Penetration Testing mailing list archives
Port 1521 aka "Unbreakable" Oracle Server
From: patrik.karlsson () ixsecurity com
Date: Wed, 16 Jan 2002 11:01:18 +0100
After reading some posts on the lists and looking at the scripts at http://www.pentest-limited.com I found that CREATE LIBRARY could be really useful when doing a PenTest. This is used to be able to create extended procedures. To do this you specify which library (dll file) you want to use. Then by creating a FUNCTION in Oracle you point out the function in the dll you want to run.

So one could actually create a library pointing to %windir%\system32\kernel32.dll and specify the winexec as function. Your chances of having that dll on a Windows system are quite big :) Using the function created one could actually execute code on the server with the same privileges as the user which started the server; in Windows this is usually the LocalSystem.

The above could only be done with a user with CREATE LIBRARY permissions. On a default installed Oracle (8.1.5 for Windows) there are 5 of 15 default accounts which can do this.

You also need to know a SID to connect to. This is easily done by querying the Oracle Listener using the services query. If someone has applied a listener password, do a status query; you'll get enough info there.

If this is common knowledge to everyone, sorry for bothering you!

To be able to do all this smoothly, without having to have the Oracle Client installed, one could use these Java-based tools, which run on Windows and/or Linux.

http://www.cqure.net/tools07.html

--
Patrik Karlsson, iXsecurity
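A defensive check for the exposure described in the post above, added here as an example and not part of the original message: it lists which database accounts can create libraries, directly or through roles, and which external libraries are already defined. It assumes a DBA session with access to the standard data dictionary views DBA_USERS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_LIBRARIES; the grantee in the commented REVOKE is a placeholder.

```sql
-- 1. Accounts that hold CREATE LIBRARY or CREATE ANY LIBRARY,
--    either granted directly or inherited through a chain of roles.
SELECT u.username,
       u.account_status
FROM   dba_users u
WHERE  u.username IN (
         -- direct grants to the user
         SELECT sp.grantee
         FROM   dba_sys_privs sp
         WHERE  sp.privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
         UNION
         -- grants inherited from a role: start at every role that holds
         -- the privilege and walk down to everything it was granted to
         SELECT rp.grantee
         FROM   dba_role_privs rp
         START WITH rp.granted_role IN (
                  SELECT sp.grantee
                  FROM   dba_sys_privs sp
                  WHERE  sp.privilege IN ('CREATE LIBRARY',
                                          'CREATE ANY LIBRARY'))
         CONNECT BY PRIOR rp.grantee = rp.granted_role
       )
ORDER  BY u.username;

-- 2. The grants themselves, so each one can be traced to a user or role.
SELECT sp.grantee,
       sp.privilege,
       sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
ORDER  BY sp.grantee, sp.privilege;

-- 3. Libraries that already exist and the file each one points to.
--    Any FILE_SPEC naming an operating system DLL rather than an
--    application library deserves a closer look.
SELECT l.owner,
       l.library_name,
       l.file_spec,
       l.status
FROM   dba_libraries l
ORDER  BY l.owner, l.library_name;

-- 4. Remediation for a grantee that does not need the privilege
--    (placeholder name, substitute the grantee found above):
-- REVOKE CREATE LIBRARY FROM some_grantee;
```

Default accounts that appear in the first result and are not needed should also be locked or have their default passwords changed.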