Bsqlbf v2.4

September 9, 2009

This is an updated version of bsqlbf. This now has the VALIDATE_REMOTE_RC() exploit which David Litchfield discussed in his paper

6: Type 6 is O.S code execution [ORACLE DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC exploit]

This vulnerability was patched by Oracle in July 2009 Critical Patch Update. In a nutshell, if you have identified a SQL injection as ‘SYS’ user than this version of bsqlbf will let you execute OS code on remote Oracle database host.

I will be giving a demo of this at Sec-T on 11th September.
Download it Here


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.