Penetration Testing mailing list archives
Re: [PEN-TEST] Oracle
From: Michael Owen <mowen () COSTCO COM>
Date: Tue, 12 Dec 2000 09:46:51 -0800
Do someone know how to execute some shell command on Unix OS using a SQL request via Oracle like : select a from b where a=<here you can rite your exploit>.
From sqlplus, you can use "!command" to run commands.
This will only run on the client machine ie. yours. If you are running off of a shell on the server, then it would execute on the local server, under your permissions. You do not gain elevated permissions from it, but if all you want to do is run shell code, then it might work for you.
Is there a solution like the xp_cmdshell ?
With 8i, there are options for running java and c code in the database, but I haven't played around with it enough to know what context it runs in, or what permissions you need. AFAIK, there is no hole as easy as the xp_cmdshell sql server one. Mike ---------------------------------- Michael Owen Costco Wholesale Network Security (425) 313-2957
Current thread:
- [PEN-TEST] Oracle D V (Dec 13)
- Re: [PEN-TEST] Oracle Vanja Hrustic (Dec 13)
- Re: [PEN-TEST] Oracle Jamie Lawrence (Dec 13)
- <Possible follow-ups>
- Re: [PEN-TEST] Oracle Michael Owen (Dec 13)
- Re: [PEN-TEST] Oracle Vanja Hrustic (Dec 13)