Penetration Testing: Hacking Oracle via Web Applications

http://penetration-testing.7safe.com

Sumit Siddharth (Sid) of 7Safe Penetration Testing, discusses the release of his new paper on Hacking Oracle via web applications.

This paper discusses the exploitation techniques available for exploiting SQL Injection from web applications against the Oracle database. Most of the techniques available over the Internet are based on exploitation when attacker has interactive access to the Oracle database, i.e. he can connect to the database via a SQL client. While some of these techniques can be directly applied when exploiting SQL injection in web applications, this is not always true. Unlike MS-SQL, Oracle neither supports nested queries, nor has any direct functionality like xp_cmdshell to allow execution of operating system commands. Extraction of sensitive data from a back-end database by exploiting SQL injection in Oracle web applications is well known. Performing privilege escalation and executing operating system commands from web applications is not widely known, and is the subject of this paper.

Category:

Science & Technology

Tags:

• Sid interview
• pen testing
• penetration testing
• web application security
• 7safe

License:

Standard YouTube License