RE: Interesting Hack
Date: Thu, 10 Jul 2014 19:03:11 +0000
Message-ID: <D7864FA3E7830B428CB2A5A5301B63EE01A3FA59A4_at_S7041VA005.soa.soaad.com>
The article casually mentions cracking the password hash to get the system password. I didn't know it was that easy!
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Bobby Curtis
Sent: Thursday, July 10, 2014 1:17 PM
To: sethmiller.sm_at_gmail.com
Cc: oracle_at_1001111.com; Oracle-L
Subject: Re: Interesting Hack
Seth,
Not harsh at all.
I thought it was an interesting hack as well. I think the point of this hack example was to highlight what not to do; but we are all human and don't listen half the time.
Bobby
On Jul 10, 2014, at 12:36, Seth Miller <sethmiller.sm_at_gmail.com> wrote:
That is interesting except DBSNMP does not have a default password.
If your application is not using bind variables (which would prevent this simple SQL injection) and you are dumb enough to set your privileged DBSNMP account password to DBSNMP, you deserve to be hacked.
Am I being too harsh?
Seth
On Wed, Jul 9, 2014 at 7:32 PM, Dave Morgan <oracle_at_1001111.com> wrote:
Granted the database security was crap to begin with but I did not know the escape to shell trick.
Dave
--
Dave Morgan
Senior Consultant, 1001111 Alberta Limited
dave.morgan_at_1001111.com
403 399 2442
--
http://www.freelists.org/webpage/oracle-l
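Seth's point about bind variables is the one practical defence mentioned in this thread, so here is an added example (not from any of the posters) showing the difference in working code. It uses Python's built-in sqlite3 module as a stand-in for Oracle, because it runs anywhere; the `:username` bind syntax is the same shape Oracle drivers use, and the table, rows and probe string are constructed for the example.

```python
import sqlite3

# Constructed sample schema and rows; sqlite3 stands in for Oracle here.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO app_users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "reader")],
    )
    return conn


def lookup_concatenated(conn, username):
    # The pattern the thread is complaining about: untrusted input is spliced
    # into the SQL text, so the database parses it as part of the statement.
    sql = "SELECT username, role FROM app_users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, username):
    # The fix: the SQL text is fixed and the value travels as a bind variable.
    # The driver hands it to the engine as data, never as statement text.
    sql = "SELECT username, role FROM app_users WHERE username = :username"
    return conn.execute(sql, {"username": username}).fetchall()


def compare(username):
    # Run both lookups on the same input and report the row counts side by side,
    # which is what a reviewer would want to see when auditing a data-access layer.
    conn = build_db()
    vulnerable = lookup_concatenated(conn, username)
    hardened = lookup_bound(conn, username)
    conn.close()
    return {"concatenated_rows": len(vulnerable), "bound_rows": len(hardened)}


if __name__ == "__main__":
    # A normal username behaves the same either way.
    print("alice:", compare("alice"))
    # A constructed probe containing a quote shows why the two differ: the
    # concatenated query matches every row, the bound query matches none.
    print("probe:", compare("x' OR '1'='1"))
```

The concatenated version is vulnerable even when every caller is well-intentioned, because the database cannot tell where the developer's SQL ends and the input begins; the bound version keeps that boundary explicit, which is why a code review that flags every string-built statement is a cheap, high-value check.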
Received on Thu Jul 10 2014 - 21:03:11 CEST