot easier ways to
>>> manipulate/own the database without sqlmap. Probably quite faster. Also,
>>> having access to TNS increases your chances by 50% of owning the
>>> underlying OS.
>>>
>>> James
>>>
>>> On Wed, 25 May 2011 11:16:29 +0100, Chris Oakley wrote:
>>> > Hi All
>>> >
>>> > Not a sqlmap question as such, but maybe someone can help.  I've
>>> > found an sqli flaw in a test that has resulted in the following:
>>> >
>>> > ---
>>> > banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi'
>>> > current user is DBA:    'False'
>>> > current user:    'IFSSYS'
>>> >
>>> > available databases [4]:
>>> > [*] CTXSYS
>>> > [*] IFSSYS
>>> > [*] SYS
>>> > [*] SYSTEM
>>> > ---
>>> >
>>> > These all seem to be system databases.  I don't know enough about
>>> > Oracle to know if 1) they are all sys dbs 2) if there's anywhere I can
>>> > go from here.  The content of these databases seems to be all related
>>> > to privs and such within Oracle.  What I'm looking for is the web app
>>> > data.  Does anyone more familiar with Oracle know why it would only
>>> > be systems databases accessible through the sqli flaw?
>>> >
>>> > We can try other tactics later but I was just wondering if this is
>>> > normal from a data extraction point of view with Oracle.  I've dumped
>>> > a fair amount of the data and there's none systems related so far...
>>> >
>>> > Cheers
>>> >
>>> > Chris
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users