
Fixing the Remote Poisoning Vulnerability in Oracle 11gR2 Databases with VNCR

【Environment】

System environment: Solaris + Oracle 11gR2 + single instance/RAC

【Background】

A group-wide database security check requires the database's remote poisoning vulnerability to be fixed.

Oracle's official remediation documents:

Using Class of Secure Transport (COST) to Restrict Instance Registration (Doc ID 1453883.1)
Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC (Doc ID 1340831.1)

The fix for versions below 11gR2 is not covered here. A single instance is fairly simple, but fixing a RAC environment is relatively complex and also triggers other bugs. On 11gR2, configuring VNCR is the recommended fix, and the method is very simple.

Valid Node Checking For Registration (VNCR) (Doc ID 1600630.1)

Add the following to listener.ora (single instance):

VALID_NODE_CHECKING_REGISTRATION_LISTENER =ON
REGISTRATION_INVITED_NODES_LISTENER=(list all of the host's IPs)

Add the following to listener.ora (RAC):

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER =ON
REGISTRATION_INVITED_NODES_LISTENER=(list the IPs of both hosts)

This feature is enabled by default in 12c and later, so the vulnerability does not exist there.

PS: Adding a whitelist can also fix this vulnerability, provided the IP list consists of specific IPs rather than IP ranges.

Add the following to sqlnet.ora:

tcp.validnode_checking=yes
tcp.invited_nodes=(specific IPs, or a subnet)
tcp.excluded_nodes=(specific IPs, or a subnet)

【Resolution】

A single instance is used for the test here:

Database host: 192.168.142.140
Scanning tool host: 192.168.142.141 (must not be the same host)
Remote poisoning scanner: metasploit-framework, a commonly used checking tool

Installation:
Linux: https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers
Windows: https://windows.metasploit.com/ (32-bit)

[[email protected] soft]# curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5525  100  5525    0     0   2291      0  0:00:02  0:00:02 --:--:--  2291
[[email protected] soft]# ls -trl
總用量 5525
-rw-r--r-- 1 root root      5525 6月  15 18:00 msfinstall
[[email protected] soft]# chmod 755 msfinstall
[[email protected] soft]# ./msfinstall
Checking for and installing update..
Adding metasploit-framework to your repository list..
已載入外掛:product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
base                                                                                                                                                                  | 4.1 kB  00:00:00    
metasploit                                                                                                                                                            | 2.9 kB  00:00:00    
metasploit/primary_db                                                                                                                                                 |  11 kB  00:00:05    
正在解決依賴關係
--> 正在檢查事務
---> 軟體包 metasploit-framework.x86_64.0.4.17.24+20181103093740~1rapid7-1.el6 將被 安裝
--> 解決依賴關係完成

依賴關係解決

=============================================================================================================================================================================================
 Package                                        架構                             版本                                                             源                                    大小
=============================================================================================================================================================================================
正在安裝:
 metasploit-framework                           x86_64                           4.17.24+20181103093740~1rapid7-1.el6                             metasploit                           158 M

事務概要
=============================================================================================================================================================================================
安裝  1 軟體包

總下載量:158 M
安裝大小:368 M
Downloading packages:
metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64.rpm            31% [=====================-                                                ] 1.4 MB/s |  49 MB  00:01:16 ETA
警告:/var/cache/yum/x86_64/7Server/metasploit/packages/metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64.rpm: 頭V4 RSA/SHA256 Signature, 金鑰 ID 2007b954: NOKEY
metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64.rpm 的公鑰尚未安裝
metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64.rpm                    | 158 MB  00:02:25    
從 file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit 檢索金鑰
匯入 GPG key 0x2007B954:
 使用者ID     : "Metasploit <[email protected]>"
 指紋       : 09e5 5faf 4f78 62cd 6d55 8997 cdfb 5fa5 2007 b954
 來自       : /etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安裝    : metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64                                                                                                         1/1
Run msfconsole to get started
  驗證中      : metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64                                                                                                         1/1

已安裝:
  metasploit-framework.x86_64 0:4.17.24+20181103093740~1rapid7-1.el6

完畢!
[[email protected] soft]#

Verify that it works:

[[email protected] soft]# msfconsole
..... 》》》part of the output omitted
       =[ metasploit v4.17.24-dev-                        ]
+ -- --=[ 1824 exploits - 1033 auxiliary - 318 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >
msf > use auxiliary/scanner/oracle/tnspoison_checker
msf auxiliary(scanner/oracle/tnspoison_checker) > set rhosts 192.168.142.140 》》》set to the IP of the database to be tested
rhosts => 192.168.142.140
msf auxiliary(scanner/oracle/tnspoison_checker) > show options

Module options (auxiliary/scanner/oracle/tnspoison_checker):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.142.140  yes       The target address range or CIDR identifier
   RPORT    1521             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads
msf auxiliary(scanner/oracle/tnspoison_checker) > run

[+] 192.168.142.140:1521 - 192.168.142.140:1521 is vulnerable 》》》the remote poisoning vulnerability exists
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/oracle/tnspoison_checker) > use auxiliary/admin/oracle/tnscmd 》》》the actual penetration test
msf auxiliary(admin/oracle/tnscmd) > set rhost 192.168.142.140
rhost => 192.168.142.140
msf auxiliary(admin/oracle/tnscmd) > show options

Module options (auxiliary/admin/oracle/tnscmd):

   Name   Current Setting                   Required  Description
   ----   ---------------                   --------  -----------
   CMD    (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..
   RHOST  192.168.142.140                   yes       The target address
   RPORT  1521                              yes       The target port (TCP)

msf auxiliary(admin/oracle/tnscmd) > run

[*] 192.168.142.140:1521 - Sending '(CONNECT_DATA=(COMMAND=VERSION))' to 192.168.142.140:1521
[*] 192.168.142.140:1521 - writing 90 bytes.
[*] 192.168.142.140:1521 - reading
[*] 192.168.142.140:1521 - .e......"..Y(DESCRIPTION=(TMP=)(VSNNUM=186647552)(ERR=1189)(ERROR_STACK=(ERROR=(CODE=1189)(EMFI=4))))
[*] Auxiliary module execution completed
msf auxiliary(admin/oracle/tnscmd) >

The output above shows that the database has the remote poisoning vulnerability.

Now modify the database configuration:

[[email protected] admin]$ cat listener.ora
# listener.ora Network Configuration File: /u01/app/oracle/product/12.2.0/db_1/network/admin/listener.ora
# Generated by Oracle configuration tools.

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = mysqldb1)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

ADR_BASE_LISTENER = /u01/app/oracle

VALID_NODE_CHECKING_REGISTRATION_LISTENER =ON
REGISTRATION_INVITED_NODES_LISTENER=(192.168.142.140)
[[email protected] admin]$

Then simply restart the listener.

Now test again with the tool:

[[email protected] ~]# msfconsole
..... 》》》part of the output omitted
       =[ metasploit v4.17.24-dev-                        ]
+ -- --=[ 1824 exploits - 1033 auxiliary - 318 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use auxiliary/scanner/oracle/tnspoison_checker
msf auxiliary(scanner/oracle/tnspoison_checker) > set rhosts 192.168.142.140
rhosts => 192.168.142.140
msf auxiliary(scanner/oracle/tnspoison_checker) > show options

Module options (auxiliary/scanner/oracle/tnspoison_checker):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.142.140  yes       The target address range or CIDR identifier
   RPORT    1521             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(scanner/oracle/tnspoison_checker) > run

[-] 192.168.142.140:1521 - 192.168.142.140:1521 is not vulnerable 》》》the vulnerability no longer exists
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/oracle/tnspoison_checker) >

PS: Since I could not take screenshots, a lot of text was pasted instead.
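
The listener.ora change above has to be repeated for every listener (on RAC, each SCAN listener as well), so a forgotten listener is the likely failure. As an added example, not part of the original post or of any Oracle tooling, this Python script reports per listener whether VALID_NODE_CHECKING_REGISTRATION_<listener> is enabled and which nodes are invited. The sample file, the LISTENER_SCAN1 definition and the function names are constructed for illustration, and the accepted values besides ON (1, LOCAL, SUBNET, 2) are taken from Oracle's parameter documentation rather than from this page.

```python
import re

# Values that enable VNCR: ON/1/LOCAL, or SUBNET/2 (assumption: per Oracle Net docs).
ENABLED = {"ON", "1", "LOCAL", "SUBNET", "2"}

# Constructed sample: LISTENER is configured as on this page, LISTENER_SCAN1 was forgotten.
SAMPLE = """\
# listener.ora (constructed sample)
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = mysqldb1)(PORT = 1521))
  )
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))
ADR_BASE_LISTENER = /u01/app/oracle
VALID_NODE_CHECKING_REGISTRATION_LISTENER =ON
REGISTRATION_INVITED_NODES_LISTENER=(192.168.142.140)
"""

def parse_params(text):
    """Map each top-level NAME = value entry to its value (continuation lines joined)."""
    params, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"([A-Za-z_]\w*)\s*=\s*(.*)$", line)  # parameters start in column 0
        if m:
            name = m.group(1).upper()
            params[name] = m.group(2)
        elif name:
            params[name] += line.strip()  # indented continuation of the previous entry
    return params

def audit_vncr(text):
    """Return {listener: {"vncr_on": bool, "invited": [nodes]}} for every listener defined."""
    p = parse_params(text)
    report = {}
    for name, value in p.items():
        if not re.search(r"\(\s*ADDRESS\b", value, re.I):
            continue  # not a listener definition (ADR_BASE_*, SID_LIST_*, ...)
        mode = p.get("VALID_NODE_CHECKING_REGISTRATION_" + name, "").strip().upper()
        nodes = re.findall(r"[^\s(),]+", p.get("REGISTRATION_INVITED_NODES_" + name, ""))
        report[name] = {"vncr_on": mode in ENABLED, "invited": nodes}
    return report

if __name__ == "__main__":
    for listener, result in audit_vncr(SAMPLE).items():
        print(listener, "OK" if result["vncr_on"] else "VNCR NOT ENABLED", result["invited"])
```

Any listener reported with `vncr_on` false still accepts registrations without valid node checking and should be rescanned with the checker after the missing line is added and the listener restarted.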