7Safe asked:

penetration-testing.7safe.com Sumit Siddharth (Sid) of 7Safe Penetration Testing discusses the release of his new paper on Hacking Oracle via web applications. This paper discusses the exploitation techniques available for exploiting SQL Injection from web applications against the Oracle database. Most of the techniques available over the Internet are based on exploitation when the attacker has interactive access to the Oracle database, i.e. he can connect to the database via a SQL client. While some of these techniques can be directly applied when exploiting SQL injection in web applications, this is not always true. Unlike MS-SQL, Oracle neither supports nested queries, nor has any direct functionality like xp_cmdshell to allow execution of operating system commands. Extraction of sensitive data from a back-end database by exploiting SQL injection in Oracle web applications is well known. Performing privilege escalation and executing operating system commands from web applications is not widely known, and is the subject of this paper.
