0x00 Preface
Every time I want to test Oracle injection I have no environment to test against, so I set one up locally to make testing easier for myself.
0x01 Oracle installation and configuration
Pull the Oracle image from Alibaba Cloud; it is fairly large, over 3 GB:
docker pull registry.cn-hangzhou.aliyuncs.com/helowin/oracle_11g
After the download finishes, start the container:
docker run -d -it -p 1521:1521 --name oracle11g registry.cn-hangzhou.aliyuncs.com/helowin/oracle_11g
Enter the container:
docker exec -it oracle11g bash
1.1 Change the database passwords
Switch to the root account (you land in the oracle account by default); the root password is helowin:
su root
Edit the environment variables: open vi /etc/profile and append the following at the bottom:
export ORACLE_HOME=/home/oracle/app/oracle/product/11.2.0/dbhome_2
export ORACLE_SID=helowin
export PATH=$ORACLE_HOME/bin:$PATH
Apply the configuration:
source /etc/profile
Create a symlink so sqlplus is on the PATH:
ln -s $ORACLE_HOME/bin/sqlplus /usr/bin
Switch to the oracle user and log in to sqlplus:
su - oracle
sqlplus /nolog
conn /as sysdba
Change the sys and system user passwords (replace 密码 with the password you want), and remove the default password expiry so the lab accounts do not lock after 180 days:
alter user system identified by 密码;
alter user sys identified by 密码;
alter profile default limit PASSWORD_LIFE_TIME UNLIMITED;
1.2 Create the table and its contents
Create a tablespace named "Mo60" with the data file "Mo60.dbf":
create tablespace Mo60 datafile 'Mo60.dbf' size 100m;
After running it, you can check whether it was created successfully with:
select tablespace_name from user_tablespaces;
Create a user and assign it the tablespace:
create user mo60 identified by mo60 default tablespace Mo60;
Grant the user DBA privileges:
grant connect,resource,dba to mo60;
Then exit and log in again as the mo60 user:
sqlplus mo60/mo60
Create the table:
CREATE TABLE news (
id number,
title varchar(500),
data varchar(1000)
);
Insert some data:
INSERT INTO news (id, title, data) VALUES (1, 'Blog', 'A good blog YmxvZy5tbzYwLmNu');
INSERT INTO news (id, title, data) VALUES (2, 'news', 'Nothing happened today');
INSERT INTO news (id, title, data) VALUES (3, 'weather', 'It s sunny');
commit;
0x02 Web environment setup
Pull the image:
docker pull thomasbisignani/docker-apache-php-oracle
Start the container:
docker run -p 5432:80 -d -v $PWD/Oracle-Injection-Web:/var/www/html thomasbisignani/docker-apache-php-oracle
cd into the Oracle-Injection-Web directory and create a PHP file to test the connection; the IP is the host machine's IP:
<?php
$username = 'mo60';
$password = 'mo60';
$connectText = '//10.68.1.3:1521/helowin';
$conn = oci_connect($username, $password, $connectText);
if (!$conn) {
$e = oci_error();
echo 'Oracle connect failed <br />';
exit($e['message']);
}
echo 'Oracle connect ok'."<br>";
?>
Next comes the PHP file used for the injection test:
<?php
$username = 'mo60';
$password = 'mo60';
$connectText = '//10.68.1.3:1521/helowin';
$conn = oci_connect($username, $password, $connectText);
if (!$conn) {
$e = oci_error();
echo 'Oracle connect failed <br />';
exit($e['message']);
}
// Deliberately vulnerable: the id parameter is concatenated straight into the SQL text.
// $sql is assigned in both branches so the echo at the bottom always has a value.
if (!isset($_REQUEST['id']) || $_REQUEST['id'] == null) {
$sql = "select * from NEWS";
} else {
$sql = "SELECT * FROM NEWS where id=" . $_REQUEST['id'];
}
$stid = oci_parse($conn, $sql);
if (!$stid) {
$e = oci_error($conn);
exit($e['message']);
}
$r = oci_execute($stid);
if (!$r) {
// The raw ORA- message is returned to the client, which is what makes error-based injection easy to observe here.
$e = oci_error($stid);
exit($e['message']);
}
print "<table border='1'>\n";
print " <tr><td>ID</td><td>Title</td><td>Data</td></tr>";
while ($row = oci_fetch_array($stid, OCI_ASSOC+OCI_RETURN_NULLS)) {
print "<tr>\n";
foreach ($row as $item) {
// Values come back in the database client's character set; convert from GBK to UTF-8 for display.
$item = ($item !== null ? mb_convert_encoding($item, 'utf-8', 'gbk') : " ");
print " <td>" . $item . "</td>\n";
}
print "</tr>\n";
}
print "</table>\n<hr>";
// Show the executed SQL so the effect of the injected input is visible.
echo htmlentities($sql);
oci_free_statement($stid);
oci_close($conn);
?>
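For comparison, here is the same news lookup written the way it should be in a real application. This is an added example, not code from the original post: it keeps the lab's connection values (user mo60, service helowin, the host IP used above) and assumes the oci8 extension, but replaces string concatenation with an oci_bind_by_name placeholder, validates the id, hides raw ORA- errors from the client, and HTML-escapes output. Putting it next to the vulnerable file in the same lab makes it easy to see that the same payloads that work against one return nothing useful against the other.

```php
<?php
// Added example (not part of the original post): hardened version of the news lookup.
// Connection values are assumed to match the lab built above.
$username = 'mo60';
$password = 'mo60';
$connectText = '//10.68.1.3:1521/helowin';

// Ask the client library for UTF-8 directly so no mb_convert_encoding step is needed
// (assumption: the database character set is convertible to AL32UTF8, which it is for this lab data).
$conn = oci_connect($username, $password, $connectText, 'AL32UTF8');
if (!$conn) {
    $e = oci_error();
    error_log('oracle connect failed: ' . $e['message']);
    http_response_code(500);
    exit('Oracle connect failed');
}

// Validate before the value gets anywhere near SQL: only a plain non-negative integer is accepted.
$id = $_REQUEST['id'] ?? null;
if ($id !== null && $id !== '' && !ctype_digit((string) $id)) {
    http_response_code(400);
    exit('invalid id');
}

if ($id === null || $id === '') {
    $sql  = 'SELECT id, title, data FROM news';
    $stid = oci_parse($conn, $sql);
} else {
    // :id is a bind placeholder. Oracle receives the statement text and the value separately,
    // so input such as "1 OR 1=1" or "1 UNION SELECT ..." can never alter the query structure;
    // it is simply compared against the id column as a number.
    $sql  = 'SELECT id, title, data FROM news WHERE id = :id';
    $stid = oci_parse($conn, $sql);
    $idval = (int) $id;               // bind variables must be passed by reference
    oci_bind_by_name($stid, ':id', $idval, -1, SQLT_INT);
}

if (!$stid || !oci_execute($stid)) {
    // Log the real error server-side; the client only ever sees a generic message.
    // Verbose ORA- messages are exactly what error-based injection techniques read from.
    $e = oci_error($stid ?: $conn);
    error_log('oracle query failed: ' . $e['message']);
    http_response_code(500);
    exit('query failed');
}

print "<table border='1'>\n";
print " <tr><td>ID</td><td>Title</td><td>Data</td></tr>\n";
while ($row = oci_fetch_array($stid, OCI_ASSOC + OCI_RETURN_NULLS)) {
    print "<tr>\n";
    foreach ($row as $item) {
        // Escape every cell so stored data cannot inject HTML into the page (stored XSS).
        print ' <td>' . htmlentities($item ?? ' ', ENT_QUOTES, 'UTF-8') . "</td>\n";
    }
    print "</tr>\n";
}
print "</table>\n<hr>";
// The SQL text shown here never contains user input, only the placeholder.
echo htmlentities($sql, ENT_QUOTES, 'UTF-8');

oci_free_statement($stid);
oci_close($conn);
?>
```

Drop this file into the same Oracle-Injection-Web directory as the vulnerable one and request both with the same id values. The vulnerable page reflects whatever was appended to the query and leaks ORA- errors; the hardened page answers 400 for anything that is not a plain integer, and a request that does reach the database is logged as a parse or execute failure on the server rather than echoed back. That server-side error_log line is also the hook for detection: repeated query failures from one client on this endpoint are a useful signal to alert on.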
Screenshot of the result