Eight common practices for hackers to attack the Oracle System (1)

　Oracle DatabaseDespite being a powerful database systemHackerThat is to say, no matter what computer system, people can always find a way to attack it, Oracle is no exception. This article will discuss with you how hackers reach out to the data you thought they could not touch, it is hoped that the database administrator of Oracle can clearly clarify which regions of its infrastructure are vulnerable to attacks.

1. SQL injection attacks

Today, most Oracle databases have backend data storage zones for certain types of network application services. Web applications make databases more vulnerable to attacks in three aspects. First, these application interfaces are complex and have multiple components, making it difficult for database administrators to thoroughly check them. Second, the barrier to prevent programmers from interfering is very low. Even if it is not a C language programming expert, it can also attack some pages. Next we will briefly explain why this is so important to us. The third reason is the priority issue. Web applications have been developing, so they are constantly changing and innovating. In this way, security issues are not a matter of priority.

SQL injection is a simple attack. You can enter information in the page form and quietly add some special code to entice the application to execute the code in the database, and return some unexpected results from programmers. For example, if you have a user login form that requires you to enter the user name and password to log on, enter the following code in the user name column:

Cyw'); select username, password from all_users ;--

If the database programmer is not smart enough to check similar information and "clean" our input, the code will be executed in the remote database system, then the sensitive data about all user names and passwords will be returned to our browser.

You may think this is an alarmist, but it is more powerful. In his book Oracle Hacker's Handbook, David Litchfield injects a special pl/SQL injection attack, which is named holy grail ), it used to kill all Oracle database versions from Oracle 8 to Oracle10g. I 'd like to know how it works. You can use a package called DBMS_EXPORT_EXTENSION to use injection attacks to obtain the code for executing an exception handling program. This program grants the user or all relevant user database administrators the privilege.

This vulnerability is targeted at Security upgrade patch Security Alert 68 released by Oracle. However, according to Litchfield, these vulnerabilities cannot be completely repaired.

Methods to prevent such attacks

All in all, although there is no omnipotent bullet-proof clothing, in view of this problem involving all network-oriented application software, we still need to do our best to prevent it. There are various SQL Injection detection technologies available on the market. Refer to the detailed introduction of the http://www.securityfocus.com/infocus/1704 series.

You can also use different intrusion detection tools to detect SQL injection attacks at different levels. Visit the security website http://www.petefinnigan.com/orasec.htm, which specializes in Oracle Security Research, and search for “SQL injection on the webpage. For more information, see. Pete Finnigan reported on his blog that Steven Feurstein is currently compiling a pl/SQL package called SQL Guard to prevent SQL injection attacks. For more information, see the following webpage: http://www.petefinnigan.com/weblog/archives/4261115.htm.

For software developers, many software packages can help you "clean" input information. If you call to process each value accepted from the page form, you can call the cleansing routine to protect your system more closely. However, it is best to use SQL Injection tools to test and verify the software to ensure that nothing is lost.

2. default password

Oracle Database is a huge system that provides a mode for creating everything. The default password is provided for logon to most built-in users. Want to know if the database administrator is diligent enough? Here is a way to find the answer. Check whether the following common preset usernames and passwords can be used to log on to the database:

Username Password

Applsys apps

Ctxsys change_on_install

Dbsnmp

Outln

Owa

Perfstat

Scott tiger

System change_on_install

System manager

Sys change_on_install

Sys manager

Even if the database administrator has worked hard to change these default pairs, it is not difficult to guess the login password, try "oracle", "oracle4", "oracle8i", and "oracle11g" one by one to see if one of them can log on.

Pete Finnigan provides a list of default users and their corresponding passwords. The list is comprehensive and up-to-date, and includes encrypted passwords. If you use all_users for query, you can try and compare the list. For more information about the list, see http://www.petefinnigan.com/default/default_password_list.htm.

Methods to prevent such attacks

As a database administrator, you should review all database passwords on a regular basis. If some commercial resistance makes it difficult for you to easily change the password that is easily guessed, you can try to calmly explain it to relevant personnel, use some intuitive examples to illustrate what will happen if you do not change the password and what risks will happen.

Oracle also provides a password security profile. You can activate this profile to enhance the complexity of the Database Password at a certain level. You can also execute regular password failures. You must set this function to only apply to events logged on through the network server or intermediate layer application server.

3. Brute Force)

A brute-force attack, as its name implies, is a method that keeps cracking until the lock is opened. An Oracle database uses an automatic process to crack the user name and password by combining all letters and numbers.

A Unix administrator can use a password cracking software named John the Ripper to perform such attacks. Now, if you download a patch, you can use the software to launch a brute force attack on Oracle and open the password. However, depending on the complexity of the password, this may be a very time-consuming process. If you want to speed up this process, you can prepare a table containing all the password encryption in advance, such a table is called a Rainbow table. You can prepare a different rainbow table for each user name, because the password encryption algorithm uses the user name as the fuel. I will not go into more details here. For more information, see http://www.antsight.com/zsl/rainbowcrack.

The default setting of the Oracle server is that the account is automatically locked when an incorrect password is entered for a specific account for up to 10 times. However, the "sys as sysdba" permission usually does not have this restriction, probably because if you lock the administrator, everyone will be locked. This setting opens a path for our hacking software (OraBrute), which keeps hitting the front door of your database until it is opened.

Methods to prevent such attacks

To defend against such attacks, you can use the methods mentioned earlier to defend against preset password attacks. However, curious database administrators may also download the tools mentioned above to intrude into their systems. This shows where your real risk comes from.