
SQL Injection Simulation and Recovery Based on Oracle Database

2025-04-01 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31

This article covers SQL injection simulation and recovery on an Oracle database. The method introduced here is simple, fast and practical.

1. Oracle SQL injection process

1.1. SQL injection mode

The first injection path is infected installation media downloaded from the Internet. When a database instance is created, the SQL injection script runs and creates the corresponding triggers and encrypted stored procedures. This path does not depend on a database user with DBA privileges, because the infected script file runs under the SYS account when the instance is created. The intrusion works by adding an encrypted procedure and a trigger creation script to the prvtsupp.plb file under $ORACLE_HOME/rdbms/admin, which is executed when the user creates the instance. After decrypting the procedure in the prvtsupp.plb file, the content is as follows:

The other injection path is a virus-infected PL/SQL or Toad client tool downloaded from the Internet. If a user logs in through one of these tools with an account that has DBA privileges, the tool runs the virus script in the background and creates the procedure and trigger described above.

1.2. SQL injection behavior

The trigger executes the stored procedure after each database restart. The stored procedure checks whether the time elapsed since the database was created exceeds a specified number of days (in the case I encountered, it was 300 days). If it does, the data dictionary base table TAB$ is backed up and emptied after the database restart.

If the database is not restarted after the TAB$ table is emptied, the database alert log reports a series of ORA-00600 errors and then keeps reporting ORA-00604 and ORA-00957.

2. Simulation of Oracle SQL injection process

To simulate the attack, execute the original encrypted stored procedure directly, as follows:

After executing the stored procedure, shut down the database and start it again. The resulting ORA-00600 error indicates that the bootstrap core object is damaged.

3. Emergency repair process testing

This simulated repair uses a shell script that calls bbed to modify, in batch, the blocks belonging to the tab$ table and restore its deleted records. Because only the cluster table blocks corresponding to tab$ are modified, the indexes are not repaired (the indexes can be disabled; repairing them is not recommended). After the repair, therefore, the only way to recover the data is to export the user data with exp and rebuild the database.

Upload the SYSTEM tablespace data file containing the damaged base table to the Linux platform and run the recovery script, as follows:

After the repair is completed, copy the file back to the Windows platform and start the database (opening the database in read-only mode is recommended; I was lazy here because this is a test environment).

Export the corresponding user data.

4. Daily pre-inspection and treatment

It is recommended to check production databases for the characteristics of this virus on a regular basis. Use the following statement to check whether the database has been infected by this SQL injection virus. If the database has not been restarted yet and the select * from tab$ query is not empty, you can manually drop the corresponding stored procedures and triggers with the statements it generates.

    select 'drop ' || object_type || ' ' || owner || '.' || object_name || ';'
    from dba_objects
    where object_name in ('DBMS_SUPPORT_DBMONITOR', 'DBMS_SUPPORT_DBMONITORP');

Secondly, you can replace the infected $ORACLE_HOME/rdbms/admin/prvtsupp.plb file with a normal prvtsupp.plb file from the same database version, to prevent reinfection when a new database instance is created later.
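The file check described above can be scripted. This is an added example, not part of the original article: it compares prvtsupp.plb with a known-good copy from the same database version and searches it for the two object names used in the query above. The function names, the SHA-256 comparison and the assumption that the object names stay readable inside the file belong to this example, and the sample files are constructed stand-ins.

```shell
#!/bin/sh
# Usage: sh check_prvtsupp.sh SUSPECT.plb KNOWN_GOOD.plb
# Return codes: 0 = matches known-good, 1 = modified or indicator found, 2 = unreadable input.
# Indicators are the two object names the article's query looks for.
INDICATORS='DBMS_SUPPORT_DBMONITOR DBMS_SUPPORT_DBMONITORP'

file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

check_prvtsupp() {
    suspect=$1; good=$2; rc=0
    if [ ! -r "$suspect" ] || [ ! -r "$good" ]; then
        echo "ERROR: cannot read $suspect or $good"; return 2
    fi
    if [ "$(file_sha256 "$suspect")" != "$(file_sha256 "$good")" ]; then
        echo "MODIFIED: $suspect differs from the known-good copy"; rc=1
    fi
    for name in $INDICATORS; do
        # -a: the wrapped file may contain non-text bytes; -w: whole identifier only,
        # so the legitimate DBMS_SUPPORT package name does not match.
        if grep -a -i -q -w "$name" "$suspect"; then
            echo "INDICATOR: $name appears in $suspect"; rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "OK: $suspect matches the known-good copy"; fi
    return "$rc"
}

# Constructed stand-ins for a clean and a tampered file (not real Oracle content).
make_samples() {
    printf 'create or replace package body dbms_support wrapped\na000000\n' > "$1/good.plb"
    cp "$1/good.plb" "$1/bad.plb"
    printf 'create or replace procedure DBMS_SUPPORT_DBMONITORP wrapped\n' >> "$1/bad.plb"
}

if [ "$#" -eq 2 ]; then
    check_prvtsupp "$1" "$2"
else
    tmp=$(mktemp -d) && make_samples "$tmp"
    check_prvtsupp "$tmp/good.plb" "$tmp/good.plb" || true
    check_prvtsupp "$tmp/bad.plb" "$tmp/good.plb" || true
    rm -rf "$tmp"
fi
```

A differing hash alone only shows that the file is not identical to the reference copy, so the reference must come from the same version and patch level.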
