All Questions
15 questions
0 votes
2 answers
246 views
Post Exploitation in Oracle web logic server 10.35 (Oracle Linux Server 3.8)
Web Server: Oracle WebLogic 10.35. Machine: Oracle Linux Server 3.8. I was able to partially exploit this CVE. I can execute any command on the server using an HTTP request and redirecting its output to a ...
5 votes
1 answer
1k views
Is the most recent version of ojdbc7 still vulnerable to CVE-2016-3506?
Looking at the Oracle security advisory page here: https://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html Oracle in 2016 disclosed vulnerabilities in their OJDBC7 versions 12.1.0....
0 votes
1 answer
736 views
Verifying Encryption at Rest with Oracle 11g
I have a big giant database that is basically human resources related. As such, it contains all the PII in the world (SSN, medical related stuff, bank payment info, etc). If you do not request PII ...
4 votes
1 answer
876 views
What is the best practice for giving Oracle DB credentials to a Java Application?
I have Java applications (using Spring running in Jetty Servlet containers) that need to access an Oracle database. What is the best practice for giving the DB credentials to the applications? I came ...
1 vote
1 answer
1k views
Is it ok to have GRANT ANY ROLE privilege granted to an Oracle account which is expired & locked?
I know it's not considered secure to grant GRANT ANY ROLE privilege to other users apart from admins. But what if the user is expired & locked? In particular, I see these 2 users having this ...
2 votes
0 answers
1k views
How to identify column types during sql injection with "union all select" construct?
The situation is the following: I have identified an SQL injection attack vector, and have the following information about the target table: It has six columns. (Identified using "order by"). I can see the output of 3 of ...
1 vote
1 answer
1k views
Difference between Oracle Label Security and Oracle Virtual Private Database?
I am working on a class project, and our lecturer asked a question with this title. I searched the net but I could not find a clear answer. If there is a difference, what is it? Thanks
2 votes
3 answers
4k views
How do attackers find the database technology used by a web application?
These days several database technologies are available for data storage purposes. While performing injection attacks, how do attackers actually identify the database used by a website? If ...
1 vote
1 answer
544 views
Connecting to Oracle Database from VBScript - Hiding Credentials
At work our first level support uses a ticket management system that allows us to add extra functionality via VBScripts that the application invokes. First level support also receives quite a few ...
4 votes
1 answer
513 views
Does the Oracle Database Built-in Password Protections prevent pass-the-hash or replay attacks?
Does the Oracle Database Built-in Password Protections prevent pass-the-hash or replay attacks? Reading the "What Are the Oracle Database Built-in Password Protections?" from http://docs.oracle.com/...
1 vote
1 answer
218 views
Oracle database privileges [closed]
I have a 10.2.0.5.0 Oracle Database and a list of users whom I need to grant some privileges to (mainly to generate reports and so on). I used impersonation, which means I created one Oracle user so ...
3 votes
4 answers
3k views
Code, Data and Passwd encrypted? sqlplus $USER/$PASSWORD@$ORACLE_REMOTE_SID
Lots of our *NIX scripts use "sqlplus $USER/$PASSWORD@$ORACLE_REMOTE_SID". I know that it is not good to have clear text passwords in scripts (there is no alternative at the moment). But the question is the ...
7 votes
1 answer
792 views
What evaluation criteria would you use for an Oracle scanning tool?
What evaluation criteria would you use to select the right Oracle scanning tool? Context: To deploy an automated scanning tool (nessus / SQuirreL etc) for use by both development teams and security ...
15 votes
1 answer
2k views
Is there a list of default, standard or third-party "users" for Oracle?
When installed, and depending on which options it is installed with, there are a bunch of standard users pre-created in Oracle. Additionally, third-party software often has its own set of schemas/...
11 votes
2 answers
4k views
Is there a benefit in using Oracle's WRAP to obfuscate PL/SQL Code
Oracle stored program units (procedures, functions, packages and types) can be obfuscated using the WRAP functionality. Apart from the generic arguments about 'security through obscurity' are there ...