Re: Interesting Hack

From: Seth Miller <sethmiller.sm_at_gmail.com>
Date: Thu, 10 Jul 2014 11:36:04 -0500
Message-ID: <CAEueRAVhDiQY5C6FKhcm3X4cF_etcU=wcfW6sP+0eNzqqz6pdA_at_mail.gmail.com>



That is interesting except DBSNMP does not have a default password.

If your application is not using bind variables (which would prevent this simple SQL injection) and you are dumb enough to set your privileged DBSNMP account password to DBSNMP, you deserve to be hacked.

Am I being too harsh?

Seth

On Wed, Jul 9, 2014 at 7:32 PM, Dave Morgan <oracle_at_1001111.com> wrote:

> Granted the database security was crap to begin with but I did not know
> the escape to shell trick.
>
> http://www.notsosecure.com/blog/2014/07/08/abusing-oracles-create-database-link-privilege-for-fun-and-profit/
>
> Dave
>
> --
> Dave Morgan
> Senior Consultant, 1001111 Alberta Limited
> dave.morgan_at_1001111.com
> 403 399 2442
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

Received on Thu Jul 10 2014 - 18:36:04 CEST
