Penetration Testing mailing list archives

Re: [PEN-TEST] Oracle


From: Vanja Hrustic <vanja () RELAYGROUP COM>
Date: Wed, 13 Dec 2000 01:59:12 +0700

On Mon, Dec 11, 2000 at 09:41:58AM +0100, D V wrote:
Hi,

Does someone know how to execute some shell command on
Unix OS using a SQL request via Oracle like:
select a from b where a=<here you can write your
exploit>.

Is there a solution like the xp_cmdshell?

Nothing that easy. There is a way, but it requires an administrator to create a shared library, 'plug it' into Oracle, and specifically enable a user to be able to use it in order to execute commands. I've also seen some info related to Java 'plugs' in Oracle (which are not there by default), which could allow users to execute commands. Of course, only 'administrator approved' users :)

--

Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time
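
Added example, not part of the original message: a DBA-side audit of the two administrator-controlled paths the reply describes (registered shared libraries and Java permissions), listing what is plugged in and who has been approved to use it. It assumes a DBA account with access to the standard Oracle dictionary views named in the queries; the fourth query only works where the Java option is installed.

```sql
-- Added audit example (not from the original thread); run as a DBA.

-- 1. Shared libraries an administrator has registered in the database.
SELECT owner, library_name, file_spec, dynamic, status
FROM   dba_libraries
WHERE  file_spec IS NOT NULL
ORDER  BY owner, library_name;

-- 2. Accounts and roles that are able to register new libraries.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
ORDER  BY grantee;

-- 3. Users and roles specifically enabled to call into a registered library.
--    Library grants appear in DBA_TAB_PRIVS with the library name in TABLE_NAME.
SELECT p.grantee, p.owner, p.table_name AS library_name, p.grantable
FROM   dba_tab_privs p
JOIN   dba_libraries l
       ON  l.owner = p.owner
       AND l.library_name = p.table_name
WHERE  p.privilege = 'EXECUTE'
ORDER  BY p.grantee, p.owner, p.table_name;

-- 4. Java policy entries that permit executing operating system programs.
--    DBA_JAVA_POLICY exists only when the Java option is installed.
SELECT grantee, kind, type_name, name, action, enabled
FROM   dba_java_policy
WHERE  type_name = 'java.io.FilePermission'
AND    LOWER(action) LIKE '%execute%'
ORDER  BY grantee, name;
```

Rows from queries 2 to 4 whose grantee is not an expected administrative account or role are the ones to review first.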

