Contents
Chapter 1 Why Care About Database Security?
Which Database Is the Most Secure?
The State of Database Security Research
Classes of Database Security Flaws
Unauthenticated Flaws in Network Protocols
Authenticated Flaws in Network Protocols
Flaws in Authentication Protocols
Unauthenticated Access to Functionality
Arbitrary Code Execution in Intrinsic SQL Elements
Arbitrary Code Execution in Securable SQL Elements
Privilege Elevation via SQL Injection
Local Privilege Elevation Issues
Finding Flaws in Your Database Server
Don't Believe the Documentation
Debug the System to Understand How It Works
Identify Communication Protocols
Understand Arbitrary Code Execution Bugs
Chapter 2 The Oracle Architecture
Examining the Oracle Architecture
Oracle Processes and Oracle on the Network
Oracle Authentication and Authorization
GRANT ANY PRIVILEGE / ROLE / OBJECT PRIVILEGE
Injecting into SELECT Statements
Injecting Attacker-Defined Functions to Overcome Barriers
Injecting into DELETE, INSERT, and UPDATE Statements
Injecting into INSERT Statements
Injecting into Anonymous PL/SQL Blocks
Executing User-Supplied Queries with DBMS_SQL
PL/SQL Injection and Database Triggers
PL/SQL and Oracle Application Server
Chapter 4 Oracle: Moving Further into the Network
Running Operating System Commands
Running OS Commands with PL/SQL
Running OS Commands with DBMS_SCHEDULER
Oracle Security Recommendations
Turn on TCP Valid Node Checking
Lock and Expire Unused Accounts
PL/SQL Packages, Procedures, and Functions
Chapter 6 IBM DB2 Universal Database
DB2 Authentication and Authorization
Chapter 7 DB2: Discovery, Attack, and Defense
Buffer Overflows in DB2 Procedures and Functions
DB2 Set Locale LCTYPE Overflow
DB2 JDBC Applet Server Buffer Overflow
Gaining Access to the Filesystem Through DB2
Securing the DB2 Network Interface
Chapter 10 The Informix Architecture
Examining the Informix Architecture
Connecting to a Remote Informix Server
Understanding Authentication and Authorization
Privileges and Creating Procedures
Chapter 11 Informix: Discovery, Attack, and Defense
Attacking and Defending Informix
Shared Memory, Usernames, and Passwords
Attacking Informix with Stored Procedural Language (SPL)
Running Arbitrary Commands with SPL
Reading and Writing Arbitrary Files on the Server
SQL Buffer Overflows in Informix
Local Attacks Against Informix Running on Unix Platforms
Revoke the Connect Privilege from Public
Revoke Public Permissions on File Access Routines
Revoke Public Execute Permissions on Module Routines
Preventing Shared Memory from Being Dumped
Preventing Local Attacks on Unix-Based Servers
Chapter 13 Sybase Architecture
XML Support (Native and via Java)
Wider “Device” Support (for Raw Disk Partitions)
Support for Open Authentication Protocols
Firewall Implications for Sybase
Passwords and Password Complexity
Chapter 14 Sybase: Discovery, Attack, and Defense
MS SQL Server Injection Techniques in Sybase
Custom Extended Stored Procedures
CHAR Function to Bypass Quote Filters
Using Time Delays as a Communications Channel
VARBINARY Literal Encoding and Exec
Older Known Sybase ASE Security Bugs
CAN-2003-0327 — Remote Password Array Overflow
DBCC CHECKVERIFY Buffer Overflow
DROP DATABASE Buffer Overflow Vulnerability
Chapter 15 Sybase: Moving Further into the Network
Connecting to Other Servers with Sybase
Allow Direct Updates to System Tables, Grant Access to Selected System Tables
Examining the Physical Database Architecture
Default Usernames and Passwords
Bugs in the Authentication Protocol
Basic Cryptographic Weakness in the Authentication Protocol Prior to 4.1
Authentication Algorithm Prior to 3.23.11
Authentication Algorithm in 4.1.1, 4.1.2, and 5.0.0
Examining the Logical Database Architecture
MySQL Logical Database Architecture
Exploiting Architectural Design Flaws
Flaws in the Access Control System
Missing Features with Security Impact
Missing Features That Improve Security
Chapter 18 MySQL: Discovery, Attack, and Defense
Time Delays and the BENCHMARK Function
Modification of an Existing User's Privileges
Dangerous Extensions: MyLUA and MyPHP
The MySQL File Structure Revisited
Chapter 19 MySQL: Moving Further into the Network
MySQL Client Hash Authentication Patch
Running External Programs: User-Defined Functions
User-Defined Functions in Windows
Chapter 21 Microsoft SQL Server Architecture
Tabular Data Stream (TDS) Protocol
SQL Server Processes and Ports
Authentication and Authorization
Extended Stored Procedure Trojans
Global Temporary Stored Procedures
Chapter 22 SQL Server: Exploitation, Attack, and Defense
x08 Leading Byte Heap Overflow
Defending Against SQL Injection
Chapter 23 Securing SQL Server
Step 3: Operating System Lockdown
Step 4: Post-Installation Lockdown
Step 5: Configure Network Libraries
Step 6: Configure Auditing and Alerting
Step 8: Remove Unnecessary Features and Services
Step 9: Remove Stored Procedures
Step 10: Apply Security Patches
Chapter 24 The PostgreSQL Architecture
Examining the Physical Database Architecture
Chapter 25 PostgreSQL: Discovery and Attack
Network-Based Attacks Against PostgreSQL
ARP Spoofing and TCP Hijacking
Information Leakage from Compromised Resources
Code Execution Vulnerabilities
Vulnerabilities in PostgreSQL Components
Using Time Delay on PostgreSQL 8.0
SQL Injection in Stored Procedures
SQL Injection Vulnerabilities in Other Applications
Interacting with the Filesystem
Using Extensions via Shared Objects
Chapter 26 Securing PostgreSQL
Appendix A Example C Code for a Time-Delay SQL Injection Harness
Appendix B Dangerous Extended Stored Procedures