Description of the basic idea of Oracle Web Hacking

Source: Internet
Author: User

This article describes the basic idea of Oracle web hacking and is aimed at beginners who want to understand it better. The details follow.

This section describes how to identify the target and how to determine the injection parameters. The main difference from other databases is how to determine that the back end is Oracle, which is easy to do from the database's characteristics. Oracle supports -- style comments, but it does not support executing multiple separate statements in one query. Oracle also has many system tables, such as all_tables; by accessing these tables you can determine whether the database is Oracle.

In addition, some Oracle functions can be used for this check, such as utl_http.request, and small language details can also distinguish one system from another. For example, in Oracle || is the concatenation operator, but it is not in other databases, so if and chr(123)||chr(123)=chr(123)||chr(123) executes smoothly, the database is almost certainly Oracle. Also, some scripts do not handle database query errors, so the raw error message leaks the real back-end database, which can be seen clearly.

Next you need to determine the injection point type. In general, a parameter we enter is a character type if it is not a numeric type (what many people call search injection should really be classed as character type). For the numeric type there is little to consider: it is easy to add the -- comment characters so that the statement closes properly. For the character type, we must consider how to keep the whole statement correct, generally by adding injection characters such as ' and -- to construct the injection environment.

In more complex situations, such as when one parameter appears in multiple SQL statements and logic branches, you must carefully construct injection statements that fit the environment. Remember, we only need a good environment in which to insert our own SQL commands :)

Once you have determined that the target database is Oracle and that it can be injected, you can start constructing statements. Generally, the first step is to determine the current permission. In Oracle databases the DBA permission is relatively high and carries all permissions on the database. In addition, even if the current user has not been granted it, cross-database queries can still be performed. You can try to access a dba table such as dba_tables to determine whether the current user is a dba.

Injection generally comes in three forms: select injection, insert injection, and update injection. Update and insert injection can change data in the database, depending on the context. For example, an update injection can change an important field in a table to a value we want. Even if that data is of no interest to us, we can use a select subquery to fetch the data we need and then read it out somewhere else. As long as we follow the database syntax, we can achieve our goal.

Here we mainly talk about select injection. If we can control part of a select statement, this type of injection is possible. If the query results are returned to the page, you can also try a union query so that the content is displayed directly on the page, which is the most convenient case. In fact, as we will see, whatever the injection type, in an Oracle web environment it can lead directly to executing system commands and returning a shell.

To obtain sensitive data in Oracle, you first need to know Oracle's system tables; with sufficient permission you can obtain any data. Key system tables include all_tables and all_objects, which list what you have permission to access, including permissions granted to you by others. Therefore, if your permissions are dba, you can see all the tables in the system. One technique in injection: if you need to log in to the back end but do not know the password, you can use these tables. For example, you can check which column names contain password, which is also described in the following example.

You also need to understand the union query. As in other databases, a union query in Oracle requires the same number of columns with the same types. Oracle has many types; the common ones are character, numeric, and date. Generally, what a union query lets us display is character data, so we need to locate precisely which field meets the following requirements.

1. The data is displayed on the page. There are many processing steps between the query and the response, and much of the data is processed several times along the way, so finding a field that is actually displayed is often not straightforward. "Displayed" covers many places, including the returned HTTP headers, the page body, and even cookies.

2. The field is of the character type. Most of the data we want to output is character data, so this type is required for a correct match.

3. The field is long enough. Although some character functions can work around a short field, a sufficiently long field is always the simplest.

Oracle does not perform data type conversion on its own. However, Oracle provides NULL, which matches all data types. Therefore, after determining the number of fields, we can put null in each field of the union so that the types match. In addition, Oracle does not support queries such as select 1: the syntax requires the select statement to select from a table. If we have no table, we can use the dual table, which every user is granted access to by default.

Determining the number of fields is also relatively simple. As in other databases, order by 1 can be used: if that field position exists, the page behaves normally. When the page logic makes the parameter appear in more than one place, the order by results are inconsistent and a union query cannot be used. Where the target does not accept ' characters, the chr function can be used to solve the problem.

Even if union cannot be used, some Oracle features make it easy to get the desired information, namely the system's utl_http.request function. You can treat it as an ordinary function: we listen on a port ourselves and then use this function to send the required data in a request. This also lets us check whether the database can access the Internet and what its egress IP address is, which is a very important point.

With the rich set of packages, functions, and stored procedures in the system, the basic idea of Oracle web hacking is that an injection point lets you do anything, both what your permissions allow and what they do not. Remember, it is everything.
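For defenders, the Oracle-specific markers this article walks through (the chr()||chr() fingerprint, order by N, union ... from dual, the all_tables/all_objects/dba_tables views, and utl_http.request) can be searched for in web access logs. The following is an added example, not code from the original article; the regexes, rule names, endpoints and log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Oracle probe markers named in the article; the regexes are this example's own.
RULES = {
    "chr_concat_fingerprint": re.compile(r"chr\s*\(\s*\d+\s*\)\s*\|\|\s*chr\s*\(", re.I),
    "catalog_view": re.compile(r"\b(?:all_tables|all_objects|dba_tables)\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_from_dual": re.compile(r"\bunion\b.*\bselect\b.*\bfrom\s+dual\b", re.I | re.S),
    "utl_http_callout": re.compile(r"\butl_http\s*\.\s*request\b", re.I),
}

# Common Log Format: client IP ... "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+) [^"]*"')

# Constructed sample lines (documentation IP ranges, hypothetical endpoints).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /news.jsp?id=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /news.jsp?id=42%20and%20chr(123)%7C%7Cchr(123)=chr(123)%7C%7Cchr(123) HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /news.jsp?id=42%20order%20by%201-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "GET /news.jsp?id=42%2520union%2520select%2520null%2520from%2520dual-- HTTP/1.1" 500 90',
    '203.0.113.5 - - [01/Jan/2024:10:01:00 +0000] "GET /search.jsp?q=order+status HTTP/1.1" 200 700',
]

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded input is normalised before matching."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(query_string):
    """Return the sorted names of the rules that match a raw query string."""
    text = decode(query_string)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan(log_lines):
    """Map each client IP to the sorted rule names seen across its requests."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Common Log Format line
        ip, target = m.groups()
        matched = classify(target.partition("?")[2])
        if matched:
            hits.setdefault(ip, set()).update(matched)
    return {ip: sorted(names) for ip, names in hits.items()}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Several different rules firing for one client in a short window, as for 198.51.100.7 here, is a stronger signal than any single match, since words like order by also occur in ordinary traffic.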
