1 Oracle
It is easy to introduce Oracle: a relatively early RDBMS with a large market share, often used for very large databases. Besides good support for the SQL language, it ships a rich set of packages and stored procedures, and it even supports Java and the creation of libraries. Such powerful functionality is also a great convenience for hacking.
Oracle itself has many default accounts and many stored procedures created by the system, and many of these procedures are executable by PUBLIC. Over the past few years many Oracle vulnerabilities have been published, including overflows and SQL injection. Here the SQL injection vulnerabilities are particularly important, because in Oracle a stored procedure created without the AUTHID CURRENT_USER clause runs with the privileges of its creator, and PUBLIC has permission to call many of these procedures. So if there is an injection in a built-in stored procedure, it is easy for an ordinary user to escalate to Oracle system privileges. Oracle also has many built-in accounts, some of which have default passwords and CONNECT privileges. If the Oracle port is not protected by a firewall and can be reached remotely, a default account can be used to log in, and an injection in one of the system's stored procedures then compromises the whole system. Of course, logging in to Oracle requires a SID, but that is not difficult to obtain: the TNS listener has no password set by default, so the services command of tnscmd.pl can be used to find the system's SID (in newer versions this flaw has been fixed). This is a very classic way of breaking into Oracle.
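As an added check, not from the original article, these are the queries a DBA would run to find the two conditions the paragraph describes: open accounts that still use a shipped default password, and definer-rights procedures that PUBLIC is allowed to execute. They assume Oracle 11g or later, where the DBA_USERS_WITH_DEFPWD view and the AUTHID column of DBA_PROCEDURES exist, and a session that can read the DBA_* views.

```sql
-- Added audit queries, not part of the original article.
-- Assumes Oracle 11g or later and a session allowed to read the DBA_* views.

-- 1. Open accounts whose password is still the shipped default.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN'
 ORDER BY d.username;

-- 2. Procedures and packages that run with definer rights (no AUTHID CURRENT_USER)
--    and that PUBLIC may execute. Each runs with its owner's privileges for any
--    caller, so an injection inside one of them is a privilege escalation path.
SELECT DISTINCT p.owner, p.object_name, p.object_type
  FROM dba_procedures p
  JOIN dba_tab_privs t
    ON t.owner = p.owner AND t.table_name = p.object_name
 WHERE p.authid = 'DEFINER'
   AND t.grantee = 'PUBLIC'
   AND t.privilege = 'EXECUTE'
   AND p.procedure_name IS NULL        -- object-level row, not one per subprogram
 ORDER BY p.owner, p.object_name;

-- 3. Among definer-rights code whose source is readable, find units that build
--    dynamic SQL; these are the ones to review for concatenated input first.
--    (Oracle's own SYS package bodies are wrapped, so for those rely on patching.)
SELECT DISTINCT s.owner, s.name, s.type
  FROM dba_source s
  JOIN dba_procedures p
    ON p.owner = s.owner AND p.object_name = s.name AND p.procedure_name IS NULL
 WHERE p.authid = 'DEFINER'
   AND s.type IN ('PACKAGE BODY', 'PROCEDURE', 'FUNCTION')
   AND (UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%'
        OR UPPER(s.text) LIKE '%DBMS_SQL.PARSE%')
 ORDER BY s.owner, s.name;
```

Accounts returned by the first query should be locked or given a new password; objects returned by the second should have the PUBLIC grant revoked unless the package genuinely needs it.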
2 Oracle Web Hacking Technical Background
Oracle's rich system tables. Almost all information in Oracle is stored in system tables: the current state of the running database, the current user, the current database, the databases and tables the user can access, and so on. The system tables are the core of the whole database, and almost all of this information can be obtained simply by querying them. For example, sys.v_$option contains information about the current database, such as whether Java is supported; all_tables contains information about all accessible tables; all_tab_columns contains all column information, and so on. This is a great convenience for gathering information, and later sections describe how to use the system tables to obtain sensitive information.
Among Oracle's various vulnerabilities, the one to talk about here is injection in stored procedures. There is no mystery to it: stored procedures and functions also receive user input and then send it to the database server to be parsed and executed. If that input is concatenated into a SQL string that is then executed, data and commands are easily mixed, resulting in SQL injection. But depending on where the injection occurs, the nature of the vulnerability differs. Oracle uses PL/SQL, and when the vulnerability occurs in a DML statement such as a SELECT, multiple statements cannot be executed, so to run your own DDL statement such as GRANT DBA TO LOVEHSELL you must create your own function or stored procedure. If you do not have the relevant permissions, cursor injection with the dbms_sql package can also be used to get around the restriction. Most injections are of this limited kind, and you must rely on other packages or cursors you create yourself to escalate privileges. However, there are some quite common vulnerabilities whose injection environment is very loose: the user input is placed inside an anonymous PL/SQL block between BEGIN and END. In this case multiple statements can be injected directly, with almost no restrictions. It is this kind of shining vulnerability that has brought such brilliance back to our web injection technique.
Okay, the above are some of Oracle's attack techniques, but in many current environments only the web service is exposed to the outside, and the back-end database is protected by a firewall. It is no longer possible to learn much detail about the database or to log in to it directly. At this point it is time to consider attacking the back-end database through vulnerabilities in the web application. Now let's look at how injection works in an Oracle web environment! Oracle works well in all sorts of web environments, and the web environment has little effect on injection. In ASP, .NET and JSP the incoming parameters are not filtered at all; but because .NET and JSP are strongly typed languages, even when the SQL statement is not filtered, a numeric injection may raise an error when the parameter is received, which is why injection appears more often in string parameters. In the PHP environment every ' is escaped as \', but in Oracle \' is not an escape (the correct escape in Oracle is ''), so a ' used in our injection statement is broken by being converted to \', and ' cannot be used in the injection. Apart from that, there are no restrictions on the web side. On the database side, if the statement is executed with parameters it cannot be injected; only string concatenation can be injected (and because string concatenation is simpler, and for historical reasons, many programmers still prefer this form). String concatenation is further divided into two cases: the parameter is in a DML statement such as SELECT, UPDATE or INSERT, or the parameter is in an anonymous PL/SQL block. If the web program does not catch errors, we can easily judge which kind of statement we are in from the error message, which will be discussed later.
Injection into a PL/SQL anonymous block is relatively rare, but it is not ruled out, and such an injection has no limits: you can execute multiple statements and do anything, no different from logging in locally.
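The two points made above about stored procedures and about string concatenation versus parameters, as an added example that is not from the original article: a constructed application procedure in the vulnerable shape the text describes (definer rights by default, user input concatenated into the SQL text), beside a hardened version that uses AUTHID CURRENT_USER and a bind variable. The schema, table and procedure names (APP_OWNER, ORDERS, LOOKUP_ORDER) are hypothetical.

```sql
-- Added example, not from the original article. APP_OWNER, ORDERS and the
-- LOOKUP_ORDER procedures are constructed names for illustration.

-- Vulnerable shape: no AUTHID clause, so the procedure runs with APP_OWNER's
-- privileges for every caller, and p_customer is spliced into the statement
-- text, so it can change the statement instead of being a value.
CREATE OR REPLACE PROCEDURE app_owner.lookup_order_unsafe (
    p_customer IN  VARCHAR2,
    p_total    OUT NUMBER)
AS
BEGIN
    EXECUTE IMMEDIATE
        'SELECT SUM(amount) FROM app_owner.orders WHERE customer = '''
        || p_customer || ''''
        INTO p_total;
END;
/

-- Hardened shape:
--   * AUTHID CURRENT_USER: runs with the caller's privileges, so a flaw in
--     the procedure cannot hand the caller the owner's rights (the caller now
--     needs SELECT on app_owner.orders, which is the point);
--   * the customer name is passed as a bind variable (:cust) via USING, so it
--     is always data and never parsed as SQL. The same holds for static SQL
--     ("WHERE customer = p_customer"), which binds implicitly.
CREATE OR REPLACE PROCEDURE app_owner.lookup_order (
    p_customer IN  VARCHAR2,
    p_total    OUT NUMBER)
AUTHID CURRENT_USER
AS
BEGIN
    EXECUTE IMMEDIATE
        'SELECT SUM(amount) FROM app_owner.orders WHERE customer = :cust'
        INTO p_total
        USING p_customer;
END;
/

-- Grant execute to the application role only, never to PUBLIC.
-- GRANT EXECUTE ON app_owner.lookup_order TO app_user_role;
```

The same division applies to web code: a statement built by concatenating the request parameter into the SQL string has the first shape, a prepared statement with placeholders has the second.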
3 Basic ideas of Oracle Web Hacking
The next part is about how to determine the target. Finding the injection parameters is up to everyone; the main thing is how to determine whether the database is Oracle, which is easy based on the database's characteristics. Oracle supports -- comments, but does not support executing multiple statements separated by ;. Oracle has many system tables, such as all_tables, and accessing these tables also tells you whether it is Oracle. In addition, some Oracle-specific functions can be used to tell, such as utl_http.request, and small details of the language can also distinguish systems. For example, || is the concatenation operator in Oracle but not in other databases, so if and chr(123)||chr(123)=chr(123)||chr(123) executes successfully, it should be Oracle. Also, some scripts do not handle the error message when a database query fails, which can leak the real back-end database and makes it obvious.
The next thing that needs to be determined is the type of injection point. Usually the parameters we enter are either numeric or character (what many people call search-type injection should really be classified as character). For the numeric type there is nothing to think about: simply appending the -- comment characters closes the statement correctly. For the character type you have to think about how to make the whole statement correct, usually adding ' and -- as injection characters to arrange your own injection. In some complex situations, such as a parameter appearing in multiple SQL statements and logic branches, you will have to carefully construct injection statements that fit the situation. Remember, all we need is a complete environment in which we can easily arrange various SQL commands. :)