@bonjourpancake It worked fine for me! I installed and tested sqlplus first, checked that this works, then installed odat, following their checklist (where several steps were not required anymore as already covered by the sqlplus setup).
But I modified the code to make it exploit the ‘loophole’ I found without odat. Would be interested to know myself if this was really necessary or if I missed some config option. I rather used odat more like a checklist - cross-checking if there is something else to be tested. I had already checked the ‘known security issues’ without odat before. I think when the tool tests for the weakness of a certain library it does something that’s not really necessary in this case but this action requires too much privileges and then it fails completely… and results falsely indicate that the attacked component is not vulnerable. But again, I can’t rule out I missed some option to test for my intended attack vector.
I found the interesting issue with sqlplus, tested a simple version of my exploit idea with sqlplus, and then used a modifed version of the odat script to exploit it more conveniently. But maybe writing the same thing in sqlplus would have taken about the same time as making the modification in Python.