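However I look at it, pangolin seems to have copied WebRavor's old features and turned them into its new features. Oracle privilege escalation, command execution and so on are all very old and nothing to show off. Privilege escalation and executing system commands have been around for a long time, hash cracking is also built into the tool, and using ULT_HTTP to query database contents requires setting up your own environment, and the conditions under which the other side would allow this are also fairly demanding. We bought WebRavor and used to use it together with pangolin; now even pangolin charges money, sigh.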
2009/4/20 54netkey <[email protected]>

> Forwarding a mail from zwell.
>
> ----- Original Message -----
> From: "ZwelL" <[email protected]>
> To: <[email protected]>; <[email protected]>; <[email protected]>; <[email protected]>
> Sent: Monday, April 20, 2009 8:24 AM
> Subject: Advanced Oracle SQL Injection
>
> Hi guys:
>
> Sometimes we meet an Oracle database when we do web SQL injection testing. All we do is dump some data in the db. But you know what? Actually, we can do more and more operations with it, such as:
>
> 1. Fast data dumping even when union select cannot be used
> 2. Dump server information like: db name, sid, real internet IP address, user list, user hash and so on.
> 3. Execute PL/SQL
> 4. Privilege escalation
> 5. Crack user password
> 6. Execute system command
> 7. Install Oracle rootkit
> 8. and so many others
>
> Maybe you could say it cannot execute multi-sql through a single query. Don't worry. There is a demo at http://down2.nosec.org/swf/pangolin_oracle.html, you can watch it and learn a lot of things about Oracle SQL injection.
>
> Please visit http://www.nosec.org for more information. Good luck ;)
>
> ----- Original Message -----
> *From:* hack bus <[email protected]>
> *To:* [email protected]
> *Sent:* Monday, April 20, 2009 3:08 PM
> *Subject:* [Ph4nt0m] Re: Oracle database injection tool
>
> Manual injection is actually very simple! Just look through the relevant material and you will see!
>
> 2009/3/30 gyreg gyreg <[email protected]>
>
>> Using the tool "Oracle database injector [threaded edition]" to inject against an Oracle database, I get an injection data error when it reaches the step of looking up column names, and Pangolin cannot identify the injection point. I wonder whether the experts here know of any better tools for injecting against Oracle databases. Thanks~~

