An ORACLE Security Detection clip

ORACLE Database Detection
1. content to be detected
In ORACLE detection, you need to check database users, permissions, sensitive tables, packages, and processes. If you have permissions, you can check the passwords of ORACLE database users and try to crack them.
During the detection process, first check the database version, then check three important system tables and the current user permissions, and finally check the access permissions for other tables.
Ii. Detection Methods
1. Database Version Detection
Version Check includes the database version, PL/SQL version, CORE version, TNS version, and NLSRTL version. The check statement is:
SELECT * FROM (SELECT * FROM v $ version order by 1ASC) where rownum (select count (*) from dba_users)
And 0 (select count (*) from user_users)
If the page returns normal, you are authorized to perform the check.
Dba_users stores the tables of all users, and user_users stores only the information of the current user. Their table structure is almost the same, but there is no PASSWORD column in user_users, and the user PASSWORD is not hashed.
The following uses dba_users detection as an example to describe how to detect user information.
The content to be checked includes user data volume, user name, password (encrypted), remote connection, and user group.
First, check the user data volume:
And 52> = ascii (substr (select count (*) FROM dba_users), 1, 1) bitscn.com
Determine the first data volume and change dba_users), numbers in, for example, dba_users), can detect the second data volume.
After detecting the amount of data, you can check other data.
Detection Username:
First, judge the length of the first user name
0 (select count (*) from dba_objects)
There is a difference here. If all the ORACLE Objects are detected and there are more than 40 thousand objects, the speed may be greatly affected. If only important content is detected, when an ORACLE vulnerability exists in an unexpected range, it cannot be detected. Only the software code can be modified. If you detect all vulnerabilities, you can only describe them in the vulnerability library. Another method is feasible: to list all the processes and package names, let the user select which packages and processes to detect and return the test results.
During all detection, you must check the owner, name, and type of the process and package.
You need to perform detection one by one and then list the detection content. For example, the following package exists:
UTL_HTTP
UTL_HTT_LIB
UTL_XML
UTL_TCP
To detect UTL_HTTP, use the following methods:
First, determine whether it can be accessed (whether it has access permissions, whether it exists, and so on ):
And 0 (select count (*) from dba_objects where OBJECT_NAME = UTL_HTTP)
If the page returns normally, you can confirm that you have the access permission. On this basis, you can detect other information, including the owner name and type. Bitscn.com
One problem that needs to be noted here is that the OBJECT_NAME column is not unique. For example, there are two UTL_HTTP columns in it, so it must be extremely accurate when locating. In the process of determining the data, no proper method was found to distinguish them from the unique data. Therefore, we can only perform a simple test to determine whether or not they have the right to access, but not the specific permission name. In the compromise, you should first specify the relevant permission names and then correspond accordingly. For example, the permissions in the table include SYS and PUBLIC, which can be accessed through the following statement:
And 0 (select count (*) from dba_objects where OBJECT_NAME = UTL_HTTP and OWNER = 'sys ')
If the SYS owner exists, the system returns the normal page. If the SYS owner does not exist, the system returns the error page.
The methods for detecting user_objects are the same.
4. Database Table Detection
Before checking database tables, you must first check whether three major system tables have access permissions. They are:
All_tables, user_tables, and user_tab_columns.
Check Method:
And 0 (select count (*) from all_tables)
If yes, the returned page is normal and cannot be accessed. The returned page is abnormal.
After determining the access permissions for these three system tables, you can guess the database tables. All accessible tables of the current user are placed in all_tables, and the tables of the current user are placed in user_tables. The methods for guessing are identical, that is, the system table that the current user can access is missing in user_tables.
BitsCN. nET China Network Management blog

Take user_tables as an example:
First, determine the data volume.
The number of data tables that can be guessed first:
And 52 = ascii (substr (select count (*) FROM USER_TABLES), 1, 1 ))
After determining the data size, you must determine the length of the first table.
And 0