setthesun
I'm doing a pen-test on an Oracle database. Is there any known possibility to execute code remotely via SQL injection, just like on SQL Server?

Also, any other good tips for exploiting Oracle SQL injections?
brOmstar
I used Google for you.

http://www.net-security.org/dl/articles/In...tionAttacks.pdf
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
http://www.ciac.org/ciac/bulletins/o-017.shtml
http://www.linuxsecurity.com/articles/serv...ticle-8807.html


Hope this helps you.

BTW, 1800 secs of flood control is a long time. Is this only for trial members?
setthesun
Thank you for googling for me.

The "An Introduction To SQL Injection Attacks For Oracle Developers" paper is very good, and the simple answer to my question is here:

QUOTE

Oracle has generally fared well against SQL injection attacks as there is no multiple SQL statement support (SQL Server and PostgreSQL), no EXECUTE statement (SQL Server), and no INTO OUTFILE function (MySQL). Also, use of bind variables in Oracle environments for performance reasons provides strong protection against SQL injection attacks.


So we can just delete databases.

Also, the latest version of Oracle supports the well-known UNION operations (not just old plus "+" style unions).
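
Added example, not part of the thread: the quoted paper's two defensive points (one statement per call, and bind variables) shown side by side for a tester or developer to verify. It uses Python's built-in sqlite3 as a stand-in for Oracle, which is an assumption; table names, rows and inputs are constructed.

```python
import sqlite3

# Constructed inputs modelled on the two cases the thread mentions.
UNION_INPUT = "x' UNION SELECT login, secret FROM accounts --"
STACKED_INPUT = "x'; DROP TABLE accounts --"

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, price TEXT);
        CREATE TABLE accounts (login TEXT, secret TEXT);
        INSERT INTO products VALUES ('widget', '9.99');
        INSERT INTO accounts VALUES ('admin', 'constructed-secret');
    """)
    return db

def search_concat(db, term):
    """Weak form: user input is concatenated into the SQL text."""
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return db.execute(sql).fetchall()

def search_bound(db, term):
    """Hardened form: input travels as a bind variable, never as SQL text."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return db.execute(sql, (term,)).fetchall()

def stacked_is_rejected(db):
    """True if the driver refuses a second statement in one execute() call."""
    try:
        search_concat(db, STACKED_INPUT)
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False

def account_count(db):
    """Row count of the accounts table, to confirm it was not dropped."""
    return db.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print("concat + UNION :", search_concat(db, UNION_INPUT))
    print("bound  + UNION :", search_bound(db, UNION_INPUT))
    print("stacked refused:", stacked_is_rejected(db))
    print("accounts rows  :", account_count(db))
```

Single-statement execution blocks the stacked input but not the UNION read; only the bound query treats both inputs as plain data.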