oracle注入环境搭建:建库+php源码

假设oracle数据库已经安装好并且可以远程连接
本机连接oracle

sqlplus / as sysdba

提示

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options

SQL>

下面建库、表并插入测试数据,sql语句将在 SQL> 之后执行

1.创建数据表空间

create tablespace pentest datafile '/u01/app/oracle/oradata/TSH1/pentest.dbf' size 100m;

2.创建用户并指定表空间

create user pentest identified by pentest default tablespace pentest;

3.给用户授予权限(因为是测试注入,所以给dba权限)

grant connect,resource,dba to pentest;

4.建表并插入数据
4.1建表

CREATE TABLE USERS (
IDX NUMBER(10) NOT NULL ,
NAME VARCHAR2(20 BYTE) NULL ,
SEX VARCHAR2(2 BYTE) NULL ,
AGE NUMBER(3) NULL ,
REGDATE DATE NULL 
)
LOGGING
NOCOMPRESS
NOCACHE;

4.2插入测试数据

INSERT INTO USERS VALUES ('1', 'xiaoming', 'M', '18', TO_DATE('2019-04-25 19:48:11', 'YYYY-MM-DD HH24:MI:SS'));
INSERT INTO USERS VALUES ('2', 'limao', 'F', '22', TO_DATE('2019-04-25 19:49:08', 'YYYY-MM-DD HH24:MI:SS'));

4.3设置主键

ALTER TABLE USERS ADD PRIMARY KEY ("IDX");

有漏洞的php源码


<?php
//$conn = oci_connect('username', 'password', 'host or ip/SID');
$conn = oci_connect('pentest', 'pentest', '192.168.x.x/ORCL');
if(!$conn)
{
        $e = oci_error();
        echo $e['message'];
        exit();
}
if(!isset($_GET['nm']) || $_GET['nm'] == null)
{
        echo "oracle sqlinjection test: oracle_test.php?nm=limao</br>";
        $sql = "select * from USERS";
}
else
{
        $name = $_GET['nm'];
        $sql = "select * from USERS WHERE NAME='" .$name."'";
        echo $sql;
}
$stid = oci_parse($conn, $sql);
oci_execute($stid);

echo "<table border='1'>\n";
while ($row = oci_fetch_array($stid, OCI_ASSOC+OCI_RETURN_NULLS))
{
        echo "<tr>\n";
        foreach ($row as $item)
        {
                echo "    <td>" . ($item !== null ? htmlentities($item, ENT_QUOTES) : "&nbsp;") . "</td>\n";
        }
        echo "</tr>\n";
}
echo "</table>\n";
?>

成功后打开的页面效果

注入:

sqlmap.py -u "http://x.x.x.x/oracle_test.php?nm=limao" -p nm --dbms=ORACLE