Penetration Testing mailing list archives

FW: Pen Testing a Oracle database. How to pull data?


From: "Ivan Buetler" <ivan.buetler () csnc ch>
Date: Wed, 27 Jun 2001 14:48:59 +0200

Hi all,

I wrote my little dirty article about Oracle security. Check out:

http://www.csnc.ch/download/sources/Oracle-Security-Check-CSNC-V2.0.pdf


When doing application security, we ask the client about permissions the
transaction user (trx) has within an application. Does this user require
insert/delete privileges? Do they split admin tasks from normal operations
or does the trx user own all data? Do they use stored procedures or how
does it work? Where does the db-client store its credentials? The article
above might help you to perform database analysis. It's still a draft!!

Feedback and tips on how to increase the quality are welcome.

Ivan
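
The questions in the message above (does the trx user need insert/delete, does it own the data, are stored procedures used) can be answered from the Oracle data dictionary. The following is an added example, not part of the original post or the linked article; the account name APP_TRX is a hypothetical placeholder, and it assumes SQL*Plus and a reviewer account that can read the DBA_* views.

```sql
-- Added example, not from the original post. APP_TRX is a hypothetical
-- transaction account; run in SQL*Plus as a user who can read DBA_* views.
DEFINE trx_user = APP_TRX

-- Roles reaching the account, directly or through nested role grants.
SELECT granted_role, admin_option
  FROM dba_role_privs
 START WITH grantee = '&trx_user'
CONNECT BY PRIOR granted_role = grantee;

-- System privileges, direct or inherited. ANY-privileges or ADMIN OPTION on
-- an application account usually mean admin tasks are not split out.
SELECT grantee AS held_via, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = '&trx_user'
    OR grantee IN (SELECT granted_role
                     FROM dba_role_privs
                    START WITH grantee = '&trx_user'
                  CONNECT BY PRIOR granted_role = grantee)
 ORDER BY held_via, privilege;

-- Does the account hold insert/update/delete on tables, and on which ones?
SELECT owner, table_name, privilege, grantable, grantee AS held_via
  FROM dba_tab_privs
 WHERE privilege IN ('INSERT', 'UPDATE', 'DELETE')
   AND (grantee = '&trx_user'
        OR grantee IN (SELECT granted_role
                         FROM dba_role_privs
                        START WITH grantee = '&trx_user'
                      CONNECT BY PRIOR granted_role = grantee))
 ORDER BY owner, table_name, privilege;

-- Does the trx user own the data? Objects owned by the account, by type.
SELECT object_type, COUNT(*) AS objects
  FROM dba_objects
 WHERE owner = '&trx_user'
 GROUP BY object_type;

-- Stored-procedure access: EXECUTE grants show whether the application
-- works through procedures instead of direct table DML.
SELECT owner, table_name AS object_name, grantee AS held_via
  FROM dba_tab_privs
 WHERE privilege = 'EXECUTE'
   AND (grantee = '&trx_user'
        OR grantee IN (SELECT granted_role
                         FROM dba_role_privs
                        START WITH grantee = '&trx_user'
                      CONNECT BY PRIOR granted_role = grantee))
 ORDER BY owner, object_name;
```

Grants made to PUBLIC apply to every account as well, so repeat the privilege queries with PUBLIC as the grantee when reviewing the results.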



-----Original Message-----
From: Aaron C. Newman [mailto:aaron () newman-family com]
Sent: Tuesday, June 26, 2001 5:26 PM
To: Osvaldo J . Filho; pen-test () securityfocus com
Subject: RE: Pen Testing a Oracle database. How to pull data?


Pretty simple from there. There is probably an account called oracle that is
the software owner.

su - oracle
cd $ORACLE_HOME/bin
./svrmgrl
connect / as sysdba
spool results.log
select * from dba_users;
/*perform any other sql statements you would like now*/
/*to find the actual location of the database files run the following sql
statement*/
select * from dba_data_files;



Aaron C. Newman
CTO/Founder
Application Security, Inc.
212-490-6022
anewman () appsecinc com
www.appsecinc.com
-Protection Where It Counts-

-----Original Message-----
From: pen-test-return-405-aaron=newman-family.com () securityfocus com
[mailto:pen-test-return-405-aaron=newman-family.com () securityfocus com]On
Behalf Of Osvaldo J . Filho
Sent: Monday, June 25, 2001 6:21 PM
To: pen-test () securityfocus com
Subject: Pen Testing a Oracle database. How to pull data?


        Hello,

        I am currently pen testing a DB server running Oracle. I already
got root on it, and I would like a lil' help to gather info in human-
readable format. Is there a specific file/dir where all DB data are? How
can I get/convert it to human-readable or even edit the data without any
external programs like SQLNet? The server is running AIX. Any help is
appreciated.

        Thank you very much.

        Osvaldo J. Filho
        osvaldojaneri () uol com br



----------------------------------------------------------------------------
----------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service
For more information on SecurityFocus' SIA service which automatically
alerts you to
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/


