Penetration Testing mailing list archives
Re: [PEN-TEST] stacking SQL requests
From: Michael Owen <mowen () COSTCO COM>
Date: Wed, 30 Aug 2000 22:10:15 -0700
Emmanuel Gadaix wrote:
Anybody know anything equivalent for _Oracle_ SQL? (sending mail, executing shell commands, etc.) Thanks
The UTL_SMTP package is used for sending emails from an Oracle database. I believe it needs to be 8i, and have most/all of the jserver options installed.

As far as server side executions, the various UTL_* packages will let you do various server-side ops. UTL_FILE will let you read/write to files on the local file system, but it requires the directories (or a * ) be explicitly spelled out in the init.ora file. All file system access would be as the oracle user, not root.

If a site has the Intelligent Agent installed, you can use the enterprise manager client to scan the network for these agents, which will let you know the names of the oracle servers, and possibly the SIDs as well. Using this, you can then try the old "connect internal@sid" trick, as many places don't set a password for the internal user (absolute control of the database).

HTH
Mike

---------------------------------------
Michael Owen
Costco Wholesale
Network Security
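
A defender-side check for the UTL_FILE point in the message above, added here as an example and not part of the original post: it parses init.ora text and flags a wildcard or overly broad directory grant. The parameter name utl_file_dir is the standard init.ora setting for this on releases of that era; the RISKY_DIRS list, the comma-separated handling and the sample file are constructed assumptions.

```python
import re

# Assumption: directories an auditor treats as too broad for UTL_FILE access.
RISKY_DIRS = {"/", "/tmp", "/var/tmp", "/etc"}

# Constructed sample init.ora, not taken from a real system.
SAMPLE = """\
db_name = PROD            # instance settings
#utl_file_dir = /old/path
utl_file_dir = /u01/app/reports
UTL_FILE_DIR = *
utl_file_dir = '/tmp/'
"""

def utl_file_dirs(init_ora_text):
    """Return every directory value assigned to utl_file_dir, in file order."""
    dirs = []
    for raw in init_ora_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop '#' comments
        m = re.match(r"utl_file_dir\s*=\s*(.+)$", line, re.IGNORECASE)
        if not m:
            continue
        # Assumption: tolerate a parenthesised or comma-separated list too.
        for part in m.group(1).strip().strip("()").split(","):
            part = part.strip().strip("'\"")
            if part:
                dirs.append(part)
    return dirs

def audit(init_ora_text):
    """Return (severity, directory, reason) for each risky utl_file_dir entry."""
    findings = []
    for d in utl_file_dirs(init_ora_text):
        norm = d.rstrip("/") or "/"
        if d == "*":
            findings.append(("HIGH", d,
                "wildcard: UTL_FILE can reach any path the oracle OS user can"))
        elif norm in RISKY_DIRS:
            findings.append(("MEDIUM", d,
                "shared or system directory exposed to PL/SQL file I/O"))
    return findings

if __name__ == "__main__":
    for severity, directory, reason in audit(SAMPLE):
        print(f"{severity:6} utl_file_dir={directory}  {reason}")
```
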