Hi all,

I wrote my little dirty article about Oracle security. Check out:
http://www.csnc.ch/download/sources/Oracle-Security-Check-CSNC-V2.0.pdf

When doing application security, we ask the client about the permissions the
transaction user (trx) has within an application. Does this user require
insert/delete privileges? Do they split admin tasks from normal operations, or
does the trx user own all the data? Do they use stored procedures, or how does
it work? Where does the db-client store its credentials?

The article above might help you to perform database analysis. It's still a
draft!! Feedback and tips on how to increase the quality are welcome.

Ivan

-----Original Message-----
From: Aaron C. Newman [mailto:aaron@newman-family.com]
Sent: Tuesday, June 26, 2001 5:26 PM
To: Osvaldo J . Filho; pen-testat_private
Subject: RE: Pen Testing a Oracle database. How to pull data?

Pretty simple from there. There is probably an account called oracle that is
the software owner.

    su - oracle
    cd $ORACLE_HOME/bin
    ./svrmgrl
    connect / as sysdba
    spool results.log
    select * from dba_users;
    /* perform any other sql statements you would like now */
    /* to find the actual location of the database files run the following sql statement */
    select * from dba_data_files;

Aaron C. Newman
CTO/Founder
Application Security, Inc.
212-490-6022
anewmanat_private
www.appsecinc.com
-Protection Where It Counts-

-----Original Message-----
From: pen-test-return-405-aaron=newman-family.comat_private
[mailto:pen-test-return-405-aaron=newman-family.comat_private] On Behalf Of Osvaldo J . Filho
Sent: Monday, June 25, 2001 6:21 PM
To: pen-testat_private
Subject: Pen Testing a Oracle database. How to pull data?

Hello,

I am currently pen testing a DB server running Oracle. I already got root on
it, and I would like a lil' help to gather info in human readable format. Is
there a specific file/dir where all DB data are? How can I get/convert it to
human readable or even edit the data without any external programs like
SQLNet?

The server is running AIX.

Any help is appreciated. Thank you very much.

Osvaldo J. Filho
osvaldojaneriat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
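The questions Ivan lists for the transaction user (does it need insert/delete, does it own the data, does access go through stored procedures, what else has it been granted) can be answered from the data dictionary views Aaron's reply already touches. The SQL*Plus script below is an added example for that review and is not part of the CSNC article or either poster's message; it assumes a placeholder application account name passed as the first argument and a session that can read the DBA_* views.

```sql
-- Added example: audit what an application's transaction user can do.
-- Usage in SQL*Plus:  @trx_audit.sql APP_TRX   (APP_TRX is a placeholder name)
SET LINESIZE 200 PAGESIZE 100
DEFINE trx_user = &1
-- Keep the raw output on disk, the same way the spool in Aaron's reply does.
SPOOL trx_audit_&trx_user..log

-- 1. Account basics: is it locked, which profile limits it, where does it store data?
SELECT username, account_status, profile, default_tablespace
  FROM dba_users
 WHERE username = UPPER('&trx_user');

-- 2. Does the trx user own the schema objects itself, or only use someone else's?
--    Rows of type TABLE here mean admin and normal operations share one owner.
SELECT object_type, COUNT(*) AS objects
  FROM dba_objects
 WHERE owner = UPPER('&trx_user')
 GROUP BY object_type;

-- 3. Object privileges summarised per owner and privilege.
--    INSERT/UPDATE/DELETE rows answer the "does it need DML?" question;
--    EXECUTE rows show access that goes through stored procedures/packages.
SELECT owner, privilege, COUNT(*) AS objects, MAX(grantable) AS any_grantable
  FROM dba_tab_privs
 WHERE grantee = UPPER('&trx_user')
 GROUP BY owner, privilege
 ORDER BY owner, privilege;

-- 4. Roles, directly granted and via role chains (CONNECT BY walks role-to-role grants).
SELECT LEVEL AS depth, grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 START WITH grantee = UPPER('&trx_user')
 CONNECT BY PRIOR granted_role = grantee;

-- 5. System privileges held directly or through any of those roles.
--    A plain transaction account should normally hold very few of these;
--    anything with ANY in the name, or UNLIMITED TABLESPACE, deserves a question.
SELECT grantee, privilege, admin_option,
       CASE WHEN privilege LIKE '%ANY%'
              OR privilege IN ('UNLIMITED TABLESPACE', 'ALTER SYSTEM', 'BECOME USER')
            THEN 'REVIEW' END AS flag
  FROM dba_sys_privs
 WHERE grantee = UPPER('&trx_user')
    OR grantee IN (SELECT granted_role FROM dba_role_privs
                   START WITH grantee = UPPER('&trx_user')
                   CONNECT BY PRIOR granted_role = grantee)
 ORDER BY flag NULLS LAST, grantee, privilege;

SPOOL OFF
```

Compare the spooled result with what the application actually does: a privilege in section 3 or 5 that no transaction exercises is a candidate for revocation, and a schema owner appearing as the trx user in section 2 is the "trx user owns all the data" case from the questions above.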
This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 21:36:20 PDT