After reading ?Google Hacking for Penetration Testers?, Oracle
professionals will come-away, eyes wide-open to the exposures at
internet-enabled Oracle databases. If you have a web-enabled Oracle
database, you need to take-heed!
When the powerful Googlebot crawls a web site it can expose many
Oracle-related vulnerabilities and exposures. For example, just run
the Google search below to identify dozens of web-sites with a iSQL*Plus
interface, the first-step by a hacker who is interested in launching
a buffer overflow attack on your Oracle database:
http://www.google.com/search?hl=en&lr=&c2coff=1&q=intitle%3AiSQL+intitle%3ARelease+inurl%3Aisqlplus&btnG=Search
On the heels of the bestselling book ?Google Hacking for Penetration
Testers?, Johnny Long?s idea has opened many people?s eyes about the
power of Google when placed in the wrong hands. This is one of the
best computer books of 2005, a novel concept with widespread
ramifications for the Oracle DBA:
http://www.bookpool.com/sm/1931836361
You may also enjoy Johnny Longs web site, and be sure to check-out
the user-contributed Oracle Google searches:
http://johnny.ihackstuff.com/
If you want the short-course, in this presentation we see the Johnny
Long expose the huge power of Google as an intrusion tool:
http://www.red-database-security.com/wp/google_oracle_hacking_us.pdf
There is also an excellent discussion of Google hacking for
penetration testers at the red-database-security web site:
http://www.red-database-security.com/wp/google_oracle_hacking_us.pdf
The most frightening section from the above link are the Google
searches that can be used to detect if a web site is hosting
SQL*Forms, Oracle Discoverer of Oracle Reports, the first-step in a
hack attack:
Oracle Application Server:
iAS Demopages
http://www.google.de/search?num=100&q=++%22inurl%3A%2FiASDemos.htm%22
http://www.google.de/search?num=100&q=++%22inurl%3A%2FJ2EEandIA.htm%22
Oracle Forms
Oracle Forms 6i (using CGI)
http://www.google.com/search?q=+inurl%3Af60cgi&btnG=Search&num=100
http://www.google.com/search?num=100&hl=de&c2coff=1&q=+inurl%3Aifcgi60
Oracle Forms 6i (using Servlets)
http://www.google.com/search?num=100&hl=en&lr=&c2coff=1&q=inurl%3Af60servlet
Oracle Forms
http://www.google.com/search?num=100&hl=en&lr=&c2coff=1&q=inurl%3Af90servlet
Oracle Reports
Oracle Reports 6i
http://www.google.com/search?num=100&q=+inurl%3Arwcgi60
Oracle Reports
http://www.google.com/search?q=%22inurl%3Arwservlet%22+%22inurl%3Areports%22&num=100
Oracle Discoverer
Oracle Discoverer Viewer
http://www.google.com/search?num=100&q=%22inurl%3Adiscoverer%2Fviewer%22
Oracle Discoverer Plus
http://www.google.com/search?num=100&q=%22inurl%3Adiscoverer%2Fplus%22
Oracle Discoverer 10g
http://www.google.com/search?num=100&q=%22inurl%3Adiscoverer%2Fapp%22
This is an extremely powerful technique, and every Oracle
professional should run these Google commands to see if a improper
permission setting (e.g. 744) might expose your Oracle database to a
hack attack: