Penetration Testing mailing list archives
RE: Oracle?
From: "Majed Al-Masari" <malmassari () hotmail com>
Date: Fri, 25 Sep 2009 00:05:28 +0300
There are numerous exploits relating to Oracle 10/11g @ milw0rm.org mostly SQL Injection techniques: 2009-09-14 Oracle Secure Backup Server 10.3.0.1.0 Auth Bypass/RCI Exploit 4922 R D ikki 2009-07-02 Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit 5452 R D Sumit Siddharth 2009-04-21 Oracle RDBMS 10.2.0.3/11.1.0.6 TNS Listener PoC (CVE-2009-0991) 2934 R D Dennis Yurichev 2009-04-16 Oracle APEX 3.2 Unprivileged DB users can see APEX password hashes 2958 R D Alexander Kornbrust 2009-04-01 Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit 7458 R D Guido Landi 2009-02-18 Oracle 10g MDSYS.SDO_TOPO_DROP_FTBL SQL Injection Exploit (meta) 11105 R D Sh2kerr 2009-01-14 Oracle TimesTen Remote Format String PoC 3880 R D Joxean Koret 2009-01-14 Oracle Secure Backup 10g exec_qr() Command Injection Vulnerability 6587 R D Joxean Koret 2009-01-06 Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit 3998 R D Sh2kerr 2009-01-06 Oracle 10g SYS.LT.MERGEWORKSPACE SQL Injection Exploit 2900 R D Sh2kerr 2009-01-06 Oracle 10g SYS.LT.REMOVEWORKSPACE SQL Injection Exploit 2814 R D Sh2kerr 2008-11-20 Oracle Database Vault ptrace(2) Privilege Escalation Exploit 6095 R D Jakub Wartak 2008-07-19 Oracle Internet Directory 10.1.4 Remote Preauth DoS Exploit 5612 R D Joxean Koret 2008-01-28 Oracle 10g R1 xdb.xdb_pitrig_pkg Buffer Overflow Exploit (PoC) 6657 R D Sh2kerr 2008-01-28 Oracle 10g R1 xdb.xdb_pitrig_pkg PLSQL Injection (change sys password) 8045 R D Sh2kerr 2008-01-28 Oracle 10g R1 pitrig_truncate PLSQL Injection (get users hash) 6555 R D Sh2kerr 2008-01-28 Oracle 10g R1 pitrig_drop PLSQL Injection (get users hash) 6240 R D Sh2kerr 2007-10-27 Oracle 10g LT.FINDRICSET Local SQL Injection Exploit (IDS evasion) 8361 R D Sh2kerr 2007-10-27 Oracle 10g/11g SYS.LT.FINDRICSET Local SQL Injection Exploit (2) 6877 R D bunker 2007-10-27 Oracle 10g/11g SYS.LT.FINDRICSET Local SQL Injection Exploit 5378 R D bunker 2007-10-23 Oracle 10g CTX_DOC.MARKUP SQL Injection Exploit 8921 R D Sh2kerr Best Regards, Eng. Majed Al-Masari -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Xavier Mertens Sent: Thursday, September 24, 2009 12:14 AM To: pen-test () securityfocus com Subject: Oracle? Hi *, I'll perform a pentest against an Oracle DB. Anybody has a list of classic tests to be performed against a version 10 & 11 ? Tx! Xavier -- The computer revolution is over. The computers won. ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------ ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Oracle? Xavier Mertens (Sep 24)
- Re: Oracle? Claudio "BlackFire" Criscione (Sep 25)
- Re: Oracle? Sebastiaan (Sep 25)
- Re: Oracle? Robert Portvliet (Sep 28)
- Re: Oracle? Jirka Vejrazka (Sep 25)
- RE: Oracle? Majed Al-Masari (Sep 25)
- Re: Oracle? Nikhil Wagholikar (Sep 25)
- Re: Oracle? Jerome Athias (Sep 28)