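Web Security Handbook

Sharing is a joy in itself; I feel happy when others get help because of me

[Pinned] What a tragedy

[Pinned] Technical challenge game

[Pinned] Disclaimer & article submissions

Advanced MySQL Injection Examples

Thanks to xnquan for the submission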

Exploiting hard filtered SQL Injections

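#Trace: On using parentheses to bypass space filtering: back in 2007, 寂寞的刺猬 wrote a Chinese-language article on this, <Breaking Through the Space Restriction>.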

Dirty Tricks

Oracle Hacking with Metasploit Videos

  • Metasploit Oracle TNSCMD SMBRelay Demo
  • Metasploit Oracle Extproc Backdoor Demo
  • Metasploit Oracle Login Brute and Privilege Check Demo
  • Metasploit Oracle CGI Scanner and SID enumeration

Gaining OS Access with a Low-Privileged Oracle Database Account

Presentation from Confidence 2009 available

I just uploaded the presentation “SQL Injection in Oracle Webapps” to our website. This presentation describes the basics of SQL, different exploitation techniques (inband, out-of-band, blind), how to search credit card numbers in the database (using dbms_xmlgen), … Here is one of the sample SQL Injection strings from the presentation. With this SQL Injection string we are getting all username/passwords, all table names, all column names and all privileges in one step. The trick is to use sum(length(utl_http())) in the SELECT clause.

Tutorial: Oracle SQL Injection in Webapps - Part I

With Oracle 11g, Oracle introduced some security enhancements by default, e.g. the ACL for PLSQL packages accessing the network. These packages are UTL_HTTP, UTL_INADDR, UTL_TCP, … Some old well known tricks like the usage of utl_inaddr are no longer working for non-DBAs in 11g… The following tutorial will show how to bypass these restrictions and will show some new tricks…

Using an Injection Point to Determine Whether the Database and Web Server Are on Separate Hosts

#Trace: For reference only; not entirely correct.

Database Password Hashes Cracking

#Trace: Compiled by Sid. Post any additions in the comments.

SQL injection: Not only AND 1=1

Trace's note: it analyzes how some of sqlmap's features are implemented.

Oracle FTP Script Write/Binary Download/Execute via Oracle Packages Video

Metasploit Auxiliary module for Oracle FTP Script Write/Binary Download/Execute via Oracle Packages.

As DBA (yea for SQLI) we use UTL_FILE to write out our FTP download script, using DBMS_SCHEDULER we create a job to run the script to download our binary and create a 2nd job to execute our binary and get our meterpreter shell. Oracle...Unbreakable.

MS-SQL [2000&2005] User Enumeration Via sp_who

In SQL server 2005, if you are not 'sa' you can’t do much. This is primarily because openrowset is by default not available unless you are privileged. Stored procedure sp_who is available for public (in mssql 2000 and 2005). This procedure “provides information about current Microsoft® SQL Server™ users and processes”.

Full MSSQL Injection PWNage

#Trace: Good paper.

Deliberately Insecure Web Applications For Learning Web App Security

Over the last few months I've been teaching free classes for the ISSA Kentuckiana chapter in Louisville, Kentucky. After doing one on Nmap and another on Sniffers, I talked it over with my buddies Brian and Jeff and decided that the next one should be on web application vulnerabilities. Now the question becomes what to test against in a classroom environment? To tell the truth, I'm not as up on web application security as I think I need to be to teach the class yet, and I don't want to have to develop my own insecure code just to have something to test against in the lab. I could look through BugTraq for good candidates and install old venerable versions of apps like phpBB but I did not think that would be the clearest way to illustrate some concepts. What I wanted was a "one stop shop" for a bunch of common vulnerabilities. It also occurred to me to use one of the many online wargame/hacker challenge sites, but there are a few major problems with that approach:

union all in Oracle 8i Does Not Support null

Oracle 9i's improvements to the union all function, building on 8i.

Copyright 2008-2009 Pcsec.org. Some Rights Reserved. 苏ICP备08110306号