Hi Patrik,

You can also use CREATE LIBRARY or CREATE ANY LIBRARY to access the system() function under Unix and then use it to run "sh" or bash or whatever and get a shell prompt as the owner of ExtProc (usually the owner of the Oracle software).

Also you may want to look at tnscmd, a Perl script at http://www.jammed.com/~jwa/hacks/security/tnscmd/ that allows you to access the Oracle listener and send various packets to it. It can be used to determine what databases a listener is listening on.

cheers

Pete Finnigan
www.pentest-limited.com

In article <41256B43.00370DF5.00at_private>, patrik.karlssonat_private writes
>
>After reading some posts on the lists and looking at the scripts at
>http://www.pentest-limited.com I found that CREATE LIBRARY could be
>really useful when doing a PenTest. This is used to be able to
>create extended procedures. To do this you specify which library
>(dll file) you want to use. Then by creating a FUNCTION in Oracle
>you point out the function in the dll you want to run. So one
>could actually create a library pointing to
>%windir%\system32\kernel32.dll and specify the winexec as function.
>Your chances of having that dll on a Windows system are quite big :)
>Using the function created one could actually execute code on the
>server with the same privileges as the user which started the server,
>in Windows this is usually the LocalSystem.
>
>The above could only be done with a user with CREATE LIBRARY
>permissions. On a default-installed Oracle (8.1.5 for Windows) there
>are 5 of 15 default accounts which can do this. You also need to
>know a SID to connect to. This is done easily by querying the Oracle
>Listener using the services query. If someone has applied a listener
>password, do a status query, you'll get enough info there.
>
>If this is common knowledge to everyone, sorry for bothering you!
>
>To be able to do all this smoothly, without having to have the
>Oracle Client installed one could use these java based tools, which
>run on Windows and/or Linux.
>
>http://www.cqure.net/tools07.html
>
>--
>Patrik Karlsson, iXsecurity
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/

--
Pete Finnigan
IT Security Consultant
PenTest Limited
Office 01565 830 990
Fax 01565 830 889
Mobile 07974 087 885
pete.finnigan@pentest-limited.com
www.pentest-limited.com
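The thread describes how CREATE LIBRARY / CREATE ANY LIBRARY combined with extproc lets a database account run operating-system code as the extproc owner. A DBA auditing for this exposure wants two things: who holds those privileges (directly or through a role) and which libraries already point at files outside ORACLE_HOME. The queries below are an added example, not part of the original post or of Pete Finnigan's or Patrik Karlsson's tools; they assume only the standard Oracle data dictionary views DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_LIBRARIES, use the old-style join syntax so they also run on the 8i release mentioned in the thread, and use HYPOTHETICAL_USER as a placeholder account name.

```sql
-- Added audit example (not from the original post). Run as a DBA account.
-- Assumes the standard dictionary views DBA_SYS_PRIVS, DBA_ROLE_PRIVS
-- and DBA_LIBRARIES; HYPOTHETICAL_USER below is a placeholder name.

-- 1. Accounts and roles holding CREATE LIBRARY / CREATE ANY LIBRARY directly.
--    Anything other than SYS, SYSTEM and the DBA role needs a justification.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
 ORDER BY grantee, privilege;

-- 2. Accounts holding the privilege indirectly through a role (one level of
--    nesting; the default accounts Patrik mentions typically get it this way).
SELECT rp.grantee, rp.granted_role, sp.privilege
  FROM dba_role_privs rp, dba_sys_privs sp
 WHERE sp.grantee = rp.granted_role
   AND sp.privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
 ORDER BY rp.grantee, rp.granted_role;

-- 3. Libraries that already exist and the OS file each one resolves to.
--    A FILE_SPEC under %windir%\system32, /bin, /usr/bin or any path
--    outside ORACLE_HOME is the indicator to investigate first; the
--    DYNAMIC column is 'Y' for libraries backed by an external shared object.
SELECT owner, library_name, file_spec, dynamic, status
  FROM dba_libraries
 WHERE dynamic = 'Y'
 ORDER BY owner, library_name;

-- 4. Remediation for an account found in step 1 that has no business
--    creating external procedures (placeholder name, not from the post).
REVOKE CREATE LIBRARY FROM HYPOTHETICAL_USER;
REVOKE CREATE ANY LIBRARY FROM HYPOTHETICAL_USER;
```

Steps 1 to 3 are read-only and can be scheduled as a recurring check; a newly created library row in step 3 whose FILE_SPEC names a system DLL or shell binary is a strong detection signal in its own right, independent of who holds the privilege. Step 4 only removes the grant; the listener and extproc configuration that the thread touches on (listener password, which databases the listener exposes) are a separate hardening item.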
This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 17:30:14 PST