Penetration Testing mailing list archives

Re: [PEN-TEST] stacking SQL requests


From: Michael Owen <mowen () COSTCO COM>
Date: Wed, 30 Aug 2000 22:10:15 -0700

Emmanuel Gadaix wrote:
Does anybody know of anything equivalent for _Oracle_ SQL?

(sending mail, executing shell commands, etc.)

Thanks


The UTL_SMTP package is used for sending emails from an Oracle database. I
believe it needs to be 8i, and have most/all of the jserver options
installed.

As for server-side execution, the various UTL_* packages will let you do
various server-side ops. UTL_FILE will let you read/write to files on the
local file system, but it requires the directories (or a *) to be explicitly
spelled out in the init.ora file. All file system access would be as the
oracle user, not root.

If a site has the Intelligent Agent installed, you can use the Enterprise
Manager client to scan the network for these agents, which will let you know
the names of the Oracle servers, and possibly the SIDs as well. Using this,
you can then try the old "connect internal@sid" trick, as many places don't
set a password for the internal user (absolute control of the database).

HTH
Mike

---------------------------------------
Michael Owen
Costco Wholesale
Network Security
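A quick audit a DBA can run against the three points Mike raises (what utl_file_dir allows, whether the UTL_* packages are executable by PUBLIC, and whether INTERNAL/SYSDBA logins are backed by a password file). This is an added example, not part of the original message; it assumes a SQL*Plus session on an 8i-era instance with SELECT on V$PARAMETER, V$PWFILE_USERS and the DBA_* views.

```sql
-- Added audit example (not from the thread). Assumes a DBA-privileged session.

-- 1. Which OS directories UTL_FILE may read/write. A value of '*' means any
--    directory the oracle OS user can reach, which is the setting to avoid.
SELECT name, value
  FROM v$parameter
 WHERE name = 'utl_file_dir';

-- 2. Are the server-side UTL_* packages executable by every account?
--    Any row here means any injectable statement, from any user, can reach
--    the file system (UTL_FILE) or send mail (UTL_SMTP).
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE table_name IN ('UTL_FILE', 'UTL_SMTP')
   AND grantee = 'PUBLIC';

-- 3. Is a password file in use for SYSDBA/INTERNAL connections?
--    'NONE' means no password file; 'EXCLUSIVE' means one is in use.
SELECT name, value
  FROM v$parameter
 WHERE name = 'remote_login_passwordfile';

-- Which accounts hold SYSDBA/SYSOPER through that password file.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- Remediation for finding 2: pull the packages back from PUBLIC and grant
-- EXECUTE only to the specific schemas that actually need them.
REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;
REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;
```

Set a password for SYS/INTERNAL with orapwd and restrict utl_file_dir to named directories rather than '*' to close the other two findings.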

