I'm doing some post exploitation work and I've been stuck trying to show a full OS compromise by running a command or uploading a payload.
I've tried using DBMS_SCHEDULER to create an executable job, but the jobs don't seem to be created when I run a query like this. I'm not real familiar with Oracle 11g (I don't ususally do post exploitation work) and this system seems fairly well patched, but I have DBA access.
Here is an example of what I'm trying via SQLi via the web app:
0' OR 1 in ( DBMS_SCHEDULER.CREATE_JOB (job_name=>'test', job_type=>'EXECUTABLE',
job_action=>'c:\windows\syswow64\ping.exe <IP>', enabled=>true) ) AND '1'='1
The error I get back is this:
OraOLEDB error '80004005'
ORA-00904: "DBMS_SCHEDULER"."CREATE_JOB": invalid identifier
I'm not sure if this is a limitation of the query or what. Most of what I've seen around this has the jobs being created within a BEGIN / END block. I'm not sure what that does.
When I looked at the components in dba_registry table, I don't think Java is enabled.