Re: Interesting Hack

From: Bobby Curtis <curtisbl_at_gmail.com>
Date: Thu, 10 Jul 2014 13:17:18 -0400
Message-Id: <0D7FAD5F-08CD-4A25-806F-FCA9D5100DCD_at_gmail.com>



Seth,

Not harsh at all.

I thought it was an interesting hack as well. I think the point of this hack example was to highlight what not to do; but we are all human and don’t listen half the time.

Bobby

On Jul 10, 2014, at 12:36, Seth Miller <sethmiller.sm_at_gmail.com> wrote:

> That is interesting except DBSNMP does not have a default password.
>
> If your application is not using bind variables (which would prevent this simple sql injection) and you are dumb enough to set your privileged DBSNMP account password to DBSNMP, you deserve to be hacked.
>
> Am I being too harsh?
>
> Seth
>
>
>
> On Wed, Jul 9, 2014 at 7:32 PM, Dave Morgan <oracle_at_1001111.com> wrote:
> Granted the database security was crap to begin with but I did not know the escape to shell trick.
>
> http://www.notsosecure.com/blog/2014/07/08/abusing-oracles-create-database-link-privilege-for-fun-and-profit/
>
> Dave
>
> --
> Dave Morgan
> Senior Consultant, 1001111 Alberta Limited
> dave.morgan_at_1001111.com
> 403 399 2442
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

--
http://www.freelists.org/webpage/oracle-l
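The bind-variable point Seth makes above, shown as an added example that is not code from this thread or from the linked post; sqlite3 stands in for Oracle here (an assumption), and the table, rows and inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an application's user table
    # (assumption: sqlite3 in place of Oracle; the bind-variable behaviour is
    # the same one referred to in the thread).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_user (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO app_user VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "reader")])
    return conn


def lookup_concat(conn, username):
    # Vulnerable form: user input is spliced into the SQL text, so quote
    # characters in the input change the structure of the statement.
    sql = "SELECT username FROM app_user WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, username):
    # Hardened form: the value is passed as a bind variable. The statement
    # text is fixed and the input is compared as data, whatever it contains.
    sql = "SELECT username FROM app_user WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    # Run both lookups on the same input and return (concatenated, bound).
    conn = make_db()
    try:
        return lookup_concat(conn, username), lookup_bound(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice"))         # both return ['alice']
    print(compare("' OR '1'='1"))   # concatenated returns every row, bound returns []
```

The second call shows why bind variables matter: the same input that rewrites the concatenated statement into a tautology is just an unmatched string when bound.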
Received on Thu Jul 10 2014 - 19:17:18 CEST
