| Oracle数据库权限提升漏洞的挖掘研究 |
| |
| 引用本文: | 赵力涵,薛质,王轶骏. Oracle数据库权限提升漏洞的挖掘研究[J]. 信息安全与通信保密, 2012, 0(1): 97-99 |
| |
| 作者姓名: | 赵力涵 薛质 王轶骏 |
| |
| 作者单位: | 上海交通大学信息安全工程学院。上海200240 |
| |
| 摘 要: | Oracle作为商用的大型数据库,被很多跨国公司甚至政府部门使用。因此,也有更多的黑客由于各种原因攻击Oracle。由于Oracle执行其本身SQL语句的权限机制,攻击者可以通过SYS高权限用户执行攻击者自己创建的恶意函数或者恶意匿名块,使得攻击者账号能获得DBA权限,从来获得对Oracle数据库乃至操作系统的控制,这对于Oracle数据库的安全是一个很大的挑战,所以,Oracle在不断修复旧漏洞。因此,去不断发掘新漏洞,也成为攻击者的主要目标之一。
|
| 关 键 词: | Oracle数据库 权限提升 漏洞挖掘 信息安全 |
Study on Flaws Investigation and Privilege Escalation of Oracle |
| |
| ZHAO Li-han,XUE Zhi,WANG Yi-jun. Study on Flaws Investigation and Privilege Escalation of Oracle[J]. China Information Security, 2012, 0(1): 97-99 |
| |
| Authors: | ZHAO Li-han XUE Zhi WANG Yi-jun |
| |
| Affiliation: | (School of Information Security Engineering, Shanghai Jiaotong University, Shanghai 200240, China) |
| |
| Abstract: | As a large database for business use, Oracle is widely-used in many multinational corporations and even government departments. So, many hackers attack Oracle for different purposes. For the mechanism that Oracle executes its own SQL procedure with different privileges, attackers could implement malicious functions or anonymous block created by themselves with SYS privilege. Thus the attackers could acquire DBA privilege and then implement full control on Oracle or even OS, this is a big challenge to Oracle database, and so Oracle has to continuously repair the old flaw. Thus how to continuously investigate the new flaw becomes the principal target of those attackers. |
| |
| Keywords: | Oracle database privilege escalation flaw investigation information security |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
