A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:
Subscribestar or Patreon

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Think differently about database hacking Derbycon 2012 (Hacking Illustrated Series InfoSec Tutorial Videos)

Think differently about database hacking
Derbycon 2012

The typical database hacking follows a well known way. Find a SQL injection in the application or enumerate the databases (portscan, sid enumeration, sql ping), find a weak password or a password in a configuration file etc. and if we have a high privilege access let’s escalate to the operating system. But what happens if you do not have these attack paths? This is the case when you have to think differently. In the presentation we will show how to hijack the connection to MSSQL and ORACLE. Which function is worth hijacking with a DLL injection at Oracle clients and if you have the access how to use the oradebug command in creative ways? Of course everything will be demonstrated and the tools will be released.
Speaker(s):

Laszlo Toth / Ferenc Spala

László Tóth
László has more than 10 years experience in information security (penetration testing, security audit, incident response). As a researcher his focus is Oracle Database security. He published several research papers and tools in this subject. László is the developer of the woraauthbf tool which was one of the fastest Oracle password crackers at the time of its release. He also released several unique research papers about vulnerabilities of the Oracle authentication protocols and post-exploitation techniques. His name was mentioned in several CPUs released by Oracle. You can check out the technical deepness of his presentations at http://www.soonerorlater.hu

Spala Ferenc
Ferenc has been working as a security consultant for 5 years. He gave several talks on Hungarian and international itsec conferences and workshops. He is also the member of program committee of Hacktivity conference. The story of Hacktivity started in 2003 when a group of security experts were looking for a forum to meet and exchange experience and has become the largest and oldest independent Hungarian hacker event. He is former blogger of a Hungarian IT security blog called “Alice and Bob”. He reported several vulnerabilities in different software such as IBM Cognos Business Intelligence.

Back to Derbycon 2012 video list

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast