More JBOSS hacking

Last update date: 1 Jul 2009
First public release: 1 Jul 2009
Author: Maurizio Agazzini aka inode (inode at mediaservice dot net)
Ivan Verri aka raist (raist at mediaservice dot net)
Additional notes: Piergiovanni Cipolloni (piergiovanni at mediaservice.net)

Notes based on a directory traversal that works on JBoss 4.0.4 GA and below (CVE-2006-5750)


JBOSS application deploy via web

Last update date: 22 Jan 2008
First public release: 22 Jan 2008
Author: Ivan Verri aka raist (raist at mediaservice dot net)

JBoss is an application server/middleware that uses Apache Tomcat as its JSP engine; this paper explains how to deploy a custom application in order to operate (read, write, execute) on the underlying OS.


MSSQL Tips

Last update date: 22 Jan 2008
First public release: 22 Jan 2008
Author: Maurizio Agazzini aka inode (inode at mediaservice dot net)

This article is nothing new, but it focuses on giving all the information needed to perform a SQL injection against SQL Server (MSSQL). None of the queries modify or add anything to the database.


Oracle cheat sheet

Last update date: 20 Feb 2008
First public release: 20 Feb 2008
Author: Ivan Verri aka raist (raist at mediaservice dot net), Piergiovanni (piergiovanni at mediaservice dot net)

An Oracle cheat sheet


Oracle Portal for Friends

Last update date: 22 Jan 2008
First public release: 22 Jan 2008
Author: Ivan Verri aka raist (raist at mediaservice dot net)

Oracle 10g Application Server up to 10.1.2.1.0: remote exploitation of what is described in:

This example uses injection in ORASSO.HOME, but these paths also work:

  • JAVA_AUTONOMOUS_TRANSACTION.PUSH
  • XMLGEN.USELOWERCASETAGNAMES
  • PORTAL.WWV_HTP.CENTERCLOSE
  • ORASSO.HOME
  • WWC_VERSION.GET_HTTP_DATABASE_INFO
