Building an Oracle injection test environment: creating the database, plus the PHP and ASP source

Assume the Oracle database is already installed and accepts remote connections.
Connect to Oracle on the local machine:

sqlplus / as sysdba

The prompt shows:

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options

SQL>

Next, create the tablespace, user and table and insert test data; the SQL statements below are run at the SQL> prompt.

1. Create the data tablespace
TSH1 is the SID

create tablespace pentest datafile '/u01/app/oracle/oradata/TSH1/pentest.dbf' size 100m;

2. Create the user and assign its default tablespace

create user pentest identified by pentest default tablespace pentest;

3. Grant privileges to the user (since this is for injection testing, the DBA role is granted)

grant connect,resource,dba to pentest;

4. Create the table and insert data
4.1 Create the table

CREATE TABLE USERS (
IDX NUMBER(10) NOT NULL ,
NAME VARCHAR2(20 BYTE) NULL ,
SEX VARCHAR2(2 BYTE) NULL ,
AGE NUMBER(3) NULL ,
REGDATE DATE NULL 
)
LOGGING
NOCOMPRESS
NOCACHE;

4.2 Insert test data

INSERT INTO USERS VALUES ('1', 'xiaoming', 'M', '18', TO_DATE('2019-04-25 19:48:11', 'YYYY-MM-DD HH24:MI:SS'));
INSERT INTO USERS VALUES ('2', 'limao', 'F', '22', TO_DATE('2019-04-25 19:49:08', 'YYYY-MM-DD HH24:MI:SS'));

4.3 Set the primary key

ALTER TABLE USERS ADD PRIMARY KEY ("IDX");

The vulnerable PHP source (oracle_test.php):

<?php
// Connection string format: oci_connect('username', 'password', 'host or ip/SID')
$conn = oci_connect('pentest', 'pentest', '192.168.x.x/ORCL');
if (!$conn) {
    $e = oci_error();
    echo $e['message'];
    exit();
}
if (!isset($_GET['nm']) || $_GET['nm'] === '') {
    echo "oracle sqlinjection test: oracle_test.php?nm=limao<br>";
    $sql = "select * from USERS";
} else {
    // nm is concatenated straight into the statement: this is the string injection point
    $name = $_GET['nm'];
    $sql = "select * from USERS WHERE NAME='" . $name . "'";
    echo $sql;   // print the final statement so the injected input is visible on the page
}
$stid = oci_parse($conn, $sql);
oci_execute($stid);

echo "<table border='1'>\n";
while ($row = oci_fetch_array($stid, OCI_ASSOC + OCI_RETURN_NULLS)) {
    echo "<tr>\n";
    foreach ($row as $item) {
        echo "    <td>" . ($item !== null ? htmlentities($item, ENT_QUOTES) : "&nbsp;") . "</td>\n";
    }
    echo "</tr>\n";
}
echo "</table>\n";
?>

What the page looks like once it opens successfully:

Injection, string type:

sqlmap.py -u "http://x.x.x.x/oracle_test.php?nm=limao" -p nm --dbms=ORACLE

The vulnerable ASP source (oracle.asp):

<%
Dim conn, sql, rs, i
Dim idx
idx = Request("idx")
Set conn = Server.CreateObject("ADODB.Connection")
' Without On Error Resume Next a failed Open aborts the script and the Err check below is never reached
On Error Resume Next
'conn.Open "Provider=OraOLEDB.Oracle;Data Source=ORCL;User ID=pentest;Password=pentest;"
conn.Open "Provider=OraOLEDB.Oracle;Data Source=127.0.0.1/ORCL;User ID=pentest;Password=pentest;"

' idx is concatenated straight into the statement: this is the integer injection point
If idx <> "" Then
    sql = "select * from USERS where IDX=" & idx
Else
    sql = "select * from USERS"
End If

If Err Then
    Err.Clear
    Set conn = Nothing
    Response.Write "connect error!"
    Response.End
End If
On Error GoTo 0   ' restore default error handling so query errors are still reported

Response.Write "connect ok!<br>"
Response.Write "oracle.asp?idx=1   idx(1-11)<br>"
Set rs = conn.Execute(sql)
Do Until rs.EOF
    For i = 0 To rs.Fields.Count - 1
        Response.Write rs.Fields(i)
        Response.Write "<br>"
    Next
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
conn.Close
Set conn = Nothing
%>

Injection, integer type:

sqlmap.py -u "http://x.x.x.x/oracle.asp?idx=1" -p idx --dbms=ORACLE
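For comparison, here is the fix both test pages deliberately leave out, as an added example that is not part of the original post: the same nm (string) and idx (integer) lookups on USERS, with the user value passed as an Oracle bind variable instead of being concatenated into the SQL text. The connect string reuses the post's placeholder host.

```php
<?php
// Added example, not from the original post: the USERS lookups from
// oracle_test.php (nm, string) and oracle.asp (idx, integer) with the
// user value passed as an Oracle bind variable, never as SQL text.
// The connect string reuses the post's placeholder host.
$conn = oci_connect('pentest', 'pentest', '192.168.x.x/ORCL');
if (!$conn) {
    error_log(oci_error()['message']); // detail stays in the server log
    echo 'connect error';
    exit();
}

$nm  = isset($_GET['nm'])  ? $_GET['nm']  : '';
$idx = isset($_GET['idx']) ? $_GET['idx'] : '';

if ($nm !== '') {
    // :nm is a placeholder; a quote inside $nm is data, not SQL syntax
    $stid = oci_parse($conn, 'SELECT * FROM USERS WHERE NAME = :nm');
    oci_bind_by_name($stid, ':nm', $nm);
} elseif ($idx !== '') {
    // integer case: validate the shape first, then bind as SQLT_INT
    if (!ctype_digit($idx)) {
        echo 'idx must be a positive integer';
        exit();
    }
    $idxInt = (int) $idx;
    $stid = oci_parse($conn, 'SELECT * FROM USERS WHERE IDX = :idx');
    oci_bind_by_name($stid, ':idx', $idxInt, -1, SQLT_INT);
} else {
    $stid = oci_parse($conn, 'SELECT * FROM USERS');
}

if (!oci_execute($stid)) {
    error_log(oci_error($stid)['message']); // never echo SQL errors to the client
    echo 'query failed';
    exit();
}

echo "<table border='1'>\n";
while ($row = oci_fetch_array($stid, OCI_ASSOC + OCI_RETURN_NULLS)) {
    echo "<tr>\n";
    foreach ($row as $item) {
        echo '    <td>' . ($item !== null ? htmlentities($item, ENT_QUOTES) : '&nbsp;') . "</td>\n";
    }
    echo "</tr>\n";
}
echo "</table>\n";
oci_free_statement($stid);
oci_close($conn);
```

Running the same sqlmap commands against this version should report the parameters as not injectable, which is a quick way to confirm the bind variables are actually in effect.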