Penetration Testing mailing list archives
FW: Pen Testing a Oracle database. How to pull data?
From: "Ivan Buetler" <ivan.buetler () csnc ch>
Date: Wed, 27 Jun 2001 14:48:59 +0200
Hi all,

I wrote my little dirty article about Oracle security. Check out:
http://www.csnc.ch/download/sources/Oracle-Security-Check-CSNC-V2.0.pdf

When doing application security, we ask the client about permissions the transaction user (trx) has within an application. Does this user require insert/delete privileges? Do they split admin tasks from normal operations or does the trx user own all data? Do they use stored procedures or how does it work? Where does the db-client store its credentials?

The article above might help you to perform database analysis. It's still a draft!! Feedback and tips on how to increase the quality are welcome.

Ivan

-----Original Message-----
From: Aaron C. Newman [mailto:aaron () newman-family com]
Sent: Tuesday, June 26, 2001 5:26 PM
To: Osvaldo J . Filho; pen-test () securityfocus com
Subject: RE: Pen Testing a Oracle database. How to pull data?

Pretty simple from there. There is probably an account called oracle that is the software owner.

su - oracle
cd $ORACLE_HOME/bin
./svrmgrl
connect / as sysdba
spool results.log
select * from dba_users;
/*perform any other sql statements you would like now*/
/*to find the actual location of the database files run the following sql statement*/
select * from dba_data_files;

Aaron C. Newman
CTO/Founder
Application Security, Inc.
212-490-6022
anewman () appsecinc com
www.appsecinc.com
-Protection Where It Counts-

-----Original Message-----
From: pen-test-return-405-aaron=newman-family.com () securityfocus com [mailto:pen-test-return-405-aaron=newman-family.com () securityfocus com] On Behalf Of Osvaldo J . Filho
Sent: Monday, June 25, 2001 6:21 PM
To: pen-test () securityfocus com
Subject: Pen Testing a Oracle database. How to pull data?

Hello,

I am currently pen testing a DB server running Oracle. I already got root on it, and I would like a lil' help to gather info in human-readable format. Is there a specific file/dir where all DB data are? How can I get/convert it to human-readable or even edit the data without any external programs like SQLNet? The server is running AIX.

Any help is appreciated. Thank you very much.

Osvaldo J. Filho
osvaldojaneri () uol com br

--------------------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
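
Added example, not part of the original messages or the linked article: Oracle data-dictionary queries a reviewer can use to answer the transaction-user questions in Ivan's message (insert/delete privileges, admin/operations split, data ownership, stored-procedure use). APP_TRX is a hypothetical account name; the queries assume a session that can read the DBA_* views.

```sql
-- Added example. APP_TRX is a hypothetical transaction-user name: replace it.
-- Grants made to PUBLIC also apply to the account and are not listed here.

-- 1. Roles held directly or through other roles. An administrative role
--    (for example DBA) here means admin tasks are not split from operations.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
START WITH grantee = 'APP_TRX'
CONNECT BY PRIOR granted_role = grantee;

-- 2. Object privileges, direct or via those roles. INSERT/DELETE/UPDATE rows
--    show table-level DML; EXECUTE rows show access through stored procedures.
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'APP_TRX'
   OR  grantee IN (SELECT granted_role
                   FROM   dba_role_privs
                   START WITH grantee = 'APP_TRX'
                   CONNECT BY PRIOR granted_role = grantee)
ORDER  BY owner, table_name, privilege;

-- 3. System privileges, direct or via roles. "ANY" privileges
--    (such as DELETE ANY TABLE) are not scoped to one schema.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'APP_TRX'
   OR  grantee IN (SELECT granted_role
                   FROM   dba_role_privs
                   START WITH grantee = 'APP_TRX'
                   CONNECT BY PRIOR granted_role = grantee)
ORDER  BY grantee, privilege;

-- 4. Objects owned by the account. An owner implicitly has full rights on
--    its own objects, so any rows here mean the trx user owns that data.
SELECT object_type, COUNT(*) AS object_count
FROM   dba_objects
WHERE  owner = 'APP_TRX'
GROUP  BY object_type
ORDER  BY object_type;
```

An account that returns only EXECUTE grants in query 2, no administrative roles in query 1, and no rows in query 4 matches the least-privilege setup the questions are probing for.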