Now that I have a Metasploit and Oracle demo environment, it is time to see what I can use to exploit an Oracle 11g Release 2 database. I have to tell you, most of the exploits are actually rather old. I was a bit disappointing.
When you do “search oracle” in Metasploit, you get a promising, long list of scans and exploits. But as you’ll quickly note, a lot is Java related. Because that’s also Oracle. It helps to do a smarter search, for example by looking up oracle in the name: “search name:oracle”. But this also gives you MySQL exploits. And exploits of every old Oracle version. I’m not looking for that now either. And I’ve tried grepping, but that is not interpreted as grepping and gives you really weird results.
So in the end I’m just giving you my list of Oracle database scans and exploits that do not have old version numbers in the description. All non-database products are removed from the list. And for good measure, I’ve also removed exploits with very old disclosure dates, because I assumed they were targeted at versions much older than Oracle 11g. Continue reading →