Hi,
I need to somehow pipe the password to a command and run some SQL, for example, something like echo $password | sqlplus -s system @query01.sql
To make it not so obvious, I decided to try out writing a small C program that basically just do echo $password. So now I just do x9.out | sqlplus -s system@query01.sql.
I understand it still is not a secure thing to do as someone can just run x9.out and knows the password. Anyway, the intent is to make is less obvious that I am echo'ing a password so I am more than happy with that for the time being as a start.
The very, very simple C program is a below:
$ cat x9.c
#include <stdio.h>
int main()
{
char array[20] = "hello";
printf("%s",array);
return 0;
}
$ cc -o x9.out x9.c
$ ./x9.out
hello$
$ strings x9.out
/lib64/ld-linux-x86-64.so.2
__gmon_start__
libc.so.6
printf
__libc_start_main
GLIBC_2.2.5
l$ L
t$(L
|$0H
hello
Unfortunately, as you can see if I do a strings of the x9.out file, it is quite obvious that the word hello stands out.
Can anyone please advise how I can somehow hide that word in the bushes ;)?
For example, maybe I can do a printf of the ASCII values of the word so that if anyone do a strings of it, it shows number instead of words.
Finally, eventually, I would want to put something more into the code so that it will be an array that stores a list of username+password, so that if I do x9.out user01 it prints the password of user01, x9.out user02 prints the password of user02 and so on. It will probably be wise that it prompts for a username/password before it allows me to display the information.
BTW, it would be nice if I can put the whole "echo $password | sqlplus -s system" string into the C program so that I only do x9.out @query01.sql so it hides the username and password. I don't see how that they can be done, maybe one of the gurus can advice how to do that.
Anyway for now, I just want to know how to hide from UNIX strings