Penetration Testing mailing list archives

Re: [PEN-TEST] hacking oracle questions


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Thu, 30 Nov 2000 11:28:08 -0800

On Wed, 29 Nov 2000, anindya wrote:

> Hi folks,
>
> I have some questions about hacking Oracle, specifically
> version 7.x or 8.x. I have a DBA access account, and can query
> the SYS.* tables no problem. I also have access to the tnsnames.ora
> file, so I know the SIDs and where the listeners are. I should
> mention the target is on an NT 4.0 box.

What's your goal?  To muck with the DB itself, the NT box it's on, or get
through it to something else?


> 1) How do I discover what table names exist in a particular Oracle database
>    i.e. the schema? Once I have the table names, I can use the
>    "describe" command in svrmgrl to get the columns in the
>    table, but apparently there is no easy way to get the
>    table names themselves..

http://www.oracle.com/oramag/code/cod10177.html

Also, nearly all DBs that support stored procedures give you a mechanism
for calling external programs:

http://www.oracle.com/oramag/oracle/99-Jan/19or8.html

Do you have rights to create stored procedures?

Also, completely unrelated, but while I was searching this stuff up, the
Oracle web pages kept popping up this kind of stuff in the page body:

Content-type: text/html Set-Cookie: ORA_UID=SEARCH_2881944;
expires=Friday, 30-Nov-2001 19:11:31 GMT; Content-type: text/html
Set-Cookie:
                                ORA_UID=SEARCH_2881945; expires=Friday,
30-Nov-2001 19:11:31 GMT;


I guess everybody screws up once in a while (it was gone a few minutes
later.) :)

                                        Ryan
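
Added example, not part of the message above: a DBA-side audit for the point about stored procedures calling external programs, listing which accounts can create procedures or external-procedure libraries and which OS libraries are already registered. It assumes a DBA account and the standard data dictionary views; DBA_LIBRARIES and the CREATE LIBRARY privilege exist only from Oracle 8 on.

```sql
-- Added example. Run as a DBA; all views are standard Oracle data dictionary views.

-- 1) Who can create stored procedures or external-procedure libraries,
--    either by direct grant or through a role granted to them.
--    Only one level of role nesting is resolved here; roles granted to
--    roles need a second pass over DBA_ROLE_PRIVS.
SELECT p.grantee  AS holder,
       p.privilege,
       'direct'   AS via
FROM   dba_sys_privs p
WHERE  p.privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE',
                       'CREATE LIBRARY',   'CREATE ANY LIBRARY')
UNION ALL
SELECT r.grantee,
       p.privilege,
       r.granted_role
FROM   dba_role_privs r,
       dba_sys_privs  p
WHERE  p.grantee   = r.granted_role
AND    p.privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE',
                       'CREATE LIBRARY',   'CREATE ANY LIBRARY')
ORDER BY 1, 2;

-- 2) Oracle 8 and later: library objects that map a schema name to a
--    shared library / DLL on the server. Each row is a path the database
--    can load code from, so unexpected entries deserve a closer look.
SELECT owner,
       library_name,
       file_spec,
       status
FROM   dba_libraries
ORDER BY owner, library_name;
```

Holders other than the expected application owners and DBAs are the ones to review first.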

