It depends on the length and complexity of the password used. Any combination of eight characters or less is sitting in a rainbow table you can download right now and is already cracked. Longer passwords without sufficient complexity will be cracked as well. If you think you have outwitted a hacker by using l33t to come up with "70rchw00d", you deserve to be hacked. #BrokenRecord Seth On Thu, Jul 10, 2014 at 2:03 PM, McPeak, Matt <vxsmimmcp@xxxxxxxxxx> wrote: > The article casually mentions cracking the password hash to get the > system password. I didn’t know it was that easy! > > > > > > > > *From:* oracle-l-bounce@xxxxxxxxxxxxx [mailto: > oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Bobby Curtis > *Sent:* Thursday, July 10, 2014 1:17 PM > *To:* sethmiller.sm@xxxxxxxxx > *Cc:* oracle@xxxxxxxxxxx; Oracle-L > *Subject:* Re: Interesting Hack > > > > Seth, > > > > Not harsh at all. > > > > I thought it was an interesting hack as well. I think the point of this > hack example was to highlight what not to do; but we are all human and > don’t listen half the time. > > > > Bobby > > > > > > On Jul 10, 2014, at 12:36, Seth Miller <sethmiller.sm@xxxxxxxxx> wrote: > > > > That is interesting except DBSNMP does not have a default password. > > If your application is not using bind variables (which would prevent this > simple sql injection) and you are dumb enough to set your privileged DBSNMP > account password to DBSNMP, you deserve to be hacked. > > Am I being too harsh? > > Seth > > > > On Wed, Jul 9, 2014 at 7:32 PM, Dave Morgan <oracle@xxxxxxxxxxx> wrote: > > Granted the database security was crap to begin with but I did not know > the escape to shell trick. > > > http://www.notsosecure.com/blog/2014/07/08/abusing-oracles-create-database-link-privilege-for-fun-and-profit/ > > Dave > > -- > Dave Morgan > Senior Consultant, 1001111 Alberta Limited > dave.morgan@xxxxxxxxxxx > 403 399 2442 > -- > //www.freelists.org/webpage/oracle-l > > > > >