- This topic has 1 reply, 2 voices, and was last updated 8 years, 2 months ago by .
- You must be logged in to reply to this topic.
Enjoy Part 2 of 3 in this series from regular EH-Net Columnist. Feel free to give feedback and make suggestions as to what you’d like to see next from Chris.
Permanent link: [Article]-Oracle Web Hacking Part II
Chris Gates, CISSP, CISA, GCIH, GPEN, C|EH
In the first article, Oracle Web Hacking Part I, I talked about scanning Oracle Application Servers for default content and how to use that content for information gathering. A pentester can utilize that information to run SQL queries and to gain a foothold into the network. I also talked about iSQLPlus and some fun things you can do with that application, if you are able to guess credentials for it. I also showed some Metasploit modules to help you accomplish all of it.
In Part 2 of 3 of this ongoing series of columns, I’ll dive into attacking the Oracle Application Server Portal (OracleAS Portal). I’ll focus on Oracle 9i and 10g up to Release 2. With 11g (10.3.x) Oracle moved to Weblogic, and it’s completely different and therefore out of the scope of this series. But there are plenty of shops out there still using 9i and 10g, which gives us plenty of opportunity for breaking stuff. So, let’s get to it.
Excellent stuff as always by Chris Gates. We have legacy IFS in our infrastructure and just did a massive migration from Solaris app server to Glassfish 3.0 (aka XSS hotbed) and have faced somewhat severe challenges w/ Oracle security. Apparently a lot of fixes in the version we’re upgrading to (3.1) but again thanks for the piece, scary insight.
– EH-Net Live! Join us on Wed Jan 29 @ 1:00 PM EST for “Shellcode for the Masses“ w/ John Hammond. Reg Open Now!
– EH-Net Live! December – Video & Deck Available Now! for “Burp-less Hacking – Learning Web Application Pentesting on a Budget” w/ Phillip Wylie from Dec 19.
– EH-Net Live! November – Video & Deck Available Now! for “All Things CTF!” w/ Ray Doyle of EverSecCTF from Nov 21.
– EH-Net Live! October – Video & Deck Available Now! for “Hacking Humans” w/ Hadnagy, Paul & Baron from Oct 29.
– EH-Net Live! August – Video & Deck Available Now! for “Wireshark for Hackers” w/ Laura Chappell from Aug 29.
See all EH-Net Live! Videos
More on the EH-Net YouTube Channel
Copyright ©2020 Caendra, Inc.