Windows emergency response and system reinforcement (12) — SQL Server / MySQL / Oracle log extraction and security analysis


MS SQL Server / MySQL / Oracle log extraction and security analysis

1、 MS SQL Server Log Analysis:

1. Introduction to MS SQL Server database:

Microsoft SQL Server is a relational database management system (RDBMS) developed by Microsoft. It is easy to use, scales well and integrates tightly with related Microsoft software, so it is widely deployed.

Microsoft SQL Server features: graphical operation and management, ease of use and efficient maintenance. It is one of the most popular commercial databases and runs on everything from a laptop running Microsoft Windows 98 to a large multiprocessor server running Microsoft Windows 2012.

MS SQL Server enables login auditing by default, but only for failed logins. We should therefore change the login auditing setting to "failed and successful logins", as shown in the figure below:

With that setting, users' login behaviour (both successes and failures) can be audited.

2. MS SQL Server database common vulnerability analysis:

Classic Microsoft SQL Server vulnerabilities: the sp_replwritetovarbin remote heap overflow (CVE-2008-5416) and the Lyris ListManager MSDE sa weak-password vulnerability (CVE-2005-4145).



Microsoft SQL Server vulnerabilities cover a wide range of types: buffer overflows, weak passwords, privilege escalation, denial of service, SQL injection and so on.

xp_cmdshell is a very powerful extended stored procedure: it runs a given command string through the operating-system command interpreter and returns any output as rows of text. Because it can be used for privilege escalation after an initial compromise, it is disabled by default.

3. MS SQL Server Log Analysis:

<1> SQL Server Profiler can reveal inefficient SQL execution and problematic statements;

<2> Combined with the web application firewall (WAF) log, we can check the size of the log file, analyze its specific content and judge overall whether the DBMS has been attacked through a SQL injection vulnerability;

<3> MS SQL Server logs can also be audited and analyzed with a third-party tool (ApexSQL).


2、 MySQL log analysis:

1. Introduction to MySQL database:

MySQL, originally developed by the Swedish company MySQL AB and now owned by Oracle, is a small-to-medium relational database management system (RDBMS) that uses the standardized SQL query language;

MySQL database features: small footprint, fast, low total deployment cost and good performance. Together with PHP, Perl, Apache and Tomcat it forms an excellent development and integration environment, which is why it is world famous and one of the most widely used databases;

2. Common vulnerability analysis of MySQL database:

MySQL SQL injection, UDF / MOF privilege escalation, root privilege bypass, webshell upload (getshell), LPK hijacking, remote code execution (RCE) and other vulnerabilities.

3. MySQL log analysis:

<1> Command to view the log configuration: show variables like '%general%'; the general log file is usually stored as "hostname.log";

<2> In log analysis, pay special attention to sensitive operations such as dropping tables, operations on whole databases, and reading or writing files. For example, the following keywords deserve attention: drop table, drop function, lock tables, unlock tables,

load_file(), into outfile, into dumpfile, ...

For example, a webshell attack uses into outfile to write a one-line PHP trojan to the web root, yielding a webshell:

        1' union select 1,"" into outfile 'C:\\phpStudy\\PHPTutorial\\WWW\\dvwa2019\\ana.php'#

<3> MySQL file read/write configuration: show global variables like '%secure%' (when secure_file_priv has no value, i.e. is empty, mysqld places no restriction on file import and export).
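As an added example (not code from the original article), the following Python script parses MySQL general log entries in the time / thread id / command / argument layout and flags the sensitive keywords listed above, including the into outfile pattern from the webshell example and the secure_file_priv probe. The log excerpt is constructed, and the PHP payload in the union line is replaced by the placeholder "<omitted>".

```python
import re

# Constructed MySQL general log excerpt (5.7/8.0 layout: time, thread id, command,
# argument, tab-separated); not real data. The union/into outfile line mirrors the
# webshell write-out above, with the PHP payload replaced by "<omitted>".
SAMPLE_GENERAL_LOG = """\
Time                 Id Command    Argument
2024-03-01T09:20:10.000000Z\t   12 Connect\troot@localhost on dvwa using TCP/IP
2024-03-01T09:20:11.000000Z\t   12 Query\tSELECT first_name FROM users WHERE user_id = '1'
2024-03-01T09:20:12.000000Z\t   12 Query\tshow global variables like '%secure%'
2024-03-01T09:20:13.000000Z\t   12 Query\tSELECT first_name FROM users WHERE user_id = '1' union select 1,"<omitted>" into outfile 'C:\\\\phpStudy\\\\PHPTutorial\\\\WWW\\\\dvwa2019\\\\ana.php'#'
2024-03-01T09:20:14.000000Z\t   12 Query\tselect load_file('C:\\\\Windows\\\\win.ini')
2024-03-01T09:20:15.000000Z\t   12 Query\tDROP TABLE guestbook
2024-03-01T09:20:16.000000Z\t   12 Quit\t
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<id>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# Sensitive operations called out above: file write/read, schema destruction,
# table locking, plus probing of secure_file_priv (often the step before a write).
SENSITIVE = [
    ("file write", re.compile(r"\binto\s+(outfile|dumpfile)\b", re.I)),
    ("file read", re.compile(r"\bload_file\s*\(", re.I)),
    ("schema change", re.compile(r"\bdrop\s+(table|function|database)\b", re.I)),
    ("table locking", re.compile(r"\b(lock|unlock)\s+tables\b", re.I)),
    ("file-priv probe", re.compile(r"secure_file_priv|like\s*'%secure%'", re.I)),
]

def parse_general_log(text):
    """Return one dict (ts, id, cmd, arg) per log entry; the header line is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def flag_sensitive(entries):
    """Return (thread id, category, statement) for each Query matching a sensitive pattern."""
    hits = []
    for e in entries:
        if e["cmd"] != "Query":
            continue
        for label, rx in SENSITIVE:
            if rx.search(e["arg"]):
                hits.append((e["id"], label, e["arg"]))
                break  # report the first (most specific) category only
    return hits

if __name__ == "__main__":
    for tid, label, stmt in flag_sensitive(parse_general_log(SAMPLE_GENERAL_LOG)):
        print(f"thread {tid} [{label}]: {stmt}")
```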


3、 Oracle log analysis:

1. Introduction to Oracle Database:

Oracle Database is Oracle Corporation's relational database management system. It has a high market share, plays an extremely important role in the database field and is one of the most popular relational database management systems in the world;

Oracle was the world's first relational database to support the SQL language;

Oracle provides rich packages and stored procedures, supports running Java and creating libraries, and has rich system tables; almost all information is stored in system tables;

Oracle is widely used in finance, posts and telecommunications, electric power, civil aviation and other important enterprises and institutions with large data throughput and complex network structures;

Common versions: 9i, 10g, 11g, 12c, 18c.

2. Analysis of common vulnerabilities in Oracle Database:

In terms of security, although Oracle has developed sound security policies and provides detailed security mechanisms, new problems keep emerging as new versions of Oracle RDBMS are released, such as weak passwords, SID guessing, SQL injection, improper permission configuration and denial-of-service attacks.

3. Oracle database log analysis:

<1> Oracle auditing and logging can record users' operations on the database. By default, connecting to the instance with administrator privileges and opening or closing the database are always audited, whether or not database auditing is enabled (other basic operations are not audited). Oracle stores the audit and trace results (depending on whether the audit record function is enabled) either in OS files, by default under $ORACLE_BASE/admin/$ORACLE_SID/adump/, or in the database table SYS.AUD$ (stored in the SYSTEM tablespace), which can be viewed through DBA_AUDIT_TRAIL. The "show parameter audit" command shows the relevant settings.

<2> The "show parameter audit_trail" instruction (log audit setting)

audit_trail setting values:

NONE: auditing not enabled;

DB: enable auditing (all audit records stored in the database audit trail, AUD$);

OS: audit records are written to an operating system file (AUDIT_FILE_DEST);

TRUE: same as DB;

DB_EXTENDED: audit results are put in the database table, and SQL_BIND and SQL_TEXT (the specific executed statement) are recorded additionally;

FALSE: do not enable auditing;

XML: enable auditing and write the audit information to operating system files in XML format.

<3> Other Oracle audit types:

Statement auditing: audits specific SQL statements without naming particular objects;

Privilege auditing: audits the use of specific system privileges;

Object auditing: audits specific statements executed on specific schema objects;

Network auditing: audits network protocol errors and internal network-layer errors.


In addition, according to whether the user's statement executed successfully, auditing can be divided into:

Audit the successful statements;

Audit the unsuccessful statements;

Audit whether it is successful or not.

According to how many times the same statement is audited, auditing is divided into session auditing and access auditing.

Session audit: for a user or all users, the same statement is audited only once to form an audit record;

Access audit: for a user or all users, the same statement is audited every time it is executed, forming multiple audit records.


4、 Third party database audit records:

Database auditing can record database activity on the network in real time, audit database operations at fine granularity, manage compliance, warn of risky behaviour and vulnerability exploitation against the database, and block attacks.

By recording, analyzing and reporting users' access to the database, compliance reports can be generated afterwards, incidents can be tracked and traced, the network behaviour records of internal and external databases are strengthened, and data security is improved.