Monday, February 20, 2006

Hacking Oracle using Google Fu

A rather excitable young person has just posted to the OTN forums on the topic "Oracle...Most Insecure Database!". The thrust of the post is that they have read the AppSec white paper on using Google to identify vulnerable databases, which can then be hacked using known passwords for the usual accounts and SQL injection.

The interesting part is that, if I have understood them correctly, they have actually used the techniques in this paper to hack databases. Hence their Chicken Licken schtick. From other postings I know this person is a relative beginner (they did the OCA course a month ago but have not taken the exams yet). So it is obviously pretty easy for anybody with a little knowledge to get into insecure Oracle databases through iSQL*Plus.

The poster draws one conclusion from this - that Oracle is inherently insecure - when perhaps a more valid conclusion is that many Oracle databases are set up by people too ignorant or too lazy to put even token protections in place.

Update


I have clarified this with the original poster, and the database they have hacked is their own trial server and not someone else's.

5 Comments:

Anonymous Anonymous said...

Hi Andrew - funny the number of times I see this "Oracle is C**P because"...and it turns out that it's "operator error"...

Well in the same vein I'd like to announce that Safeway are C**P because they sold me bread that burnt in my toaster while I was watching Holby City on TV.

20 February 2006 09:37:00 GMT-8  
Anonymous Pete Finnigan said...

Hi Andrew,

Interesting post that you have found. I just clicked on the link but found that it's disappeared. Perhaps the post has been removed?

cheers

Pete

21 February 2006 04:52:00 GMT-8  
Blogger APC said...

>> Perhaps the post has been removed?

Nope. I've just checked and the thread is still there (and my link has the right URL). Actually it's very hard to get any thread removed from the OTN forums.

Of course, the Forums might have been down for maintenance when you tried: they've been a bit flaky of late.

22 February 2006 04:45:00 GMT-8  
Anonymous Jens said...

>> Perhaps the post has been removed?

You need to remove the question mark at the end of the link
http://forums.oracle.com/forums/thread.jspa?messageID=1208969

22 February 2006 11:11:00 GMT-8  