CHAPTER 4

Oracle: Moving Further into the Network

The Oracle RDBMS could almost be considered a shell, like bash or the Windows Command Prompt: it is not only capable of storing data but can also be used to access the file system completely and run operating system commands and, what's more, some of the default PL/SQL packages and procedures can access the network. As far as the latter is concerned, if you had the time or inclination, you could write a PL/SQL package that could even communicate with an RPC server somewhere else on the network. Of course, all of this functionality exists to make the RDBMS as flexible as possible for business use, but once compromised, the Oracle RDBMS becomes a dangerous and powerful tool in the hands of a skillful attacker with nefarious intent. Combine this with the fact that the RDBMS has Java built into it, and it becomes clear that the attacker can use the server as a launch pad into the rest of the network.

Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.