Exploit the possiblities
Showing 1 - 25 of 128 RSS Feed

Files from David Litchfield

Email addressdavid at davidlitchfield.com
First Active1999-08-17
Last Active2017-09-14
Oracle XDB FTP Server Buffer Overflow
Posted Sep 14, 2017
Authored by David Litchfield, D7X

This is the original ngssoftware's (David Litchfield) exploit presented at blackhat 2003 with modified offsets.

tags | exploit, overflow
MD5 | 7723855857e211808b0b5927ee03b682
Oracle XDB FTP Service UNLOCK Buffer Overflow
Posted Aug 12, 2017
Authored by David Litchfield

Oracle XDB FTP service UNLOCK buffer overflow exploit.

tags | exploit, overflow
advisories | CVE-2003-0727
MD5 | 5f6ecab5d2c435896a9089d42a3ac395
Oracle Patches 27 Vulnerabilities
Posted Jul 20, 2016
Authored by David Litchfield

A total of 27 vulnerabilities have been patched by Oracle. These affect eBusiness Suite R12.x and 11.5, Apex, Primavera, OBIEE, and Agile DB components. These issues include SQL injection, cross site scripting, XXE injection, SSRF, failed access controls, and more.

tags | exploit, vulnerability, xss, sql injection
advisories | CVE-2016-3448, CVE-2016-3467
MD5 | ee51786f3fcbeed16c2224dbb1d9ae36
DBMS_XMLSTORE As An Auxiliary SQL Injection Function In Oracle 12c
Posted Jul 22, 2014
Authored by David Litchfield

The ability to execute arbitrary SQL on Oracle via a SQL injection flaw is hampered by the fact that the Oracle RDBMS will not batch multiple queries. Typically, a low privileged attacker with say only the CREATE SESSION privilege, must find a function they can inject that will allow them to execute a block of anonymous PL/SQL. These are known as auxiliary inject functions. Depending upon the version of Oracle and what components are installed auxiliary inject functions may be few and far between. For example, on Oracle 12c with the internal Java VM removed, there may be none. Indeed, during a recent client assessment the author of this paper was confronted with such a situation: a PL/SQL injection flaw but with no easy method for easy exploitation to gain full control of the database server. This paper presents a method around such a problem using DBMS_XMLSTORE and, co-incidentally, DBMS_XMLSAVE. This method can be used in web-based SQL injection attacks, as well.

tags | paper, java, web, arbitrary, sql injection
MD5 | d24504669a9cae4404a95a4af656e24a
Oracle Data Redaction Is Broken
Posted Jul 16, 2014
Authored by David Litchfield

Oracle data redaction is a simple but clever and innovative idea from Oracle. However, at present, there are weaknesses that undermine its effectiveness as a good security mechanism. These weaknesses can be exploited via web based SQL injection attacks and this paper details those weaknesses and provides suggestions on how it can be improved and made more secure.

tags | paper, web, sql injection
MD5 | f858111decb47b66b29d44d90b0f6a79
Oracle Job Scheduler Named Pipe Command Execution
Posted Dec 23, 2011
Authored by David Litchfield, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job Scheduler is implemented via the component extjob.exe which listens on a named pipe called "orcljsex<SID>" and execute arbitrary commands received throw this channel via CreateProcess(). In order to connect to the Named Pipe remotely SMB access is required. This Metasploit module has been tested on Oracle 10g Release 1 where the Oracle Job Scheduler runs as SYSTEM on Windows but it's disabled by default.

tags | exploit, arbitrary
systems | windows
MD5 | b4e7d842beab7ffc75f28b136eb9d163
Exploiting PL/SQL Injection With Only Create Session Privileges In Oracle 11g
Posted Feb 12, 2010
Authored by David Litchfield

Whitepaper called Exploiting PL/SQL Injection With Only CREATE SESSION Privileges In Oracle 11g.

tags | paper, sql injection
MD5 | 75a7e84bbe63d77df2de7c8c3987df1a
Hacking Aurora In Oracle 11g
Posted Feb 12, 2010
Authored by David Litchfield

Whitepaper called Hacking Aurora In Oracle 11g.

tags | paper
MD5 | 1e813b206c2dc9804a2af5ad762bb878
Oracle 9i XDB FTP UNLOCK Overflow (win32)
Posted Nov 26, 2009
Authored by David Litchfield, MC | Site metasploit.com

By passing an overly long token to the UNLOCK command, a stack based buffer overflow occurs.

tags | exploit, overflow
advisories | CVE-2003-0727
MD5 | 7d14265dbae5952c543d354d372ba779
Oracle 11g Password History
Posted Aug 26, 2009
Authored by David Litchfield | Site ngssoftware.com

Oracle 11g has an issue where password history is broken if it is set to use 11g passwords exclusively.

tags | advisory
advisories | CVE-2009-0988
MD5 | 13f4128d513cc05f176c2b393b392aef
Bypassing Oracle DBMS_ASSERT
Posted Aug 25, 2009
Authored by David Litchfield | Site ngssoftware.com

Whitepaper called Bypassing Oracle DBMS_ASSERT (in certain situations). Originally written in July of 2008 but is just being released now.

tags | paper
MD5 | 2ebf0727b0106460bbbc700063cb4301
Oracle PL/SQL Injection
Posted Aug 25, 2009
Authored by David Litchfield | Site ngssoftware.com

