The first sequel of this paper was released in 2010 and it discussed the privileges needed to execute OS code when exploiting a SQL Injection in a web application which has an Oracle back-end.
This paper examines new techniques to execute multiple statements via SQL Injection. No special privileges are needed to use these techniques and they work for all versions of Oracle Database from Oracle 9i to 11g R2. The paper specifically outlines how to achieve privilege escalation and OS code execution when exploiting SQL Injection vulnerability in a web app which in-turns connect to an Oracle database.
Click to view (PDF)