Wednesday October 14th

Oracle PL/SQL Kungfu - Abusing UTL_FILE to gain Remote Code Execution

A little while ago, a database credential leak vulnerability was revealed in Oracle Demantra that allowed an attacker to gain access to the underlying Oracle database installation. Exploitation of this vulnerability under Oracle 10g is trivial: an attacker leaks the credentials, logs into the database, and injects PL/SQL through the third parameter of the GET_DOMAIN_INDEX_TABLES function in the DBMS_EXPORT_EXTENSION package. This function is owned by SYS and has public execute permissions, so it can be exploited via an SQL injection vulnerability within a web application.
