
Research on Cursor-Class Injection Privilege Escalation Techniques and Defenses for Oracle Database Privilege Escalation Vulnerabilities

Posted on: 2013-07-12
Degree: Master
Type: Thesis
Country: China
Candidate: X H Zhang
GTID: 2248330395468127
Subject: Software engineering
Abstract/Summary:
With the rapid development of computer networks, attacks on the back-end databases of Web applications have become an important way for attackers to steal information illegally. At the same time, the Oracle database, as one of the world's most mature relational databases, is widely used in finance and other important areas. Attacks on systems that use an Oracle database as their back-end data store have therefore become particularly common. This paper first analyzes the widespread Oracle database privilege escalation vulnerability. It then proposes a class of injection attacks that use cursors, together with methods to defend against them. Finally, it designs an automated attack tool based on cursor injection attacks. The specific work is as follows:
1) Four ways of carrying out injection attacks against the Oracle database are summarized, based on an analysis of the causes of SQL injection attacks. This provides theoretical support for defending against cursor-class injection attacks.
2) Three widely used Oracle privilege escalation techniques are analyzed: PL/SQL privilege escalation, lateral SQL injection, and indirect privilege escalation attacks. The advantages and disadvantages of these techniques are summarized, and a corresponding defense plan is given for each.
3) Two methods of using cursors to achieve privilege escalation are studied. The principle of privilege escalation is analyzed from the experiment code, and LOOP is used to improve cursor snarfing injection attacks. Cursor injection technology is also used to improve the methods of privilege escalation through the DBMS_SQL package and the SDO_DROP_USER_BEFORE trigger. Experiments are then used to show that the method can effectively defend against cursor injection.
4) A method to defend against cursor injection is put forward. The method constructs a restrictive trigger that restricts users from executing DDL statements. Experiments show that it is an effective defense against cursor injection attacks on the Oracle database system.
5) For Web applications that use an Oracle database as their back end, an automated injection tool called AutoInject is designed and implemented. The tool has a variety of practical functions, such as querying information about the database used by the Web application, displaying the current user and its access, reading database function and list information, and so on.
Keywords/Search Tags: Oracle, SQL Injection, Privilege Escalation, Cursor Injection