I have updated bsqlbf, and the latest version (2.5) has the following 2 additions:
Type 7: OS code execution via SYS.KUPP$PROC.CREATE_MASTER_PROCESS(), with DBA privileges (11g R1 and R2)
Type 8: OS code execution via DBMS_JAVA_TEST.FUNCALL, with JAVA IO permissions (10g R2, 11g R1 and R2)
For more details about these 2 attack vectors, please refer to the paper, Hacking Oracle From Web.
Enjoy!
2 Comments
This is a very good script 🙂
I have just a small note: I find it unfortunate that there is no feature to find bases, tables or column names.
So you must query the database manually 🙁
1 Trackback
[…] bsqlbf v2.5 – http://www.notsosecure.com SYS.KUPP$PROC.CREATE_MASTER_PROCESS() and BMS_JAVA_TEST.FUNCALL now included. […]