In 2009, Metasploit released a suite of auxiliary modules targeting oracle databases and attacking them via the TNS listener. This year lets beat up on…errr security test Oracle but do it over HTTP/HTTPS. Rather than relying on developers to write bad code lets see what we can do with default content and various unpatched Oracle middleware servers that you’ll commonly run into on penetration tests. We’ll also re-implement the TNS attack against the isqlplus web portal with Metasploit auxiliary modules.
Chris Gates (CG/carnal0wnage) is currently a Sr Security Consultant for Rapid7 and is a member of the Metasploit Project and Attack Research. He enjoys business logic flaws, misconfigured databases and the occasional client-side attack. He has spoken at various other security conferences includimang BlackHat USA, Defcon, CSI 2009, Brucon, SOURCE Boston, Toorcon, Notacon, and Chicagocon. He is a regular security blogger at <a href="http://carnal0wnage.attackresearch.com" target="_blank">http://carnal0wnage.attackresearch.com</a> and securitytwit <a href="http://twitter.com/carnal0wnage" target="_blank">@carnal0wnage</a>