Oracle Injection Vulnerability

Source: Internet
Author: User
Tags: mysql, injection, domain

Oracle also has injection vulnerabilities. Recently, well-known websites such as MSN and Jiangmin have been threatened and attacked by hackers. The editorial department of this newspaper received a call from the author of this article, who described in detail a vulnerability he had discovered on the website of the largest domain name provider in China (hereinafter referred to as "X Network"). Our editorial department immediately contacted the chief engineer of X Network, who confirmed the authenticity of the vulnerability and fixed it in time.

Discovery

On October 18, after my project was finished, I was chatting with online friends from all over the country, and I was very envious to hear that a friend's website had just opened.
When would I own a host and a domain name of my own? To apply for a host and a domain name, I naturally thought of X Network (it is very famous in China). When I opened the homepage, I noticed the member logon interface in the upper-right corner, and the author's old mischievous curiosity stirred again: if I could find a vulnerability, that would be something, and right now I had nothing else to do.
I took out a port scanning tool and scanned X Network's server. No vulnerabilities were found, which was really depressing! Thinking about it, X Network has been in business for more than 10 years; the servers of such a large site would have no shortage of security measures: patches applied promptly, IDS and firewalls, and maybe even a honeypot waiting for you!
After a while, I suddenly realized that the X Network site was written in ASP. Some time ago, injection vulnerabilities in ASP + MSSQL were very popular, and many websites suffered. Could there be such a problem here? Let's try it first. I found a page for purchasing a virtual host: http://www.???.cn/HAS_Client/buy/vir_host/vir_host1_SB.asp?PackageID=10341. First I tested it with the classic method, which only returned a type mismatch: 'cdbl' error. What database does X Network use? The author added a single quotation mark to the parameter and submitted the request, and the page returned an error message.

It is Oracle. Errors of this kind generally occur with Oracle databases, and this one is similar to the error MSSQL returns when a quotation mark is not closed. However, when MSSQL gives such an error we can be almost certain there is an injection vulnerability, whereas with Oracle it still has to be confirmed.

Confirmation

The following steps are the crucial ones. In IE, enter:
http://www.???.cn/HAS_Client/buy/vir_host/vir_host1_SB.asp?PackageID=10341'and%200<>(select%20count(*)%20from%20all_tables)%20and%20'1'='1
http://www.???.cn/HAS_Client/buy/vir_host/vir_host1_SB.asp?PackageID=10341'and%200<>(select%20count(*)%20from%20user_tables)%20and%20'1'='1
http://www.???.cn/HAS_Client/buy/vir_host/vir_host1_SB.asp?PackageID=10341'and%200<>(select%20count(*)%20from%20user_tab_columns)%20and%20'1'='1
These are the Oracle system tables I guessed at: all_tables, user_tables, and user_tab_columns. If they did not exist, there would be nothing to go on.
Unexpectedly, all the pages returned successfully. This shows that the system tables I guessed exist, and also that the submitted SQL statements were processed by the program.
At this point I had confirmed that X Network has an injection vulnerability.
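The three probe requests above are easy to spot in web server logs after the fact: the PackageID value should be a plain number, yet it arrives carrying a quote and the names of Oracle data-dictionary views. The following detector, added here as an example and not part of the original article, decodes the query string of constructed IIS-style log lines (timestamps and format are assumed) and classifies each parameter value.

```python
import re
from urllib.parse import parse_qsl

# Constructed log lines (not from the article): date time method stem query status.
# Lines 2-4 mirror the three probe URLs discussed in the text; line 5 is a bare quote.
LOG_LINES = [
    "2000-01-01 00:00:01 GET /HAS_Client/buy/vir_host/vir_host1_SB.asp PackageID=10341 200",
    "2000-01-01 00:00:02 GET /HAS_Client/buy/vir_host/vir_host1_SB.asp PackageID=10341'and%200<>(select%20count(*)%20from%20all_tables)%20and%20'1'='1 200",
    "2000-01-01 00:00:03 GET /HAS_Client/buy/vir_host/vir_host1_SB.asp PackageID=10341'and%200<>(select%20count(*)%20from%20user_tables)%20and%20'1'='1 200",
    "2000-01-01 00:00:04 GET /HAS_Client/buy/vir_host/vir_host1_SB.asp PackageID=10341'and%200<>(select%20count(*)%20from%20user_tab_columns)%20and%20'1'='1 200",
    "2000-01-01 00:00:05 GET /HAS_Client/buy/vir_host/vir_host1_SB.asp PackageID=10341' 500",
]

# A quote followed somewhere by an Oracle data-dictionary view or UTL_FILE.
ORACLE_PROBE = re.compile(r"'.*\b(all_tables|user_tables|user_tab_columns|utl_file)\b", re.I)
# Generic SQL metacharacters and keywords, the same things the article's fix filters on.
SQL_META = re.compile(r"'|;|\b(select|union|update|insert|from)\b", re.I)

def parse_line(line):
    """Return the decoded query parameters of one log line as a dict."""
    _date, _time, _method, _stem, query, _status = line.split()
    return dict(parse_qsl(query, keep_blank_values=True))  # parse_qsl URL-decodes %20 etc.

def classify(value):
    """Verdict for a single parameter value, most specific first."""
    if re.fullmatch(r"\d+", value):
        return "clean"
    if ORACLE_PROBE.search(value):
        return "oracle-schema-probe"
    if SQL_META.search(value):
        return "sql-metachar"
    return "suspicious"

def scan(lines):
    """List (parameter, verdict) for every non-clean parameter in the log."""
    findings = []
    for line in lines:
        for name, value in parse_line(line).items():
            verdict = classify(value)
            if verdict != "clean":
                findings.append((name, verdict))
    return findings

if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding)
```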

Exploitation

The database is the most important part of a site. With the vulnerability discovered by the author, we can read and modify all the data in the database, not just user accounts.

When UTL_FILE privileges have been granted to PUBLIC, UNION can be used in the query to read files on the server, similar to load_file() in PHP + MySQL injection; of course UPDATE and so on can also be executed. I am still a newbie in Oracle injection research and have not yet managed to insert data or carry out more advanced injection attacks. Throughout the testing, NBSI's background scanning function and WPE were used, which greatly improved efficiency.
Now I can obtain the information of every X Network user. Once logged in, I can easily change where their domain names point. If the author were a malicious attacker, he would only need to point a commercial site's domain name at a fake site, and the account information users enter when logging on to that commercial site would no longer be secure. In effect, this vulnerability amounts to domain name hijacking: as long as you are an X Network user, I can hijack your website. For X Network itself, all of its services may be affected, and data can be obtained and tampered with.
The other dangers are also obvious, so we will not detail them.

Fix and supplementary notes

To prevent such injection vulnerabilities, strictly filter the parameters submitted in the URL, removing characters such as single quotes and SQL keywords. In practice: have the program check the string after the question mark in the submitted URL; once special characters such as single quotation marks or semicolons, or SQL keywords, are found, display a custom error page.
It would take X Network's administrator less than five minutes to solve the problem. In addition, X Network should strengthen the security of the data inside the database: at least encrypt it!
Incidentally, many sites in China have injection vulnerabilities like this.
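The fix the article proposes is blacklist filtering of the query string. As an added example (not the article's or X Network's code), the block below shows the same PackageID lookup in three forms: the vulnerable string-spliced query, which the article's probe payload turns into a true condition; an allow-list check that accepts only an integer PackageID, which is the tighter form of the filter recommended above; and a bound-parameter query, where the payload is treated as a literal value and matches nothing. The packages table is constructed sample data and SQLite's sqlite_master stands in for Oracle's all_tables.

```python
import re
import sqlite3

# The article's probe value, with sqlite_master standing in for Oracle's all_tables.
PAYLOAD = "10341'and 0<>(select count(*) from sqlite_master) and '1'='1"

def make_db():
    """Constructed sample data: one hosting package with the id used in the article."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE packages (id TEXT, name TEXT)")
    con.execute("INSERT INTO packages VALUES ('10341', 'Virtual host 1')")
    return con

def lookup_concat(con, package_id):
    """Vulnerable form: the parameter is spliced straight into the SQL text,
    so quotes and keywords inside it are parsed as SQL."""
    sql = f"SELECT name FROM packages WHERE id='{package_id}'"
    return [row[0] for row in con.execute(sql)]

def is_valid_package_id(raw):
    """Allow-list check: PackageID must be a plain decimal integer.
    This rejects quotes, semicolons and keywords without having to enumerate them."""
    return re.fullmatch(r"\d{1,10}", raw) is not None

def lookup_param(con, package_id):
    """Hardened form: a bound parameter is never parsed as SQL, so the
    payload is compared as a literal string and matches no row."""
    sql = "SELECT name FROM packages WHERE id=?"
    return [row[0] for row in con.execute(sql, (package_id,))]

if __name__ == "__main__":
    db = make_db()
    print("concat, payload:", lookup_concat(db, PAYLOAD))   # injected condition is true
    print("validated?      ", is_valid_package_id(PAYLOAD))  # False, request rejected
    print("param, payload: ", lookup_param(db, PAYLOAD))     # no match
```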

Editor's note

Since the attacks of so many worms and viruses, we have paid great attention to server security; some sites even leave only port 80 open. Today, the security of the code running on the server is especially important: a small oversight in the code can bring the whole site down.

Today, there is a database injection vulnerability. What will happen tomorrow?
