Monday, February 20, 2006

Hacking Oracle using Google Fu

A rather excitable young person has just posted to the OTN forums on the topic Oracle...Most Insecure Database!. The thrust of which is that they have read the AppSec white paper on using Google to identify vulnerable databases which can then be hacked using known passwords for the usual accounts and SQL injection.

The interesting part is that, if I have understood them correctly, they have actually used the techniques in this paper to hack databases. Hence their Chicken Licken schtick. From other postings I know this person is a relative beginner (they've done the OCA course a month ago but not taken the exams yet). So it is obviously pretty easy for anybody with a little knowledge to get into insecure Oracle databases through iSQL*Plus.

The poster draws one conclusion from this - that Oracle is inherently insecure - when perhaps a more valid conclusion is that many Oracle databases are set-up by people too ignorant or too lazy to put even token protections in place.

Update


I have clarified this with the original poster, and the database they have hacked is their own trial server and not someone else's.

4 comments:

Anonymous said...

Hi Andrew -funny the number of times I see this "Oracle is C**P because"...and it turn out that its "operator error"...

Well in the same vein I'd like to announce that Safeway are C**P because they sold me bread that burnt in my toaster while I was watching Holby City on TV.

Anonymous said...

Hi Andrew,

Interesting post that you have found. I just clicked on the link but found that its disapeared. Perhaps the post has been removed?

cheers

Pete

APC said...

>> Perhaps the post has been removed?

Nope. I've just checked and the thread is still there (and my link has the right URL). Actually it's vey hard to get any thread removed from the OTN forums.

Of course, the Forums might have been down for maintenance when you tried: they've been a bit flaky of late.

Anonymous said...

>> Perhaps the post has been removed?

You need to remove the question mark at the end of the link
http://forums.oracle.com/forums/thread.jspa?messageID=1208969