The Oracle Hacker's Handbook (eBook)

Hacking and Defending Oracle
eBook Download: PDF
2007 | 1. Auflage
216 Seiten
John Wiley & Sons (Verlag)
978-0-470-13370-5 (ISBN)

Lese- und Medienproben

The Oracle Hacker's Handbook - David Litchfield
Systemvoraussetzungen
30,99 inkl. MwSt
  • Download sofort lieferbar
  • Zahlungsarten anzeigen
David Litchfield has devoted years to relentlessly searching out the flaws in the Oracle database system and creating defenses against them. Now he offers you his complete arsenal to assess and defend your own Oracle systems. This in-depth guide explores every technique and tool used by black hat hackers to invade and compromise Oracle and then it shows you how to find the weak spots and defend them. Without that knowledge, you have little chance of keeping your databases truly secure.

DAVID LITCHFIELD is founder and chief research scientist of NGSSoftware Ltd., a UK-based security solutions provider. He has been recognized as the world's premier expert on Oracle database security, and is the designer of NGSSQuirreL, a powerful tool for identifying and assessing database vulnerability. David is a regular conference speaker and has lectured government agencies on security topics.

About the Author.

Acknowledgments.

Introduction.

Code Samples from the Book.

Oracle and Security.

The "Unbreakable" Marketing Campaign.

Independent Security Assessments.

The Future.

Chapter 1 Overview of the Oracle RDBMS.

Architecture.

Processes.

The File System.

The Network.

Database Objects.

Users and Roles.

Privileges.

Oracle Patching.

Wrapping Up.

Chapter 2 The Oracle Network Architecture.

The TNS Protocol.

The TNS Header.

Inside the Packet.

Getting the Oracle Version.

The Listener Version and Status Command.

Using the TNS Protocol Version.

Using the XML Database Version.

Using TNS Error Text.

Using the TNS Version TTC Function.

Wrapping Up.

Chapter 3 Attacking the TNS Listener and Dispatchers.

Attacking the TNS Listener.

Bypassing 10g Listener Restrictions.

The Aurora GIOP Server.

The XML Database.

Wrapping Up.

Chapter 4 Attacking the Authentication Process.

How Authentication Works.

Attacks Against the Crypto Aspects.

Default Usernames and Passwords.

Looking in Files for Passwords.

Account Enumeration and Brute Force.

Long Username Buffer Overflows.

Wrapping Up.

Chapter 5 Oracle and PL/SQL.

What Is PL/SQL?

PL/SQL Execution Privileges.

Wrapped PL/SQL.

Wrapping and Unwrapping on 10g.

Wrapping and Unwrapping on 9i and Earlier.

Working without the Source.

PL/SQL Injection.

Injection into SELECT Statements to Get More Data.

Injecting Functions.

Injecting into Anonymous PL/SQL Blocks.

The Holy Grail of PLSQL Injection.

Investigating Flaws.

Direct SQL Execution Flaws.

PL/SQL Race Conditions.

Auditing PL/SQL Code.

The DBMS_ASSERT Package.

Some Real-World Examples.

Exploiting DBMS_CDC_IMPDP.

Exploiting LT.

Exploiting DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE.

PLSQL and Triggers.

Wrapping Up.

Chapter 6 Triggers.

Trigger Happy: Exploiting Triggers for Fun and Profit.

Examples of Exploiting Triggers.

The MDSYS.SDO_GEOM_TRIG_INS1 and SDO_GEOM_TRIG_INS1 Triggers.

The MDSYS SDO_CMT_CBK_TRIG Trigger.

The SYS.CDC_DROP_CTABLE_BEFORE Trigger.

The MDSYS.SDO_DROP_USER_BEFORE Trigger.

Wrapping Up.

Chapter 7 Indirect Privilege Escalation.

AHop, a Step, and a Jump: Getting DBA Privileges Indirectly.

Getting DBA from CREATE ANY TRIGGER.

Getting DBA from CREATE ANY VIEW.

Getting DBA from EXECUTE ANY PROCEDURE.

Getting DBA from Just CREATE PROCEDURE.

Wrapping Up.

Chapter 8 Defeating Virtual Private Databases.

Tricking Oracle into Dropping a Policy.

Defeating VPDs with Raw File Access.

General Privileges.

Wrapping Up.

Chapter 9 Attacking Oracle PL/SQL Web Applications.

Oracle PL/SQL Gateway Architecture.

Recognizing the Oracle PL/SQL Gateway.

PL/SQL Gateway URLs.

Oracle Portal.

Verifying the Existence of the Oracle PL/SQL Gateway.

The Web Server HTTP Server Response Header.

How the Oracle PL/SQL Gateway Communicates with the Database Server.

Attacking the PL/SQL Gateway.

The PLSQL Exclusion List.

Wrapping Up.

Chapter 10 Running Operating System Commands.

Running OS Commands through PL/SQL.

Running OS Commands through Java.

Running OS Commands Using DBMS_SCHEDULER.

Running OS Commands Directly with the Job Scheduler.

Running OS Commands Using ALTER SYSTEM.

Wrapping Up.

Chapter 11 Accessing the File System.

Accessing the File System Using the UTL_FILE Package.

Accessing the File System Using Java.

Accessing Binary Files.

Exploring Operating System Environment Variables.

Wrapping Up.

Chapter 12 Accessing the Network.

Data Exfiltration.

Using UTL_TCP.

Using UTL_HTTP.

Using DNS Queries and UTL_INADDR.

Encrypting Data Prior to Exfiltrating.

Attacking Other Systems on the Network.

Java and the Network.

Database Links.

Wrapping Up.

Appendix A Default Usernames and Passwords.

Index.

Erscheint lt. Verlag 27.6.2007
Sprache englisch
Themenwelt Informatik Datenbanken Oracle
Informatik Netzwerke Sicherheit / Firewall
Schlagworte Computer Science • Informatik • Networking / Security • Netzwerke / Sicherheit • Netzwerksicherheit
ISBN-10 0-470-13370-8 / 0470133708
ISBN-13 978-0-470-13370-5 / 9780470133705
Haben Sie eine Frage zum Produkt?
PDFPDF (Adobe DRM)
Größe: 1,3 MB

Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM

Dateiformat: PDF (Portable Document Format)
Mit einem festen Seiten­layout eignet sich die PDF besonders für Fach­bücher mit Spalten, Tabellen und Abbild­ungen. Eine PDF kann auf fast allen Geräten ange­zeigt werden, ist aber für kleine Displays (Smart­phone, eReader) nur einge­schränkt geeignet.

Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine Adobe-ID und die Software Adobe Digital Editions (kostenlos). Von der Benutzung der OverDrive Media Console raten wir Ihnen ab. Erfahrungsgemäß treten hier gehäuft Probleme mit dem Adobe DRM auf.
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine Adobe-ID sowie eine kostenlose App.
Geräteliste und zusätzliche Hinweise

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.

Mehr entdecken
aus dem Bereich