Presentation Material

Abstract

The “turbo” talk will focus on exploiting SQL injections in web applications with oracle back-end. Mostly exploiting Oracle sql injections in web applications is considered to be restricted to extraction of data only. Oracle database does not offer hacker friendly functionalities such as openrowset or xp_cmdshell for privilege escalation and O.S code execution. Further, as web API do not support execution of multiple query in single statement, the exploitation is further restricted. The Talk will highlight attack vector to achieve privilege escalation (from Scott to SYS) and O.S code execution by exploiting Oracle SQL injections in web applications. Further, there will be demo of how a worm could target an Oracle back-end just as it targeted the SQL server applications.