
Research Of Attack And Defence Technique Of Oracle Database

Posted on: 2012-07-07
Degree: Master
Type: Thesis
Country: China
Candidate: C Y Bao
GTID: 2178330338999503
Subject: Communication and Information System

Abstract/Summary:
Nowadays, database-targeted attacks have become a mainstream approach for hackers, such as SQL injection attacks, privilege promotion attacks, and database-based system attacks. Oracle database, the most mature commercial database product, has the widest application in the world. Therefore, research into Oracle database security is a significant topic in the area of communication security. The writer took part in a project to develop an automated hacking tool, which serves as the practical basis of this paper.

This paper proceeds in two main directions. It first focuses on attack techniques targeting Oracle database systems, and then discusses the corresponding defence mechanisms.

The attack techniques are covered in four parts: 1) how to obtain basic information about an Oracle database (including the database version); 2) research on data extraction in the process of SQL injection against Oracle-based web pages; 3) privilege promotion problems in existing Oracle database procedures; 4) attacks on the operating system via the Oracle database.

Data extraction is a key part of webpage-based SQL injection. Unlike client-based SQL injection, webpage-based SQL injection cannot return SQL execution results directly. This paper provides five data extraction techniques, which can be used in real attacks.

Privilege promotion is another key part of this paper. Because of the increasing security concerns of system administrators, more and more programs are run under low-privilege database users. This paper introduces three main types of privilege promotion, as well as their realization.

Oracle-based system attack is the last attack technique introduced in this paper; it means that attackers can invade a server through its Oracle database. This paper provides three basic system attacks: executing operating system commands, accessing file systems, and accessing networks.

For the defence techniques, this paper discusses how to protect an Oracle database from some of the listed attacks. For example, it discusses how to prevent unintended data extraction from an Oracle database, and some existing protection frameworks provided by Oracle.

At the end, the paper introduces an automated SQL injection tool coded by the author. This tool implements many practical functions, such as viewing the file system, executing operating system commands, and uploading files to servers. The implementation of this tool is the best proof of the theory in this paper.
Keywords/Search Tags: Oracle, SQL injection, privilege promotion, system attack, data extraction