Oracle suffers from a PL/SQL injection vulnerability in REPCAT_RPC.VALIDATE_REMOTE_RC.

tags | advisory, sql injection
advisories | CVE-2009-1021
MD5 | 4b3c2d9430fa71e97390bb95e4d59f40
NGSSoftware Insight Security Research Advisory NISR13012009
Posted Jan 14, 2009
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - Oracle has just released a fix for a flaw that, when exploited, allows a low privileged authenticated database user to gain MDSYS privileges. This can be abused by an attacker to perform actions as the MDSYS user. MDSYS.SDO_TOPO_DROP_FTBL is one of the triggers that forms part of the Oracle Spatial Application. It is vulnerable to SQL injection. When a user drops a table the trigger fires. The name of the table is embedded in a dynamic SQL query which is then executed by the trigger. Note that the Oracle advisory states that the attacker requires the DROP TABLE and CREATE PROCEDURE privileges. This is not the case and only CREATE SESSION privileges are required.

tags | advisory, sql injection
advisories | CVE-2008-3979
MD5 | 67ec9b9c82ddbbfab1ed69612d3792ec
cadfile.zip
Posted Nov 26, 2008
Authored by David Litchfield | Site databasesecurity.com

Orablock allows a forensic investigator the ability to dump data from a "cold" Oracle data file.There is no need to load up the data file in the database which would cause the data file to be modified, so using orablock preserves the evidence.Orablock can also be used to locate "stale" data - data that has been deleted or updated.

tags | tool, forensics
MD5 | 3b8a142db61bbcadd2e8d08bc5d69e14
oracle-forensics-scns.pdf
Posted Nov 26, 2008
Authored by David Litchfield | Site databasesecurity.com

Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic Examinations.

tags | paper
MD5 | 10ed66d02ac64d20b0056b527c371b5a
lateral-sql-followup.txt
Posted Jul 18, 2008
Authored by David Litchfield | Site ngssoftware.com

Follow up information regarding a whitepaper about lateral SQL injection and how ALTER SESSION privileges are not needed.

tags | advisory, sql injection
MD5 | 18e62d117823ca0a5a0b55a02c6b4c8f
NISR15072008.txt
Posted Jul 16, 2008
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - Oracle Application Server installs a number of PLSQL packages in the backend database server. One of these is the WWV_RENDER_REPORT package and it is vulnerable to PLSQL injection. This package uses definer rights execution and therefore executes with the privileges of the owner, in this case the highly privileged PORTAL user.

tags | advisory, sql injection
advisories | CVE-2008-2589
MD5 | c6bc69f8abb9b4ec0ab0dfecf8149c3d
lateral-sql-injection.pdf
Posted Apr 24, 2008
Authored by David Litchfield | Site ngssoftware.com

Lateral SQL Injection: A New Class of Vulnerability in Oracle.

tags | paper, sql injection
MD5 | d7b2c8e9e07fd070e5775af0e397dd1b
oracle-default.txt
Posted Nov 14, 2007
Authored by David Litchfield | Site ngssoftware.com

Oracle 11g and 10g have a default password vulnerability during the install process.

tags | advisory
MD5 | 6877588c15ae734aed258e5039993c83
NISR17102007E.txt
Posted Oct 18, 2007
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - The Oracle XML DB ftp service contains problems with auditing logins.

tags | advisory
MD5 | 03a2b4d2ce1e0e61066c4236c2f3932c
NISR17102007D.txt
Posted Oct 18, 2007
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - The Oracle RDBMS on receiving an invalid TNS data packet will use 100% of the CPU's time introducing a denial of service condition.

tags | advisory, denial of service
MD5 | a370f981cb7f34a8094c806a8b0dfddf
NISR17102007C.txt
Posted Oct 18, 2007
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - The Oracle TNS Listener suffers from denial of service and/or remote memory inspection vulnerabilities. Systems affected include Oracle 8.1.7.4, 10g Release 2 and 1, Oracle 9.

tags | advisory, remote, denial of service, vulnerability
MD5 | 4b1d5b9c9a68052baf1d1b81653d3661
NISR17102007B.txt
Posted Oct 18, 2007
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - The Workspace Manager in Oracle 10g release 1 and 2 and Oracle 9i is vulnerable to SQL injection. The Workspace Manager, owned by SYS, contains a package called LT. This package is owned and defined by the SYS user and can be executed by PUBLIC. LT contains a procedure called FINDRICSET which calls the FINDRICSET package in the LTRIC package. This is vulnerable to SQL injection and can be abused by an attacker to gain SYS privileges.

tags | advisory, sql injection
MD5 | 69edd82fa8cac473f288d4f330ee5ac6
NISR17102007A.txt
Posted Oct 18, 2007
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - The Intermedia application, owned by CTXSYS, contains a package called CTX_DOC. This package contains multiple SQL injection flaws.

tags | advisory, sql injection
MD5 | 6391108725892efacb180aa8e5d0112b
oracle-forensics-6.pdf
Posted Aug 17, 2007
Authored by David Litchfield | Site databasesecurity.com

Whitepaper: Oracle Forensics Part 6 - Examining Undo Segments, Flashback and the Oracle Recycle Bin.

tags | paper
MD5 | 9fd78e525fa001399046542dc5896853
Page 1 of 6
Back12345Next

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close