Why do you think it's showing off?

2009/4/20 update windows <[email protected]>

> However I look at it, pangolin seems to have copied WebRavor's old features and made them its new features.
> Oracle privilege escalation, command execution and so on are all very old; there is nothing to show off about.
> Privilege escalation and system command execution have been around for ages, hash cracking is also built into the tools, and using UTL_HTTP to query database contents requires setting up your own environment; moreover, the conditions under which the other side allows this are fairly strict.
> We bought WebRavor and used to use it together with pangolin; now even pangolin charges money. Sigh.
>
> 2009/4/20 54netkey <[email protected]>
>
>> Forwarding a mail from zwell.
>>
>> ----- Original Message -----
>> From: "ZwelL" <[email protected]>
>> To: <[email protected]>; <[email protected]>; <[email protected]>; <[email protected]>
>> Sent: Monday, April 20, 2009 8:24 AM
>> Subject: Advanced Oracle SQL Injection
>>
>> Hi guys:
>>
>> Sometimes we meet an Oracle database when we do web SQL injection testing.
>> All we do is dump some data from the db. But you know what? Actually, we
>> can do many more operations with it, such as:
>> 1. Fast data dumping even when union select cannot be used
>> 2. Dump server information like: db name, sid, real internet IP address,
>>    user list, user hash and so on.
>> 3. Execute PL/SQL
>> 4. Privilege escalation
>> 5. Crack user password
>> 6. Execute system command
>> 7. Install Oracle rootkit
>> 8. and so many others
>>
>> Maybe you could say it cannot execute multi-sql through a single query.
>> Don't worry. There is a demo at
>> http://down2.nosec.org/swf/pangolin_oracle.html, you can watch it and
>> learn a lot of things about Oracle SQL injection.
>>
>> Please visit http://www.nosec.org for more information. Good luck ;)
>>
>> ----- Original Message -----
>> *From:* hack bus <[email protected]>
>> *To:* [email protected]
>> *Sent:* Monday, April 20, 2009 3:08 PM
>> *Subject:* [Ph4nt0m] Re: Oracle database injection tool
>>
>> Manual injection is actually very simple! Look up the relevant material and you will see!
>>
>> 2009/3/30 gyreg gyreg <[email protected]>
>>
>>> I am using the tool "oracle数据库注入器【线程版】" (Oracle database injector, threaded version) to inject against an Oracle database. When it gets to looking up the column names, an injection data error occurs, and Pangolin (穿山甲) cannot identify the injection point. Do any of the experts here have a better tool for injecting against Oracle databases? Thanks~~

--
hitest

