• VIEWS for Oracle object privileges


    The most important VIEWS for Oracle object privileges are listed below. The prefix tells you the scope: USER_ views show what is granted to (or by) the connected user, ALL_ views show what the connected user can see or access, ROLE_ views show what is granted to roles the user holds, and DBA_ views show everything in the database (reading DBA_ views requires the DBA role or a privilege such as SELECT ANY DICTIONARY).

    USER_TAB_PRIVS
    ALL_TAB_PRIVS
    ROLE_TAB_PRIVS
    DBA_TAB_PRIVS

    USER_ROLE_PRIVS
    ROLE_ROLE_PRIVS
    DBA_ROLE_PRIVS

    (There is no ALL_ROLE_PRIVS view; role grants are only exposed through the USER_, ROLE_ and DBA_ variants.)


    Additionally there are privileges that pertain to the whole system rather than to a particular object, such as CREATE SESSION, ALTER USER or GRANT ANY ROLE. These are called system privileges and have their own set of views:

    USER_SYS_PRIVS
    ROLE_SYS_PRIVS
    DBA_SYS_PRIVS

    (As with role grants, there is no ALL_SYS_PRIVS view.)

    Then the VIEWS that contain information about the users in the database are:

    USER_USERS
    ALL_USERS
    DBA_USERS

    There are many others but these are the starting points. Remember to use the SQL*Plus DESCRIBE command, DESC <view_name>, to see which columns a view has in it.

    We will now create a user with low Oracle object privileges to test the vulnerabilities later on in this book. Please note this is not an example of a securely created user: CONNECT and RESOURCE are not recommended roles to grant by default, and an unlimited quota is not recommended either, so do not do this on your production database. It is simply the quickest way to get you up and running.

    Create_user.sql

    -- Test account only: CONNECT and RESOURCE are broader than this user needs.
    create user userexample identified by userexample
    default tablespace users
    temporary tablespace temp;
    -- CREATE SESSION is already contained in CONNECT on 10gR2 and later;
    -- it is granted explicitly here so the account still works if CONNECT is later revoked.
    grant create session to userexample;
    grant connect to userexample;
    grant resource to userexample;
    alter user userexample quota unlimited on users;
    -- Each statement above is terminated by ";", so no trailing "/" is needed;
    -- in SQL*Plus a "/" here would simply re-execute the last ALTER USER.

    Please note that the secure method for setting your personal password in Oracle is to use the SQL*Plus PASSWORD command after the user has been created, as follows:

    SQL> password <username>

    ALTER USER ... IDENTIFIED BY is used in the scripts in this book with the proviso that the account will then have its password changed using the PASSWORD command. The reason for this is that the ALTER USER ... IDENTIFIED BY statement will show in the redo logs, and in early versions of Oracle the new password also crosses the network in clear text. The PASSWORD command sends the new password encrypted, and the statement text does not appear in the redo.
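    For comparison, the same test account built along least-privilege lines. This is an added example and not a script from the book: it assumes a hypothetical application schema APPOWNER with a table ORDERS that userexample needs to read, the default USERS and TEMP tablespaces used above, and an Oracle release (10gR2 or later) in which CONNECT contains only CREATE SESSION.

```sql
-- Added example, not from the book: a least-privilege version of Create_user.sql.
-- Assumptions: schema APPOWNER and table APPOWNER.ORDERS exist (hypothetical);
-- tablespaces USERS and TEMP are the defaults used in the book.

-- The initial password is a placeholder and is expired immediately, so the user
-- must change it with the PASSWORD command (sent encrypted) at first login.
create user userexample identified by "Placeholder-1"
  default tablespace users
  temporary tablespace temp
  quota 50m on users          -- a bounded quota instead of UNLIMITED
  password expire;

-- Grant exactly the system privileges the account needs, not the CONNECT/RESOURCE roles.
grant create session to userexample;
grant create table   to userexample;

-- Grant access to other schemas' objects as object privileges, not through roles,
-- so they are visible in USER_TAB_PRIVS and are not switchable with SET ROLE.
grant select on appowner.orders to userexample;

-- Verify what was actually granted (run as the DBA who created the account).
select grantee, privilege, admin_option
from   dba_sys_privs
where  grantee = 'USEREXAMPLE';

select grantee, owner, table_name, privilege, grantable
from   dba_tab_privs
where  grantee = 'USEREXAMPLE';

-- No row should come back here: the account holds no roles at all.
select granted_role from dba_role_privs where grantee = 'USEREXAMPLE';

-- Finally, set the real password out of band:
-- SQL> password userexample
```

    The two verification queries against DBA_SYS_PRIVS and DBA_TAB_PRIVS are the same checks an auditor runs later when reviewing an account, so it is worth getting used to reading their output now.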

    If we connect as userexample the low privileged user, we can test the VIEWS above.

    SQL> conn userexample/userexample@dbinstancename;

    Connected.

    N.B. Default dbinstancename is “orcl”

    You can see the role privileges assigned to your account by entering:

    SQL> select * from user_role_privs; 
    USERNAME                       GRANTED_ROLE                   ADM DEF OS_
    ------------------------------ ------------------------------ --- --- ---
    USEREXAMPLE                    CONNECT                        NO  YES NO
    USEREXAMPLE                    RESOURCE                       NO  YES NO

    The aim of an attacker is often to elevate this low-privileged account to obtain higher-level Oracle object privileges or system privileges, or to acquire the DBA role itself, as we shall see later.
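    The queries below enumerate what the connected account can actually do, using only the USER_ and ROLE_ views, which every account can read. This is an added example and not a script from the book; it assumes you are connected as userexample (or any other low-privileged account) and that the database is 10g or later so that CONNECT BY NOCYCLE is available. The last query looks for a handful of system privileges that are well known as stepping stones to DBA; the list is illustrative, not exhaustive.

```sql
-- Added example, not from the book: enumerate effective privileges of the
-- connected user. Run in SQL*Plus as the low-privileged account.
set linesize 200
set pagesize 100
column via         format a20
column privilege   format a30
column owner       format a15
column table_name  format a30

-- 1. Roles granted directly to the current user (what the book shows above).
select granted_role, admin_option, default_role
from   user_role_privs
order  by granted_role;

-- 2. Roles held indirectly: walk roles granted to roles. ROLE_ROLE_PRIVS only
--    lists roles the current user has access to, so the walk starts from the
--    direct grants in USER_ROLE_PRIVS.
select distinct granted_role as nested_role
from   role_role_privs
start  with role in (select granted_role from user_role_privs)
connect by nocycle prior granted_role = role
order  by nested_role;

-- 3. System privileges held directly, plus those inherited through roles.
select 'DIRECT' as via, privilege, admin_option
from   user_sys_privs
union all
select rsp.role, rsp.privilege, rsp.admin_option
from   role_sys_privs rsp
where  rsp.role in (select granted_role from user_role_privs)
order  by 1, 2;

-- 4. Object privileges on objects in other schemas, direct or via roles.
select grantee, owner, table_name, privilege, grantable
from   user_tab_privs
where  owner <> user
union all
select role, owner, table_name, privilege, grantable
from   role_tab_privs
where  role in (select granted_role from user_role_privs)
order  by 2, 3, 4;

-- 5. Do I already hold DBA, or any system privilege that leads to it?
--    An empty result is the expected answer for a properly limited account.
select privilege, via
from (
  select privilege, 'DIRECT' as via from user_sys_privs
  union
  select privilege, role from role_sys_privs
  where  role in (select granted_role from user_role_privs)
)
where privilege in ('ALTER USER', 'BECOME USER', 'GRANT ANY ROLE',
                    'GRANT ANY PRIVILEGE', 'GRANT ANY OBJECT PRIVILEGE',
                    'CREATE ANY PROCEDURE', 'ALTER ANY PROCEDURE',
                    'EXECUTE ANY PROCEDURE', 'SELECT ANY DICTIONARY',
                    'CREATE ANY TRIGGER', 'ALTER ANY TRIGGER')
union all
select 'DBA ROLE', granted_role
from   user_role_privs
where  granted_role = 'DBA';
```

    Queries 3 and 4 are the ones to compare against the DBA_SYS_PRIVS and DBA_TAB_PRIVS output seen from a DBA session: any difference indicates roles that are not enabled by default, or grants the account cannot see, both of which matter when you are reconstructing what an account could do at a given time.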

    Formatting output in SQL*Plus can be awkward, but as a rule the following SET commands will help:

    set wrap off
    set linesize 600 (or to preference)
    set serveroutput on (to display DBMS_OUTPUT from PL/SQL)

    For the purposes of the rest of the book you may find it easier to use SQL*Plus for the administrative commands and, for reports on large datasets, a separate formatted interface such as that provided by SQL Developer or SQLTools, both of which are free of charge.

    Oracle documentation is free, though in-depth support information is via MOSC, which requires a valid license in order to access.

    That is the end of the Oracle primer and the next section moves onto Oracle Security.

    This is an excerpt from the book "Oracle Forensics: Oracle Security Best Practices", by Paul M. Wright, the father of Oracle Forensics.

    Original article: https://www.cnblogs.com/weaver1/p/2807388.html