SCF Advanced Search



  • Total Posts: 38465
  • Total Topics: 13015
  • Online Today: 1209
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)


Author Topic: Researchers offer tool for breaking into Oracle databases  (Read 1770 times)

0 Members and 1 Guest are viewing this topic.


  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum

During their presentation at the Black Hat and Defcon hacker conferences next week in Las Vegas, security experts will release a tool that can be used to break into Oracle databases.

Chris Gates and Mario Ceballos will present Oracle Pentesting Methodology and give out "all the tools to break the 'unbreakable' Oracle as Metasploit auxiliary modules," according to a summary of their presentation on the Defcon Web site:

The tools are designed to help companies determine whether their systems are vulnerable, Gates said in an e-mail response to questions from Builder AU sister site CNET News. "There wasn't a good set of (free) tools for auditing Oracle databases," he said.

Gates said he did not contact Oracle about his presentation because none of the exploits or exploitation methods are new and information about ways to mitigate the attacks has been public for some time.

"If administrators haven't applied the patches, then the databases were/are vulnerable," he said when asked if the release of his tool will expose companies running Oracle databases to attack. "Plenty of other tools exist to do exactly what we are releasing. These tools just help streamline the penetration testing process."

Gates is a member of the Metasploit project, an open-source platform used for developing, testing, and using exploit code and sharing information related to finding vulnerabilities.

"Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built-in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access," the presentation summary says.

"We've created your version and SID enumeration modules, account bruteforcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post exploitation tasks," the summary says.

An Oracle spokesperson said the company had no comment.


Samker's Computer Forum -


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising