13 Apr
I have updated bsqlbf, and the latest version (2.5) has the following 2 additions:
Type 7: OS code execution via SYS.KUPP$PROC.CREATE_MASTER_PROCESS(), with DBA privileges (11g R1 and R2)
Type 8: OS code execution via DBMS_JAVA_TEST.FUNCALL, with Java IO permissions (10g R2, 11g R1 and R2)
For more details about these 2 attack vectors, please refer to the paper, Hacking Oracle From Web.
Enjoy!
9:15 am on April 16th, 2010
This is a very good script.
I have just a small note: I find it unfortunate that there is no feature to find bases, tables or column names.
So you must query the database manually.
3:43 am on April 21st, 2010
[...] bsqlbf v2.5 – notsosecure.com SYS.KUPP$PROC.CREATE_MASTER_PROCESS() and DBMS_JAVA_TEST.FUNCALL now included. [...]