Breaking the “Unbreakable” Oracle with Metasploit
Loading ...Black Hat和Defcon黑客会议下周将在拉斯维加斯举行,已经有安全专家放出话来称他们将在会上发布一个用于闯入Oracle数据库的工具.
其实这两位安全人员Chris Gates和Mario Ceballo本身都是研究Metasploit project的专家.Defcon网站已经宣布了这一消息,安全人员表示他们已经准备好攻破甲骨文的Metasploit辅助模块,但发布工具的主要目 的是帮助企业确定自己的系统薄弱点.
Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built-in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access. In this presentation we are going to present an Oracle Pentesting Methodology and give you all the tools to break the “unbreakable” Oracle as Metasploit auxiliary modules. We’ve created your version and SID enumeration modules, account bruteforcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post exploitation tasks.
Chris Gates (CG), member of the Metasploit project, Penetration Tester (but everyone is these days), and regular security blogger (carnal0wnage.blogspot.com).
Mario Ceballos (MC) is a computer security analyst. He has a number of years of experience in vulnerability research and exploit development. He is an active contributor to the Metasploit Framework primarily focusing on the auxiliary and exploit modules.
Link: Breaking the “Unbreakable” Oracle with Metasploit
Like
