Exploiting Search Engines for Attacking Database Exposed to Internet

Document Type : Original Article

Authors

1 Computer & Network, Reactor Department Atomic, Energy Authority

2 Dept. of Computer Science and Eng., Faculty of Elect., Eng., Minufiya University

Abstract

Database security has recently become a victim of misused search engines. Hackers use search engines to find potentially vulnerable web applications to attack. The search engine doesn’t actually execute any attacks; rather, it is used to quickly locate “soft targets” among the vast number of sites on the internet. Hackers have started to use search engines to find web-facing database interfaces that can be used to mount attacks on databases placed behind a firewall. This is a significant new development, completely exposing previously “protected” databases to outside attack. This paper shows how a hacker can target the vulnerable sites with attacks designed to exploit the specific holes discovered by the search engine.
