CN115632892B - Method for replacing user name and password in ORACLE10G authentication process based on proxy - Google Patents
- Publication number: CN115632892B (application CN202211663150.1A)
- Authority: CN (China)
- Prior art keywords: data packet, user name, data, packet, password
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
- H04L63/0421—Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Abstract
The invention relates to the field of data communication, in particular to a proxy-based method for replacing the user name and password in the ORACLE10G authentication process, which comprises the following steps: the agent application program issues a real user name and a real password to the client, and issues a virtual user name; capturing the first data packet sent by the client; judging whether the user name in the first data packet is consistent with the real user name, and if so replacing the user name length and the user name data value and sending the packet to the server; capturing the return data packet, replacing the key in the return data packet to form a third data packet and sending the third data packet to the client; capturing a fourth data packet; judging whether its user name is consistent with the virtual user name issued by the agent application program, and if so replacing the user name length and user name data values in the fourth data packet to form a fifth data packet and sending the fifth data packet to the server; and capturing the returned data packet and judging whether the authentication succeeded. The security of the client and the server is improved.
Description
Technical Field
The invention relates to the field of data communication, in particular to a method for replacing a user name and a password in an ORACLE10G authentication process based on an agent.
Background
At present, security auditing has become an indispensable component of enterprise information security construction. Increasingly complex IT systems, and operation and maintenance personnel with different backgrounds, bring great risk to information system security; this is why the bastion host arose: in a specific network environment, to ensure that the network and its data are not intruded upon or damaged by external or internal users, various technical means are used to monitor and record the operations performed by operation and maintenance personnel on servers, network devices, security devices, databases and other devices in the network, so as to facilitate centralized alarming, timely handling and attribution of responsibility during audits.
Chinese patent application publication No. CN113641974A discloses a database access control method based on a cryptographic bridge, which includes: acquiring a database access request, wherein the database access request carries a first username and a first password, and the first username and the first password are a username and password without database access authority; verifying the first username and the first password against a username and password in a pre-stored password table, and passing the verification when the first username and the first password are consistent with the username and password in the pre-stored password table; after the first username and the first password pass verification, acquiring a second username and a second password corresponding to the first username and the first password, wherein the second username and the second password are a username and password with database access authority; replacing the first username and the first password in the database access request with the second username and the second password; and sending the replaced database access request to the database.
In the prior art, database accounts are issued by the database itself, so a large number of database accounts must be created, flexibility is poor, the privileges of database users are not controlled tightly enough, and the user name and password of an account in use cannot be changed when a problem occurs, so the database account and password are exposed to leakage risk and security is poor.
Disclosure of Invention
Therefore, the invention provides a proxy-based method for replacing the user name and the password in the ORACLE10G authentication process, which solves the problems of leakage risk and poor security of database accounts and passwords.
In order to achieve the above object, the present invention provides a method for replacing a user name and a password in an ORACLE10G authentication process based on a proxy, the method comprising:
the agent application program issues a real user name and a real password for the client, and issues a virtual user name which has a mapping relation with the real user name and the real password;
connecting the client with the agent application program according to the real user name and the real password;
capturing a first data packet sent by the client;
judging, according to the real user name issued by the agent application program, whether the user name in the first data packet is consistent with the real user name; if so, replacing the user name length and the user name data value in the first data packet to form a second data packet, and sending the second data packet to the server;
capturing a return data packet of the server for the second data packet, replacing a key of the return data packet to form a third data packet, and sending the third data packet to the client;
capturing a fourth data packet of the client;
judging whether the user name in the fourth data packet is consistent with the virtual user name issued by the agent application program; if so, replacing the user name length and the user name data value in the fourth data packet, replacing in the parameter array the value of the parameter that carries the secret key, forming the replaced fourth data packet into a fifth data packet, and sending the fifth data packet to the server;
and capturing the return data packet of the server to the fifth data packet, judging whether the authentication succeeded and recording the authentication state, and sending the successfully authenticated return data packet to the client.
Further, the TNS protocol used by the agent application program, the client and the server has a common structure comprising: Length, PacketChecksum, PacketType, Reserved, HeaderChecksum and PacketData, wherein the data value of Length is the length of the complete TNS packet;
when the data value of PacketType is 0x6 the packet is a Data packet, and the data structure of the PacketData packet includes: DataFlag, DataID and DataContent;
when the data value of DataID is 0x03, the data structure of the DataContent packet includes: CallId, CallSeq and CallData.
Further, when the data value of CallId is 0x76 and the packet type is GetSessionKey, the first data packet is captured, and its data structure includes: Unused0, EncryptedUsernameLength, Unused1, UsernameLength, Username and ExtraData.
Further, when judging whether the user name in the first data packet is consistent with the real user name issued by the proxy application program, the Username in the GetSessionKey packet is compared with the real user name issued by the proxy application program; if they are consistent, the UsernameLength and the Username in the GetSessionKey data packet are replaced and the replaced data packet is sent to the server.
Further, when the return data packet of the server to the second data packet is captured, the basic structure of the return data packet is PacketData, and when the data value of the DataID in the PacketData is 0x08, the data structure of the DataContent packet includes: NumberOfParameters, Parameters and Payload.
Further, the Parameters comprise a plurality of Parameters, wherein the data structure of any Parameter data packet comprises: BeforeFlag, ParameterKey, ParameterValue and Flag.
Further, the data structure of the ParameterKey data packet includes: BigLength, Length and Value;
and when the AUTH_SESSKEY of the return data packet is replaced to form the third data packet, the data Value of Value in the ParameterKey data packet is replaced with the data Value of the ParameterValue of the AUTH_SESSKEY Parameter, a virtual password for the virtual user name is calculated from the real user name and the real password, the real password is replaced by the virtual password, and the third data packet formed after replacement is sent to the client.
Further, a fourth data packet captured from the client is an authentication data packet, and a data structure of the fourth data packet includes: callId, callSeq, and CallData;
when the data value of the CallID is 0x73, the data structure of the CallData packet includes: placeholder, bigUsernameLength, flag, placeholder1, numOfParameters, placeholder2, placeholder3, usernameLength, username, parameters, and Payload.
Further, when judging whether the user name in the fourth data packet is consistent with the virtual user name issued by the agent application program, if so, the data values of Username and UsernameLength in the CallData data packet are replaced and the data Value of Value in Parameters is calculated;
the Parameters comprise a plurality of Parameters, and the data structure of any Parameter data packet comprises: BeforeFlag, ParameterKey, ParameterValue and Flag, wherein the data structure of the ParameterKey data packet comprises: BigLength, Length and Value; the Value data value of the AUTH_SESSKEY Parameter is replaced according to the calculated Value data value to form the fifth data packet, and the fifth data packet is sent to the server.
Further, when a return data packet of the fifth data packet to the server side is captured, the authentication state is judged according to the data value of the PacketType, when the data value of the PacketType is 0x08, the authentication is judged to be successful, otherwise, the authentication is judged to be failed, the authentication result is recorded, and the authentication result is forwarded to the client side.
Compared with the prior art, the method has the following advantages: the agent application program issues the real user name and the real password together with a virtual user name mapped to them; the first data packet of the client is obtained, its user name is checked against the real user name issued by the agent application program, the user name is replaced by the virtual user name, the packet is sent to the server and the return data packet is obtained; the real password is replaced according to the return data packet and the replaced packet is sent to the client; the fourth data packet of the client is obtained, its user name is checked against the virtual user name issued by the agent application program, the virtual user name and the virtual password are substituted again and the packet is sent to the server; whether the authentication succeeded is judged from the server's return data packet and the authenticated packet is sent to the client. By parsing the Oracle communication protocol in the agent application program, the real user name and the real password used in the Oracle protocol handshake authentication are replaced by the virtual user name and the virtual password, so the client's real user name and real password cannot be leaked and the security of the client and the server is improved.
In particular, the agent application program parses the Oracle communication protocol and replaces the real user name and the real password used during authentication in the handshake phase of the Oracle protocol with the virtual user name and the virtual password, which prevents leakage of the client's real user name and real password and therefore improves the security of the client and the server.
In particular, the first data packet of the client is parsed, whether its user name is consistent with the real user name issued by the proxy application program is judged, and the user name is replaced by the virtual user name; in this way the real user name and real password used during authentication in the Oracle protocol handshake phase are replaced by the virtual user name and virtual password, the low security that leakage of the client's real credentials would cause is avoided, and the security of the client and the server is improved.
In particular, when the user name in the client's first data packet is judged consistent with the real user name issued by the proxy application program, the replaced packet is sent to the server and the return data packet is obtained, and the real password is replaced according to the return data packet; the proxy application program parses the Oracle communication protocol and substitutes the virtual credentials for the real ones in the handshake-phase authentication, preventing leakage of the client's real user name and password and improving the security of the client and the server.
In particular, the return data packet from the server is parsed and the real password is replaced according to it; the agent application program parses the Oracle communication protocol and substitutes the virtual user name and virtual password for the real ones in the handshake-phase authentication, preventing leakage of the client's real credentials and improving the security of the client and the server.
In particular, the returned data packet is parsed and the real password is replaced according to it, with the same substitution of virtual for real credentials in the Oracle handshake, so that leakage of the client's real user name and password, and the low security it would cause, is prevented and the security of the client and the server is improved.
In particular, the obtained fourth data packet of the client is parsed to judge whether its user name is consistent with the virtual user name issued by the proxy application program, so that the virtual user name and the virtual password are substituted again and sent to the server; the proxy application program parses the Oracle communication protocol and replaces the real credentials of the handshake-phase authentication with the virtual ones, preventing leakage of the client's real user name and password and improving the security of the client and the server.
In particular, by parsing the acquired fourth data packet of the client and judging whether its user name is consistent with the virtual user name issued by the agent application program, the virtual user name and the virtual password are substituted again and sent to the server, the real user name and real password of the handshake-phase authentication are replaced by the virtual ones, and the low security that leakage of the client's real credentials would cause is avoided, so the security of the client and the server is improved.
In particular, the server's return data packet is parsed once more and the successfully authenticated packet is sent to the client; throughout, the agent application program parses the Oracle communication protocol and substitutes the virtual user name and virtual password for the real ones in the handshake-phase authentication, preventing leakage of the client's real credentials and improving the security of the client and the server.
Drawings
Fig. 1A is a schematic flowchart of a method for replacing a user name and a password in an ORACLE10G authentication process based on an agent according to an embodiment of the present invention;
Fig. 1B is a flowchart illustrating another method for replacing a user name and a password in an ORACLE10G authentication process based on a proxy according to an embodiment of the present invention;
Fig. 2 is a general data structure parameter diagram of the TNS protocol according to an embodiment of the present invention;
Fig. 3 is a data structure parameter diagram of a PacketData packet according to an embodiment of the present invention;
Fig. 4 is a data structure parameter diagram of a DataContent data packet according to an embodiment of the present invention;
Fig. 5 is a data structure parameter diagram of a first data packet according to an embodiment of the present invention;
Fig. 6 is a parameter diagram of another data structure of a DataContent packet according to an embodiment of the present invention;
Fig. 7 is a data structure parameter diagram of a Parameter data packet according to an embodiment of the present invention;
Fig. 8 is a data structure parameter diagram of a ParameterKey data packet according to an embodiment of the present invention;
Fig. 9 is a data structure parameter diagram of the CallData packet according to an embodiment of the present invention.
Detailed Description
In order that the objects and advantages of the invention will be more clearly understood, the invention is further described below with reference to examples; it should be understood that the specific embodiments described herein are merely illustrative of the invention and do not delimit the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are only for explaining the technical principle of the present invention, and do not limit the scope of the present invention.
It should be noted that in the description of the present invention, the terms of direction or positional relationship indicated by the terms "upper", "lower", "left", "right", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, which are only for convenience of description, and do not indicate or imply that the device or element must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention.
Furthermore, it should be noted that, in the description of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
Referring to fig. 1A and fig. 1B, a method for replacing a user name and a password in an ORACLE10G authentication process based on a proxy according to an embodiment of the present invention includes:
step S110, the agent application program issues a real user name and a real password for the client, and issues a virtual user name which has a mapping relation with the real user name and the real password;
step S120, connecting the client with the agent application program according to the real user name and the real password;
step S130, capturing a first data packet sent by the client;
step S140, judging, according to the real user name issued by the agent application program, whether the user name in the first data packet is consistent with the real user name; if so, replacing the user name length and the user name data value in the first data packet to form a second data packet, and sending the second data packet to the server;
step S150, capturing a return data packet of the server to the second data packet, replacing a key of the return data packet to form a third data packet, and sending the third data packet to the client;
step S160, capturing a fourth data packet of the client;
step S170, judging whether the user name in the fourth data packet is consistent with the virtual user name issued by the agent application program; if so, replacing the user name length and the user name data value in the fourth data packet, replacing in the parameter array the value of the parameter that carries the secret key, forming a fifth data packet from the replaced fourth data packet, and sending the fifth data packet to the server;
and step S180, intercepting a return data packet of the fifth data packet from the server side, judging whether the authentication is successful or not to record the authentication state, and sending the return data packet of the fifth data packet which is successfully authenticated to the client side.
In particular, the user name length is denoted UsernameLength, the user name is denoted Username, the key is denoted AUTH_SESSKEY, the parameter array is denoted Parameters, the parameter name is denoted ParameterKey and the parameter value is denoted ParameterValue; the server runs the ORACLE database.
Specifically, in the embodiment of the invention the agent application program issues a real user name and a real password together with a virtual user name mapped to the real user name; the first data packet of the client is obtained and its user name is checked against the real user name issued by the agent application program so that it can be replaced by the virtual user name; the packet is sent to the server and the return data packet obtained; the real password is replaced according to the return data packet and the replaced packet is sent to the client; the fourth data packet of the client is obtained and its user name checked against the virtual user name issued by the agent application program so that the virtual user name and the virtual password are substituted again and sent to the server; whether the authentication succeeded is judged from the server's return data packet and the successfully authenticated packet is sent to the client. By parsing the Oracle communication protocol in the agent application program, the real user name and the real password of the Oracle protocol handshake authentication are replaced by the virtual user name and the virtual password, which prevents leakage of the client's real credentials and the low security it would cause, and improves the security of the client and the server.
Referring to fig. 2, the communication protocol used by the proxy application, the client and the server is the TNS protocol, and the common data structure of the TNS protocol includes: Length, PacketChecksum, PacketType, Reserved, HeaderChecksum and PacketData, wherein the data value of Length is the length of the complete TNS packet;
referring to fig. 3, when the data value of PacketType is 0x6 the packet is a Data packet, and the data structure of the PacketData packet includes: DataFlag, DataID and DataContent;
referring to fig. 4, when the data value of DataID is 0x03, the data structure of the DataContent packet includes: CallId, CallSeq and CallData.
Specifically, the embodiment of the invention acquires the first data packet of the client, judges whether its user name is consistent with the real user name issued by the agent application program and substitutes the virtual user name; by parsing the Oracle communication protocol in the agent application program, the real user name and the real password of the handshake-phase authentication of the Oracle protocol are replaced by the virtual user name and the virtual password, which prevents leakage of the client's real credentials and the low security it would cause, and improves the security of the client and the server.
Referring to fig. 5, when the data value of CallId is 0x76 and the packet type is GetSessionKey, the first data packet is captured, and its data structure includes: Unused0, EncryptedUsernameLength, Unused1, UsernameLength, Username and ExtraData.
Specifically, the embodiment of the invention analyzes and obtains the first data packet of the client, and then judges whether the user name is consistent with the real user name signed by the agent application program so as to replace the user name with the virtual user name, and further analyzes the communication protocol of Oracle through the agent application program, replaces and tampers the real user name and the real password in the authentication process in the handshake phase of the Oracle protocol into the virtual user name and the virtual password, so that the real user name and the real password of the client are prevented from being leaked to cause low security, and the security of the client and the server is improved.
Specifically, when judging whether the user name in the first data packet is consistent with the real user name issued by the proxy application program, the Username in the GetSessionKey packet is compared with the real user name issued by the proxy application program; if they are consistent, the UsernameLength and the Username in the GetSessionKey data packet are replaced and the replaced data packet is sent to the server.
Specifically, the embodiment of the invention judges whether the user name in the client's first data packet is consistent with the real user name issued by the proxy application program and replaces it with the virtual user name, sends the packet to the server and obtains the return data packet, and replaces the real password according to the return data packet; by parsing the Oracle communication protocol in the proxy application program, the real user name and the real password of the handshake-phase authentication of the Oracle protocol are replaced by the virtual user name and the virtual password, which prevents leakage of the client's real credentials and the low security it would cause, and improves the security of the client and the server.
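As an added illustration of steps S130 and S140 (this is not code from the patent; the field widths, the 1-byte length fields and the DataFlag/CallSeq values are assumptions), the following Python parses a constructed GetSessionKey packet, checks its Username against the real user name issued by the proxy, and rewrites UsernameLength and Username with the virtual user name while keeping the TNS Length consistent:

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed field widths: the patent names these fields but gives no sizes.
# TNS header: Length(2, big-endian) PacketChecksum(2) PacketType(1) Reserved(1) HeaderChecksum(2)
# Data packet (PacketType 0x06): DataFlag(2) DataID(1) DataContent
# DataID 0x03: CallId(1) CallSeq(1) CallData
# CallId 0x76 (GetSessionKey) CallData: Unused0(1) EncryptedUsernameLength(1) Unused1(1)
#                                         UsernameLength(1) Username ExtraData
TNS_HEADER = struct.Struct(">HHBBH")
DATA_PREFIX = struct.Struct(">HBBB")  # DataFlag, DataID, CallId, CallSeq
PKT_DATA = 0x06
DATA_ID_CALL = 0x03
CALL_GET_SESSION_KEY = 0x76


@dataclass
class GetSessionKey:
    unused0: int
    encrypted_username_len: int
    unused1: int
    username: bytes
    extradata: bytes


def parse_get_session_key(pkt: bytes) -> Optional[GetSessionKey]:
    """Return the GetSessionKey fields of a first packet, or None for any other TNS packet."""
    if len(pkt) < TNS_HEADER.size:
        raise ValueError("packet shorter than a TNS header")
    length, _pcs, ptype, _rsv, _hcs = TNS_HEADER.unpack_from(pkt, 0)
    if length != len(pkt):
        raise ValueError(f"TNS Length {length} does not match {len(pkt)} bytes on the wire")
    if ptype != PKT_DATA or len(pkt) < TNS_HEADER.size + DATA_PREFIX.size:
        return None
    _flag, data_id, call_id, _seq = DATA_PREFIX.unpack_from(pkt, TNS_HEADER.size)
    if data_id != DATA_ID_CALL or call_id != CALL_GET_SESSION_KEY:
        return None
    cd = pkt[TNS_HEADER.size + DATA_PREFIX.size:]
    if len(cd) < 4 or 4 + cd[3] > len(cd):
        raise ValueError("UsernameLength runs past the end of the packet")
    ulen = cd[3]
    return GetSessionKey(cd[0], cd[1], cd[2], cd[4:4 + ulen], cd[4 + ulen:])


def build_get_session_key(username: bytes, extradata: bytes = b"") -> bytes:
    """Serialise a GetSessionKey packet under the layout above (used to construct samples)."""
    if len(username) > 255:
        raise ValueError("username too long for a 1-byte UsernameLength")
    call_data = bytes([0x00, len(username), 0x00, len(username)]) + username + extradata
    body = DATA_PREFIX.pack(0x0000, DATA_ID_CALL, CALL_GET_SESSION_KEY, 0x01) + call_data
    return TNS_HEADER.pack(TNS_HEADER.size + len(body), 0, PKT_DATA, 0, 0) + body


def rewrite_username(pkt: bytes, real_username: bytes,
                     virtual_username: bytes) -> Tuple[bytes, bool]:
    """Step S140: if the first packet carries the real user name the proxy issued, swap in the
    virtual user name, update the length fields and fix up the TNS Length.
    Anything else (other packet types, a user name the proxy did not issue) comes back untouched
    with False, so the caller can log it rather than forward a half-rewritten packet."""
    gsk = parse_get_session_key(pkt)
    if gsk is None or gsk.username != real_username:
        return pkt, False
    if len(virtual_username) > 255:
        raise ValueError("virtual user name too long for a 1-byte UsernameLength")
    # Assumption: EncryptedUsernameLength tracks the same length as UsernameLength.
    call_data = (bytes([gsk.unused0, len(virtual_username), gsk.unused1, len(virtual_username)])
                 + virtual_username + gsk.extradata)
    body = pkt[TNS_HEADER.size:TNS_HEADER.size + DATA_PREFIX.size] + call_data
    _len, pcs, ptype, rsv, hcs = TNS_HEADER.unpack_from(pkt, 0)
    # Checksums are copied through unchanged; recompute them if the deployment populates them.
    return TNS_HEADER.pack(TNS_HEADER.size + len(body), pcs, ptype, rsv, hcs) + body, True


if __name__ == "__main__":
    first = build_get_session_key(b"alice", b"\x00\x01")      # constructed sample
    second, changed = rewrite_username(first, b"alice", b"v_alice_7f")
    print(changed, parse_get_session_key(second))
```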
Referring to fig. 6, when the server side captures a return packet to the second packet, a basic structure of the return packet is PacketData, and when a data value of a DataID in the PacketData is 0 × 08, a data structure of a datacontent packet includes: numberOfParameters, parameters, and Payload.
Specifically, the embodiment of the invention analyzes the return data packet sent to the server, replaces the real password according to the return data packet, analyzes the Oracle communication protocol through the agent application program, replaces and tampers the real user name and the real password in the authentication process in the handshake phase of the Oracle protocol into the virtual user name and the virtual password, and prevents the leakage of the real user name and the real password of the client from causing low safety, thereby improving the safety of the client and the server.
Referring to fig. 7, the Parameters field contains several Parameter entries, and the data structure of any Parameter data packet includes: BeforeFlag, ParameterKey, ParameterValue, and Flag.
Specifically, the embodiment of the invention analyzes the return data packet and replaces the real password according to it. By further analyzing the Oracle communication protocol in the proxy application program, the real user name and the real password in the authentication step of the Oracle protocol handshake are replaced with the virtual user name and the virtual password, so the client's real user name and real password are not exposed, which improves the security of the client and the server.
Referring to fig. 8, the data structure of the ParameterKey data packet includes: BigLength, Length, and Value;
when the AUTH_SESSKEY of the return data packet is replaced to form a third data packet, the data value of Value in the ParameterKey data packet is replaced with the data value of ParameterValue of the Parameter in AUTH_SESSKEY, a virtual password is calculated for the virtual user name from the real user name and the real password, the real password is replaced with the virtual password, and the third data packet formed after replacement is sent to the client.
Specifically, the embodiment of the invention analyzes the captured fourth data packet of the client and judges whether the user name in it is consistent with the virtual user name issued by the proxy application program, so as to substitute the virtual user name and the virtual password once more and send them to the server. By further analyzing the Oracle communication protocol in the proxy application program, the real user name and the real password in the authentication step of the Oracle protocol handshake are replaced with the virtual user name and the virtual password, so the client's real user name and real password are not exposed, which improves the security of the client and the server.
Specifically, the fourth data packet captured from the client is an authentication data packet, and its data structure includes: CallId, CallSeq, and CallData.
Referring to fig. 9, when the data value of the CallId is 0x73, the data structure of the CallData data packet includes: Placeholder, BigUsernameLength, Flag, Placeholder1, NumOfParameters, Placeholder2, Placeholder3, UsernameLength, Username, Parameters, and Payload;
when judging, according to the user name in the fourth data packet, whether it is consistent with the virtual user name issued by the proxy application program, if so, the data values of Username and UsernameLength of the CallData data packet are replaced, wherein
the Parameters comprise a plurality of Parameters, the data structure of any Parameter data packet comprises: BeforeFlag, ParameterKey, ParameterValue and Flag, and the data structure of the ParameterKey data packet comprises: BigLength, Length and Value; the Value data value of the AUTH_SESSKEY Parameter is replaced according to the calculated Value data value to form a fifth data packet, and the fifth data packet is sent to the server.
Specifically, the embodiment of the invention analyzes the captured fourth data packet of the client and judges whether the user name in it is consistent with the virtual user name issued by the proxy application program, so as to substitute the virtual user name and the virtual password once more and send them to the server; it then judges from the server's return data packet whether authentication succeeded and forwards the successfully authenticated data packet to the client. By analyzing the Oracle communication protocol in the proxy application program, the real user name and the real password in the authentication step of the Oracle protocol handshake are replaced with the virtual user name and the virtual password, so the client's real user name and real password are not exposed, which improves the security of the client and the server.
Specifically, when the return data packet of the server to the fifth data packet is captured, the authentication state is determined according to the data value of the PacketType: when the data value of the PacketType is 0x08, authentication is judged successful, otherwise it is judged failed; the authentication result is recorded and forwarded to the client.
Specifically, the embodiment of the invention judges whether authentication succeeded by analyzing the server's return data packet once more and forwards the successfully authenticated data packet to the client. By analyzing the Oracle communication protocol in the proxy application program, the real user name and the real password in the authentication step of the Oracle protocol handshake are replaced with the virtual user name and the virtual password, so the client's real user name and real password are not exposed, which improves the security of the client and the server.
So far, the technical solutions of the present invention have been described in connection with the preferred embodiments shown in the drawings, but it is apparent to those skilled in the art that the scope of the present invention is not limited to these specific embodiments. Equivalent changes or substitutions of related technical features can be made by those skilled in the art without departing from the principle of the invention, and the technical scheme after the changes or substitutions can fall into the protection scope of the invention.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention; various modifications and alterations to this invention will become apparent to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A method for replacing a user name and a password in an ORACLE10G authentication process based on a proxy is characterized by comprising the following steps:
the agent application program issues a real user name and a real password for the client side, and issues a virtual user name which has a mapping relation with the real user name and the real password;
connecting the client with the agent application program according to the real user name and the real password;
capturing a first data packet sent by the client;
judging whether the user name in the first data packet is consistent with the real user name according to the real user name issued by the agent application program, if so, replacing the user name length and the data value of the user name in the first data packet to form a second data packet, and sending the second data packet to a server;
capturing a return data packet of the server to the second data packet, replacing a key of the return data packet to form a third data packet, and sending the third data packet to the client;
capturing a fourth data packet of the client;
judging whether the user name in the fourth data packet is consistent with the virtual user name issued by the agent application program or not according to the user name in the fourth data packet, if so, replacing the user name length and the data value of the user name in the fourth data packet, replacing the data value of the parameter name in the parameter array with the data value of the parameter array of the secret key, forming a fifth data packet from the replaced fourth data packet, and sending the fifth data packet to the server;
and capturing a return data packet of the fifth data packet from the server side, judging whether the authentication is successful or not to record the authentication state, and sending the return data packet of the fifth data packet which is successfully authenticated to the client side.
2. The method for replacing a user name and a password in an ORACLE10G authentication process based on a proxy according to claim 1, wherein the generic data structures of the TNS protocol used by the proxy application program, the client and the server each comprise: Length, PacketCheckSum, PacketType, Reserved, HeaderCheckSum and PacketData, wherein the data value of the Length is the length of the complete TNS packet;
when the data value of the PacketType is 0x6, the packet is a Data packet, and the data structure of the PacketData packet includes: DataFlag, DataID, and DataContent;
when the data value of the DataID is 0x03, the data structure of the DataContent packet includes: callId, callSeq, and CallData.
3. The method as claimed in claim 2, wherein when the data value of the CallId is 0x76 and the type of the packet is GetSessionKey, the first data packet is captured, and the data structure of the first data packet comprises: Unused0, EncryptedUsernameLength, Unused1, UsernameLength, Username, and ExtraData.
4. The method as claimed in claim 3, wherein, to judge whether the user name in the first data packet is consistent with the real user name issued by the proxy application program, the Username in the GetSessionKey is compared with the real user name issued by the proxy application program, and if they are consistent, the UsernameLength and the Username in the GetSessionKey are replaced and the replaced data packet is sent to the server.
5. The method as claimed in claim 4, wherein, when the return data packet of the server to the second data packet is captured, the basic structure of the return data packet is PacketData, and when the data value of the DataID in the PacketData is 0x08, the data structure of the DataContent packet includes: NumberOfParameters, Parameters, and Payload.
6. The method of claim 5, wherein the Parameters comprise a plurality of Parameters, and wherein the data structure of any Parameter packet comprises: BeforeFlag, ParameterKey, ParameterValue, and Flag.
7. The method of claim 6, wherein the data structure of the ParameterKey packet comprises: BigLength, Length, and Value;
when the AUTH_SESSKEY of the return data packet is replaced to form a third data packet, the data value of Value in the ParameterKey data packet is replaced with the data value of ParameterValue of the Parameter in AUTH_SESSKEY, a virtual password is calculated for the virtual user name from the real user name and the real password, the real password is replaced with the virtual password, and the third data packet formed after replacement is sent to the client.
8. The method of claim 7, wherein the fourth data packet captured from the client is an authentication data packet, and the data structure of the fourth data packet includes: callId, callSeq, and CallData;
when the data value of the CallId is 0x73, the data structure of the CallData packet includes: Placeholder, BigUsernameLength, Flag, Placeholder1, NumOfParameters, Placeholder2, Placeholder3, UsernameLength, Username, Parameters, and Payload.
9. The method as claimed in claim 8, wherein when the user name in the fourth data packet is judged to be consistent with the virtual user name issued by the agent application program, the data values of Username and UsernameLength of the CallData packet are replaced, wherein
the Parameters comprise a plurality of Parameters, the data structure of any Parameter data packet comprises: BeforeFlag, ParameterKey, ParameterValue and Flag, and the data structure of the ParameterKey data packet comprises: BigLength, Length and Value; the Value data value of the AUTH_SESSKEY Parameter is replaced according to the calculated Value data value to form a fifth data packet, and the fifth data packet is sent to the server.
10. The method for replacing the user name and the password in the ORACLE10G authentication process based on the agent as claimed in claim 9, wherein when capturing the returned data packet of the fifth data packet from the server, the authentication state is determined according to the data value of the PacketType, when the data value of the PacketType is 0x08, the authentication is determined to be successful, otherwise, the authentication is determined to be failed, the authentication result is recorded, and the authentication result is forwarded to the client.
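As an added worked example of the first-to-second data packet step (the GetSessionKey handling in the description and in claims 1 to 4), written for this page and not taken from the patent: the proxy parses the TNS header, confirms the packet is a Data packet carrying a GetSessionKey call, checks the Username against the real user name it issued, rewrites UsernameLength and Username to the virtual user name, and recomputes the header Length, which the page defines as the length of the complete TNS packet. Assumptions: the 8-byte TNS header uses the standard field sizes, and every body field after the 2-byte DataFlag is encoded as a single byte in the page's field order, a simplification of the real Oracle encoding.

```python
import struct

# Standard TNS header (8 bytes, big-endian): Length, PacketCheckSum, PacketType,
# Reserved, HeaderCheckSum. Field order is the page's; sizes are the usual TNS ones.
TNS_HEADER = struct.Struct(">HHBBH")
PACKET_TYPE_DATA = 0x06         # page: PacketType 0x6 means a Data packet
DATA_ID_CALL = 0x03             # page: DataID 0x03 -> CallId, CallSeq, CallData
CALL_ID_GET_SESSION_KEY = 0x76  # page: CallId 0x76 is the GetSessionKey packet
# ASSUMED simplified body layout after the header, one byte per field except DataFlag:
# DataFlag(2) DataID(1) CallId(1) CallSeq(1) Unused0(1) EncryptedUsernameLength(1)
# Unused1(1) UsernameLength(1) Username(n) ExtraData(rest)
BODY_PREFIX_LEN = 9  # bytes up to and including UsernameLength


class ProxyError(Exception):
    """Raised when a packet is not one the proxy should rewrite."""


def parse_get_session_key(pkt: bytes):
    """Return (body prefix before UsernameLength, Username, ExtraData) of a GetSessionKey packet."""
    if len(pkt) < TNS_HEADER.size:
        raise ProxyError("packet shorter than the TNS header")
    length, _, ptype, _, _ = TNS_HEADER.unpack_from(pkt, 0)
    if length != len(pkt):
        raise ProxyError("Length field does not equal the complete TNS packet length")
    if ptype != PACKET_TYPE_DATA:
        raise ProxyError("not a Data packet")
    body = pkt[TNS_HEADER.size:]
    if len(body) < BODY_PREFIX_LEN:
        raise ProxyError("body too short for a GetSessionKey call")
    if body[2] != DATA_ID_CALL or body[3] != CALL_ID_GET_SESSION_KEY:
        raise ProxyError("not a GetSessionKey packet")
    user_len = body[BODY_PREFIX_LEN - 1]
    username = body[BODY_PREFIX_LEN:BODY_PREFIX_LEN + user_len]
    if len(username) != user_len:
        raise ProxyError("UsernameLength exceeds the remaining packet")
    return body[:BODY_PREFIX_LEN - 1], username, body[BODY_PREFIX_LEN + user_len:]


def substitute_username(pkt: bytes, real_user: bytes, virtual_user: bytes) -> bytes:
    """Form the second data packet: swap the real user name for the virtual one.

    Only a packet whose Username equals the real user name issued by the proxy is
    rewritten; any other name is refused rather than forwarded. Because the virtual
    name may differ in length, the header Length is recomputed for the new packet.
    """
    prefix, username, extra = parse_get_session_key(pkt)
    if username != real_user:
        raise ProxyError("Username is not the real user name issued by the proxy")
    if not 0 < len(virtual_user) <= 0xFF:
        raise ProxyError("virtual user name does not fit a one-byte UsernameLength")
    body = prefix + bytes([len(virtual_user)]) + virtual_user + extra
    _, pcs, ptype, rsv, hcs = TNS_HEADER.unpack_from(pkt, 0)
    return TNS_HEADER.pack(TNS_HEADER.size + len(body), pcs, ptype, rsv, hcs) + body


def build_get_session_key(username: bytes, extra: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample packet (not a capture) in the assumed layout, for testing."""
    body = bytes([0x00, 0x00, DATA_ID_CALL, CALL_ID_GET_SESSION_KEY, 0x01,
                  0x00, 0x00, 0x00, len(username)]) + username + extra
    return TNS_HEADER.pack(TNS_HEADER.size + len(body), 0, PACKET_TYPE_DATA, 0, 0) + body
```

Calling `substitute_username(build_get_session_key(b"app_real"), b"app_real", b"virt_user_01")` yields a packet four bytes longer than the input whose Length field again equals its total size.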
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211663150.1A CN115632892B (en) | 2022-12-23 | 2022-12-23 | Method for replacing user name and password in ORACLE10G authentication process based on proxy |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115632892A CN115632892A (en) | 2023-01-20 |
CN115632892B true CN115632892B (en) | 2023-03-10 |
Family ID: 84910604
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211663150.1A Active CN115632892B (en) | 2022-12-23 | 2022-12-23 | Method for replacing user name and password in ORACLE10G authentication process based on proxy |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115632892B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106330972A (en) * | 2016-10-27 | 2017-01-11 | 成都知道创宇信息技术有限公司 | Method for protecting website password of user |
CN112749182A (en) * | 2019-10-30 | 2021-05-04 | 深圳市傲冠软件股份有限公司 | Method, audit terminal, device and storage medium for agent access to Oracle database |
CN113630387A (en) * | 2021-07-21 | 2021-11-09 | 北京景安云信科技有限公司 | Method for realizing user name and password replacement in MySQL protocol authentication process based on proxy |
CN113641974A (en) * | 2021-10-18 | 2021-11-12 | 北京安华金和科技有限公司 | Database access control method and system based on cryptographic bridge |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8307433B2 (en) * | 2009-11-20 | 2012-11-06 | College Of William And Mary | Client side username/password credential protection |
US10454921B1 (en) * | 2014-09-18 | 2019-10-22 | Trend Micro Inc. | Protection of authentication credentials of cloud services |
2022
- 2022-12-23 CN CN202211663150.1A patent/CN115632892B/en active Active
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||