Nytro

Oracle Web Hacking Part I and II

Oracle Web Hacking Part I and II

By Chris Gates, CISSP, GCIH, C|EH, CPTS

Part I:

Oracle applications are not what you’d call simple. I think any DBA or Oracle Application Server Administrator will be the first to attest to that fact. Oracle, with its great products, comes with some unpleasantries. These are:

1. Oracle applications are complicated (hopefully we all agree on this).

2. They come with loads of default content and no clear way to remove that content. There is no IISLockdown equivalent for Oracle applications. Content you don’t want must be removed manually. Some of this content can be used to run database queries, read documents, gather information via information leakage on the pages or perform XSS attacks.

3. Users have to pay for patches and extended advisory information (even then, no Proof of Concept code is released by Oracle).

4. And lastly, you have a fairly complicated patch/upgrade process which leads to an "it’s working, don’t touch it" mentality by a fair amount of admins.

This provides a target-rich environment for pentesters and bad guys. Let’s take a look.

Part II:

In the first article, Oracle Web Hacking Part I, I talked about scanning Oracle Application Servers for default content and how to use that content for information gathering. A pentester can utilize that information to run SQL queries and to gain a foothold into the network. I also talked about iSQLPlus and some fun things you can do with that application, if you are able to guess credentials for it. I also showed some Metasploit modules to help you accomplish all of it.

In Part 2 of 3 of this ongoing series of columns, I’ll dive into attacking the Oracle Application Server Portal (OracleAS Portal). I’ll focus on Oracle 9i and 10g up to Release 2. With 11g (10.3.x) Oracle moved to WebLogic, and it’s completely different and therefore out of the scope of this series. But there are plenty of shops out there still using 9i and 10g, which gives us plenty of opportunity for breaking stuff. So, let’s get to it.

Part I:

http://www.ethicalhacker.net/content/view/363/24/

Part II:

http://www.ethicalhacker.net/content/view/399/24/

I'm too lazy to copy and format them.
