
Oracle Exploits / Exploit

This section "Oracle Exploits / Exploit" (or Proof-of-Concept code) contains information about Oracle security vulnerabilities in several products such as the database, webcache, TNS listener, PL/SQL functions, PL/SQL packages, forms, reports, isqlplus, ohs, ... This is not illegal or dangerous. If your database or application server is hardened, all the exploits mentioned here are WITHOUT any effect.
This page does not contain 0day exploits.

All exploit code on this website is already out there, e.g. in newsgroups and on websites (like bugtraq). Hackers and script kiddies use such code every day. DBAs and security professionals like pentesters or auditors should know how to escalate privileges, become DBA, become root, decrypt data, crash a database or perform a denial of service attack.

A lot of proof-of-concept code can be found in Metalink if you know how to search in Metalink. Red-Database-Security GmbH will soon publish a document on how to find exploit code in the knowledge base of Oracle (Metalink).

Listener Exploits - Learn why it is important to protect your TNS Listener. With a few simple commands, anyone with listener access can take over the listener first and then your database.

Oracle 8i Exploits - There are still Oracle instances out there (even if desupported). If you have an older version of 8i please try to update at least to plus the latest security patchsets. Check the Critical Patch Updates on from secalert on a regular basis for additional information.

Oracle 9i Exploits - Many customers are still using If you are not using the latest patchset / patchsets, it is possible to become DBA with a single command (e.g. via CTXSYS.DRILOAD, DBMS_METADATA, DBMS_CDC_SUBSCRIBE).

Oracle 10g Exploits - More secure than 8i or 9i. Contains new features (like dbms_scheduler) with new security issues.

Oracle 11g Exploits - Latest version of the Oracle database.

Oracle Application Server Exploits - Many software products like Oracle E-Business-Suite, Oracle Clinical, Oracle Collaboration Suite, custom development software ... are using OAS / iAS.

Oracle Application Express Exploits - The web application development tool APEX is used to develop and deploy applications that are hosted in the Oracle database.

Oracle Weblogic Exploits - WebLogic is a Java platform for developing, deploying, and integrating enterprise applications.

Other websites with Oracle exploit code
Oracle Metalink (Oracle Metalink account required)
Application Security Inc.
Argeniss Information Security
NGS Software

© 2005-2009 by Red-Database-Security GmbH - last update: 2-jul-2009

Definition Exploit
An exploit is a common term in computer security for a piece of software that takes advantage of a bug or vulnerability, leading to a privilege escalation or denial of service (DoS) on a computer system.
Computer security experts use exploit code to test whether a patch is working properly.