Posted 26 January 2024 (author: )
Foreign Literature Material
Overview
The Data Server
In this information age, the data server has become the heart of a company.
This one piece of software controls the rhythm of most organizations and is used to
pump information lifeblood through the arteries of the network. Because of the
critical nature of this application, the data server is also one of the most popular
targets for hackers. If a hacker owns this application, he can cause the company's
"heart" to suffer a fatal arrest.
Ironically, although most users are now aware of hackers, they still do not
realize how susceptible their database servers are to hack attacks. Thus, this article
presents a description of the primary methods of attacking database servers (also
known as SQL servers) and shows you how to protect yourself from these attacks.
You should note this information is not new. Many technical white papers go
into great detail about how to perform SQL attacks, and numerous vulnerabilities
have been posted to security lists that describe exactly how certain database
applications can be exploited. This article was written for the curious non-SQL
experts who do not care to know the details, and as a review to those who do use
SQL regularly.
What Is a SQL Server?
A database application is a program that provides clients with access to data.
There are many variations of this type of application, ranging from the expensive
enterprise-level Microsoft SQL Server to the free and open source MySQL.
Regardless of the flavor, most database server applications have several things in
common.
First, database applications use the same general programming language
known as SQL, or Structured Query Language. This language, also known as a
fourth-level language due to its simplistic syntax, is at the core of how a client
communicates its requests to the server. Using SQL in its simplest form, a
programmer can select, add, update, and delete information in a database. However,
SQL can also be used to create and design entire databases, perform various
functions on the returned information, and even execute other programs.
To illustrate how SQL can be used, the following is an example of a simple
standard SQL query and a more powerful SQL query:
Simple: "Select * from ir"
This returns all information in the table tblChair from the database
dbFurniture.
Complex: "xp_cmdshell 'dir c:'"
This short SQL command returns to the client the list of files and folders
under the c: directory of the SQL server. Note that this example uses an extended
stored procedure that is exclusive to MS SQL Server.
The second thing that database server applications share is that they all
require some form of authenticated connection between client and host. Although
the SQL language is fairly easy to use, at least in its basic form, any client that
wants to perform queries must first provide some form of credentials that will
authorize the client; the client also must define the format of the request and
response.
This connection is defined by several attributes, depending on the relative
location of the client and what operating systems are in use. We could spend a
whole article discussing various technologies such as DSN connections, DSN-less
connections, RDO, ADO, and more, but these subjects are outside the scope of this
article. If you want to learn more about them, a little Google'ing will provide you
with more than enough information. However, the following is a list of the more
common items included in a connection request.
Database source
Request type
Database
User ID
Password
Before any connection can be made, the client must define what type of
database server it is connecting to. This is handled by a software component that
provides the client with the instructions needed to create the request in the correct
format. In addition to the type of database, the request type can be used to further
define how the client's request will be handled by the server. Next comes the
database name and finally the authentication information.
All the connection information is important, but by far the weakest link is the
authentication information—or lack thereof. In a properly managed server, each
database has its own users with specifically designated permissions that control
what type of activity they can perform. For example, a user account would be set
up as read only for applications that need to only access information. Another
account should be used for inserts or updates, and maybe even a third account
would be used for deletes. This type of account control ensures that any
compromised account is limited in functionality. Unfortunately, many database
programs are set up with null or easy passwords, which leads to successful hack
attacks.
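The account separation described above (a read-only account, an insert/update account and a delete account), together with the two checks a DBA would want against the weaknesses the article names (null or trivial passwords, and the extended stored procedure shown in the complex query being callable), written out in T-SQL as an added example that is not part of the original article. The login and role names, the dbFurniture database and the '<...>' password placeholders are assumptions for illustration.

```sql
-- Added example, not from the article: least-privilege account separation
-- for the article's hypothetical dbFurniture database, plus the two checks a
-- DBA would run against the weaknesses the article names (blank or trivial
-- passwords, and xp_cmdshell being callable). Login/role names and the
-- '<...>' password placeholders are assumptions for illustration.
USE master;
GO

-- 1. Three separate logins, one per duty. CHECK_POLICY ties password
--    complexity and lockout to the Windows policy, so an empty or trivial
--    password is rejected at creation time.
CREATE LOGIN furniture_reader  WITH PASSWORD = '<strong-password-1>', CHECK_POLICY = ON;
CREATE LOGIN furniture_writer  WITH PASSWORD = '<strong-password-2>', CHECK_POLICY = ON;
CREATE LOGIN furniture_deleter WITH PASSWORD = '<strong-password-3>', CHECK_POLICY = ON;
GO

USE dbFurniture;
GO

-- 2. Map each login to a database user and put each user in a role that
--    carries only the permission that duty needs on the dbo schema.
CREATE USER furniture_reader  FOR LOGIN furniture_reader;
CREATE USER furniture_writer  FOR LOGIN furniture_writer;
CREATE USER furniture_deleter FOR LOGIN furniture_deleter;

CREATE ROLE furniture_read_only;
CREATE ROLE furniture_insert_update;
CREATE ROLE furniture_delete_only;

GRANT SELECT         ON SCHEMA::dbo TO furniture_read_only;
GRANT INSERT, UPDATE ON SCHEMA::dbo TO furniture_insert_update;
GRANT DELETE         ON SCHEMA::dbo TO furniture_delete_only;

ALTER ROLE furniture_read_only     ADD MEMBER furniture_reader;
ALTER ROLE furniture_insert_update ADD MEMBER furniture_writer;
ALTER ROLE furniture_delete_only   ADD MEMBER furniture_deleter;
GO

-- 3. Find SQL logins whose password is blank or equals the login name;
--    PWDCOMPARE returns 1 when the clear-text candidate matches the stored hash.
SELECT name
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1
   OR  PWDCOMPARE(name, password_hash) = 1;

-- 4. Switch off the extended stored procedure used in the article's complex
--    query, then read back the running value (0 means disabled).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';
GO
```

Run the script as a sysadmin; an application that connects with furniture_reader can then only read, and a compromise of that account cannot alter or delete rows.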
Materials Management Software (MMS)
Materials Management Software (MMS) is one of the fastest growing
segments of the business software market, climbing to more than $16 billion in
annual sales since its beginnings in 1979. Although sales have slowed since Y2K,
some market analysts predict that the market for MMS and implementation
services could continue to grow to more than $21 billion annually. MMS offers a
single system, which links all corporate operations including planning,
manufacturing, inventory control, purchasing, sales, accounting, and human
resources.
Much of the growth of MMS implementation is fueled by "silver bullet"
promises of productivity enhancements from MMS applications. These include
inventory reduction, inventory accuracy improvements, added manufacturing
flexibility, faster customer responsiveness, better communications with suppliers
and vendors, more timely and accurate forecasting, rapid delivery of custom quotes
or special orders, and the elimination of redundant procedures. However, in
contrast to the promises, there is evidence that MMS implementations fail at a very
high rate. Some have suggested that 70 percent of implementations fail to meet
stated objectives. One $5 billion pharmaceutical company even filed bankruptcy
arguing that the primary cause of its difficulties was a failed MMS implementation
that had crippled the business.
In an implementation failure, problems tend to increase the closer you get to
value-adding operations. Ask an MMS user if the system really supports
manufacturing operations. Then ask why the answer to this question is often
different in the accounting department than it is in the manufacturing department.
The answers may be found in the beginnings of MMS.
The initial goal of MMS systems was not the improvement of manufacturing
operations, but the reduction of the effort invested in managing data entry and
paperwork. Early systems (such as the first MMS system, SAP R/2) simply
integrated operational and financial data into a single database. They were
designed by finance and accounting people with help from the computer staff. The
net result was that the MMS system serviced the data needs of the finance and
accounting departments, while manufacturing and operations serviced the data
needs of the MMS system. This is still largely the case for many MMS
implementations. Consider this: of the five largest MMS consulting firms
(Anderson Consulting, Ernst & Young, PriceWaterhouseCoopers, Deloitte &
Touche, and IBM Global Services), all but one has grown out of the accounting
industry, and that one is a computer firm.
A manufacturing operation marches on its shop-floor operations. Failure to
recognize this causes MMS implementers to favor accounting and finance needs at
the expense of manufacturing, so what is seen as a tool at the corporate office is
seen as a burden on the shop floor. One consumer products manufacturer installed
an MMS system with a component that collected machine down-time from the
shop floor. Operators were required to input data describing the nature of all
down-time. The system then took this data and transmitted it to the corporate
accounting department three states away instead of providing feedback to the shop.
Worse still, this information was later used to attack unarmed manufacturing
supervisors.
The good news is that an MMS system does not have to be an either/or tool
for the corporate office or the shop floor. Most systems capture the information
needed to support both or can be modified to do so. The key is to understand what
data is required where and when to drive operations, then to provide systems that
supply this data. The shop floor requires a lower level of operational data at a
higher frequency than the front office. How they did last month is of little use to an
operator; he or she needs to know how they are doing right now.
Using the MMS system to support manufacturing operations requires three
things. First, a thorough understanding of the manufacturing operations and shop
floor data needs should precede the selection of an MMS package. Manufacturing
will need quick operational feedback and visual controls to improve efficiency. If
the package comes with the functionality to support your operations, it will cut
down on software customization or operational compromises. Flow charting shop
floor operations (both materials and information flow) is the best place to start
understanding the requirements for an MMS implementation or evaluating
improvements to an existing MMS system.
Second, involving manufacturing personnel in the MMS development or
improvement effort will promote acceptance and use of the system, greatly
increase your probability of a successful implementation, and allow the creation of
a shop floor tool instead of a shop floor burden. Only through the involvement of
manufacturing personnel can you produce a system that does something for them
instead of to them.
Finally, choose a consultant carefully. An MMS consultant (or system
integrator) will lead you through the system implementation or modification
process. It has been said that if your only tool is a hammer everything looks like a
nail. The same applies to consultants who follow an MMS script instead of really
understanding your operations. If you are a manufacturer, find a consultant who
understands manufacturing. You can't expect the makeup counter at Parisian to
overhaul your transmission. IT and finance knowledge are important, but by
themselves they won't help much in getting your MMS system to support the shop
floor.
If you compete through manufacturing, installing an MMS system that doesn't
support the shop floor is like putting a $2,000 stereo into your car but never
changing the oil. Don't stop with a system that simply reduces paperwork and
speeds the preparation of financial statements. Timely, accurate, and pertinent
information in the hands of shop floor personnel will improve your operations and
might be just what is needed to awaken a sleeping giant.
Is ERP a Silver Bullet?
J. Palmer Brown
Enterprise resources planning (ERP) is one of the fastest growing segments of
the business software market, climbing to more than $16 billion in annual sales
since its beginnings in 1979. Although sales have slowed since Y2K, some market
analysts predict that the market for ERP software and implementation services
could continue to grow to more than $21 billion annually. ERP offers a single
system, which links all corporate operations including planning, manufacturing,
inventory control, purchasing, sales, accounting, and human resources.
Much of the growth of ERP implementation is fueled by "silver bullet"
promises of productivity enhancements from ERP applications. These include
inventory reduction, inventory accuracy improvements, added manufacturing
flexibility, faster customer responsiveness, better communications with suppliers
and vendors, more timely and accurate forecasting, rapid delivery of custom quotes
or special orders, and the elimination of redundant procedures. However, in
contrast to the promises, there is evidence that ERP implementations fail at a very
high rate. Some have suggested that 70 percent of implementations fail to meet
stated objectives. One $5 billion pharmaceutical company even filed bankruptcy
arguing that the primary cause of its difficulties was a failed ERP implementation
that had crippled the business.
In an implementation failure, problems tend to increase the closer you get to
value-adding operations. Ask an ERP user if the system really supports
manufacturing operations. Then ask why the answer to this question is often
different in the accounting department than it is in the manufacturing department.
The answers may be found in the beginnings of ERP.
The initial goal of ERP systems was not the improvement of manufacturing
operations, but the reduction of the effort invested in managing data entry and
paperwork. Early systems (such as the first ERP system, SAP R/2) simply
integrated operational and financial data into a single database. They were
designed by finance and accounting people with help from the computer staff. The
net result was that the ERP system serviced the data needs of the finance and
accounting departments, while manufacturing and operations serviced the data
needs of the ERP system. This is still largely the case for many ERP
implementations. Consider this: of the five largest ERP consulting firms (Anderson
Consulting, Ernst & Young, PriceWaterhouseCoopers, Deloitte & Touche, and
IBM Global Services), all but one has grown out of the accounting industry, and
that one is a computer firm.
A manufacturing operation marches on its shop-floor operations. Failure to
recognize this causes ERP implementers to favor accounting and finance needs at
the expense of manufacturing, so what is seen as a tool at the corporate office is
seen as a burden on the shop floor. One consumer products manufacturer installed an ERP system with a
component that collected machine down-time from the shop floor. Operators were
required to input data describing the nature of all down-time. The system then took
this data and transmitted it to the corporate accounting department three states
away instead of providing feedback to the shop. Worse still, this information was
later used to attack unarmed manufacturing supervisors.
The good news is that an ERP system does not have to be an either/or tool for
the corporate office or the shop floor. Most systems capture the information needed
to support both or can be modified to do so. The key is to understand what data is
required where and when to drive operations, then to provide systems that supply this
data. The shop floor requires a lower level of operational data at a higher frequency
than the front office. How they did last month is of little use to an operator; he or
she needs to know how they are doing right now.
Using the ERP system to support manufacturing operations requires three
things. First, a thorough understanding of the manufacturing operations and shop
floor data needs should precede the selection of an ERP package. Manufacturing
will need quick operational feedback and visual controls to improve efficiency. If
the package comes with the functionality to support your operations, it will cut
down on software customization or operational compromises. Flow charting shop
floor operations (both materials and information flow) is the best place to start
understanding the requirements for an ERP implementation or evaluating
improvements to an existing ERP system.
Second, involving manufacturing personnel in the ERP development or
improvement effort will promote acceptance and use of the system, greatly
increase your probability of a successful implementation, and allow the creation of
a shop floor tool instead of a shop floor burden. Only through the involvement of
manufacturing personnel can you produce a system that does something for them
instead of to them.
Finally, choose a consultant carefully. An ERP consultant (or system
integrator) will lead you through the system implementation or modification
process. It has been said that if your only tool is a hammer everything looks like a
nail. The same applies to consultants who follow an ERP script instead of really
understanding your operations. If you are a manufacturer, find a consultant who
understands manufacturing. You can't
expect the makeup counter at Parisian to overhaul your transmission. IT and
finance knowledge are important, but by themselves they won't help much in
getting your ERP system to support the shop floor.
If you compete through manufacturing, installing an ERP system that doesn't
support the shop floor is like putting a $2,000 stereo into your car but never
changing the oil. Don't stop with a system that simply reduces paperwork and
speeds the preparation of financial statements. Timely, accurate, and pertinent
information in the hands of shop floor personnel will improve your operations and
might be just what is needed to awaken a sleeping giant.
Chinese Translation
Overview
The Database Server
In this information age, the database server has become the core of the company. This piece of software controls the operating rhythm of every organization, just as the arteries control the flow of blood through the human body. Because of the critical nature of this kind of application, the database server is also one of the targets hackers care about most. If a hacker obtains authentication, he will be able to deal a fatal blow to the company's "heart".
Ironically, although many users are now aware of hackers, they still do not understand how easily their database servers can be attacked. Therefore, this article describes how hackers attack database servers (for example SQL servers) and shows how you should protect your own data when you are under attack.
We should note that this information is constantly being updated. Many technical white papers describe in detail how hackers carry out attacks on SQL databases, and numerous vulnerabilities have been written up in security lists, explaining in detail how applications can be exploited.
What Is a SQL Server?
A database application is a program that provides users with a channel to data. There are many kinds of applications, ranging from Microsoft SQL Server for large enterprises to the openly available MySQL. Whatever the kind, most database server applications have several things in common.
First, database applications all use the same SQL language, or Structured Query Language. This language, which also counts as a fourth-generation language because of its simple syntax, is the core of how a client sends requests to the database server. Using SQL in its simplest form, a programmer can select, add, update, and delete information in a database. However, SQL can also be used to create and design entire databases, perform various functions on the returned information, and even run other programs.
To illustrate how SQL is used, the following is a simple standard SQL query and a complex SQL query:
Simple: "Select * from ir"
This selects all the data in tblChair from the database dbFurniture.
Complex: "xp_cmdshell 'dir c:'"
This short SQL command returns to the client the files under the c: directory of the SQL server; note that this example uses an extended stored procedure exclusive to MS SQL Server.
The second feature that database server applications share is that they all need some form of authenticated connection between client and host. Although the basic syntax of SQL is easy to use, any user who wants to run queries must first provide authentication; passing authentication authorizes the client, and the client must also define the format of the request and the response.
This connection is defined by a number of attributes, depending on the location of the client and what operating system the client is using. We could use a whole chapter to discuss these connection technologies, such as DSN connections, DSN-less connections, RDO, ADO, and so on, but these
Database source
Request type
Database
User ID
Password
Before any connection can be made, the client must define what type of server it is connecting to. This is handled by a software component that gives the client the instructions needed to produce the request in the correct format. Besides the type of database, the request type can be used to further define how the client's request will be handled by the database. Next comes the database name and finally the authentication data.
All connection information is important, but clearly the weakest link is the authentication data, or the lack of it. On a properly managed server, each database has its own users with explicitly assigned permissions that control what kind of activity they can perform. For example, a user account would be set up as read-only for applications that only need to access data.
Another account should be used for inserts or updates, and perhaps even a third account would be used for deletes. This kind of account control ensures that any compromised account is limited in functionality. Unfortunately, many database projects are set up with null or easy passwords, which leads to successful hack attacks.
Materials Management Software (MMS)
Materials Management Software (MMS) is one of the fastest-growing parts of the software market; since its debut in 1979, its annual sales have climbed to more than 16 billion US dollars. Although sales have slowed since 2000, some market analysts predict that the market for MMS software and implementation services can keep growing to annual sales of more than 21 billion US dollars. ERP provides a single system that links all cooperative operations, including planning, production, inventory control, purchasing, sales, finance, and human resources.
Much of the growth in MMS implementation comes from the "silver bullet" promise that applying MMS software will raise productivity. This includes inventory reduction, improved inventory accuracy, increased production flexibility, faster customer responsiveness, better contact with suppliers and vendors, more timely and accurate forecasting, rapid delivery of quotes or special orders, and the elimination of redundant procedures. However, in contrast to those promises, MMS implementations clearly have a very high failure rate. Some data show that 70% of expected objectives are not achieved. One 5-billion-dollar pharmaceutical company even filed for bankruptcy, stating that the main cause was a failed MMS implementation that had severely weakened the business.
In MMS failure cases, the problems tend to increase toward your value-adding operations. Ask an MMS user whether the system really supports the production process, then ask why the answer to this question is often different in the finance department and the production department. The answer may be found in the beginnings of ERP.
The initial goal of MMS systems was not the improvement of production operations but the reduction of investment in managing data entry and paperwork. Early systems (for example the first MMS system, SAP R/2) simply integrated operational and financial data into a single database, and were designed by finance and accounting staff with the help of computer staff. The end result was that the MMS system served the data needs of the finance and accounting office, while production and operations served the data needs of the MMS system. This is still the situation of many MMS implementations. Consider this: of the five largest MMS consulting firms (Anderson Consulting, Ernst & Young, PriceWaterhouseCoopers, Deloitte & Touche, and IBM Global Services), nearly all grew out of the accounting industry, and the others are computer firms.
A manufacturing enterprise runs in its production workshop. If this is not recognized, an MMS implementation will support the needs of finance and accounting at the expense of production, so the MMS that is seen as a tool in the corporate office is seen as a burden in the workshop. One consumer products manufacturer installed an MMS system that collected machine downtime in the workshop; operators were required to enter data describing each downtime, and the system then read this data and transmitted it to the finance office three states away instead of providing a feedback sheet to the workshop. Worse still, this information was later used to attack unprepared production supervisors.
Fortunately, an MMS system is not a tool that must support either the corporate office or the workshop. The information captured by most systems can support both, or the system can be improved to do so. The key is to understand what data is required, and when and where it drives operations, and then to provide systems that supply this data. Compared with the front office, the workshop needs lower-level operational data at a higher frequency. How they did last month is of little use to an operator; he or she only needs to know how they are doing right now.
Using an MMS system to support production operations requires three things:
First, before selecting ERP software, you should thoroughly understand the production process and the workshop's data needs; manufacturing needs quick operational feedback and visual controls to improve efficiency. If the software package has the functionality to support your production operations, it will reduce software customization or operational compromises. To understand the requirements of an MMS system or to evaluate an existing MMS system, flowcharting workshop operations, including both material flow and information flow, is the best starting point.
Second, having production personnel take part in MMS development or improvement efforts will promote acceptance and use of the system, greatly increase your probability of a successful implementation, and create a workshop tool rather than a workshop burden. Only through the involvement of production personnel will you produce a system that does something for them rather than one that commands them.
Finally, choose a consultant carefully. An MMS consultant (or system integrator) will guide you through the whole process of system implementation or process transformation. People often say that if your only tool is a hammer, everything looks like a nail. The same is true of consultants who only follow an MMS script without understanding your operations. If you are a manufacturer, find a consultant who understands production. You cannot expect the cosmetics counter in Paris to inspect your transmission; IT and financial knowledge are important, but by themselves they are of little use in making your MMS system support the production workshop.
If you compete in the production field, installing an MMS system that does not support the production workshop is like installing a 2,000-dollar stereo in your car but never adding oil. Do not be satisfied with merely reducing paperwork and speeding up the preparation of financial statements. Timely and accurate information in the hands of workshop personnel will improve your operations, and may well be just what is needed to awaken a sleeping giant.
Is ERP Really a Silver Bullet?
Enterprise Resource Planning (ERP) is one of the fastest-growing parts of the business software market; since its debut in 1979, its annual sales have climbed to more than 16 billion US dollars. Although sales have slowed since 2000, some market analysts predict that the market for ERP software and implementation services can keep growing to annual sales of more than 21 billion US dollars. ERP provides a single system that links all cooperative operations, including planning, production, inventory control, purchasing, sales, finance, and human resources.
Much of the growth in ERP implementation comes from the "silver bullet" promise that applying ERP software will raise productivity. This includes inventory reduction, improved inventory accuracy, increased production flexibility, faster customer responsiveness, better contact with suppliers and vendors, more timely and accurate forecasting, rapid delivery of quotes or special orders, and the elimination of redundant procedures. However, in contrast to those promises, ERP implementations clearly have a very high failure rate. Some data show that 70% of expected objectives are not achieved. One 5-billion-dollar pharmaceutical company even filed for bankruptcy, stating that the main cause was a failed ERP implementation that had severely weakened the business.
In ERP failure cases, the problems tend to increase toward your value-adding operations. Ask an ERP user whether the system really supports the production process, then ask why the answer to this question is often different in the finance department and the production department. The answer may be found in the beginnings of ERP.
The initial goal of ERP systems was not the improvement of production operations but the reduction of investment in managing data entry and paperwork. Early systems (for example the first ERP system, SAP R/2) simply integrated operational and financial data into a single database, and were designed by finance and accounting staff with the help of computer staff. The end result was that the ERP system served the data needs of the finance and accounting office, while production and operations served the data needs of the ERP system. This is still the situation of many ERP implementations. Consider this: of the five largest ERP consulting firms (Anderson Consulting, Ernst & Young, PriceWaterhouseCoopers, Deloitte & Touche, and IBM Global Services), nearly all grew out of the accounting industry, and the others are computer firms.
A manufacturing enterprise runs in its production workshop. If this is not recognized, an ERP implementation will support the needs of finance and accounting at the expense of production, so the ERP that is seen as a tool in the corporate office is seen as a burden in the workshop. One consumer products manufacturer installed an ERP system that collected machine downtime in the workshop; operators were required to enter data describing each downtime, and the system then read this data and transmitted it to the finance office three states away instead of providing a feedback sheet to the workshop. Worse still, this information was later used to attack unprepared production supervisors.
Fortunately, an ERP system is not a tool that must support either the corporate office or the workshop. The information captured by most systems can support both, or the system can be improved to do so. The key is to understand what data is required, and when and where it drives operations, and then to provide systems that supply this data. Compared with the front office, the workshop needs lower-level operational data at a higher frequency. How they did last month is of little use to an operator; he or she only needs to know how they are doing right now.
Using an ERP system to support production operations requires three things:
First, before selecting ERP software, you should thoroughly understand the production process and the workshop's data needs; manufacturing needs quick operational feedback and visual controls to improve efficiency. If the software package has the functionality to support your production operations, it will reduce software customization or operational compromises. To understand the requirements of an ERP system or to evaluate an existing ERP system, flowcharting workshop operations, including both material flow and information flow, is the best starting point.
Second, having production personnel take part in ERP development or improvement efforts will promote acceptance and use of the system, greatly increase your probability of a successful implementation, and create a workshop tool rather than a workshop burden. Only through the involvement of production personnel will you produce a system that does something for them rather than one that commands them.
Finally, choose a consultant carefully. An ERP consultant (or system integrator) will guide you through the whole process of system implementation or process transformation. People often say that if your only tool is a hammer, everything looks like a nail. The same is true of consultants who only follow an ERP script without understanding your operations. If you are a manufacturer, find a consultant who understands production. You cannot expect the cosmetics counter in Paris to inspect your transmission; IT and financial knowledge are important, but by themselves they are of little use in making your ERP system support the production workshop.
If you compete in the production field, installing an ERP system that does not support the production workshop is like installing a 2,000-dollar stereo in your car but never adding oil. Do not be satisfied with merely reducing paperwork and speeding up the preparation of financial statements. Timely and accurate information in the hands of workshop personnel will improve your operations, and may well be just what is needed to awaken a sleeping giant.
Publisher: admin. Please cite the source when reposting: http://www.yc00.com/web/1706277795a1449310.html