Penetration Testing mailing list archives
Re: Oracle?
From: Jirka Vejrazka <jirka.vejrazka () gmail com>
Date: Thu, 24 Sep 2009 19:19:35 +0200
Hi Xavier, check out Pete Finnigan's site (google for it :), there is a bunch of useful tools there. It's up to you and your working methodology to choose which ones will suit your style and technologies you use. The methodology we typically use (and you'll find it on Pete's site too): - determine running database instances (easy on 8i, moderate on 9i, can be difficult on 10g or 11g) - check out default database users - quite often results in a quick access to a database - lots of tools on Pete's site will do that - grant DBA access if desired. Odd are you'd already have it from the previous step. Crack password hashes if you have access to those - try some more advanced techniques such as SQL injection or OS command execution - play with internal packages, e.g. utl_http, utl_tcp, utl_file, ... There is a lot of things you could do once you've gained access, but I'd suggest you check out Pete's site first :) HTH Jirka ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Oracle? Xavier Mertens (Sep 24)
- Re: Oracle? Claudio "BlackFire" Criscione (Sep 25)
- Re: Oracle? Sebastiaan (Sep 25)
- Re: Oracle? Robert Portvliet (Sep 28)
- Re: Oracle? Jirka Vejrazka (Sep 25)
- RE: Oracle? Majed Al-Masari (Sep 25)
- Re: Oracle? Nikhil Wagholikar (Sep 25)
- Re: Oracle? Jerome Athias (Sep 28)