CN115632892B - Method for replacing user name and password in ORACLE10G authentication process based on proxy - Google Patents


Info

Publication number
CN115632892B
Authority
CN
China
Prior art keywords
data packet
user name
data
packet
password
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211663150.1A
Other languages
Chinese (zh)
Other versions
CN115632892A (en)
Inventor
熊鑫
朱燚
庄恩贵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingan Yun Xin Technology Co ltd
Original Assignee
Beijing Jingan Yun Xin Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Beijing Jingan Yun Xin Technology Co ltd
Priority to CN202211663150.1A
Publication of CN115632892A
Application granted
Publication of CN115632892B
Legal status: Active


Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L 63/0281 Proxies
            • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
              • H04L 63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
                • H04L 63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
          • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L 69/22 Parsing or analysis of headers
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F 21/44 Program or device authentication
              • G06F 21/45 Structures or tools for the administration of authentication

Abstract

The invention relates to the field of data communication, in particular to a proxy-based method for replacing the user name and password in an ORACLE10G authentication process, comprising the following steps: the proxy application issues a real user name and a real password to the client, together with a virtual user name; a first data packet sent by the client is captured; whether the user name in the first data packet matches the real user name is judged and, if so, the data values of the user name length and the user name are replaced and the packet is sent to the server; the server's return data packet is captured, its key is replaced to form a third data packet, and the third data packet is sent to the client; a fourth data packet is captured; whether its user name matches the virtual user name issued by the proxy application is judged and, if so, the data values of the user name length and the user name are replaced, the replaced fourth data packet forms a fifth data packet, and the fifth data packet is sent to the server; finally the returned data packet is captured and whether authentication succeeded is judged. The security of the client and the server is improved.

Description

Method for replacing user name and password in ORACLE10G authentication process based on proxy
Technical Field
The invention relates to the field of data communication, in particular to a proxy-based method for replacing the user name and password in an ORACLE10G authentication process.
Background
At present, security audit has become an indispensable component of enterprise information security. Increasingly complex IT systems and the activities of operation and maintenance personnel with different backgrounds bring great risks to information system security, which is why the bastion host was created: in a specific network environment, in order to ensure that networks and data are not intruded upon or damaged by external or internal users, various technical means are used to monitor and record the operations that operation and maintenance personnel perform on servers, network devices, security devices, databases and other equipment in the network, so that centralized alerting, timely handling and audit accountability become possible.
Chinese patent application publication No. CN113641974A discloses a database access control method based on a cryptographic bridge, which includes: acquiring a database access request, wherein the database access request carries a first username and a first password, and the first username and the first password are a username and a password without database access authority; verifying the first username and the first password against a username and password in a pre-stored password table, the verification passing when the first username and the first password are consistent with the username and password in the pre-stored password table; after the first username and the first password pass verification, acquiring a second username and a second password corresponding to the first username and the first password, wherein the second username and the second password are a username and a password with database access authority; replacing the first username and the first password in the database access request with the second username and the second password; and sending the replaced database access request to the database.
In the prior art, database accounts are issued by the database itself, so a large number of database accounts must be created, flexibility is poor, the privileges of database users are not properly controlled, and the user name and password of an account in use cannot be changed when a problem occurs; the database account and password are therefore at risk of leakage and security is poor.
Disclosure of Invention
Therefore, the invention provides a proxy-based method for replacing the user name and password in the ORACLE10G authentication process, which solves the problems of leakage risk and poor security of the database account and password.
In order to achieve the above object, the present invention provides a proxy-based method for replacing a user name and a password in an ORACLE10G authentication process, the method comprising:
the proxy application issues a real user name and a real password to the client, and issues a virtual user name that has a mapping relation with the real user name and the real password;
the client connects to the proxy application using the real user name and the real password;
a first data packet sent by the client is captured;
according to the real user name issued by the proxy application, whether the user name in the first data packet matches that real user name is judged and, if so, the data values of the user name length and the user name in the first data packet are replaced to form a second data packet, and the second data packet is sent to the server;
the server's return data packet for the second data packet is captured, the key in the return data packet is replaced to form a third data packet, and the third data packet is sent to the client;
a fourth data packet from the client is captured;
whether the user name in the fourth data packet matches the virtual user name issued by the proxy application is judged and, if so, the data values of the user name length and the user name in the fourth data packet are replaced, the data value of the parameter name in the parameter array is replaced with the data value of the key's parameter array, the replaced fourth data packet forms a fifth data packet, and the fifth data packet is sent to the server;
and the server's return data packet for the fifth data packet is captured, whether authentication succeeded is judged and the authentication state is recorded, and the successfully authenticated return data packet for the fifth data packet is sent to the client.
Further, the TNS protocol used by the proxy application, the client and the server has a common data structure comprising: Length, PacketCheckSum, PacketType, Reserved, HeaderCheckSum and PacketData, where the data value of Length is the length of the complete TNS packet;
when the data value of PacketType is 0x6 the packet carries Data, and the data structure of the PacketData packet comprises: DataFlag, DataID and DataContent;
when the data value of DataID is 0x03, the data structure of the DataContent packet comprises: CallId, CallSeq and CallData.
Further, when the data value of CallId is 0x76 and the packet type is GetSessionKey, the first data packet is captured, and its data structure comprises: Unused0, EncryptedUsernameLength, Unused1, UsernameLength, Username and ExtraData.
Further, judging whether the user name in the first data packet matches the real user name issued by the proxy application means comparing the Username in the GetSessionKey packet with the real user name issued by the proxy application; if they match, the UsernameLength and Username in the GetSessionKey data packet are replaced and the replaced data packet is sent to the server.
Further, when the server's return packet for the second packet is captured, its basic structure is PacketData, and when the data value of DataID in the PacketData is 0x08, the data structure of the DataContent packet comprises: NumberOfParameters, Parameters and Payload.
Further, Parameters comprises a plurality of Parameter entries, and the data structure of any Parameter data packet comprises: BeforeFlag, ParameterKey, ParameterValue and Flag.
Further, the data structure of the ParameterKey data packet comprises: BigLength, Length and Value;
and when the AUTH_SESSKEY of the return data packet is replaced to form the third data packet, the data value of Value in the ParameterKey data packet is replaced with the data value of ParameterValue of the AUTH_SESSKEY Parameter, a virtual password for the virtual user name is calculated from the real user name and the real password, the real password is replaced with the virtual password, and the third data packet formed after replacement is sent to the client.
Further, the fourth data packet captured from the client is an authentication data packet whose data structure comprises: CallId, CallSeq and CallData;
when the data value of CallId is 0x73, the data structure of the CallData packet comprises: Placeholder, BigUsernameLength, Flag, Placeholder1, NumOfParameters, Placeholder2, Placeholder3, UsernameLength, Username, Parameters and Payload.
Further, when judging whether the user name in the fourth data packet matches the virtual user name issued by the proxy application, if it does, the data values of Username and UsernameLength in the CallData packet are replaced and the data value of Value in Parameters is calculated;
Parameters comprises a plurality of Parameter entries, the data structure of any Parameter data packet comprising BeforeFlag, ParameterKey, ParameterValue and Flag, where the data structure of the ParameterKey data packet comprises BigLength, Length and Value; the Value data value of the AUTH_SESSKEY Parameter is replaced according to the calculated Value data value to form the fifth data packet, and the fifth data packet is sent to the server.
Further, when the server's return data packet for the fifth data packet is captured, the authentication state is judged from the data value of PacketType: when the data value of PacketType is 0x08, authentication is judged successful, otherwise it is judged failed; the authentication result is recorded and forwarded to the client.
Compared with the prior art, the method has the following advantages: the proxy application issues the real user name and real password and issues a virtual user name mapped to them; the first data packet of the client is obtained, whether its user name matches the real user name issued by the proxy application is judged, the user name is replaced with the virtual user name, the packet is sent to the server and the return data packet is obtained; the real password is replaced according to the return data packet and the replaced packet is sent to the client; the fourth data packet of the client is obtained, whether its user name matches the virtual user name issued by the proxy application is judged, the virtual user name and virtual password are substituted again and the packet is sent to the server; whether authentication succeeded is judged from the server's return data packet and the authenticated packet is sent to the client. Because the proxy application parses the Oracle communication protocol and rewrites the real user name and real password into the virtual user name and virtual password during the handshake authentication of the Oracle protocol, the real user name and real password of the client are prevented from being leaked, and the security of the client and the server is improved.
In particular, the proxy application parses the Oracle communication protocol and replaces the real user name and real password used in handshake-phase authentication with the virtual user name and virtual password, so the client's real credentials are not leaked and the security of the client and the server is improved.
In particular, the first data packet of the client is parsed, whether its user name matches the real user name issued by the proxy application is judged, and the user name is replaced with the virtual user name; in this way the real user name and real password used in handshake-phase authentication are replaced with the virtual ones, leakage of the client's real credentials (and the low security that would follow) is prevented, and the security of the client and the server is improved.
In particular, when the user name in the client's first data packet is judged to match the real user name issued by the proxy application, the replaced packet is sent to the server and the return data packet is obtained, and the real password is replaced according to the return data packet; the proxy application thus parses the Oracle protocol and replaces the real credentials used in handshake-phase authentication with the virtual ones, preventing leakage of the client's real credentials and improving the security of the client and the server.
In particular, the return data packet sent back by the server is parsed and the real password is replaced according to it; the proxy application thus replaces the real credentials used in handshake-phase authentication with the virtual ones, preventing leakage of the client's real credentials and improving the security of the client and the server.
In particular, the return data packet is parsed and the real password is replaced according to it; the proxy application thus replaces the real credentials used in handshake-phase authentication with the virtual ones, preventing leakage of the client's real credentials (and the low security that would follow) and improving the security of the client and the server.
In particular, by parsing the fourth data packet obtained from the client, whether its user name matches the virtual user name issued by the proxy application is judged, so that the virtual user name and virtual password are substituted again and sent to the server; the proxy application thus replaces the real credentials used in handshake-phase authentication with the virtual ones, preventing leakage of the client's real credentials and improving the security of the client and the server.
In particular, by parsing the fourth data packet obtained from the client and judging whether its user name matches the virtual user name issued by the proxy application, the virtual user name and virtual password are substituted again and sent to the server; the proxy application thus replaces the real credentials used in handshake-phase authentication with the virtual ones, preventing leakage of the client's real credentials (and the low security that would follow) and improving the security of the client and the server.
In particular, the server's return data packet is parsed once more and the successfully authenticated packet is sent to the client; the proxy application thus replaces the real credentials used in handshake-phase authentication with the virtual ones, preventing leakage of the client's real credentials (and the low security that would follow) and improving the security of the client and the server.
Drawings
Fig. 1A is a schematic flowchart of a proxy-based method for replacing a user name and a password in an ORACLE10G authentication process according to an embodiment of the present invention;
Fig. 1B is a flowchart of another proxy-based method for replacing a user name and a password in an ORACLE10G authentication process according to an embodiment of the present invention;
Fig. 2 is a general data structure parameter diagram of the TNS protocol according to an embodiment of the present invention;
Fig. 3 is a data structure parameter diagram of a PacketData packet according to an embodiment of the present invention;
Fig. 4 is a data structure parameter diagram of a DataContent data packet according to an embodiment of the present invention;
Fig. 5 is a data structure parameter diagram of a first data packet according to an embodiment of the present invention;
Fig. 6 is a parameter diagram of another data structure of a DataContent packet according to an embodiment of the present invention;
Fig. 7 is a data structure parameter diagram of a Parameter data packet according to an embodiment of the present invention;
Fig. 8 is a data structure parameter diagram of a ParameterKey data packet according to an embodiment of the present invention;
Fig. 9 is a data structure parameter diagram of the CallData packet according to an embodiment of the present invention.
Detailed Description
In order that the objects and advantages of the invention will be more clearly understood, the invention is further described below with reference to examples; it should be understood that the specific embodiments described herein are merely illustrative of the invention and do not delimit the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are only for explaining the technical principle of the present invention, and do not limit the scope of the present invention.
It should be noted that in the description of the present invention, the terms of direction or positional relationship indicated by the terms "upper", "lower", "left", "right", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, which are only for convenience of description, and do not indicate or imply that the device or element must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention.
Furthermore, it should be noted that, in the description of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
Referring to Fig. 1A and Fig. 1B, a proxy-based method for replacing a user name and a password in an ORACLE10G authentication process according to an embodiment of the present invention includes:
step S110, the proxy application issues a real user name and a real password to the client, and issues a virtual user name that has a mapping relation with the real user name and the real password;
step S120, the client connects to the proxy application using the real user name and the real password;
step S130, a first data packet sent by the client is captured;
step S140, according to the real user name issued by the proxy application, whether the user name in the first data packet matches that real user name is judged and, if so, the data values of the user name length and the user name in the first data packet are replaced to form a second data packet, and the second data packet is sent to the server;
step S150, the server's return data packet for the second data packet is captured, the key in the return data packet is replaced to form a third data packet, and the third data packet is sent to the client;
step S160, a fourth data packet from the client is captured;
step S170, whether the user name in the fourth data packet matches the virtual user name issued by the proxy application is judged and, if so, the data values of the user name length and the user name in the fourth data packet are replaced, the data value of the parameter name in the parameter array is replaced with the data value of the key's parameter array, the replaced fourth data packet forms a fifth data packet, and the fifth data packet is sent to the server;
and step S180, the server's return data packet for the fifth data packet is intercepted, whether authentication succeeded is judged and the authentication state is recorded, and the successfully authenticated return data packet for the fifth data packet is sent to the client.
Specifically, the user name length is denoted UsernameLength, the user name Username, the key AUTH_SESSKEY, the parameter array Parameters, the parameter name ParameterKey and the parameter value ParameterValue; the server runs an ORACLE database.
Specifically, in the embodiment of the invention the proxy application issues a real user name and a real password and a virtual user name mapped to the real user name; the first data packet of the client is obtained and whether its user name matches the real user name issued by the proxy application is judged so that the user name can be replaced with the virtual user name; the packet is sent to the server and the return data packet is obtained; the real password is replaced according to the return data packet and the replaced packet is sent to the client; the fourth data packet of the client is obtained and whether its user name matches the virtual user name issued by the proxy application is judged so that the virtual user name and virtual password can be substituted again and sent to the server; whether authentication succeeded is judged from the server's return data packet and the successfully authenticated packet is sent to the client. By parsing the Oracle communication protocol in the proxy application and replacing the real user name and real password in the handshake authentication of the Oracle protocol with the virtual user name and virtual password, the real credentials are prevented from leaking and the security of the client and the server is improved.
Referring to Fig. 2, the communication protocol used by the proxy application, the client and the server is the TNS protocol, whose common data structure comprises: Length, PacketCheckSum, PacketType, Reserved, HeaderCheckSum and PacketData, where the data value of Length is the length of the complete TNS packet;
referring to Fig. 3, when the data value of PacketType is 0x6 the packet carries Data, and the data structure of the PacketData packet comprises: DataFlag, DataID and DataContent;
referring to Fig. 4, when the data value of DataID is 0x03, the data structure of the DataContent packet comprises: CallId, CallSeq and CallData.
Specifically, in the embodiment of the invention the first data packet of the client is obtained and whether its user name matches the real user name issued by the proxy application is judged so that the user name can be replaced with the virtual user name; the proxy application parses the Oracle communication protocol and replaces the real user name and real password in the handshake-phase authentication with the virtual user name and virtual password, preventing leakage of the client's real credentials (and the low security that would follow) and improving the security of the client and the server.
Referring to Fig. 5, when the data value of CallId is 0x76 and the packet type is GetSessionKey, the first data packet is captured, and its data structure comprises: Unused0, EncryptedUsernameLength, Unused1, UsernameLength, Username and ExtraData.
Specifically, in the embodiment of the invention the first data packet of the client is parsed and whether its user name matches the real user name issued by the proxy application is judged so that the user name can be replaced with the virtual user name; the proxy application further parses the Oracle communication protocol and replaces the real user name and real password in the handshake-phase authentication with the virtual user name and virtual password, preventing leakage of the client's real credentials (and the low security that would follow) and improving the security of the client and the server.
Specifically, judging whether the user name in the first data packet matches the real user name issued by the proxy application means comparing the Username in the GetSessionKey packet with the real user name issued by the proxy application; if they match, the UsernameLength and Username in the GetSessionKey data packet are replaced and the replaced data packet is sent to the server.
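As an added illustration (not code from the patent or its assignee), the following Python models the TNS, PacketData and GetSessionKey structures of Figs. 2 to 5 and the step S140 substitution, and applies the PacketType 0x08 check of step S180. The patent names the fields but gives no sizes, so the 8-byte header, the 2-byte DataFlag, the 1-byte DataID, CallId, CallSeq and length fields, and the helper names `parse_tns`, `parse_get_session_key`, `build_get_session_key`, `substitute_username` and `auth_succeeded` are all assumptions made here.

```python
"""Proxy-side user name substitution for the ORACLE10G GetSessionKey packet.

Field widths are assumptions for this demonstration; the patent names the
fields but gives no sizes.  Assumed here: an 8-byte TNS header (Length,
PacketCheckSum, PacketType, Reserved, HeaderCheckSum, big-endian), a 2-byte
DataFlag, 1-byte DataID / CallId / CallSeq, and 1-byte length fields in CallData.
"""
import struct
from typing import Dict, Optional

TNS_HEADER = struct.Struct(">HHBBH")  # Length, PacketCheckSum, PacketType, Reserved, HeaderCheckSum
PKT_TYPE_DATA = 0x06                  # PacketType value for a Data packet (from the patent)
DATA_ID_CALL = 0x03                   # DataID that introduces CallId, CallSeq, CallData
CALL_GET_SESSION_KEY = 0x76           # CallId of the first (GetSessionKey) packet
PKT_TYPE_AUTH_OK = 0x08               # PacketType the patent reads as "authentication succeeded"
DATA_HDR_LEN = 2 + 1 + 1 + 1          # DataFlag, DataID, CallId, CallSeq (assumed widths)


def parse_tns(raw: bytes) -> dict:
    """Split a TNS packet into header fields and PacketData, rejecting an inconsistent Length."""
    if len(raw) < TNS_HEADER.size:
        raise ValueError("packet shorter than the TNS header")
    length, _pkt_cksum, pkt_type, _reserved, _hdr_cksum = TNS_HEADER.unpack_from(raw)
    if length != len(raw):
        raise ValueError(f"TNS Length field {length} does not match packet size {len(raw)}")
    return {"type": pkt_type, "packet_data": raw[TNS_HEADER.size:]}


def parse_get_session_key(raw: bytes) -> Optional[dict]:
    """Return the GetSessionKey fields, or None when this is not a first (CallId 0x76) packet."""
    pkt = parse_tns(raw)
    pd = pkt["packet_data"]
    if pkt["type"] != PKT_TYPE_DATA or len(pd) < DATA_HDR_LEN:
        return None
    data_id, call_id, call_seq = pd[2], pd[3], pd[4]
    if data_id != DATA_ID_CALL or call_id != CALL_GET_SESSION_KEY:
        return None
    # Assumed CallData layout: Unused0, EncryptedUsernameLength, Unused1, UsernameLength, Username, ExtraData
    call_data = pd[DATA_HDR_LEN:]
    if len(call_data) < 4:
        raise ValueError("truncated GetSessionKey CallData")
    name_len = call_data[3]
    if 4 + name_len > len(call_data):
        raise ValueError("UsernameLength runs past the end of CallData")
    return {
        "call_seq": call_seq,
        "prefix": call_data[:3],  # Unused0, EncryptedUsernameLength, Unused1: carried through unchanged
        "username": call_data[4:4 + name_len],
        "extra": call_data[4 + name_len:],
    }


def build_get_session_key(username: bytes, extra: bytes = b"", call_seq: int = 1,
                          prefix: bytes = b"\x00\x00\x00") -> bytes:
    """Assemble a GetSessionKey packet whose UsernameLength and TNS Length are consistent."""
    if len(username) > 0xFF:
        raise ValueError("user name too long for the 1-byte UsernameLength assumed here")
    body = bytes([0x00, 0x00, DATA_ID_CALL, CALL_GET_SESSION_KEY, call_seq])
    body += prefix + bytes([len(username)]) + username + extra
    return TNS_HEADER.pack(TNS_HEADER.size + len(body), 0, PKT_TYPE_DATA, 0, 0) + body


def substitute_username(raw: bytes, mapping: Dict[bytes, bytes]) -> bytes:
    """Step S140: when Username equals a real user name the proxy issued, rewrite Username,
    UsernameLength and the TNS Length for the mapped virtual name; otherwise pass the packet through."""
    fields = parse_get_session_key(raw)
    if fields is None or fields["username"] not in mapping:
        return raw
    return build_get_session_key(mapping[fields["username"]], fields["extra"],
                                 fields["call_seq"], fields["prefix"])


def auth_succeeded(raw: bytes) -> bool:
    """Step S180: the patent reads PacketType 0x08 in the server's reply as a successful authentication."""
    return parse_tns(raw)["type"] == PKT_TYPE_AUTH_OK


if __name__ == "__main__":
    # Constructed sample: real name REALUSER mapped to the proxy-issued virtual name VUSER01.
    proxy_map = {b"REALUSER": b"VUSER01"}
    first_packet = build_get_session_key(b"REALUSER", extra=b"\x01\x02", call_seq=2)
    second_packet = substitute_username(first_packet, proxy_map)
    print(parse_get_session_key(second_packet))
```

The Length check in `parse_tns` is what catches a rewrite that changed the user name's size without fixing up the TNS Length, which is the consistency the proxy has to maintain on every substituted packet.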
Specifically, the embodiment of the invention replaces the user name signed by the proxy application program with the virtual user name by judging whether the user name in the first data packet of the client is consistent with the real user name signed by the proxy application program, then sends the virtual user name to the server and obtains the return data packet, replaces the real password according to the return data packet, further analyzes the communication protocol of Oracle through the proxy application program, replaces and tampers the real user name and the real password in the authentication process of the handshake phase of the Oracle protocol into the virtual user name and the virtual password, prevents the leakage of the real user name and the real password of the client from causing low security, and improves the security of the client and the server.
Referring to fig. 6, when the return data packet from the server to the second data packet is captured, its basic structure is PacketData; when the data value of DataID in PacketData is 0x08, the data structure of the DataContent packet includes: NumberOfParameters, Parameters, and Payload.
Specifically, in this embodiment the return data packet from the server is parsed and the real password is replaced according to it. By parsing the Oracle communication protocol in the proxy application, the real user name and real password used for authentication in the handshake phase of the Oracle protocol are replaced with the virtual user name and virtual password, so that the client's real user name and real password cannot be leaked and the security of both the client and the server is improved.
Referring to fig. 7, Parameters comprises a plurality of Parameter entries, and the data structure of each Parameter packet includes: BeforeFlag, ParameterKey, ParameterValue, and Flag.
Specifically, this embodiment parses the return data packet and replaces the real password according to it, with the same effect as above: the real user name and real password used in the handshake phase of the Oracle protocol are replaced by the proxy application with the virtual user name and virtual password, so that they cannot be leaked and the security of the client and the server is improved.
Referring to fig. 8, the data structure of the ParameterKey packet includes: BigLength, Length, and Value;
when AUTH_SESSKEY in the return data packet is replaced to form the third data packet, the data value of Value in the ParameterKey packet is replaced with the data value of ParameterValue of the AUTH_SESSKEY Parameter, a virtual password is calculated for the virtual user name from the real user name and the real password, the real password is replaced with the virtual password, and the third data packet formed after replacement is sent to the client.
Specifically, in this embodiment the captured fourth data packet from the client is parsed, and it is judged whether the user name in it is consistent with the virtual user name issued by the proxy application, so that the virtual user name and virtual password are substituted again and sent to the server. By parsing the Oracle communication protocol in the proxy application, the real user name and real password used for authentication in the handshake phase of the Oracle protocol are replaced with the virtual user name and virtual password, so that the client's real user name and real password cannot be leaked and the security of both the client and the server is improved.
Specifically, the fourth data packet captured from the client is an authentication data packet, and its data structure includes: CallId, CallSeq, and CallData.
Referring to fig. 9, when the data value of CallId is 0x73, the data structure of the CallData packet includes: Placeholder, BigUsernameLength, Flag, Placeholder1, NumOfParameters, Placeholder2, Placeholder3, UsernameLength, Username, Parameters, and Payload;
when judging whether the user name in the fourth data packet is consistent with the virtual user name issued by the proxy application, if so, the data values of Username and UsernameLength in the CallData packet are replaced, wherein
Parameters comprises a plurality of Parameter entries, the data structure of each Parameter packet includes BeforeFlag, ParameterKey, ParameterValue and Flag, and the data structure of the ParameterKey packet includes BigLength, Length and Value; the data value of Value in the AUTH_SESSKEY Parameter is replaced with the calculated Value to form the fifth data packet, which is sent to the server.
Specifically, in this embodiment the captured fourth data packet from the client is parsed, it is judged whether the user name in it is consistent with the virtual user name issued by the proxy application so that the virtual user name and virtual password are substituted again and sent to the server, and it is then judged from the server's return data packet whether authentication succeeded, the successfully authenticated data packet being sent on to the client. By parsing the Oracle communication protocol in the proxy application, the real user name and real password used for authentication in the handshake phase of the Oracle protocol are replaced with the virtual user name and virtual password, so that the client's real user name and real password cannot be leaked and the security of both the client and the server is improved.
Specifically, when the return data packet of the fifth data packet is captured from the server, the authentication state is determined from the data value of PacketType: when PacketType is 0x08 the authentication is judged successful, otherwise it is judged failed; the authentication result is recorded and forwarded to the client.
Specifically, this embodiment judges whether authentication succeeded by parsing the server's return data packet once more and sends the successfully authenticated data packet to the client. By parsing the Oracle communication protocol in the proxy application, the real user name and real password used for authentication in the handshake phase of the Oracle protocol are replaced with the virtual user name and virtual password, so that the client's real user name and real password cannot be leaked and the security of both the client and the server is improved.
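The first-packet (GetSessionKey) rewrite of claims 2 to 4 and the PacketType check of claim 10, as an added example that is not part of the patent: the page names the TNS and CallData fields but not their widths, so the 8-byte big-endian header, the 2-byte DataFlag, the single-byte Unused0/EncryptedUsernameLength/Unused1/UsernameLength fields and the sample packets are all constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# TNS generic header from claim 2: Length, PacketCheckSum, PacketType,
# Reserved, HeaderCheckSum (assumed big-endian, 8 bytes in total).
TNS_HEADER = struct.Struct(">HHBBH")
PACKET_TYPE_DATA = 0x06          # claim 2: a Data packet
DATA_ID_FUNCTION = 0x03          # claim 2: DataContent = CallId, CallSeq, CallData
CALL_ID_GET_SESSION_KEY = 0x76   # claim 3: the first packet is GetSessionKey
PACKET_TYPE_AUTH_OK = 0x08       # claim 10: PacketType of a successful final reply
DATA_FLAG_LEN = 2                # assumed width of DataFlag
# Assumed widths for the CallData fields named in claim 3 (Username, ExtraData follow):
CALLDATA_PREFIX = struct.Struct(">BBBB")  # Unused0, EncryptedUsernameLength, Unused1, UsernameLength

@dataclass
class GetSessionKey:
    data_flag: bytes
    call_seq: int
    unused0: int
    encrypted_username_length: int   # passed through: the page only rewrites UsernameLength
    unused1: int
    username: bytes
    extra_data: bytes

def parse_get_session_key(packet: bytes) -> GetSessionKey:
    """Parse a constructed TNS Data/GetSessionKey packet, validating the header Length."""
    length, _csum, ptype, _rsv, _hcsum = TNS_HEADER.unpack_from(packet, 0)
    if ptype != PACKET_TYPE_DATA or length != len(packet):
        raise ValueError("not a well-formed TNS Data packet")
    off = TNS_HEADER.size
    data_flag = packet[off:off + DATA_FLAG_LEN]
    off += DATA_FLAG_LEN
    data_id, call_id, call_seq = packet[off], packet[off + 1], packet[off + 2]
    if data_id != DATA_ID_FUNCTION or call_id != CALL_ID_GET_SESSION_KEY:
        raise ValueError("not a GetSessionKey packet")
    off += 3
    unused0, enc_len, unused1, name_len = CALLDATA_PREFIX.unpack_from(packet, off)
    off += CALLDATA_PREFIX.size
    username = packet[off:off + name_len]
    if len(username) != name_len:
        raise ValueError("UsernameLength runs past the end of the packet")
    return GetSessionKey(data_flag, call_seq, unused0, enc_len, unused1, username, packet[off + name_len:])

def build_get_session_key(p: GetSessionKey) -> bytes:
    """Serialise, recomputing UsernameLength and the TNS Length (checksums left zero)."""
    body = (p.data_flag
            + bytes([DATA_ID_FUNCTION, CALL_ID_GET_SESSION_KEY, p.call_seq])
            + CALLDATA_PREFIX.pack(p.unused0, p.encrypted_username_length,
                                   p.unused1, len(p.username))
            + p.username + p.extra_data)
    return TNS_HEADER.pack(TNS_HEADER.size + len(body), 0, PACKET_TYPE_DATA, 0, 0) + body

def rewrite_first_packet(packet: bytes, real_user: bytes, virtual_user: bytes) -> Optional[bytes]:
    """Claim 4: swap Username/UsernameLength only when the packet carries the issued real user name."""
    p = parse_get_session_key(packet)
    if p.username != real_user:
        return None   # no mapping for this user name, so the proxy leaves the packet untouched
    p.username = virtual_user
    return build_get_session_key(p)

def auth_succeeded(reply: bytes) -> bool:
    """Claim 10: the final reply counts as successful authentication when PacketType is 0x08."""
    return TNS_HEADER.unpack_from(reply, 0)[2] == PACKET_TYPE_AUTH_OK
```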
So far, the technical solutions of the present invention have been described in connection with the preferred embodiments shown in the drawings, but it is apparent to those skilled in the art that the scope of the present invention is not limited to these specific embodiments. Equivalent changes or substitutions of related technical features can be made by those skilled in the art without departing from the principle of the invention, and the technical scheme after the changes or substitutions can fall into the protection scope of the invention.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention; various modifications and alterations to this invention will become apparent to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for replacing a user name and a password in an ORACLE10G authentication process based on a proxy is characterized by comprising the following steps:
the agent application program issues a real user name and a real password for the client side, and issues a virtual user name which has a mapping relation with the real user name and the real password;
connecting the client with the agent application program according to the real user name and the real password;
capturing a first data packet sent by the client;
judging whether the user name in the first data packet is consistent with the real user name according to the real user name issued by the agent application program, if so, replacing the user name length and the data value of the user name in the first data packet to form a second data packet, and sending the second data packet to a server;
capturing a return data packet of the server to the second data packet, replacing a key of the return data packet to form a third data packet, and sending the third data packet to the client;
capturing a fourth data packet of the client;
judging whether the user name in the fourth data packet is consistent with the virtual user name issued by the agent application program or not according to the user name in the fourth data packet, if so, replacing the user name length and the data value of the user name in the fourth data packet, replacing the data value of the parameter name in the parameter array with the data value of the parameter array of the secret key, forming a fifth data packet from the replaced fourth data packet, and sending the fifth data packet to the server;
and capturing a return data packet of the fifth data packet from the server side, judging whether the authentication is successful or not to record the authentication state, and sending the return data packet of the fifth data packet which is successfully authenticated to the client side.
2. The method for replacing a user name and password in an ORACLE10G proxy-based authentication process according to claim 1, wherein the generic data structure of the TNS protocol used by the proxy application, the client and the server comprises: Length, PacketCheckSum, PacketType, Reserved, HeaderCheckSum and PacketData, wherein the data value of Length is the length of the complete TNS packet;
when the data value of PacketType is 0x6, the packet is a Data packet, and the data structure of the PacketData packet includes: DataFlag, DataID, and DataContent;
when the data value of DataID is 0x03, the data structure of the DataContent packet includes: CallId, CallSeq, and CallData.
3. The method as claimed in claim 2, wherein when the data value of CallId is 0x76 and the type of the packet is GetSessionKey, the first data packet is captured, and the data structure of the first data packet comprises: Unused0, EncryptedUsernameLength, Unused1, UsernameLength, Username, and ExtraData.
4. The method as claimed in claim 3, wherein, when judging whether the user name in the first data packet is consistent with the real user name issued by the proxy application, the Username in the GetSessionKey packet is compared with the real user name issued by the proxy application to determine whether they are consistent, and if so, the UsernameLength and Username in the GetSessionKey packet are replaced and the replaced data packet is sent to the server.
5. The method as claimed in claim 4, wherein, when the return data packet of the second data packet is captured from the server, the basic structure of the return data packet is PacketData, and when the data value of DataID in PacketData is 0x08, the data structure of the DataContent packet includes: NumberOfParameters, Parameters, and Payload.
6. The method of claim 5, wherein the Parameters comprise Parameters, and wherein the data structure of any Parameter packet comprises: beforeFlag, parameterKey, parameterValue, and Flag.
7. The method of claim 6, wherein the data structure of the ParameterKey packet comprises: BigLength, Length, and Value;
when AUTH_SESSKEY of the return data packet is replaced to form the third data packet, the data value of Value in the ParameterKey packet is replaced with the data value of ParameterValue of the AUTH_SESSKEY Parameter, a virtual password is calculated for the virtual user name from the real user name and the real password, the real password is replaced with the virtual password, and the third data packet formed after replacement is sent to the client.
8. The method of claim 7, wherein the fourth data packet captured from the client is an authentication data packet, and the data structure of the fourth data packet includes: callId, callSeq, and CallData;
when the data value of CallId is 0x73, the data structure of the CallData packet includes: Placeholder, BigUsernameLength, Flag, Placeholder1, NumOfParameters, Placeholder2, Placeholder3, UsernameLength, Username, Parameters, and Payload.
9. The method as claimed in claim 8, wherein when the user name in the fourth data packet is judged to be consistent with the virtual user name issued by the proxy application, the data values of Username and UsernameLength in the CallData packet are replaced, wherein
Parameters comprises a plurality of Parameter entries, the data structure of each Parameter packet comprises BeforeFlag, ParameterKey, ParameterValue and Flag, and the data structure of the ParameterKey packet comprises BigLength, Length and Value; the data value of Value in the AUTH_SESSKEY Parameter is replaced according to the calculated Value to form the fifth data packet, and the fifth data packet is sent to the server.
10. The method for replacing a user name and password in an ORACLE10G proxy-based authentication process as claimed in claim 9, wherein when the return data packet of the fifth data packet is captured from the server, the authentication state is determined from the data value of PacketType: when the data value of PacketType is 0x08 the authentication is judged successful, otherwise it is judged failed; the authentication result is recorded and forwarded to the client.
CN202211663150.1A 2022-12-23 2022-12-23 Method for replacing user name and password in ORACLE10G authentication process based on proxy Active CN115632892B (en)

Publications (2)

Publication Number Publication Date
CN115632892A CN115632892A (en) 2023-01-20
CN115632892B true CN115632892B (en) 2023-03-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant